Summary

CoreStack v6.0 (2601) marks a significant step forward in the platform's AI-native evolution, delivering an expanded AI Agent capability suite, a new generation of AppSecOps infrastructure dashboards, and foundational platform improvements that raise the performance ceiling for enterprise-scale deployments. This release is anchored by five new Assessment Agent use cases powered by real-time AWS intelligence, deep context management improvements, and a production-grade MCP integration — collectively advancing CoreStack's vision of agentic cloud governance.

On the security side, v6.0 introduces a full AppSecOps Infrastructure Dashboard V1 with nine new widgets and explorer views: three purpose-built explorers for Threats, Misconfigurations, and Vulnerabilities, plus six visualization widgets covering regional heatmaps, account-level risk matrices, resource change timelines, Sankey flow charts, Treemaps, and open issue trends. Azure Defender vulnerability integration further extends coverage by pulling native scan results directly into CoreStack's posture and graph layers.

Platform foundations receive significant investment in this release: Kubernetes horizontal scaling readiness, Service Account API redesign, Account Governance page performance optimization, and CSP cost discovery via delegated blob storage all address real-world enterprise deployment friction. FinOps teams gain a new Budget vs. Spend vs. Forecast visualization widget, a realized savings remediation workflow, new Azure and AWS optimization rules for Service Bus, NetApp Files, ElastiCache, EBS, and S3, plus a Dimensions edit access enhancement. Assessments teams benefit from expanded remediation template coverage for WAFR across both AWS and Azure.

Release Highlights:

Assessment Agent — Five New AWS Intelligence Use Cases — Proactively surfaces AWS service deprecations, SKU changes, and price movements directly within your cloud context
Assessment Agent — MCP Integration — Connects the AI Agent framework to Model Context Protocol servers, enabling richer, tool-augmented agent workflows
Assessment Agent — Context Management Improvements — Reduces prompt bloat and inference cost while improving response accuracy and governance traceability
AppSecOps — Infrastructure Dashboard V1 — Unified security operations dashboard with 9 widgets: Threats, Misconfiguration, and Vulnerability Explorers plus six visualization widgets for regional risk, account severity, change timelines, and posture trends
Azure Defender Vulnerability Integration — Native Azure vulnerability data surfaces in SecOps Posture, Dashboard, and AppSecOps Security Graph
Supply Chain Dashboard UI/UX Enhancements & Drill-Down — Refined Supply Chain Dashboard experience plus drill-down now enabled on the Open Vulnerability by Severity time series widget
Kubernetes Horizontal Scaling Readiness — Application refactored for stateless, multi-pod deployment safety — a critical foundation for enterprise scale
FinOps Optimization Expansion — New optimization rules for Azure Service Bus, NetApp Files, AWS ElastiCache, EBS, and S3 plus a Realized Savings remediation workflow
Budget vs. Spend vs. Forecast Widget — New unified FinOps dashboard widget combining actual spend, budget allocation, and forecast in a single monthly view
FinOps MCP Tools — Gives Assessment agents structured, authenticated access to cloud cost management data across eight functional areas including billing, anomalies, budgets, and cost optimization

FinOps

Budget vs. Spend vs. Forecast Visualization Widget

Description: FinOps teams currently need to navigate multiple dashboards to compare actual spend, budget allocation, and forecast projections. This new widget consolidates all three data streams into a single, unified monthly visualization anchored to a selected budget's time scope. Users can select any active budget, choose a time range, and immediately see how actual spend and forecast track against the allocated budget — enabling earlier detection of overruns and tighter financial governance.

Key Capabilities:

Budget selection filter that dynamically refreshes the widget based on the chosen budget's time scope
Combined line/bar chart showing Actual Spend (solid line), Budget (allocation line), and Forecast (dotted line) at monthly granularity
Time range selector with automatic restriction to the selected budget's period, with user-facing validation messaging when a range is out of scope
Graceful handling of empty and expired budgets

Key Benefits:

Enables proactive cost governance by surfacing budget overruns and forecast drift in a single view before month-end
Eliminates context-switching between separate cost, budget, and forecast screens — reducing analysis time
Aligns financial planning discussions with a shared, time-scoped visual reference that administrators and end users can act on together

CSP Cost Discovery via Delegated Blob Storage

Description: CoreStack now supports cost data ingestion for Azure CSP Indirect customers whose billing data is provided by a Distributor through a delegated Blob Storage Account rather than directly from Microsoft APIs. During CSP account onboarding, users can supply delegated storage account details, which CoreStack uses to securely authenticate, retrieve CUR files, and process cost data through the standard cost engine. This removes a significant barrier for CSP Indirect customers migrating from CSP Direct arrangements, ensuring continuous cost visibility without requiring Distributor tenant onboarding.

