
Changelog

Notable changes, new features, and improvements to the CodeWall platform.

May 2026

New features

  • Threat Hunting — proactive, intelligence-driven hunts: KEV (Known Exploited Vulnerabilities) ingestion, CPE/product matching against your assets, and AI-generated hunt proposals (with severity, rationale, and suggested skills) you can launch as a test in one click. Configure sources and thresholds under Settings → Threat Intelligence.
  • Choose worker region — select the geographic region your scan workers run in (e.g. NYC1) for data-residency and latency control.
  • Customizable retests — configure how a finding's retest runs instead of using a fixed default.
  • SSO support — OIDC and SAML single sign-on with per-organization configuration and JIT user provisioning
  • MCP server testing — test Model Context Protocol servers for tool injection, enumeration, and access control vulnerabilities
  • LLM application testing — test LLM-powered apps for prompt injection, system prompt extraction, and data exfiltration
  • Interactive-login credentials (preview) — gray-box tests can now authenticate through dynamic login challenges, not just static tokens:
    • TOTP authenticator — store the authenticator seed; the agent computes the current 6-digit code at the 2FA prompt
    • Email OTP — the agent reads a test mailbox, extracts the emailed one-time code, and submits it
    • Email magic link — the agent retrieves the emailed sign-in link and completes a passwordless login
  • Reusable credentials page — a new Settings → Credentials area to create, manage, and revoke project-scoped credentials, then attach them to a test via Saved Credential in the run wizard
  • CodeWall-provisioned test inbox — for email OTP / magic-link credentials, CodeWall can mint a dedicated receiving address so you don't have to share mailbox credentials (or point the agent at your own IMAP mailbox instead)

Improvements

  • Email OTP / magic-link credentials are passwordless-friendly — only a login identity and a mailbox are required
  • Mailbox reads are scoped to the test's own login attempt and audit-logged; retrieved codes and links never appear in findings or reports
  • The credential list and prompts only ever show metadata — secrets (tokens, TOTP seeds, mailbox passwords) are encrypted at rest and never surfaced

April 2026

Launch

  • Initial platform release — automated web application and API penetration testing
