Foreword from Charles Herring

Almost seven years ago we started research and development on methods that would enable the global community to share workloads, intelligence, reporting and evidence that would make the world more secure while reducing the costs associated with cybersecurity. WitFoo Precinct 6.2 delivers capabilities that have not previously existed to humanity. We can now report crime to law enforcement, prove regulatory and vendor requirements on a continuous basis, law enforcement can safely request assistance from the private sector, organizations can pool expertise across geographically separated security centers.

CISO’s can validate and prove their strategies, budgets and staffing in a language the CEO, CFO and Board can understand. MSSP can identify gaps for their customers before they become breaches and automate detection and response. MSP can safely deliver security services to their existing customers. Unlimited data can be processed, stored and analyzed across federated clusters at the industry’s lowest total cost of ownership. WitFoo powered products are deployed in under an hour with no need to create or maintain connectors, parsers or rule logic.

When we started in 2016, I had no idea how much we would have to solve. Virtually everyone thought we were mad to try to solve such a broad set of problems. I am eternally thankful to the contributors, investors, early adopting customers, advisors and partners that gave us the ability to take a run at it. Precinct 6.2 delivers features that have been validated in military, Fortune 500, public cloud, private cloud, MSSP, mid-market, educational and small business networks and against their unique use-cases. It is my pleasure and deep honor to announce WitFoo Precinct 6.2 is now available for all audiences (GA) to access and use. -Charles D. Herring, WitFoo co-Founder & Chief Technology Officer


Build IDs: 6-2-1, saas-6-2, master-2027


WitFoo Incident Responder

Enhancements in Precinct 6.2 allow Incident Responders to quickly comprehend and respond to ongoing threats and coordinate with law enforcement when appropriate.
WitFoo Incident Responder Workflows

WitFoo Assessor

Assessor workflows transform machine data into reports on compliance, readiness and business effectiveness to enable architects, auditors, insurers, solution developers and executives to do their part to secure the world together.
WitFoo Assessor Workflows

WitFoo Threat Researcher
Precinct 6.2 introduces new features that allow incident responders to coordinate evidence with Threat Researchers across law enforcement and national security to thwart cybercrime and make the world secure together.
WitFoo Threat Researcher Workflows


  • Improved loading indicators in UI
  • Cluster Status (green check mark on top bar) show retention status report to assist in audits and compliance. (RC3)
  • MeasureRisk Cyber Hygiene Score shown on dashboard (RC2)
  • SaaS: Allow Dispatch Jobs to run on on-prem Streamer Node (RC2)
  • Support for WitFoo Precinct Cloud 2.0 (RC2)
  • Build custom lead rules. See : (RC1)
  • Support for DataStax Astra Cassandra Cluster. See: (RC1)
  • Support for RFC6587 framed syslog on port 7514/tcp. (RC1)
  • Asset Search (RC1)
  • Threat Intel Search Interface. (RC1)
  • Threat Actor Creation, Detection and Sharing (RC1)
  • Machine Learning on internal Asset Categorization (RC1)
  • Modus Operandi Support for Network/IT OPS, Financial Crimes and SCADA attacks (RC1)
  • Interface for toggling Modus Operandi (RC1)
  • TAXII 2.0 Support (RC1)
  • Multi-tiered Multi-tenancy reporting (RC1)
  • API for manual Verification of Control (RC1)
  • Incorporate Human annotations into Reports (RC1)
  • Load incident when URL has querystring for ID and partition (RC1)
  • Right bar for Actor Node Type (RC1)
  • Create Agent Editor (RC1)
  • Okta User inventory collected via integration (RC1)
  • UI support Actor facet on Incident listing & query (RC1)
  • Intel: render cyto as Incident linkboard on “Relations” tab (RC1)
  • Time snapshot/histogram of compliance API (RC1)



  • Cassandra to 4.1.0
  • Kafka to 3.3.1
  • Improve RAM recovery (RC2)
  • Faster processing/throughput at lower CPU cost (RC2)
  • Configuration option for Investigative Engine (IE) processing threads (RC2)
  • Up-to-date reporting on message processing for observed tools, sending hosts and streamnames (RC2)
  • Faster loading of Incident Lists (RC1)
  • Improved Resource management in vertical scale (RC1)
  • Faster Artifact Indexing for Searching (RC1)
  • Faster Data disk clean up (RC1)
  • Remove Logstash container from stack (utilize custom listeners) (RC1)
  • Remove Metricbeats container from stack (utilize custom metrics) (RC1)
  • Retool Tenant/Agg key change daily to prevent bruteforce & allow editor (RC1)
  • Retro processing of new hit intel (RC1)
  • Asset Columns (RC1)
  • Node API: Add cyto and caching (RC1)
  • Move Logstash Features to Streamer (Remove Logstash) (RC1)
  • Intel: Zoom map out to global level (RC1)
  • Datacenter awareness (RC1)
  • Allow multiple criteria of the same type on artifact searches (RC1)



  • Dispatch Job interval processing can fail (RC3)
  • Job interval processing can fail (RC3)
  • Attachments can fail to save on casebooks (RC3)
  • Incident loads can fail/time-out (RC3)
  • Casebook status does not sync between aggregator and tenant (RC3)
  • Incident analysis can fail (RC3)
  • UI can present memory leak and poor performance (RC3)
  • When internal IP space is reconfigured, assets doe not update internal determination (RC3)
  • Adding compliance documentation can fail to attach to correct control (RC3)
  • UI compatibility fails in Safari (RC3)
  • Job and update sync can crash in certain circumstances (offline-library) (RC2)
  • Clicking Assets view results in logout (RC2)
  • IG filter count does not match the count of incidents displayed (RC2)
  • Getting kicked out of UI (RC2)
  • Cases not retaining status when closed (RC2)
  • Closing an incident doesn’t POST correct status_id (does use correct status_name) (RC2)
  • Incident Lists may not load (RC1)
  • Compliance calculations are inaccurate in some situations (RC1)
  • Casebooks may not load (RC1)
  • Federated Data may not synchronize (RC1)
  • Artifact Search results may be missing results (RC1)
  • Taxii name can be missing (RC1)
  • Missing name on Assets (RC1)
  • Country code not in Artifact search results (RC1)
  • Nessus integration not working (RC1)
  • Actor edit needs visible scroll bar (RC1)
  • Clicking Search doesn’t give immediate indication that submission was received (leading to multiple submissions from user) (RC1)
  • Global IOC data on right bar should wrap (currently truncating) (RC1)
  • Support Request buttons not rendering properly (RC1)
  • Okta events and Assets not paginating (RC1)
  • Some ThreatFeed submissions do not contain ‘hit’ (RC1)
  • Asset query is slow for some users (RC1)


NOTE: How to take control of when your deployment of Precinct upgrades.

NOTE: Clear Chrome cache using the instructions linked here.

RSS Feed for release notes is:

Email notifications for WitFoo Release Notes can be subscribed to here: