## [Chromium 9.7.0 / Firefox 9.7.0] (March 2026)
### DAST, IAST, and SAST analysis improvements
- **DAST: new Analysis and Coverage tabs**
  - Added an **Analysis** tab to highlight the most interesting DAST candidates for manual follow-up, with clearer evidence and faster handoff to R-Builder.
  - Added a **Coverage** tab to show which engines (**DAST**, **IAST**, **SAST**, **SCA**) contributed evidence for the same host/session and where coverage is still missing.
- **IAST: new buckets**
  - Added **IAST buckets** to group runtime findings and signals into practical client-side attack surfaces such as **Execution**, **Authz/State**, **Data/Storage**, **Messaging**, **Navigation**, and **Runtime**.
  - This makes IAST results easier to review even when raw findings are sparse.
- **SAST: new buckets**
  - Added **SAST buckets** to group code-level artifacts into practical review areas such as **Routes**, **Endpoints**, **GraphQL**, **Params**, **Surfaces**, and **Gadgets**.
  - This helps focus code review on the areas most useful for security testing.
- **Export / import**
  - Improved scan export/import handling for easier sharing and reloading of scan results.
  - Added clearer progress feedback for long-running scan management actions.
- **UI improvements**
  - Reworked **DAST**, **IAST**, and **SAST** result UIs to surface actionable information first and move raw engine metadata into secondary details.
  - Improved evidence display, confidence visibility, and R-Builder handoff flows.
- **Performance / Stability**
  - Improved cross-engine coverage analysis so DAST can reflect related **IAST**, **SAST**, and **SCA** results from the same host/session.
  - Reduced IAST overhead and fixed multiple workflow and UI regressions to make scans more stable and responsive.
This release improves how PTK presents and connects DAST, IAST, and SAST results. DAST now includes dedicated Analysis and Coverage views, IAST and SAST now use bucketed summaries to make large result sets easier to review, and the UI focuses more on actionable testing guidance and less on raw engine metadata.
## [Chromium 9.6.0 / Firefox 9.6.0] (February 2026)
### Reporting overhaul: PDF/Markdown export, Executive vs Technical presets, and correlation
- **Report export (PDF + Markdown)**
  - Added report export in **PDF** format.
  - Added report export in **Markdown** format for easy sharing in tickets, docs, and GitHub/GitLab.
- **Executive and Technical report presets**
  - Introduced **Executive** reports for shareable, prioritised summaries.
  - Introduced **Technical** reports with deeper per-engine detail and evidence.
- **Summary section**
  - Added a dedicated **Summary** section for quick high-level visibility (totals and key risk highlights).
- **Findings management and triage**
  - Added **severity filters** to manage and triage findings faster.
  - Improved prioritisation by focusing on Critical/High/Medium findings first.
- **Confidence scoring and correlated findings**
  - Added **confidence scoring** to help separate high-signal findings from potential noise.
  - Added **correlated findings** across **DAST**, **IAST**, **SAST** and **SCA** to highlight issues backed by multiple engines.
- **Safer, cleaner exports**
  - Implemented **safe-by-default redaction** for exports (tokens, `Authorization` headers, cookies, storage values).
  - Improved evidence readability with **truncation** and consistent formatting (including monospace blocks where applicable).
  - Executive reports now **deduplicate/group** repeated findings to reduce noise (especially for repeated SCA/SAST-style entries).
This release modernizes PTK reporting with PDF and Markdown exports, introduces Executive and Technical report presets, and adds correlation and confidence scoring across DAST/IAST/SAST/SCA to make prioritisation easier. Exports are safe-by-default with redaction enabled, evidence is more readable, and Executive reports are cleaner thanks to deduplication and grouping.
## [Chromium 9.5.0 / Firefox 9.5.0] (January 2026)
### JWT attack accuracy, SPA attack support & faster UI
- **JWT attacks improvements**
  - Improved JWT attack validation to reduce noise and increase reliability.
  - Fixed false positives for `alg=none` detection by tightening success/verification criteria.
  - Improved handling of public/unauthenticated endpoints so “expected” responses aren’t reported as vulnerabilities.
- **SPA attacks support**
  - Added improved support for attacking Single-Page Applications (SPAs) with client-side routing.
  - More reliable navigation and in-app flow handling during DAST execution.
