May 2026 Release Notes

Three meaningful additions in one release: Brand Protection moves into its own page, Managed Takedowns goes from manual workflow to managed add-on, and Threat Intelligence customers can now pull the raw stealer archive.

Whiteintel Team

Product

May 9, 2026

This release ships the deepest set of changes since Q1. Three additions stand out — each aimed at a different layer of the incident-response stack — plus a long tail of polish across the platform. Here's what's new.

Brand Protection

A dedicated page for look-alike monitoring, takedown lifecycle, and registrar context. Enterprise & Threat Intelligence.

Managed Takedowns

Hand the registrar abuse process to our analysts. New add-on, sold in 10-takedown packs.

Full Log Downloads

Pull the raw stealer archive — wallets, files, host artifacts. Threat Intelligence subscriptions.

1. Brand Protection — its own page

Look-alike domain monitoring used to live as a tab inside Watchlist Events. It was always a slightly awkward fit — the workflow is different, the signals are different, the response cadence is different. So we moved it out.

Brand Protection is now a top-level destination in the sidebar with two subtabs:

  • All Domains — the detection table with WHOIS, DNS, SSL, MX, page title, and screenshot context for every flagged look-alike. Sticky filters for status, identifier, and date range.
  • Takedown Requests — the queue of cases your team has filed (in-house or ad hoc), each with its full lifecycle timeline, registrar contact, and any rejection / info-needed notes from the takedown team.

A fast-triage detail side panel pops on any row — domain, screenshot lightbox, raw DNS, inferred registrar, and one-click actions to push to Jira, Slack, or our managed takedown queue.

Brand Protection page — look-alike domain detection table with WHOIS, DNS, SSL, and screenshot context

Where to find it: sidebar → Brand Protection. Available on Enterprise and Threat Intelligence licenses; the entry shows in the sidebar for every plan but unlocks the page only for eligible tiers.

2. Managed Takedowns — now an add-on

We launched Managed Takedown Services last week as a beta workflow. It's now graduated to a fully-supported add-on with explicit pricing, queueing, and SLAs.

The mental model: detection without removal is just expensive monitoring. Our analysts file the request, package the evidence, escalate when the registrar stalls, and document resolution end-to-end. You get a clean queue to watch, your team gets their time back.

Two ways to file

From any look-alike domain WhiteIntel detected (one click in Brand Protection), or via the new Ad Hoc Takedown form for domains your team sourced through other channels.

Pricing

$1,000 per 10-takedown pack ($100 each, minimum pack). Credits never expire while subscribed. Available on Enterprise and Threat Intelligence plans.

Credit refund

If a takedown is rejected by a non-ICANN-compliant or hostile registrar outside our reach, the credit is returned to your pack and can be re-used on another case. Credit refund only — your pack is replenished, your billing is unchanged.

Lifecycle visibility

Every case carries Created → Submitted → (Info Needed) → Completed/Rejected/Cancelled timestamps, plus a per-stage timeline and any notes from the takedown analyst — viewable in the case detail panel.

Managed Takedowns queue showing case lifecycle, statuses, and analyst notes

Where to find it: Brand Protection → Takedown Requests subtab, or the Ad Hoc Takedown button in the same view.

3. Full Stealer Log Archive Downloads

Threat Intelligence customers can now pull the raw stealer archive for any compromised host — directly from the History tab of any infection record, when archive availability allows.

What lives in the archive that's not already in the credentials view:

  • Crypto wallets — wallet files, recovery seeds, exchange session state.
  • Browser state — cookies, autofill, saved cards, form history.
  • Application data — chat session files, password manager databases, VPN configs, source-control credentials.
  • Host-level artifacts — system info, running processes captured at infection time, dropper paths, screenshot of the infected desktop.

The use cases are the high-stakes ones: executive compromise reviews, lateral-movement scoping, breach disclosure, threat-actor attribution. Cases where "we found credentials" isn't enough — you need to reconstruct what attackers actually saw on the host.

  • 1-click: download from the History tab.
  • Sandbox: handling warning built into the flow.
  • Dedup-aware: never re-pulls the same archive.

A short note on availability: not every infection record carries a downloadable archive. Older logs and certain stealer families ship without a packaged artifact. The History tab now surfaces a Full Download Available indicator next to each snapshot when one is present, so you know without clicking.

History tab with Full Download Available indicator and per-snapshot Download Full Log button

Where to find it: any record detail sidebar → History tab → per-snapshot Download Full Log button. Threat Intelligence subscription required.

Smaller polish that adds up

Beyond the three big additions, this release also ships a long tail of usability work:

  • Sidebar Pro pills — gated features (Brand Protection, Investigation+, Webhooks) now show a small PRO badge in the sidebar for non-eligible plans instead of disappearing entirely. Click still navigates to the gated page where an upgrade screen explains the requirement.
  • What's New menu — a permanent What's New entry in the sidebar (with a purple outline frame) re-opens this release announcement any time, so users who dismissed the launch modal can revisit.
  • Mobile defaults — sidebar collapses by default on phones, the Activity panel on Global Search is closed by default on mobile, and look-alike screenshots render with object-contain on narrow viewports so logos don't get cropped.
  • Live entitlements — license changes now propagate to the UI without a page reload (after returning from checkout, switching tabs, etc.).
  • Takedown detail timeline — the case-detail panel now visualizes the full lifecycle including the new Info Needed and Cancelled states, with their notes surfaced inline.
  • Login redirects: ?next= on the login URL now honors deep links to whitelisted internal pages, so SSO/manual logins land where the user was headed.
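
One way to validate a post-login ?next= target against an allowlist of internal pages, as described in the Login redirects item. This is an added example, not WhiteIntel's code; the path prefixes, fallback page and origin are hypothetical.

```javascript
// Added example: allowlist check for a post-login ?next= target.
// ALLOWED_PREFIXES, FALLBACK and ORIGIN are hypothetical values, not the platform's routes.
const ALLOWED_PREFIXES = ["/brand-protection", "/watchlist", "/search"];
const FALLBACK = "/dashboard";
const ORIGIN = "https://platform.example"; // placeholder base, used only to parse the path

function safeNext(rawNext) {
  if (typeof rawNext !== "string" || rawNext.length === 0) return FALLBACK;
  // Control characters are stripped and backslashes turned into "/" by URL
  // parsers, so a value containing either is refused before any parsing.
  if (/[\u0000-\u001f\\]/.test(rawNext)) return FALLBACK;
  // Only path-absolute references: one leading slash, never "//host" or a scheme.
  if (!rawNext.startsWith("/") || rawNext.startsWith("//")) return FALLBACK;

  let url;
  try {
    url = new URL(rawNext, ORIGIN);
  } catch {
    return FALLBACK;
  }
  // Defence in depth: the parsed target must still be on the base origin.
  if (url.origin !== ORIGIN) return FALLBACK;

  // url.pathname has dot segments resolved, so "/allowed/../other" is
  // compared as "/other". Match on a path-segment boundary, not a bare
  // string prefix, so "/brand-protection-old" does not pass.
  const path = url.pathname;
  const allowed = ALLOWED_PREFIXES.some(
    (p) => path === p || path.startsWith(p + "/")
  );
  return allowed ? path + url.search + url.hash : FALLBACK;
}

// Constructed sample inputs: a deep link that is honored and values that fall back.
const SAMPLES = [
  "/brand-protection/takedown-requests?case=42",
  "//other.example/brand-protection",
  "/brand-protection/../settings",
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "->", safeNext(s));
}
```

The redirect uses the normalized value the function returns, never the raw parameter, so the destination checked is the destination sent.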

How to access it

Sign in to platform.whiteintel.io. The What's New modal will fire on your next page load with a quick walkthrough and links to each feature.

New to WhiteIntel? Start a free account to explore the platform, or talk to our team about which tier fits how you operate.
