February 2026 Product Notes: New Test Catalogue & API Scanning experience

Security is often a game of “you don’t know what you don’t know.” At Detectify, we focus on removing that uncertainty. Whether it’s reaching 922 quintillion payload permutations or refining a UI workflow, our goal is to make the experience of securing your stack as seamless as the tech you’re building.

We believe that a security tool shouldn’t just be powerful, it should be intuitive, fast, and, dare we say, a joy to use. We take our UI and the experience of using Detectify quite seriously. This past month, we’ve rolled out a series of updates ranging from massive new discovery capabilities to smaller but impactful UI improvements. Why? Because we know that a smoother workflow translates into a more secure environment. 

Here’s a look at what we’ve been up to this month:

Deepening Discovery & Transparency

You can’t secure what you don’t know exists. We’ve launched several features designed to give you total visibility over your attack surface and full transparency into how we’re poking at it.

Protocol Discovery

Our new Protocol Discovery helps you find exposed protocols across your entire attack surface by identifying the specific services communicating behind your open ports.

Security teams often focus solely on web traffic (HTTP/HTTPS), but attackers look for any open door. By identifying protocols like SSH, FTP, or SMB across your infrastructure, we provide a more complete view of your risk. Scanning your web apps isn’t enough; we want to give you a map of your entire attack surface so nothing is left to chance.

The new test catalogue

Transparency is essential for trust, so we believe you should know exactly how you’re being protected. The new Test Catalogue is a searchable, comprehensive database of most of the vulnerability tests Detectify performs.

We know that users need this transparency to ensure compliance and coverage. This catalogue allows them to dig into our security research and become more informed defenders. 

Expanded Vulnerability Testing

The threat landscape moves fast. But so do our researchers. In the end, a product is only as good as its engine. We are constantly implementing the latest vulnerabilities so you’re protected against new CVEs and other attack vectors. We’ve added significant new tests in two major batches (Batch 1 and Batch 2).

Here’s a list of a few interesting new security tests, along with a description by our security researchers: 

• Sharp Multifunction Printers Path Traversal (CVE-2024-33605): This vulnerability allows an attacker to peek into the file system of a Sharp printer. It’s a great reminder that the “Internet of Things” includes the giant machine in the hallway that can often sense your nerves. 
• PTZOptics Cameras Remote Code Execution (CVE-2024-8957): Remote take-over of a professional-grade camera (used in boardrooms and studios). An RCE here means an attacker could potentially watch and listen to everything in the room.
• Microsoft Azure SAS Token Exposure: This isn’t a “bug” in the code, but a critical issue in the cloud. Shared Access Signature (SAS) tokens are like the keys to the kingdom for Azure storage. Finding these exposed in the wild is a massive win for a bug hunter and a total nightmare for a DevOps team.
• Nostromo nhttpd RCE (CVE-2019-16278): This vulnerability is famous in the community for being incredibly simple to exploit—just a few characters in a header can lead to full system command execution. 
• Ruby on Rails CSRF Token Leakage via CSS Side-Channel: This is arguably the “weirdest” of the bunch. Most people think of CSS as just colors and fonts, but researchers figured out how to use CSS selectors to “leak” security tokens bit-by-bit.
• CodeMeter Webadmin Dashboard Exposure: CodeMeter is a niche tool used for software licensing and “Digital Rights Management” (DRM). It’s the kind of background service most people don’t even know is running on their servers, which makes it a perfect, obscure attack surface for a hacker to stumble upon.
• AzuraCast Unfinished Install: AzuraCast is an open-source “Radio Station Management” suite. Finding an “unfinished install” means a hacker could potentially hijack a company’s web radio station and start broadcasting their own playlist.
• jQuery BBQ Prototype Pollution: “jQuery BBQ” is an old, obscure library for handling back-button behavior in browser hashes. The fact that it’s vulnerable to Prototype Pollution (a modern, complex JavaScript attack) in 2026 is a beautiful example of how “zombie code” from a decade ago can still haunt modern web apps.

Refining the API Scanning Experience

A large part of our focus this month was shipping improvements to our API Scanning product. We take customers’ feedback quite seriously, so here’s a list of a few enhancements that we shipped:

• Bulk Select Operations: For users with hundreds of API operations, manual selection was rather unpleasant. You can now “quick select” bulk-select operations by method (GET, POST, etc.) during creation or editing. It’s a small change that saves a massive amount of time. 
  • For security engineers with massive APIs containing hundreds of endpoints, clicking each one individually was a chore. We listen, so when a customer tells us a workflow is tedious, we don’t just put it on a roadmap; we build a solution that makes the tool feel lighter and faster.

• Smarter Validation Alerts: We’ve added a new “Server Address Missing” alert. Now, if your spec file is missing a server definition upon upload (Swagger/OpenAPI), we’ll tell you immediately so you can fix it before moving forward .
  • Few things are more frustrating than completing a setup only for the scan to fail later because of a missing URL. This update catches the error at the moment of upload saving time for all engineers. Detectify is all about “frictionless” security. We want to stop errors before they happen, saving you minutes of troubleshooting.
• The “Scans Requiring Attention” Overview: We’ve redesigned our overview cards to highlight what matters most. API Scanning profiles are now included in the “Scans requiring your attention” card, and failing scans are prioritized so you can see exactly where to focus your energy.
  • Information overload is a real problem in security. By moving “Scans blocked by WAF” and “Failing scans” to the top, we ensure that the most critical issues are the first thing you see when you log in. At Detectify we believe great design is about information hierarchy. We want the Detectify dashboard to guide you toward action, not just show you data.
    

It’s really all about the little things

Whether it’s moving a button two pixels to the left or building a complex protocol discovery engine, our goal remains the same: to build a product that works as hard as you do. Security is a journey of continuous improvement, and we’re committed to making every step of that journey as intuitive as possible.

Want to see these updates in action? Check out our latest changes here or dive straight into your API Scanning dashboard.