Release Notes 5.3 (2504)

December 2025

Summary

CoreStack 2504 delivers significant enhancements across FinOps, SecOps, AppSecOps, Assessments, CloudOps, and the Core Platform.

This release introduces FinOps Visibility for Kubernetes (K8s), starting with AWS EKS. It further strengthens compliance and security posture, and introduces powerful AI/Agent capabilities and governance improvements throughout the platform.



FinOps

Kubernetes (K8s) Cost Dashboards

Description

New and enhanced dashboards and widgets provide K8s-specific cost summaries, trends, spend by dimension, top pods, and variation analysis with Kubernetes-aware filters. Initial support in this release is for AWS EKS.

Key Benefits

  • Provide FinOps and platform teams with a single pane of glass for K8s spend.
  • Support drill-down capability from high-level trends to pod-level costs.
  • Support analysis across dimensions such as Clusters, Namespaces, Workload Types, Utilization Types, Resource Types, and K8s Labels across Pods & Namespaces.
  • Enable persona-based dashboards for executives, FinOps, and engineering teams.

Kubernetes (K8s) Cost Support in Dimensions

Description

This feature extends CoreStack Dimensions to include Kubernetes filters (clusters, labels, pods, services, namespaces, utilization) to allocate costs to specific groups, while preventing double-counting when combined with cloud accounts.

Key Benefits

  • Align K8s costs with business dimensions such as business unit, application, team, or environment.
  • Maintain accurate, non-duplicated cost allocation across cloud and K8s resources.
  • Reuse Kubernetes dimensions across dashboards, chargeback, and reports.

CoreStack Dimensions – "Unallocated" Grouping Rule

Description

This adds "Unallocated" as an optional grouping rule in Dimension configurations to highlight costs that don't match any defined rules, with RBAC-controlled visibility.

Key Benefits

  • Quickly identify unmapped or poorly tagged spend.
  • Improve cost allocation completeness and tagging hygiene.
  • Respect RBAC controls, ensuring only appropriate roles can view unallocated costs.

Dimension Support for Cost Anomaly

Description

This enables anomaly detection at the Dimension group level (e.g., Department, Application). When anomalies are detected at the Dimension group level, CoreStack automatically analyzes the contributing resources. With detection at multiple levels (cloud account, resource category, Dimension group, and resources), the Cost Anomaly capability extends its coverage.

Key Benefits

  • Connect usage and anomaly data directly to business dimensions.
  • Detect unexpected spend spikes in business-relevant groupings.
  • Provide drill-down capability from the dimension group (e.g., Application) to resource-level impact for root cause analysis.
  • Configure thresholds for anomaly detection and notifications per dimension for tailored control.

ED – Query-Based Filters - Time Period Additional Presets

Description

This adds new time period presets (e.g., last 3/6/12 months, previous 12 months, previous 3 quarters) to FinOps views.

Key Benefits

  • Accelerate time-based analysis with one-click presets.
  • Improve trend and seasonality insights for key customers and partners.

Azure MCA Cost Visibility

Description

This release adds deep visibility for Azure MCA (Microsoft Customer Agreement) billing data across FinOps dashboards, Billing Inventory, Dimensions, and BillOps. MCA cost, usage, adjustments, and marketplace charges are now fully ingested and normalized.

Key Benefits

  • Unified Azure cost visibility across Azure EA, MCA, and other billing models.
  • Accurate allocation using Dimensions and BillOps rerating.
  • Marketplace and adjustment tracking with full cost context.
  • Simplifies transitions from EA to MCA for enterprises and partners.

Note: If existing MCA accounts were onboarded as independent subscriptions and the parent account is then onboarded, costs will be duplicated for the overlapping accounts. Once the new accounts are onboarded, make the individual subscriptions inactive and update other filters and budgets accordingly.

Export Large Datasets via NextGen Reports

Description

NextGen Reports now supports exporting large datasets (enterprise scale - rows) in structured CSV format. Exports can run on-demand or on a schedule (daily/weekly/monthly), with secure tenant-scoped processing and short-lived download access.

Key Benefits

  • Reliable large-scale exports across cost, inventory, and usage datasets.
  • Flexible scheduling with delivery to email for analytics, compliance, and archival workflows.
  • Strong multi-tenant isolation with secure, temporary file access.

SecOps

Compliance Assessment Report Enhancement

Description

This enhances compliance reports to support grouping by control category, severity, and resource type, and adds options to download the full report or only violations filtered by severity.

Key Benefits

  • Support for different views such as severity and resource types.
  • Better align with posture-style analysis.

New Compliance Standards

Description

Added CIS AWS 5.0, CIS AWS 6.0, and CIS GCP 4.0 to the Compliance Standards marketplace.

Key Benefits

  • Align environments with industry-recognized best practices.
  • Simplify audits and regulatory readiness for cloud workloads.

AppSecOps

Dashboard

New Widgets Introduced

  • Vulnerabilities by Age: A bar chart that shows vulnerabilities grouped by NVD/SBOM age.

Existing Widget Improvements

  • Vulnerability by Component: Supports drill-down on a component, showing both total and unique vulnerabilities.
  • Vulnerability by Severity and KEV: Supports drill-down on vulnerabilities, with a toggle for different groupings.
  • Vulnerabilities over Build by Severity and KEV: Supports drill-down on new vulnerabilities, affected components, and resolved vulnerabilities.