Key Capabilities:

Delegated Blob Storage Account configuration during CSP Indirect account onboarding
Connection validation (test connection) for supplied storage credentials
Automated retrieval and processing of daily unbilled CUR files and monthly billing files from the delegated storage location
Cost data mapped and processed through CoreStack's standard cost engine — consistent with native CSP ingestion

Key Benefits:

Enables uninterrupted cost management visibility for Azure CSP Indirect customers migrating from CSP Direct, eliminating data gaps during the transition
Removes the dependency on Distributor tenant onboarding into CoreStack, supporting customers whose distributors are not CoreStack users
Maintains full FinOps module functionality (budgets, anomaly detection, reports) for CSP Indirect accounts post-migration

Dimensions — Account Admin Edit Access Enhancement

Description: Account Admins can now edit dimensions regardless of who originally created them. Previously, dimension editing was restricted to the creator, which created operational bottlenecks when original creators were unavailable or had changed roles. This enhancement aligns dimension management permissions with standard administrative access patterns.

Key Capabilities:

Account Admins can edit any dimension irrespective of the creating user

Key Benefits:

Removes operational blockers caused by creator-locked dimension records
Enables consistent dimension governance by account administrators without dependency on original creators

MCP Tools — FinOps

Description: CoreStack FinOps MCP tools give Assessment agents structured, authenticated access to cloud cost management data across eight functional areas: cloud account discovery, billing trends, anomaly detection, budgets, cost optimization recommendations, Reserved Instance management, savings summaries, and dimension discovery. All tools require a valid CoreStack session and return a standard response envelope, making them composable building blocks for agentic FinOps workflows.

Key Capabilities:

Retrieve cloud service accounts with IDs and display names across one or more tenants, used as the input source for all cost and usage tools
Detect and summarize billing cost anomalies within a configurable date range, with breakdowns by type, product category, resource category, and impacted accounts
Query cost trends with dimension grouping, filter trees, and daily or monthly granularity; retrieve resource consumption and unit-price trends over time
List budgets with aggregated health summaries including spend-vs-budget percentages, over-budget identification, and forecast-exceeded items
Fetch cost optimization recommendations grouped by type (idle, orphaned, right-size) with current and recommended SKUs and estimated savings
Get Reserved Instance purchase recommendations based on historical usage patterns; retrieve coverage and utilization metrics per reservation
Aggregated savings overview combining potential RI savings and actual savings realized to date, with per-provider breakdowns
Retrieve cost dimensions available for grouping and filtering across all FinOps queries

Key Benefits:

Enables Assessment agents and agentic workflows to access live FinOps data — including costs, anomalies, budgets, and recommendations — without requiring custom API integration per use case
Provides a composable, standardized tool set covering the full FinOps workflow from account discovery through optimization and savings tracking
Accelerates AI-augmented FinOps experiences by exposing CoreStack's cost intelligence layer through a consistent, authenticated MCP interface

AppSecOps

Infrastructure Dashboard

Description: v6.0 delivers the first release of the AppSecOps Infrastructure Dashboard — a unified security operations center for cloud infrastructure posture management. The dashboard consolidates nine purpose-built widgets into a single, cohesive interface covering three deep-dive Explorers (Threats, Misconfigurations, Vulnerabilities) and six at-a-glance visualization widgets for regional risk, account-level severity, change activity, issue flow, composition, and posture trends. Together they take Security and Cloud teams from high-level signal to actionable investigation without leaving a single dashboard context.

