Back to Blog
July 1st, 2026

Developer Roll Up: June 2026

Picture of Christopher Luft
Christopher Luft

Co-founder and COO

blog post header image

June was a heavy month for the web app, with three releases landing across the month. The common thread was making AI operations measurable and the vulnerability workflow sharper, with two new integrations, a faster Windows install path, and a long list of fixes alongside. Here are the highlights:

AI cost observability and ROI

The biggest addition this month is a full picture of what your AI operations actually cost. The AI Usage page now offers 7, 30, and 90-day ranges with a KPI strip covering spend, investigations, cost per investigation, and tokens. From there you can break spend down by model and by detection rule or agent, each with a per-investigation unit cost, and read anomaly and trend indicators against a savings trend chart. Sub-cent costs now display with adaptive precision (for example, $0.0042) instead of rounding away to $0.00.

For MSSPs, the CSV export now supports per-tenant re-bill markup, so chargeback math comes straight out of the platform. The AI Usage view was previously available only in Grid, and it now sits in the main web app sidebar under the AI group, gated by the ai_agent.get permission.

A sharper Vulnerabilities workflow

The Vulnerabilities module saw a round of changes driven directly by customer feedback. The host table now splits the combined column into distinct, sortable Application and CVE columns, so sorting by Application groups every CVE for a package together, the per-application view people had been asking for. The org drawer defaults to application sort, while the sensor tab keeps score sort.

The Platform filter now correctly scopes the CVEs tab, which previously ignored it, and the dashboard charts and KPI tiles update to reflect active Severity and Platform facets. A new per-finding "Report incorrect detection" action collects a structured false-positive reason and relays it to the product team, separate from the local triage action for marking a finding as a false positive.

Orgs without the Vulnerability Reporting extension now see a clear subscribe call-to-action instead of a misleading empty state, and several layout and accuracy fixes landed alongside: KEV and Total tiles now read server-computed host-wide counts rather than page-limited values, CVE descriptions render as sanitized HTML, and the CVE detail page layout is stable with tables sized to their actual row count.

Fleet Billing for MSSPs

LimaCharlie added Fleet Billing, a cross-tenant billing console built for MSSPs managing many customer tenants from one place. It pairs naturally with the new per-tenant chargeback markup in the AI Usage export for providers who need to attribute and re-bill cost across their fleet.

AI Terminal and session management

The AI Terminal continued to mature across all three releases. A docked corner chat gives you a persistent launcher with pop-out, draft-new-session, minimize and maximize, and a live-session selector. You can fork an AI session with full lineage tracking, share a session with the ShareCard, and browse sessions from a card-list view inside the chat layout.

Session state reporting got clearer too, with Running, Waiting, and Ended statuses and an indicator when a session is waiting on user input. Completed tool-call groups now render as carded rows matching the system log, and the state badges use cleaner outlines that stay legible in both light and dark mode.

Two new integrations

The Gmail adapter arrives with full frontend support for both single-mailbox OAuth and Workspace service-account (domain-wide) setup, with per-feed capability toggles and subject scoping. Service-account credentials are masked and stored as a managed secret.

ThreatLocker support, which landed as a platform and adapter earlier in the month, now exposes Include Child Organizations scoping for parent API tokens along with individual toggles for the Approval Requests, Unified Audit, and System Audit feeds.

A one-line Windows installer

Installing the Windows sensor no longer requires the manual EXE or MSI path. The install wizard now leads with a PowerShell tab containing a single copy-paste command using LimaCharlie's hosted install.ps1 script, which auto-detects architecture and runs in an elevated session, mirroring the Linux curl one-liner. The manual installer tab is still there if you need it. The Add Sensor connectivity panel also now lists the org's webhook endpoint alongside the existing addresses, which makes firewall setup for cloud sensors and webhook adapters easier to get right.

Apps runtime fixes

Two fixes restored expected behavior for apps. Calls to external origins declared in allowed_origins now work, because apps load from a real HTTP origin with their own permissive floor CSP rather than inheriting the console's strict policy. The brokered lc.api path and app isolation are unchanged. Apps also open correctly on Grid now, where they had been failing with a sandbox handshake timeout.

Search and query

The per-stage search timing breakdown is now on by default for everyone, with a kill switch for instant rollback. Saved queries got more flexible as well: you can now edit a saved query's body in the Edit Query modal rather than only renaming it, the client-side size limit was raised to match the backend's 1024-byte ceiling, and projection queries that select ts without an alias now keep the column and format it as a readable timestamp.

Branded deployments

Branded deployments can now hard-disable entire product areas through runtime config feature flags, covering fleet billing, case management, automation SOPs, mini apps, and the AI terminal. Each flag hides navigation, blocks direct URL access, and removes in-app entry points, with everything enabled by default unless explicitly turned off. Runtime configs also gained support for a dedicated dark-theme logo.

This is a small slice of what shipped in June. For the complete feature list and every bug fix across 5.9.0, 5.10.0, and 5.11.0, read the full release notes on Docs.