- **UI performance improvements**
  - Faster, more responsive dashboard experience, especially while scans are running.
  - Reduced UI jank caused by heavy analysis/binding work under load.
This release improves the accuracy of JWT attacks (especially around `alg=none` and public endpoints), expands DAST support for modern SPA flows, and delivers UI performance optimizations for smoother day-to-day scanning.
## [Chromium 9.4.0 / Firefox 9.4.0] (December 2025)
### CVE lookup, stronger IAST instrumentation & UI polish
- **CVE Lookup module (passive + active)**
  - Added a new CVE Lookup module for passive CVE checks (non-invasive fingerprinting).
  - Added 10 new CVEs supported across both passive lookup and DAST attack coverage.
- **IAST improvements with chrome.debugger**
  - Enhanced IAST visibility and correlation by leveraging chrome.debugger.
  - Improved reliability for complex browser-driven flows and modern SPAs.
- **UI improvements & bug fixes**
  - Multiple UI refinements and stability fixes across the extension to improve usability, performance, and overall reliability.
This release introduces CVE-focused passive checks with expanded CVE coverage, strengthens IAST instrumentation via chrome.debugger, and delivers a set of UI and stability improvements.
## [Chromium 9.3.0 / Firefox 9.3.0] (December 2025)
### Unified scan model, smarter attacks & CVE coverage
- **Unified scan model**
  - Standardised the DAST, SAST and IAST scan envelope and finding structure (including `effectiveSeverity`).
  - Updated the extension UI to use a common `normalizeScanResult` view model.
- **Modules & rules refresh**
  - Cleaned up `modules.json` / `catalog.json` and IAST modules with consistent metadata (description, recommendation, links, OWASP/CWE, severity in metadata).
  - All recommendations are now HTML-sanitised for safe rich-text display.
- **DAST attack strategy options**
  - Added configurable scan profiles: **Fast / Smart / Comprehensive**.
  - Control atomic vs per-parameter attacks and stop re-attacking the same URL/parameter once a module has a confirmed finding.
- **CVE-focused DAST modules**
  - Added CVE modules using the **React2Shell** attack flow, including coverage for **CVE-2025-55182** labs.
  - Targets modern React-based injection chains.
- **IAST stability & noise reduction**
  - Fixed IAST module loading (background push + content pull on reload).
  - Externalised sink rules into JSON.
  - Reduced false positives where sources were previously reported as generic hashes.
- **SCA integration groundwork**
  - Defined how SCA scan results fit into the unified scan/finding model.
  - Adjusted the portal schema to support SCA alongside DAST/SAST/IAST.
This release focuses on making all engines speak the same scan/finding language, tightening module metadata, and laying the foundations for SCA and CVE-driven DAST, while improving IAST stability and reducing noise in real-world scans.
## [Chromium 9.2.7 / Firefox 9.2.7] (November 2025)
### SAST engine overhaul
- SAST runs off the main thread
  - Chrome: MV3 offscreen document + worker
  - Firefox: background worker
- Richer SAST telemetry with per-file and per-module progress events
- Improved taint traces and trace visualisation in the findings UI
- Taint model cleanup, new rule filters, and refined `document.cookie` handling
SAST now executes in a dedicated worker context (offscreen document on Chrome MV3, background worker on Firefox), so heavy JavaScript scans no longer freeze the UI and remain responsive even on large SPAs. New structured telemetry emits per-file and per-module progress, while upgraded taint traces and visualisation make it easier to follow data flows end-to-end. The taint model has been refined with cleaner `document.cookie` handling and new rule filters to cut noise and keep reports focused on the most relevant issues.
## [Chromium 9.2.6 / Firefox 9.2.6] (November 2025)
### DAST
- **Queued, rate-limited attack execution**
  Rebuilt the runtime scanner around a queued worker pool with token-bucket rate limiting, per-plan/per-module locking, and resilient worker error handling. Large scans now complete more reliably under throttling, with safe retries and no request storms.
- **Request fingerprinting & consistent drill-downs**
  All outgoing requests are fingerprinted before being queued, so duplicate attacks are deduplicated at the planner level. Each attack plan now carries its own context end-to-end, keeping per-request drill-down views consistent with live stats and historical counters.
