Autonomous Teammates
GreyMatter Agentic Teammates now activate automatically in response to new threat advisories. When an advisory is published and matched to a customer's environment profile, four teammates spring into action in parallel: Threat Intelligence generates a tailored advisory report, Threat Hunter executes a custom hunt package against telemetry, Incident Response recommends IOCs to block, and Detection Engineering identifies detection coverage gaps and recommends new rules. This release also introduces three manually triggered weekly workflows that surface trends and recommendations on demand:
Weekly Risky Users Report & Recommendations
Weekly Rule Performance Review & Recommendations
Weekly Alert Trends & Patterns Report
GreyMatter Chat — Resource Center Support
GreyMatter Chat can now interact directly with the Resource Center, enabling users to search, discover, and navigate documentation using natural language — without leaving Chat.
GreyMatter Chat — Discover
Customers with Discover can now access Discover data directly in Chat. Users can ask natural-language questions to gain insight into their asset inventory — including outdated operating systems, highest-risk assets, public-facing servers, EDR coverage gaps, and missing security controls. For customers with both Discover and Teammates, the experience is enhanced: teammates analyze asset and misconfiguration data to deliver prioritized findings with actionable remediation steps, and can work across capabilities — for example, pairing with the Threat Hunter to generate hunts based on a customer's highest exposures.
Discover — External Scanning for Asset Discovery
Discover now includes external scanning, giving customers visibility into their internet-facing assets from an attacker's perspective. The feature uses Shodan to monitor customer-defined IP ranges and netblocks, performing daily scans that identify open ports, running services, and known vulnerabilities. Results are automatically ingested, normalized, deduplicated against existing inventory, and enriched with risk context. External scan data appears in new widgets on Discover Asset pages — providing a unified view of exposure to help prioritize remediation.
Discover — Asset Routing
Discover now supports OpCo asset routing, enabling parent companies to share integrations with child operating entities and automatically route assets, identities, software, and misconfiguration data to the appropriate OpCo.
Discover — SaaS Inventory
Discover now includes SaaS Inventory, giving customers visibility into the SaaS applications their organization is using and surfacing exposures tied to threat intelligence to help prioritize action. Data is pulled from supported integrations — initially Okta, Microsoft Defender for Cloud Apps, and Netskope CASB — and presented as a centralized inventory. Customers can also mark applications as unauthorized, which generates an exposure for the application along with associated follow-up tasks for impacted users. In addition, when new threat intelligence advisories are published that match an application in inventory, Discover automatically creates an "Impacted: [threat advisory]" exposure.
IP Allow List Enforcement for GreyMatter API Keys
GreyMatter API keys can now be restricted to trusted IPs or CIDR ranges defined by the customer, adding an extra layer of protection if a key is ever exposed. Refer to the Configuring API IP Allow Lists article in the GreyMatter Resource Center for setup details.
Intel Updates — Run Hunt
Intel Updates now include a Run Hunt button in the top right corner of every update article. With one click, GreyMatter builds a hunt query based on the updated indicator list within that update — no need to leave the article. Users can still launch a hunt from the Actor page to include all updated IOC information for the past 30 days, or hunt on specific indicators in the Intel Update for a more direct query.
New Direct Sources
| Source | Supported GreyMatter Capabilities |
|---|---|
| Akamai APP and API Protector | Detection at Source — Vendor Authored, Intel Push, Respond |
| Halcyon | Investigate / Hunt, Asset Inventory, Detect — Alert Ingestion (ReliaQuest Authored), Respond |
Enhanced Direct Sources
| Source | Updated GreyMatter Capabilities |
|---|---|
| Microsoft Defender for Office 365 | Respond — New Playbook: Disable Inbox Rule / Enable Inbox Rule |
| Microsoft Intune | Respond — New Playbook: Wipe Device |
| Check Point Harmony Email and Collaboration | Respond — New Playbook: Enrich Alert |
| Microsoft Entra ID | Respond — New Playbook: Block IP / Unblock IP |
| Microsoft Office 365 | Respond — New Playbook: Disable Inbox Rule / Enable Inbox Rule |
| Cisco Umbrella | Respond — New Playbook: Add IP to List / Remove IP from List |
| Palo Alto WildFire | Respond — Migrated Playbooks: Analyze URL (formerly Scan URL / File URL) and Enrich URL (formerly Forensics Analysis Retrieval) |