Skip to main content

Release 25.4

The Xshield 25.4 release introduces significant enhancements across microsegmentation, cloud integrations, agentless enforcement, visibility, vulnerability intelligence, and platform tooling. These capabilities reduce deployment friction, strengthen Zero Trust adoption, and expand coverage across hybrid, on-premise, cloud, and specialized environments.

Secure Azure Workloads with Cloud Connector

Overview

Xshield Cloud Connector provides deep visibility into Azure workloads. It discovers assets across subscriptions and regions, monitors traffic behaviour, and enables segmentation using Azure-native metadata such as VNETs, tags, and resource groups. This includes support for Azure IaaS workloads (VMs, VNets, NICs) and select PaaS services such as managed database offerings that expose network-accessible endpoints.
Enforcement relies on Azure-native controls (NSGs and Service Tags), eliminating the need for agents.

Key Highlights

  • Automated cloud discovery across subscriptions and regions.
  • Secure IaaS and PaaS (Managed Database) services.
  • Policy enforcement via Azure NSGs, Service Tags, and other native controls.
  • Intelligent grouping using tags, resource groups, VNETs, or applications.
  • Consistent Zero Trust policy application across cloud and on-prem systems.

Customer Value

  • Onboarding is effortless with zero friction for discovery.
  • Comprehensive cloud visibility across regions and subscriptions.
  • Rapid time-to-security with microsegmentation immediately after discovery.
  • Unified hybrid security with standardized policy enforcement.

Enhanced Ecosystem Integrations

  • Leverages Azure-native constructs (NSGs, Tags, Service Tags).
  • Integrates with Azure subscriptions and regions.
  • Supports hybrid visibility and enforcement.

Deployment Flexibility

  • Operates agentlessly through Azure APIs.
  • Supports segmentation across multiple subscriptions, VNETs, resource groups, and eligible PaaS services.
  • Scales with centralized and decentralized cloud teams.

Granular Zero Trust Deployment with Port-Level Control

Overview

Xshield Policy Engine now supports port-level enforcement, enabling security teams to secure high-risk services on specific ports while continuing to validate other services in simulation mode. This approach accelerates Zero Trust adoption, reduces operational risk, and provides full visibility into port-level activity. Existing workflows remain unchanged; port-level enforcement is optional.

Key Highlights

  • Agile microsegmentation by securing high-risk ports (such as SSH and RDP) before enforcing full asset policies.
  • Port-specific policy enforcement in Test or Enforce mode while other ports remain in their existing security state.
  • Safe, iterative testing using per-port Test mode before enforcement.
  • Dual policy layers supporting independent port-specific and asset-wide controls.
  • Guided UI workflows for tracking deployment progress and readiness.

Customer Value

  • Faster time-to-security by immediately securing critical services.
  • Prioritized risk reduction through focused protection of high-risk ports.
  • Increased operational confidence with predictable, phased enforcement.
  • Flexible policy evolution without disrupting existing security models.
  • Comprehensive visibility into port usage, violations, and enforcement state.

Enhanced Ecosystem Integrations

  • Extends Zero Trust capabilities without architectural changes.
  • Compatible with visualizers, templates, and enforcement dashboards.
  • Works alongside segment-level and asset-level policies.

Deployment Flexibility

  • Traditional deployment of all policies into Test or Enforce modes.
  • Selective rollout based on readiness and violation insights.
  • Auto Deployment to transition policies from Test to Enforce based on user-defined criteria.
  • Annotation support for auditability and collaboration.

Improved Workflow

  • Please note that the workflow to secure workloads and assets has considerably changed to include the ability to secure at the port level.

Xshield Spark – Agentless Policy Enforcement via Host Firewalls

Overview

This release introduces a deployment model that uses three components to achieve agentless Zero Trust enforcement:

  1. EDR platforms to import host and network metadata into Xshield,
  2. Configuration managers (SCCM, Tanium, Ansible, BigFix, etc.) to remotely execute Xshield Spark on endpoints
  3. Xshield Spark A lightweight binary that applies Zero Trust segmentation rules directly through the Operating System host firewall

Key Highlights

  • Uses EDR telemetry for accurate asset and network context.
  • Xshield Spark enforces Zero Trust rules through the native firewall on Windows and Linux.
  • Policies are executed remotely using standard configuration tools already present in customer environments.
  • Supports all Xshield segmentation and workload-to-workload policy types.
  • Firewall logs are uploaded for visibility and auditing.