- **DAST UI filters & live counters**
  The DAST panel now supports scoped filters (`all` / `vulns` / `5xx` / `4xx`) plus per-request filtering. Filters feed back into the aggregated counters so operators can slice and dice results without losing a trustworthy high-level view.
### SAST
- **New rules & expanded coverage**
  Added new SAST rules to broaden coverage across client-side injection, cookie handling, and DOM-driven flows, improving the depth and breadth of findings surfaced during scans.
- **Taint trace visualisation**
  Taint traces are now surfaced directly in the UI and reports, showing the full `source → propagation → sink` chain. This makes it easier for developers to understand *why* a value is tainted and how it flows through the application.
- **Library-aware scanning (less noise)**
  Well-known third-party libraries such as jQuery are now excluded from SAST analysis to reduce false positives and noise, keeping the focus on your application-specific code.
- **Richer, self-contained findings**
  Report cards now render sanitized source/sink metadata, taint traces, contextual code snippets, and rule guidance so each finding is self-contained and ready for developers to act on without cross-referencing raw logs.
- **New SAST report UI**
  The SAST report UI has been refreshed to better group findings, highlight key context, and keep source/sink traces readable, aligning the in-app cards with exported report structure.
## [Chromium 9.2.5 / Firefox 9.2.5] (June 2025)
### Changes
- Attacks on each parameter separately
- Vulnerable parameter is reported
- Attacks on JSON
- Bug fixes
## [Chromium 9.2.3 / Firefox 9.2.3] (June 2025)
### Changes
- All scans can be managed from the dashboard panel
- Added SAST taint flow rules
- Added DAST settings to manage requests per second and concurrency
- Bug fixes
## [Chromium 9.1.1 / Firefox 9.1.1] (May 2025)
### Changes
- Added SAST feature
- Improved DAST capabilities
- Bug fixes
## [Chromium 9.0.0 / Firefox 9.0.0] (May 2025)
### Changes
- Added IAST feature
- Bug fixes
## [Chromium 8.9.3 / Firefox 8.9.2] (May 2024)
### Changes
- R-Attacker is now DAST
- Cheat sheets added for XSS and SQL
- Bug fixes
## [Chromium 8.8.3 / Firefox 8.8.2] (February 2024)
### Changes
- R-Builder with cURL support
- R-Builder export/import functionality
- Bug fixes
## [Chromium 8.7.3 / Firefox 8.7.2] (January 2024)
### Changes
- JWT attacks added
- Bug fixes
## [Chromium 8.6.3 / Firefox 8.6.2] (December 2023)
### Changes
- JSON Web Token Inspector
- Bug fixes
## [Chromium 8.3.3 / Firefox 8.3.2] (February 2023)
### Changes
- Request builder with DAST scan feature.
- More passive attacks according to the OWASP Secure Headers project.
- Attacks improvements.
- UI improvements
- Bug fixes
## [Chromium 8.2.3 / Firefox 8.2.2] (September 2022)
### Changes
- Request builder with declarativeNetRequest support for Chrome/Edge browsers.
- Macro and traffic recording feature is back again.
- Reload extension functionality added. There are a lot of changes related to manifest V3, and because the service worker may become inactive after 5 minutes, you may sometimes need to reload PTK.
- UI improvements
- Bug fixes
## [Chromium 8.1.3 / Firefox 8.1.2] (August 2022)
### Changes
- Cookie editor lets you manage cookies (add, edit or remove), define rules to block or protect cookies, and import/export them.
- Bug fixes
## [8.0.3] (June 2022)
### Changes
- Manifest 3 support for chromium based browsers
- R-Attacker, R-Builder and Encoder/Decoder data is saved in local storage, so your data survives a browser restart
- Macro and Traffic recording no longer supported
- Bug fixes
## [7.5.3] (February 2022)
### Changes
- Improved R-Attacker module to support attacks for every parameter separately
- Added R-Attacker external integration to support Selenium tests
- Bug fixes
## [7.5.2] (December 2021)
### Changes
- New stored XSS attack with window.postMessage payload!
- Wappalyzer module updated to the latest version
- Bug fixes
## [7.5.1] (November 2021)
### Changes
- New! Reporting feature has been added, so you can generate a report in one click.