Key Capabilities:

Three Explorer views (Threats, Misconfigurations, Vulnerabilities) with tabular drill-down, advanced filtering, policy-level context, and integrated remediation actions
Six visualization widgets covering regional heatmaps, account severity matrix, change timeline, Sankey flow, Treemap, and open issue trend
Cross-widget drill-down navigation — summary widgets link directly into the corresponding Explorer for deeper investigation
Export and reporting capability across all Explorer views for audit and compliance workflows

Key Benefits:

Gives Security Operations teams a single operational interface for cloud infrastructure posture — eliminating the need to switch between disconnected dashboards for threats, misconfigurations, and vulnerabilities
Reduces mean time to investigate and respond by connecting at-a-glance risk signals directly to actionable Explorer detail in one click
Delivers posture accountability through trend tracking and cross-account comparison, making it clear whether remediation efforts are making an impact

Primary Workflows & Use Cases :

Risk Scoring & Prioritization: The Graphion Risk Score is the through-line — calculating it, ranking vulns by it, and layering KEV/EPSS context for triage decisions. Example: "Calculate the Risk Score for all vulnerabilities for a given SBOM"
SBOM, Dependencies & Component Analysis: Understanding what's in the software — components, licenses, suppliers from the SBOM itself, plus the dependency graph view: transitive and shared deps, version and license drift across builds, component prevalence, and intake questions like "should I use this library." Example: "For a given build latest, show all the SBOM details — components / licenses / supplier information"
Vulnerability Discovery, Trends & Build-Time Findings: The workhorse "what do I have and how is it changing" category — listing and filtering findings across any scope (Org / Portfolio / App / Project / Build / Cloud / Container) by severity, keyword, or CWE, plus posture trends over time and container-hardening findings from Hadolint/Dockle. Example: "List top xx critical vulnerabilities that include the keyword Python in the description"
Remediation: Patches, Fixes & Supply Chain (OSV.dev): Fix availability and remediation workflow — what's patchable, what's behind on patches, validating that a fix actually closed the CVE — combined with OSV.dev-sourced supply chain vulns and the CVE ↔ GHSA ↔ OSV alias-mapping problem. Examples: "For a given build, show all vulnerabilities that have a patch available"
Asset Hierarchy & Organizational Management: Managing the Portfolio → Application → Project → Build model itself — owners, BCS scores, tags, orphan detection, summary rollups. Less about vulns, more about the org model your customers configure. Example: "Provide a summary of all portfolios within my Organization"

Widgets included in this release:

Widget	Type	What it shows
Threats Explorer	Explorer	All detected threats with drill-down, filtering, policy context, and remediation
Misconfiguration Explorer	Explorer	All configuration policy violations with drill-down, filtering, and remediation
Vulnerability Explorer	Explorer	Infrastructure vulnerabilities correlated with NVD/CVE data
Security Issues by Region	Visualization	Geographic heatmap of vulnerabilities, misconfigurations, and threats by region
Security Issues by Severity and Account	Visualization	Risk matrix showing issue type and severity concentration per cloud account
Resource Changes Over Time	Visualization	Timeline of infrastructure change activity for posture correlation
Security Issues Sankey Chart	Visualization	Flow chart of issue distribution across cloud layers
Security Issues Treemap	Visualization	Hierarchical view of issue composition and severity by resource category
Open Issues Trend	Visualization	Time-series of open infrastructure security issues by severity

Widget Details:

Threats Explorer — Provides a centralized investigative view of all security threats across cloud environments, sourced from runtime detections, behavioral analytics, anomaly detection, and threat intelligence. Users can drill into individual threats, track lifecycle status, review policy-level context and recommended fixes, and trigger manual or integrated remediation actions. Export and reporting support audit and incident documentation workflows.

Misconfiguration Explorer — Provides a unified, queryable view of all configuration policy violations detected across cloud resources. Supports drill-down from summary widgets, advanced filtering by account, provider, resource category, severity, and policy, and direct remediation action (manual or automated). Serves as the primary triage interface for Security, Cloud, and Compliance teams managing multi-cloud configuration posture.

Vulnerability Explorer — Surfaces infrastructure weaknesses across cloud environments by correlating asset inventory with public vulnerability databases (NVD and CVE). Provides tabular drill-down, CVE-level context, severity filtering, and optional remediation actions. Designed for security and IT teams who need to prioritize and act on infrastructure vulnerability findings without leaving the dashboard.

Security Issues by Region — A geographic heatmap showing the distribution of vulnerabilities, misconfigurations, and threats across AWS, Azure, and OCI regions. Supports progressive drill-down from world view to region to account. Enhanced from the existing SecOps Vulnerabilities by Region widget to cover all three issue types in a single unified map.

Security Issues by Severity and Account — A risk matrix heatmap presenting each cloud account's exposure across vulnerabilities, misconfigurations, and threats, broken down by severity. Enables instant cross-account risk comparison and serves as an entry point for drill-down into account-specific Explorer views. Enhanced from the existing SecOps dashboard widget.