Customer Value

  • Enables Zero Trust enforcement without installing the Xshield Agent.
  • Leverages existing EDR and configuration management infrastructure.
  • Provides consistent enforcement across diverse endpoints.
  • Simplifies deployment and reduces operational overhead.

Enhanced Ecosystem Integrations

  • Complements EDR visibility with robust firewall enforcement.
  • Enables stronger Zero Trust enforcement across platforms.
  • Provides unified telemetry and log correlation.

Deployment Considerations

  • Works with any environment where EDR metadata and configuration automation tools are available.
  • Suitable for large-scale, agentless enforcement scenarios.

Segment Detail Page – Context-Rich Segment Insights

Overview

The Segment Detail Page provides a consolidated, context-rich view of each segment, combining enforcement information, threat behaviour insights, and asset telemetry to support fast, informed decisions.

Key Highlights

  • Segment summary including enforcement settings, templates, policies, and network behaviours.
  • MITRE ATT&CK insights highlighting lateral movement and adversary techniques.
  • Asset inventory with health, enforcement state, and telemetry.

Customer Value

  • Centralized visibility without context switching.
  • Threat-informed defence through integrated MITRE mappings.
  • Operational efficiency for troubleshooting and tuning.
  • Scalable management for Zero Trust environments.

Policy Rule Analyzer – Template Optimization (Preview Feature)

Overview

As Zero Trust environments evolve, policy templates can grow large and include rules that no longer reflect real-world traffic patterns. The Policy Rule Analyzer introduces usage-based insights to help teams assess which rules are frequently exercised and which may be candidates for refinement or cleanup.

The feature records how often each rule matches observed traffic and captures the last-used timestamp. These insights allow operators to identify low- or zero-usage rules, streamline templates, and maintain clarity without risking accidental disruption.

Key Highlights

  • Per-Rule Usage Telemetry: Tracks how often each rule is matched along with the most recent usage time.
  • Searchable Insights: Filter and locate rules with little or no recorded activity.
  • Safe Cleanup Workflow: Highlights rules for review without automatic deletion or changes to enforcement.
  • Real-Time Feedback Loop: Understand how rules behave in production and tune templates accordingly.

Customer Value

  • Actionable Intelligence: Identify rules that actively contribute to enforcement versus those that may be outdated.
  • Streamlined Templates: Reduce clutter and improve maintainability with data-backed decisions.
  • Confident Changes: Refine or retire rules safely based on measurable usage.
  • Continuous Improvement: Evolve segmentation strategies using actual traffic patterns.

Enhanced Ecosystem Integrations

  • Works seamlessly with existing template and rule workflows.
  • Supports collaborative auditing and policy review across teams.

Deployment Flexibility

  • Automatically tracks usage for rules created through templates.
  • No additional configuration or agent changes required.
  • Operates consistently across on-prem, cloud, hybrid, agent-based, and Spark-protected workloads.
note

This capability is currently available as a preview feature and can be enabled for customers on request.
When enabled ahead of general release, rule usage metrics will not be immediately representative, as data needs time to accumulate based on observed traffic. Customers should expect a warm-up period before insights become meaningful.

Threat Intelligence Feed – Dynamic Blocking of Malicious IPs

Overview

Xshield now supports dynamic blocking of malicious IP addresses on both Windows and Linux endpoints. Known malicious IP lists imported from third-party threat intelligence providers are automatically enforced to block communication.

Key Highlights

  • Windows support added in this release.
  • Automatic retrieval of malicious IP lists.
  • Real-time dynamic blocking of inbound and outbound communication.
  • Centralized visibility into malicious IP blocking events.

Customer Value

  • Reduced manual effort for firewall rule creation.
  • Consistent protection across OS platforms.
  • Improved security posture through proactive blocking.
  • Operational efficiency via automated, real-time updates.

Deployment Flexibility

  • Enable or disable per asset.
  • Supported on Linux and Windows agents.
  • Requires upgrade to Xshield Agent version 25.4.

Minimum supported Windows OS

  • Windows server 2012 and above and User version: Windows 10 and above

Tenable Vulnerability Management Integration

Overview

Xshield now integrates with Tenable Vulnerability Management (TVM) to deliver large-scale, cloud-native vulnerability synchronization.

Key Highlights

  • Continuous synchronization of vulnerability data via API.
  • Unified asset context correlating Tenable findings with Xshield metadata.
  • Risk-aware segmentation using vulnerability insights.