- Wappalyzer and Retire NPM module updated to the latest version
- Privacy policy is now in place, please check it out
- Bug fixes
## [7.4.0] (September 2021)
### Changes
- Retire.js NPM module added to identify known vulnerabilities (CVE)
- Wappalyzer NPM module updated to the latest version
- Bug fixes
## [7.3.0] (August 2021)
### Changes
- Tabs monitoring functionality improvements
- Bug fixes
## [7.1.0 / 7.2.0] (June 2021)
### Changes
- Recording authentication now starts in incognito mode when allowed (not supported in Firefox)
- Fixed an issue with recording events on iframes in a new popup window
- R-Builder can now store requests
- Added a blacklist for R-Attacker to exclude .css and .js files from attacking
- Added a new attack - JWT None algorithm
- Added a disclaimer
## [7.0.0] (April 2021)
### Changes
- Added encode and decode features
- Fixed an issue with \ and ` characters in macro recording
## [6.2.5] (April 2021)
### Changes
- Added double click support for macro recording
- Added an option to generate additional delays when exporting a macro, for better SPA support
- Removed HAR viewer due to a problem with the PerfCascade NPM module
- Bug fixes
## [6.2.1] (March 2021)
### Changes
- Improved dashboard performance and detection
- Added ability to execute requests and export a HAR file with recorded output
- Bug fixes
## [6.2.0] (March 2021)
### Changes
- New R-Attacker functionality - scan in runtime and get a report once completed
- New Proxy tab to monitor requests for selected tab
- Dashboard - Web Application Firewall detection card
- Dashboard - Storage/Authentication card (with auto decoding of JWT tokens)
- Incognito mode is now separated, no shared resources between normal and private windows (not supported in Firefox)
- NPM package release - 1.0.2
- Bug fixes
## [6.0.0] (December 2020)
### Changes
- ES6 standard support
- NPM modules support
- Cross-browser support including incognito mode on Firefox browsers
- Added R-Attacker to allow attack execution against any request
## [5.0.0] (October 2020)
### Changes
- Cross-browser support
## [4.1.0] (September 2020)
### Changes
- Export a list of URLs discovered while browsing an application
- Export a list of FQDNs discovered while browsing an application
- Added SQL Injection attacks against POST requests
## [4.0.0] (May 2020)
### Changes
- New Dashboard view
- Request builder executes a request based on a simple URL
- New macro event type added to support JavaScript. When selected, the exported macro will contain JavaScript code to help simplify playback on most modern SPA apps like ReactJS/Angular
- Added recording import to support conversion from Selenium .side and .html recordings to a JavaScript macro
- Real-time event tracking during recording/playback in the floating window. The tracker window is draggable and resizable
- iFrames support added for recording/playback
- Added HAR viewer for traffic recording
- Improved performance by limiting number of tracking tabs
## [3.1.9] (March 2020)
### Changes
- Export macro recording using Driver events by default
- Issue with validate functionality fixed
- Bug fixes
## [3.1.5] (February 2020)
### Changes
- UI changes to improve user experience
- Macro auto export and auto save features have been added
- Bug fixes
## [3.1.1] (December 2019)
### Changes
- Swagger YAML to JSON converter has been added
- Fixed an issue where the 'Host' header was missing from recorded traffic
## [3.1.0] (October 2019)
### Changes
- Incognito mode support for traffic/macro recording
- Macro replay notifications added
- Improved display of HTML responses in request builder
- Added traffic analysis for authentication
## [2.2.11] (May 2019)
### Changes
- Added onChange event support for macro recording and replay
- Fixed an issue with traffic recording
- Fixed an issue with delete event during macro recording
- Fixed an issue with backspace event during macro recording
- Added functionality to validate HTML using a regex after macro replay
- Fixed an issue when request builder used wrong header
- Added functionality to display a response as HTML
## [2.2.7] (April 2019)
### Changes
- Fixed an issue with Access-Control-Allow-Origin response header
- Added local file support for the Swagger utility
- AS Pro / AS Enterprise support disabled by default
- Minor fix for messages passing
- Added support for AS Pro / AS Enterprise validate functionality
- Fixed issues with export/download macro
- Fixed issue with validate functionality
- Request builder now supports 2xx, 3xx, 4xx, 5xx response statuses. Added support for Referer and User-Agent request headers
- Replay macro functionality has been added
- Validate functionality for AppSpider Pro reports