Resource Changes Over Time — A timeline visualization tracking infrastructure resource change activity over a configurable period. Identifies spikes in change volume and enables correlation with security posture changes and Explorer findings — bridging infrastructure operations and security context in a single view.

Security Issues Sankey Chart — A flow visualization showing how security issues distribute across cloud layers from provider → account → resource category → issue type. Surfaces which parts of the cloud stack generate the most issues and highlights fixable vs. persistent patterns, supporting prioritized remediation investment.

Security Issues Treemap — A hierarchical, interactive treemap displaying issue composition and severity from resource category down to specific issue types. Rectangle size is proportional to issue volume; color represents severity. Supports progressive drill-down and makes high-volume, high-severity clusters immediately visible without manual filtering.

Open Issues Trend — A time-series chart tracking open infrastructure security issues by severity over time, running parallel to the existing AppSec supply chain vulnerability trend. Enables teams to measure posture improvement over time and holds remediation efforts accountable through a measurable, time-bound open issue count.

Azure Defender Vulnerability Integration

Description: CoreStack now natively ingests vulnerability scan results from Azure Defender, making Azure vulnerability data available across SecOps Posture, the SecOps Dashboard, and the AppSecOps Security Graph. This integration eliminates the need to maintain a separate Azure Defender reporting workflow alongside CoreStack, giving security teams a consolidated view of Azure vulnerabilities within their existing cloud governance context.

Key Capabilities:

Automated ingestion of Azure Defender vulnerability scan results into CoreStack
Vulnerability data surfaces in SecOps Posture, SecOps Dashboard, and AppSecOps Security Graph
Results available for cross-cloud correlation and unified reporting

Key Benefits:

Reduces tool sprawl by consolidating Azure vulnerability visibility within CoreStack rather than requiring separate Defender reporting workflows
Enables cross-cloud vulnerability comparison and posture benchmarking from a single platform
Strengthens AppSecOps Security Graph coverage with native Azure vulnerability intelligence

Supply Chain Dashboard — Enhancements

Description:

This release updates the widget titles across the Supply Chain Dashboard to improve clarity, consistency, and alignment with the naming conventions established in the Infrastructure (Infra) Dashboard. The updated titles are more concise, dashboard-friendly, and reflect the actual content and visualization type of each widget.

As part of this update, the existing Top Ten widget — previously ranked by Graphion score — has been converted to an Explorer widget, offering a more flexible and interactive experience for investigating supply chain vulnerabilities. The widget title has been updated to reflect this change.

Key Capabilities:

The Top Ten (Graphion Score) widget has been converted to an Explorer widget, enabling users to interactively drill down into supply chain vulnerability data rather than viewing a fixed ranked list.
No changes to the underlying data, filters, or chart types for the five non-Explorer widgets — only the display titles are updated.

Key Benefits:

Improved user experience through shorter, cleaner widget titles that are easier to scan at a glance.
Cross-dashboard consistency reduces cognitive load for users who navigate between the Supply Chain and Infra dashboards.
The conversion of the Top Ten widget to an Explorer provides greater analytical flexibility, allowing teams to explore vulnerability data beyond a fixed top-ten view.
Standardized naming conventions make it easier to onboard new users and maintain dashboard documentation.
Lean titles reduce label truncation issues on smaller screen resolutions and embedded dashboard views.

Open Vulnerability by Severity — Drill-Down Enabled

Description: The Time Series Widget showing Open Vulnerabilities by Severity now supports drill-down. Users can click into a severity band on the trend chart to navigate directly to the filtered list of open vulnerabilities at that severity level, enabling faster investigation from the summary view without manually setting filters in the Vulnerability Explorer.

Key Capabilities:

Drill-down enabled on the Open Vulnerability by Severity time series widget
Clicking a severity point or band navigates to the filtered vulnerability list for that severity

Key Benefits:

Reduces investigation time by connecting the trend chart directly to actionable vulnerability detail in one click
Eliminates the need to manually re-apply severity filters in the Vulnerability Explorer when investigating a specific trend data point

Assessments

WAFR Remediation Coverage Expansion (AWS & Azure)

Description: The Assessments module expands its Well-Architected Framework Review (WAFR) remediation template coverage by 10–15% for both AWS and Azure. This release adds remediation templates for 15 AWS policies and 12 Azure policies covering unrestricted port access, encryption gaps, logging configuration, and security contact settings. Broader remediation coverage means more policy violations can be resolved directly within CoreStack without manual remediation steps.