Customer Value

  • Faster sync performance at enterprise scale.
  • Eliminates manual correlation for operational efficiency.
  • Better-informed risk management using communication and exposure context.
  • Smooth workflows from detection to segmentation.

Enhanced Ecosystem Integrations

  • Provides visibility within segment mapping and breach analysis.
  • Enhances microsegmentation policy tuning.
  • Supports policy and compliance workflows.

Deployment Flexibility

  • Configure via Tenable API keys.
  • Scales with cloud or on-premise Tenable deployments.

Breach Response Support for Gatekeeper Assets

Overview

This release extends Breach Response capabilities to Gatekeeper-managed assets, enabling operators to rapidly contain or harden these assets during security incidents. Gatekeepers can now participate in Breach Response Levels (Red, Orange, Yellow, or custom-defined) and enforce the corresponding isolation or restriction policies based on assigned templates.

Key Highlights

  • Gatekeeper assets can now receive and enforce Breach Response templates.
  • Supports all Breach Response Levels for consistent containment behavior.
  • Enables rapid isolation or hardening of Gatekeeper-protected environments.
  • Aligns Gatekeeper behavior with existing endpoint and server Breach Response workflows.

Customer Value

  • Unified containment strategy across both Gatekeeper and agent-managed assets.
  • Faster, more reliable response during potential breach events.
  • Reduced lateral movement risk by extending dynamic isolation to network entry points.
  • Improves overall Zero Trust resilience and incident response readiness.

Operational Notes

To ensure correct functioning, Breach Response templates should be assigned to Gatekeeper assets only after the Gatekeeper has been upgraded to version 25.4.
Assigning templates before the upgrade may result in inconsistent behavior or ineffective enforcement.

Microsegmentation Support for FreeBSD

Overview

Xshield now extends Zero Trust microsegmentation support to FreeBSD, enabling granular enforcement and visibility across environments that rely on FreeBSD-based workloads.

Key Highlights

  • Full microsegmentation support with port-level, inbound/outbound, and Zero Trust policies.
  • Real-time visibility for communication patterns.
  • Lightweight, optimized FreeBSD agent.

Customer Value

  • Expanded coverage for FreeBSD workloads.
  • Strengthened security posture via least-privilege enforcement.
  • Improved compliance and auditability with enhanced visibility and audit trails.

Enhanced Ecosystem Integrations

  • Integrates seamlessly with Xshield features such as asset discovery, tagging, segmentation workflows, traffic analysis, and policy management.

Deployment Flexibility

  • Simple installation and upgrade workflow.
  • Supports progressive enforcement modes, including Test and Enforce.
  • Operates smoothly alongside Linux and Windows deployments in mixed OS environments.

Feature Availability Notes

FreeBSD support in this release focuses on the core microsegmentation - Enforcement and traffic visibility capabilities.
Some advanced agent capabilities are not part of the initial FreeBSD release, including:

  • Malicious IP blocking
  • Process-based policy

Extended Operating System Support

This release expands Xshield’s supported operating system coverage, enabling broader deployment across modern enterprise environments.

Newly Supported Operating Systems

  • Windows Server 2025
  • Ubuntu 24.04 LTS
  • Red Hat Enterprise Linux (RHEL) 10

These additions ensure customers can onboard and protect the latest platforms as part of their Zero Trust and microsegmentation strategies, while maintaining consistent visibility, enforcement, and operational workflows across diverse infrastructures.

North-South Visibility for Endpoints

Overview

Xshield agent now provides IP-level visibility into North-South traffic on endpoints, closing visibility gaps for traffic entering or leaving the enterprise network.

Key Highlights

  • IP-level insights for inbound and outbound external traffic.
  • Extended monitoring for North-South flows.
  • Enhanced traffic logs for investigations and policy design.

Customer Value

  • Eliminates visibility blind spots for external communication.
  • Strengthens Zero Trust beyond East-West visibility.
  • Faster investigation and response to suspicious connections.

Deployment Flexibility

  • Available for all tenants using Xshield endpoint agents.
  • Can be enabled without affecting existing enforcement.
  • Fully backward-compatible.

Operational Considerations

When enabled on user endpoints (desktops and laptops), North–South visibility may surface a large number of unique outbound communication paths due to normal user activity such as web browsing or accessing SaaS applications.
Operators should account for this expected increase in observed flows when designing Zero Trust policies and plan review workflows accordingly.

Windows Notification Center Integration for Endpoint Security Events

Overview

This feature provides real-time security event notifications directly on user endpoints.
By surfacing important enforcement and breach-response events through the operating system’s notification framework, users and administrators gain immediate visibility into critical security actions.

