
Co-founder and COO

June was a heavy month for the web app, with three releases landing. The common thread was making AI operations measurable and the vulnerability workflow sharper, with two new integrations, a faster Windows install path, and a long list of fixes alongside. Here are the highlights:
The biggest addition this month is a full picture of what your AI operations actually cost. The AI Usage page now offers 7, 30, and 90-day ranges with a KPI strip covering spend, investigations, cost per investigation, and tokens. From there you can break spend down by model and by detection rule or agent, each with a per-investigation unit cost, and read anomaly and trend indicators against a savings trend chart. Sub-cent costs now display with adaptive precision (for example, $0.0042) instead of rounding away to $0.00.
For MSSPs, the CSV export now supports per-tenant re-bill markup, so chargeback math comes straight out of the platform. The AI Usage view was previously available only in Grid, and it now sits in the main web app sidebar under the AI group, gated by the ai_agent.get permission.
The Vulnerabilities module saw a round of changes driven directly by customer feedback. The host table now splits the combined column into distinct, sortable Application and CVE columns, so sorting by Application groups every CVE for a package together. This is the per-application view people had been asking for. The org drawer defaults to application sort, while the sensor tab keeps score sort.
The Platform filter now correctly scopes the CVEs tab, which previously ignored it, and the dashboard charts and KPI tiles update to reflect active Severity and Platform facets. A new per-finding "Report incorrect detection" action collects a structured false-positive reason and relays it to the product team, separate from the local triage action for marking a finding as a false positive.
Orgs without the Vulnerability Reporting extension now see a clear subscribe call-to-action instead of a misleading empty state, and several layout and accuracy fixes landed alongside: KEV and Total tiles now read server-computed host-wide counts rather than page-limited values, CVE descriptions render as sanitized HTML, and the CVE detail page layout is stable with tables sized to their actual row count.
LimaCharlie added Fleet Billing, a cross-tenant billing console built for MSSPs managing many customer tenants from one place. It pairs naturally with the new per-tenant chargeback markup in the AI Usage export for providers who need to attribute and re-bill cost across their fleet.
The AI Terminal continued to mature across all three releases. A docked corner chat gives you a persistent launcher with pop-out, draft-new-session, minimize and maximize, and a live-session selector. You can fork an AI session with full lineage tracking, share a session with the ShareCard, and browse sessions from a card-list view inside the chat layout.
Session state reporting got clearer too, with Running, Waiting, and Ended statuses and an indicator when a session is waiting on user input. Completed tool-call groups now render as carded rows matching the system log, and the state badges use cleaner outlines that stay legible in both light and dark mode.
The Gmail adapter arrives with full frontend support for both single-mailbox OAuth and Workspace service-account (domain-wide) setup, with per-feed capability toggles and subject scoping. Service-account credentials are masked and stored as a managed secret.
ThreatLocker support, which landed as a platform and adapter earlier in the month, now exposes Include Child Organizations scoping for parent API tokens along with individual toggles for the Approval Requests, Unified Audit, and System Audit feeds.
Installing the Windows sensor no longer requires the manual EXE or MSI path. The install wizard now leads with a PowerShell tab containing a single copy-paste command using LimaCharlie's hosted install.ps1 script, which auto-detects architecture and runs in an elevated session, mirroring the Linux curl one-liner. The manual installer tab is still there if you need it. The Add Sensor connectivity panel also now lists the org's webhook endpoint alongside the existing addresses, which makes firewall setup for cloud sensors and webhook adapters easier to get right.
Two fixes restored expected behavior for apps. Calls to external origins declared in allowed_origins now work, because apps load from a real HTTP origin with their own permissive floor CSP rather than inheriting the console's strict policy. The brokered lc.api path and app isolation are unchanged. Apps also open correctly on Grid now, where they had been failing with a sandbox handshake timeout.
The per-stage search timing breakdown is now on by default for everyone, with a kill switch for instant rollback. Saved queries got more flexible as well: you can now edit a saved query's body in the Edit Query modal rather than only renaming it, the client-side size limit was raised to match the backend's 1024-byte ceiling, and projection queries that select ts without an alias now keep the column and format it as a readable timestamp.
Branded deployments can now hard-disable entire product areas through runtime config feature flags, covering fleet billing, case management, automation SOPs, mini apps, and the AI terminal. Each flag hides navigation, blocks direct URL access, and removes in-app entry points, with everything enabled by default unless explicitly turned off. Runtime configs also gained support for a dedicated dark-theme logo.
This is a small slice of what shipped in June. For the complete feature list and every bug fix across 5.9.0, 5.10.0, and 5.11.0, read the full release notes on Docs.