Key Capabilities:

15 new AWS remediation templates covering unrestricted port access (Oracle, RPC, HTTPS, ElasticSearch, MSSQL, RDP, HTTP, SMTP, MySQL, NetBIOS, MongoDB, PostgreSQL), S3 bucket versioning, EBS snapshot encryption, and S3 bucket logging
12 new Azure remediation templates covering unrestricted port access (MongoDB, Oracle, ElasticSearch, MSSQL, RDP, MySQL, HTTPS, HTTP, RPC), critical resource locks, and security contact alert configuration
Remediation templates integrated into the existing WAFR assessment workflow

Key Benefits:

Reduces manual remediation effort for common cloud security and compliance findings by 10–15%
Expands automated fix coverage for both AWS and Azure WAFR assessments, accelerating compliance remediation cycles
Closes coverage gaps for frequently cited unrestricted port and encryption policy violations

Platform

Assessment Agent — Five New AWS Intelligence Use Cases

Description: CoreStack's AI Agent now supports five new proactive intelligence use cases powered by real-time AWS knowledge. These use cases leverage an AWS Master Data graph (covering services, SKUs, regions, pricing, and inventory) and the Assessment Agent framework to surface actionable intelligence about AWS release impacts, instance type deprecations, and price changes — contextualized to each customer's actual cloud usage. Findings are delivered as notifications and email summaries, enabling FinOps and infrastructure teams to act before changes affect them.

Key Capabilities:

Use Case 1: Identify the impact of the latest AWS release on your current cloud infrastructure — analyzes AWS release notes against your inventory and delivers targeted recommendations
Use Case 2: List AWS EC2 SKUs deprecated in the last 3 months — cross-referenced against your active inventory with tenant-specific notification delivery
Use Case 3: List AWS services for which prices have increased in the last 3 months — with per-tenant cost impact analysis
Use Case 4: List AWS services for which prices have decreased in the last 3 months — enabling optimization and renegotiation opportunities
Use Case 5: List AWS services planned for deprecation in the next 3 months — with impact assessment on your current usage

Key Benefits:

Delivers proactive AWS intelligence contextualized to your actual usage — eliminating the manual effort of monitoring AWS release notes and pricing pages
Surfaces deprecation and pricing risks before they become incidents, enabling planned migration rather than reactive response
Scales across multi-tenant deployments with automated background execution and consolidated delivery

Assessment Agent — MCP Integration

Description: CoreStack's Assessment Agent framework now integrates with Model Context Protocol (MCP) servers, expanding the agent's ability to access external tools, data sources, and services as part of its reasoning and response pipeline. This integration unlocks richer, tool-augmented agent workflows — including access to live AWS knowledge bases, external APIs, and future MCP-compatible data sources — without requiring custom integration work for each new capability.

Key Capabilities:

MCP server connectivity integrated into the AI Agent framework
Support for tool-augmented agent workflows using MCP-compatible data sources
AWS Knowledge MCP integration enabling agent access to live AWS release notes and documentation

Key Benefits:

Extends the AI Agent's reach to real-time external data without platform-level custom integration per source
Enables richer, more accurate agent responses grounded in live tool context rather than static training data
Establishes a scalable integration pattern for future MCP-compatible data sources and services

Assessment Agent — Context Management Improvements

Description: CoreStack's Assessment Agent now includes a production-grade context management pipeline designed to improve response accuracy while reducing inference cost. The pipeline automatically detects when a user is referring to prior results, employs a low-cost clarification mechanism for ambiguous references, selectively retrieves execution provenance only for relevant prior turns, and captures structured memory after every interaction. This reduces prompt bloat, improves response consistency, and strengthens the platform's readiness for enterprise compliance requirements.

Key Capabilities:

Automated detection of prior-result references within a user conversation
Low-cost clarification mechanism for ambiguous contextual references
Selective retrieval of detailed execution provenance only for relevant prior turns
Structured memory capture after every interaction for repeatable behavior and governance traceability

Key Benefits:

Reduces inference cost by eliminating unnecessary context injection into every prompt
Improves response accuracy by ensuring the agent has the right context — neither too little nor too much — for each turn
Strengthens enterprise readiness with governance-traceable interaction memory

External APIs

To see the external APIs which have been added, modified, and removed in this release, refer to: External APIs 6.0 (2601)
To see all the available external APIs, refer to: https://docs.corestack.io/reference/accesssummarycount