This capability enhances transparency, user awareness and supports faster response during security incidents.

Key Highlights

  • Real-Time Block Notifications: When the Xshield Agent blocks malicious or unauthorized communication, a Windows system notification is displayed to the user.
  • Breach Response Alerts: Both activation and deactivation of Breach Response mode generate immediate notifications on the endpoint, ensuring the user is aware when containment is applied or lifted.
  • Native OS Integration: Leverages built-in Windows Notification Center capabilities for reliability, consistency, and user familiarity.
  • Non-Intrusive Visibility: Notifications provide essential information without interrupting user workflows.

Customer Benefits

  • Improved Endpoint Awareness: Users receive clear notifications when key security actions occur, reducing confusion and increasing trust in security operations.
  • Faster incident response: Real-time alerts help both users and administrators understand when an endpoint enters containment, supporting coordinated response workflows.
  • Enhanced Transparency: Security actions are visible at the endpoint level without requiring access to the Xshield console.
  • Better Alignment With End-User Workflows: Notifications follow standard Windows UX patterns, minimizing friction and improving adoption.

Deployment Considerations

  • Available on Windows Server 2016 onwards and user version Windows 10 onwards
  • No additional configuration is required beyond enabling relevant enforcement or breach response policies.
  • Notifications follow system-level Windows settings; if notifications are globally disabled, they may not be displayed.

Other Enhancements and Improvements

  • Improved Agent and Utility Performance: This release includes enhancements that make the Xshield agent and the ctagentcmd utility more stable and consistently available, providing smoother upgrade experiences and reducing operational overhead.
  • Server Agent Interface Detection: Server agents now check for new interfaces at a reduced frequency (every 5 minutes), minimizing performance overhead while maintaining visibility.

Xshield Utility Updates (v25.7.5)

Overview

The Xshield Utility v25.7.5 release includes new functionality, performance improvements, and enhanced automation capabilities.

What's New

  • Breach Response Mode support for template configuration and activation.
  • Malicious IP blocking via CLI workflows.
  • Vulnerability collection and listing across tenant environments.
  • Improved file organization under util_data/input_csv_files and util_data/output_csv_files.
  • Smart asset targeting using segment filters.
  • Updated documentation for all commands.

Resolved Issues

Network Reset During Agent Installation/Uninstallation

  • Issue: Temporary network disruption may occur on Windows Server 2019 during Npcap installation or removal.
  • Root Cause: Known issue with the Windows networking stack (see npcaps open issue 53).
  • Resolution: No agent changes required; behaviour documented for customer awareness.

Auto-Push Behavior Change for Simulate-Secure-All Assets

Overview

This release includes an important behavioral change affecting assets with auto-push enabled that are currently in the simulate-secure-all state.

Key Changes

Auto-Push Port Behavior Modification

Following this upgrade, assets configured with auto-push enabled and operating in simulate-secure-all state will experience the following change:

Previous Behavior

  • Internet traffic on affected ports was blocked

New Behavior

  • Ports will transition to Completely Under Test mode
  • Internet traffic on these ports will be flagged as violations rather than blocked
  • This change enables enhanced monitoring and analysis of traffic patterns

Asset Policy Retention

The underlying asset policy will remain unchanged as Intranet Under Test:

  • Ports without template rules will continue to test intranet traffic
  • Internet traffic blocking will continue as before on non-affected ports
  • No action is required to maintain existing intranet security policies

Selective Enforcement Option

If you require full enforcement on specific ports following the upgrade, you may:

  • Utilize micro deployment capabilities
  • Selectively transition ports to fully enforce mode
  • Apply enforcement based on your specific security requirements and risk tolerance

This approach provides granular control over which ports maintain blocking behavior versus monitoring-only status.

Additional Information

For questions or assistance with post-upgrade configuration, please contact our support team at [support contact information].

Important:
We recommend reviewing your current auto-push configurations and planning any necessary micro deployment strategies prior to the upgrade to ensure continuity of your security posture.

Product Documentation Availability

We’d like to highlight the breadth of Xshield product documentation available to support your deployments and day-to-day operations.
The library includes detailed feature guides, configuration steps, workflow examples and best-practice articles designed to help teams get the most value from the platform.

If you haven’t explored the documentation recently, we encourage you to take advantage of these resources. Ongoing updates will continue as new capabilities evolve.

We’re Listening

Your input drives Xshield’s evolution. For questions, feedback, or further assistance, contact customer.support@colortokens.com