API Security

Description

As part of the Vulnerability Graph, the project node now supports an API node. This surfaces AWS API-related misconfigurations from CoreStack policies directly on the AppSecOps Vulnerability Graph, with comprehensive drill-down details.

Key Benefits

  • Provide early visibility into API-layer risks.
  • Connect misconfigurations to applications and resources visually.
  • Accelerate triage and remediation for misconfigured APIs.

Container Security

Description

As part of the Vulnerability Graph, the project node now supports a container node. This displays both build-time and runtime container misconfigurations (AWS and Azure) in the Vulnerability Graph, with full policy and resource context. The build-time view surfaces the Dockle/Hadolint issues ingested through the API as part of the build. The runtime view surfaces AWS and Azure container-related misconfigurations from CoreStack policies directly on the AppSecOps Vulnerability Graph, with comprehensive drill-down details.

Key Benefits

  • Strengthen build and runtime container security posture.
  • Help teams visualize container risk alongside other AppSec issues.
  • Enable faster remediation through clear, contextual details.

Additional Source Integrations

Description

OSV.dev has been added to enrich vulnerabilities with "fix available" information across AppSecOps views and widgets. This information will be surfaced in the "Risk Prioritised Software Supply Chain Vulnerabilities" widget and on vulnerability detail pages.

Key Benefits

  • Make remediation prioritization easier by highlighting fixable issues.
  • Improve developer workflows by pointing to known fixed versions.

Assessments

"None of the Above" Option for WAFR Assessments

Description

This adds a "None of the above" choice for questions in Assessments, preventing forced, inaccurate answers when no listed option applies.


CloudOps

Proactive Governance Scanner

A new automated scanner has been introduced to validate cloud resources against key governance and compliance rules.

Key Benefits

  • Improved governance through automated policy checks.
  • Early detection of misconfigurations and non-compliant resources.
  • Enhanced security posture with default encryption and NSG validation.
  • Optimized resource usage with T-shirt size recommendations.
  • Better operational visibility via tagging and lifecycle rule validation.
  • Increased reliability of integrations like Service Bus and Logic Apps.

Policies

Three New GCP policies developed

  • GCP Audit SQL Auto Storage Resize Enabled CS Policy.
  • GCP Audit Project Has Service Account Creation Disabled CS Policy.
  • GCP Audit Project Has Restricted API Services CS Policy.
  • GCP Audit Project Has Cloud Asset Inventory Enabled CS Policy.

Platform

Kubernetes Cluster Onboarding & Governance

Description

This provides a unified experience to discover, onboard, and centrally govern Kubernetes AWS clusters.

Key Benefits

  • Achieve single-pane governance for AWS clusters.
  • Reduce onboarding friction with guided workflows and validations.

Azure MCA Onboarding Flow

Description

This enables full onboarding of Azure MCA accounts (Billing Account, Billing Profile, Invoice Section, Subscription) into CoreStack for governance and visibility.

Key Benefits

  • Simplify modern Azure onboarding as EA transitions to MCA.
  • Support multi-level governance from global to project/workload levels.
  • Prepare MSPs and enterprises for future Azure commercial models.

AI Agent Enhancements

Description

This includes a set of enhancements to the CoreStack AI Agent platform in terms of knowledge and performance.

  • Assessment AI Agent supports additional knowledge on policy violations, violated resources and workload resources.
  • AppSecOps AI Agent supports additional knowledge on Infrastructure associated with Applications, Threat and Vulnerabilities.
  • AppSecOps AI Agent now supports agentic feed to surface contextual, AI-driven insights about vulnerabilities and risks.

Key Benefits

  • Provide richer, context-aware responses across Assessments and AppSecOps.
  • Provide processing steps during response generation.
  • Enhanced user experience with improved performance.

Availability of MCP Servers

Description

MCP provides significant value that goes beyond manual interactions. It is currently available for Assessments and AppSecOps.

Key Benefits

  • Automation at Scale - MCP enables programmatic access to your data.
  • Real-Time Integration - MCP gives the AI direct access to live data from your databases, APIs, and business systems.
  • Embedded in Your Workflows - MCP allows you to embed AI capabilities directly into your existing applications, tools, and automated workflows.

Account Management Enhancements

Description

This improves clarity and hygiene around projects and access across CoreStack.

Key Benefits

  • Access type change from Org Account to Linked Projects – Clarifies and updates how access types are represented when moving from org-level accounts to linked projects.
  • Auto-Onboarded Linked Projects – 'Onboarded By' System Reference – Clearly shows system-driven onboarding for auto-linked projects.
  • Deleted Cloud Provider Projects Not Shown in CoreStack – Hides projects deleted in the cloud provider, reducing clutter and confusion.

Add/Update Tags for Not-Onboarded Cloud Accounts

Description

This allows tagging of not-yet-onboarded cloud accounts within CoreStack.

Key Benefits

  • Enable pre-onboarding organization and planning.
  • Improve governance readiness by ensuring accounts are labeled before activation.

Reports

New Reports

NA

Report Enhancements

NA


Bug Fixes

NA


Known Issues

NA


Upcoming Changes

The following compliance standards will be decommissioned in release 2602:

  • CIS AWS 3.0
  • CIS AWS 2.0
  • CIS Azure 2.0
  • CIS Azure 2.1

External APIs