March 3, 2025 | 1.5.20 | Profiling - Device signature enhancements
- Our device signature now considers temporal attribute changes to improve matching accuracy, reducing false positives from unlikely short-term changes and strengthening long-term associations.
- Joint attributes enhance correlation-based matching, further minimizing false positives.
- Additionally, VPN and proxy detection improves identification when devices switch networks to obscure their identity.
- Port scanning / RAT Detection improvements
- Profiling now provides the ability to check for open ports on commonly used remote access tooling such as TeamViewer, AnyDesk, VNC, and RDP.
- This intelligence is coupled with our existing RAT profiling to provide deep insights into whether a user's device has potentially been compromised or is in use by a malicious remote actor.
- Automation detection
- Our profiling now provides the ability to detect various headless browsers and browser automations such as Puppeteer or Selenium, which are frequently used in malicious attacks.
- App cloning detection
- New global signals trigger on app cloning and use of multiple profiles
Engine - Quantile Features
- All features now have the optional ability to generate quantiles.
- Quantile values can be used to identify anomalies in comparison with an identifier or the overall population.
- These can be used to set adaptive thresholds. The feature values adjust according to population and user norms, providing model drift protection.
- Probability of Time Feature
- The probability of time feature assigns a probability (0–1) to indicate confidence in activity patterns, with higher values signaling unusual behavior.
- The event count provides context for quantile values, and new sidebar widgets visualize usage patterns, including average velocity and confidence bands.
- The user activity timing helps detect anomalies like account takeovers and automation.
Journeys - New rules for handling cookies, JWTs & Base64-encoded content
- We've enhanced data extraction from Cookies and JWT claims with new rules:
- Extract from JWT – Retrieves JSON paths from the header or payload (extraction only, no signature validation).
- Extract from Base64 – Decodes and extracts content from Base64-encoded strings.
- String Key-Value Pair Extraction – Designed for Cookie value extraction but adaptable to other formats.
- Journey Debugger
- The workflows editor now includes a built-in journey debugger, allowing you to test journey changes, validate data mappings, and ensure features and rules function correctly.
- It uses a forward proxy server for testing and introduces a visual debugger to replace the previous command-line-only option.
Portal - Aggregate stats dashboard for investigations
- Fully configurable widget that enables summarization of events shown in the investigations view, such as “the count of events”, “most common IP address”, etc.
- Key identifier dashboard widget
- The Key Identifier widget is designed for forensics queries, and enables selecting an event where a specific identifier (such as an IP address) is the mode (i.e. most-common value) for the search results.
- This widget can be customized to show any attributes or details from the sample event
- Syntax highlighting
- Provides coloring for search terms that enables attributes and constants to be visually distinguished and more-easily read in the system.
- Multi-event compare/list capability
- Multiple events can be selected from the grid in investigations.
- New functionality provides a quick comparison of differences in event identifier values, as well as a map showing captured geolocations.
- Furthermore the portal now supports labeling of multiple events at once.
- Improvements to cookies UI in journey editor
- When implementing web-based journey tracking, cookies are a critical piece needed to join multiple events under the same Journey ID.
- Our journey editor UI now includes improvements to how this functionality is displayed and communicated to journey authors.
- TOTP enforcement for non-SSO users
- Although it is mandatory for all production instances to bring their own SSO Identity provider, this functionality ensures non-production users authenticate with a second-factor step up (Google Authenticator or others)
- Condition support in topx dashboard
- Add query expressions that are applied as additional conditions to filter results
- Journey sankeys in investigations
- The journey sankeys view enables an operator to see, in aggregate, the flow of traffic between mapped steps for a given set of search results.
- Through visual inspection, a user may be able to identify anomalies and potential business logic abuse.
- Features UI Visibility
- The features display in the sidebar has also been extensively updated to sort feature values - with unusual items (whose quantiles sit at the upper-and-lower extremes) shown first, and with color coding to suggest that they may be unusual.
- Users may also now hide features in the system whose values remain at their defaults
|
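The three 1.5.20 extraction rules above (key-value pairs, Base64, JWT), sketched in Python as an added example; this is not Darwinium's code or rule syntax, and every function name and the sample cookie below are constructed for illustration. It shows what "extraction only, no signature validation" means in practice: a claim read this way is still client-supplied input.

```python
import base64
import binascii
import json


def encode_segment(obj):
    """Helper used only to build the constructed sample token below."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample data: the third segment is not a real signature.
SAMPLE_JWT = ".".join([
    encode_segment({"alg": "HS256", "typ": "JWT"}),
    encode_segment({"sub": "user-123", "device": {"id": "d-9"}, "roles": ["buyer"]}),
    "bm90LWEtcmVhbC1zaWduYXR1cmU",
])
SAMPLE_COOKIE = f'theme=dark; session={SAMPLE_JWT}; cart="a=1&b=2"'


def parse_kv(text, pair_sep=";", kv_sep="="):
    """Split 'k=v; k2=v2' strings; separators are parameters so other formats work."""
    out = {}
    for part in text.split(pair_sep):
        key, sep, value = part.strip().partition(kv_sep)
        if sep and key:
            out[key.strip()] = value.strip().strip('"')
    return out


def b64_decode(segment):
    """Decode standard or URL-safe Base64, restoring stripped padding; None if invalid."""
    seg = segment.replace("-", "+").replace("_", "/")
    seg += "=" * (-len(seg) % 4)
    try:
        return base64.b64decode(seg, validate=True)
    except (binascii.Error, ValueError):
        return None


def get_path(doc, path):
    """Walk a dotted path such as 'device.id' or 'roles.0'; None when a step is missing."""
    cur = doc
    for step in path.split("."):
        if isinstance(cur, dict) and step in cur:
            cur = cur[step]
        elif isinstance(cur, list) and step.isdigit() and int(step) < len(cur):
            cur = cur[int(step)]
        else:
            return None
    return cur


def extract_from_jwt(token, path, part="payload"):
    """Extraction only: the signature segment is never checked, so the result is untrusted."""
    segments = token.split(".")
    if len(segments) != 3:
        return None
    raw = b64_decode(segments[0 if part == "header" else 1])
    if raw is None:
        return None
    try:
        doc = json.loads(raw)
    except ValueError:  # covers malformed JSON and non-UTF-8 bytes
        return None
    return get_path(doc, path)
```

Because a token with a rewritten payload and the old signature extracts just as cleanly, values obtained this way suit correlation and anomaly features, not authorization decisions.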
August 19, 2024 | 1.5.19 | - IP address is now treated as PII - Darwinium takes end-user privacy seriously. IP Address is now considered and treated as PII (Personally Identifiable Information)
- Reverse Geocoding
- latitude and longitude calculated for shipping address
- nearest city, state and country calculated from device GPS (SDK only)
- API Certificate CA - The CA has been updated so that new API certificates issued have their expiry extended to 36 months
- Labels - Identifier attribute limitation has been removed from queries in Labels view
- Un-deploy button - A new "Un-deploy" button has been added. In the unlikely event that Darwinium is suspected of impacting traffic, Darwinium Edge deployments can be removed with a single button click
- Audit Logging - logging of all key user actions is now available in new Audit Logging interface
- Encryption Key Rotation - Encryption keys used to secure PII data can now be rotated on demand as required for compliance and security best practice
- Feature Quantiles - The quantile can now be calculated for any feature
- New Tag Profiling interface - An additional tryCollect() interface has been added to tag profiling to provide immediate collection of partial Device Fingerprint attributes
Bug fixes & Improvements: - Admin Menu - has been moved to user drop down menu and Deployments and Node Settings have been added in place to improve user experience and workflow
- Query language fixes - errors when searching for UUID or (some) signature values have been fixed
- Secure ID - A race condition affecting Secure ID collection rates has been fixed
- CloudFront - misc. bug fixes and enhancements
- CloudFlare - misc. bug fixes and enhancements
|
May 9, 2024 | 1.5.18 | - Attribute Validation - invalid/malformed attributes provided via API or extracted via edge are now recorded in a new "invalid attributes" attribute. Visual cues have been added in both the Event Grid and Event Side Bar to aid investigation of integration issues.
- Features - "Same as current event" added as new selection for all feature types.
- Query Language - checkLabel function has been added to search for labels inside Investigations view.
- Behavioural Identity Graph
- Support has been added for composite attributes (Address, Telephone etc)
- Timeline View has been added
- Device Profiling
- Device Signature model has been enhanced
- Mobile device identification models have been enhanced
- Secure ID has had enhancements to make it more robust and effective for session replay detection
- Bugfix: 'unsafe-inline' now supported in CSP edge processing
- Dashboards
- Sorting is now available on Dashboards
|
April 17, 2024 | 1.5.17 | - Dashboard Linking - Dashboards now provide click-through to Investigations Queries
- Identifier View - Added new Timeline View to provide visualisation/insight into Identifier changes over time
Bug fixes & Improvements: - Identifier View - misc. fixes and improvements
- Device Signature - model updated to improve mobile device recognition
- Event Sidebar - misc. fixes and improvements
- API - Telephone Number support added for Dial Code + National Number in addition to E164
|
March 14, 2024 | 1.5.16 | - Akamai(Linode) CDN Support - Official release supporting Linode CDN integration
- iOS/Android SDK - Official release for both Android & iOS devices. Learn more at Mobile SDK Deployment and API Reference
- Dashboards - 12 New dashboards - New ATO Tab containing Suspect Devices, Potential Victims and Attack Velocity in addition to new Device and BOT dashboards
- Identifier View - Event Grid added to Identifier View to display events when clicking on a graph node
|
February 29, 2024 | 1.5.15 | - iOS/Android SDK (beta) - Perform native profiling (with behavioral biometrics) on Android & iOS devices. Learn more at Mobile SDK Deployment and API Reference
- Distance function - search events based on the distance between 2 points
- find events within a given radius of a coordinate (see the network tab) in the event details sidebar
- find events where 2 coordinate attributes exceed a particular value
- Touch biometrics signature - we are now creating a biometrics signature for touch devices. This complements our existing functionality delivered in 1.5.13
|
February 16, 2024 | 1.5.14 | - Header Enrichment - edge journey authors now have the ability to extract attributes from the request body, run decisions, and inject decision outcomes as headers prior to the request going to the origin
- Ability to Create a query from identifier view - users are now able to select 1 or more nodes / clusters in the identifier view, and perform a search in the investigations query view using these values. An icon exists for this on the top-right of the identifier view
Bug fixes & Improvements: - Granular IP info - Where IP intelligence for a given TCP connection is collected from multiple sources concurrently (e.g. Cloudflare AND ipdb), this information is now properly presented as "IP insights" for that vendor
- Device ID - numerous improvements to device re-recognition and signature
- Bugfix: profiling.set_cookie now returns correct results for both edge and tags implementations
- Bugfix: timestamps in sidebar are now filterable (using the context menu on a value)
- Identifier view: - The identifier view now omits DNS IP from the view. This was previously polluting the identifier view as there was over-connection with iterations (due to many users having the same DNS)
|
February 2, 2024 | 1.5.13 | - Biometrics Signatures (mouse)
- Reduces mouse/touch interactions from a step into a single attribute each.
- Can be compared across events to show similarity, where differences in input that lead to more important changes in outcome cause a larger decrease in similarity than less important differences.
- Allow interactions with similar behaviors to be grouped together in the UI.
- Allows outcomes from past events to be extrapolated in real-time to affect decisions about future events with similar biometric behaviors.
- Allows Darwinium users to efficiently find correlations and discrepancies in biometric behavior for the same account.
- Identity Graph Updates
- Provide the ability to adjust the similarity match parameters on multiple identifiers simultaneously
- Note: the behavior of this screen has changed slightly - you need to hit "search" in the top right to update changes
- Journey Authoring Feedback
- Warnings are now shown when authoring journeys where dependencies are not met, for example invoked rules and features where the attribute may not be present
- Query view - The query view has been redesigned with better usability in mind. In particular there have been changes to the time range selector and the query text input may be height-adjusted (similar to Microsoft Excel)
Bug fixes & Improvements: - Device signatures - fixed multiple issues where device signatures were being mis-classified and merged identifiers were not coalescing correctly
- CVV - fixed an issue with input where numbers were being interpreted as a CVV and the data was being dropped
|
November 12, 2023 | 1.5.12 | - Journey authoring Feedback - Provides inbuilt diagnostics for self-service journey authoring (streamlines setup process)
- Expression feature - enables aggregate statistics around any user-entered expression that produces a number
- Improved device ID re-recognition
- Numerous Performance tweaks to edge implementations
|
October 3, 2023 | 1.5.11 | - Edge Deployment
- Deployment monitoring - Deployment monitoring enables Darwinium to monitor the status of deployed workers on your CDN infrastructure to ensure their correct operation, and provides user indication if a misconfiguration has occurred after a deployment (such as a change to, or clearing of, a route). It has been designed to work with both Darwinium's inbuilt deployment manager and with externally managed deployments using Terraform. To use deployment monitoring you will need to enter a new set of credentials with read-only access to your AWS CloudFront Distribution or Cloudflare workers in node settings.
- Support for multiple edge targets - Previously our deployment manager supported a single configuration for Cloudflare and CloudFront deployment. Release 1.5.11 provides support for sophisticated deployment topologies where multiple edge targets are required. Darwinium routes traffic to specific configurations through the use of a target's valid_host_list parameter, defined in your node's journeys.yaml file.
- Support for host aliases - Users now have the ability to define one or more aliases for a given hostname defined in the valid_host_list of journeys.yaml. For example, if your valid_host_list contains example.com - you can provide aliases such as www.example.com, staging.example.com, foo.bar.com. At deploy time, Darwinium reviews this list and re-aligns its routes accordingly. If no aliases are provided, the system will fall back on the original hostname.
- Ability to use a single git repository for multiple environments - Darwinium provides the concept of nodes. Nodes provide segmentation of event data, access permissions, deployment configuration, and decisions to particular environments (e.g. prod, staging) or brands. In the previous status quo a node has a 1:1 relationship with a git repository that stores node-specific journey definitions.
With new functionality, a single deployment artifact is able to operate across environments, without having to copy configuration files from one node repo (e.g. staging) to another node repo (e.g. production). This functionality has been designed to operate with our new host aliases and support for multiple edge targets functionality.
- Ability to work with existing Cloudflare service bindings - This new functionality enables Darwinium's deployment manager to deploy to routes where an existing Cloudflare worker is present. We use Cloudflare's Service Bindings to enable both Darwinium workers and your existing workers to co-exist.
- Ability to directly execute PMML models in workflows - This feature enables users to generate Predictive Model Markup Language (PMML) files using their own tooling, which can then be uploaded to your node's git repo and executed in journey workflows in the same way that rules or feature files are executed. Users are able to select an output defined in the PMML model, which provides the model score.
Under the hood, Darwinium converts this model into WebAssembly, which is then executed directly at the edge.
- Customer S3 bucket transformer - Provides the ability to extract event data written to a customer-hosted S3 bucket using our Python library. This can be achieved without needing to call Darwinium's services, and only S3 read credentials to the customer bucket are needed.
- Profiling
- Support for Shadow DOM elements in edge-side and tags-only deployment. New configuration parameters enable the use of a deep query selector that is able to locate DOM elements that are nested within a shadow root.
- Touch Dwell Time Biometrics context - Darwinium now provides profiling.javascript.touch_biometrics.swipe['DWELL_TIME'].* attributes. DWELL_TIME is the time interval between a touch start and a touch release, and is useful in models such as bot detection
- Signal - Profiling signals disabled/permission denied on device - profiling.device.signals now provides a number of additional signals to denote when features such as geolocation or accelerometer have been disabled on a profiled device:
- GEO_DENIED_BY_USER
- GEO_FAILED_UNKNOWN
- GEO_DISABLED
- IOS_SENSOR_DENIED_BY_USER
- IOS_SENSOR_DISABLED
- Darwinium Portal
- Identifiers view
- Added a setting for max iterations - this defines the number of associated leaves to iterate through when displaying the graph. A lower number of iterations means fewer connections.
- Display of labels associated with an identifier node - provides the ability to instantly identify good and bad behavior on a given identifier node
- Ability to maintain focus on a selected node across settings changes
- Graph layout and performance improvements
|
August 18, 2023 | 1.5.10 | - DNS Profiling - Darwinium now supports the ability to profile end-user DNS IP addresses used to resolve hostnames. This feature will automatically begin working when you update your profiling plugin (use marketplace > Darwinium profiling > Install)
- Fuzzy Digital ID Support (Beta) - Our engine has added the ability to resolve multiple similar device identifiers into a single value automatically. Previously used identifiers are visible in the merged_identifiers attribute
- Identifiers View (Beta) - The identifiers view enables exploration of entities and their links. Devices are grouped into clusters of similarity
- Protobuf Support in Engine - The Journey Assistant and Journey editor now support extraction and mapping of request headers, bodies and query parameters encoded in protobuf format. This is a binary transmission format that has become popular through technologies such as gRPC.
- Journey Metadata - support for signals created in assemblyscript files (.ts) to be visible in the event detail sidebar
|
July 26, 2023 | 1.5.9 | - Enhanced signals and scores - We now use metadata collected when you publish a journey to populate signals & scores view of the event details sidebar. This means more granular insights into where a signal produced is coming from in your rules, as well as the ability to filter on the condition constituting a rule (if applicable)
- PII field redaction in query URL - when creating a step where the step url may contain elements of Personally Identifiable Information (PII), Darwinium now redacts this information from the step_url attribute
- Daily synchronization of IP database - We now synchronize our IP intelligence database feed on a daily basis (previously this was updated with every release)
|
June 29, 2023 | 1.5.8 | - Biometrics Visualization in detail sidebar - Release 1.5.8 includes a significant update around the visualization of biometrics data from keyboard, mouse and sensors. Previously this was shown as raw values in the event detail sidebar. With the new enhancement we provide tabulated statistics for each form field as well as additional timing statistics illustrating how an end user navigated form fields on a page.
- HTTPS profiling - HTTPS profiling provides comprehensive details on the device using information extracted from the TLS handshake process. This includes details such as JA3 fingerprints. This can be seen in the event detail sidebar (where supported) under "network insights"
- Feature visualization in event detail sidebar - Feature values now provide detailed insights around the definition that they were created from. To view this, simply hover your mouse over a feature definition in the event details sidebar.
|
June 15, 2023 | 1.5.7 | - Edge-side event encryption - Darwinium edge workers now encrypt all sensitive event data on the edge worker prior to this being sent to Darwinium (or your own S3 infrastructure).
- Customer S3 storage - Customers are now able to store their event data on their own S3 infrastructure. More information can be found at Data Storage On Darwinium
- Journey Debugger (Alpha) - We have developed a new tool in our workflow editor that enables Debugging Journeys in a single-user mode prior to deployment using our Journey Assistant proxy. Please view documentation for more information
- Tags-only profiling - For customers who do not have a compatible CDN, Darwinium now provides traditional tags based profiling capability. More documentation can be seen at: Tags Deployment
- Support for step-level snippets - Marketplace Extension authors can now create snippets and templates that operate at a step level. Previously we provided integrations that operated in the data mapping and workflows scope. This new functionality has been used by Darwinium to create our Tags-only profiling capability.
- Terraform support - Customers who have a sophisticated deployment review process or who do not wish to enter their CDN credentials now have the ability to manage deployment using an external Infrastructure As Code (IaC) platform such as Terraform or Pulumi. More details on the use of this can be found at: Controlling Darwinium's deployment using Terraform
|
May 29, 2023 | 1.5.6 | - New Dashboards - Bot - The bot dashboard provides non-realtime analysis on your event traffic and provides a breakdown of bot traffic - both good and bad. It is available to all customers on Darwinium's main landing page
|
March 8, 2023 | 1.5.5 | - Migration of event data to use HPKE - Darwinium has migrated encrypted event data from AES-256-GCM to Hybrid Public Key Encryption. This provides the advantage of being able to encrypt data with a public key, with the reduced size of asymmetric encryption. We plan on using this new functionality to encrypt events at the edge in a later release this year
|
Feb 27, 2023 | 1.5.4 | - Deployment manager - Previously Darwinium was configured to automatically deploy changes to a Journey when they were pushed to a customer's node git repository. Deployment Manager now provides the ability to manage builds, select a build for deployment and roll-back configuration to previous values.
|