What’s actually shipped.

Readiness you choose, evidence you can trust

This release gives you more control over how your security readiness is measured, reported, and understood, and makes the evidence behind it easier to trust. Readiness now reflects the priorities you set rather than a one-size-fits-all view, and the score and evidence behind it are clearer about what they are based on and where you genuinely stand. Whatever you choose to focus on, significant security risks still remain visible, ensuring important issues are not overlooked.

• Decide which frameworks ScanPosture reports on, and change them as your priorities do. The frameworks you have not selected stay available to explore, but never appear as failed or incomplete.
• Rely on a score that reflects your real position. When a security area depends on Microsoft capabilities that are not available in your tenant, that limitation is clearly reflected in your readiness rather than being silently excluded.
• Explore any supported framework on demand before committing to it. Generate a one-off readiness view you can read or share, and switch on ongoing reporting only when it is useful to you.
• Prepare for Cyber Essentials and Cyber Essentials Plus with more clarity. Each Cyber Essentials area links to the official sources behind it, and a dedicated Cyber Essentials Plus view organises your evidence around the areas an assessment covers while staying clear about what still needs independent checking. It supports your preparation, and does not certify or predict a result.
• Tailor all of this for every client you manage. Each client has its own framework choices, readiness, and Cyber Essentials Plus preparation, with reporting kept cleanly separate.

Clearer scan emails and evidence reporting

The scan summary email now explains anything that could not be assessed automatically in plain language, grouped into evidence you can supply, automated evidence gaps, and checks not counted in the score, each with a direct link to act on it. The dashboard gives every unassessed check a clear reason, and the full record exports as a clean spreadsheet.

• Scan emails summarise evidence and scope in three plain sections with direct links, including straight to an evidence task where one exists.
• Score movement in the email follows the same confidence rules as the dashboard, and the footer says how the comparison was made.
• Every check that was not assessed automatically now shows what it needs, why it was not counted, and what action is available.
• Evidence and scope notes export as a plain-language spreadsheet, suitable for reviews and reporting.

Clearer evidence, readiness, and reporting

This release strengthens how ScanPosture explains evidence, movement, licensing, and readiness across the product, and adds new ways to add your own evidence and approve the applications you expect. Scores, reports, framework views, and MSP surfaces now use the same underlying model, reducing conflicting signals and making limitations clearer. You can also collect evidence for checks Microsoft does not expose, approve the applications you recognise, and run ScanPosture with fewer Microsoft permissions.

• Score movement now uses the same confidence rules across the dashboard, reports, AI summaries, MSP views, and exports.
• A partial or low-confidence scan no longer creates a misleading rise, fall, or change narrative.
• Framework readiness now separates assessed controls, limited evidence, manual evidence, and licence-related evidence gaps more clearly.
• Finding timelines and rechecks are shown as evidence events in their own right, not as extra scans.
• Change-detection checks that simply have no new activity are shown as such, rather than as findings that were resolved.
• MSP and customer views now draw on the same shared model, so signals stay consistent across both.
• Add your own evidence for checks Microsoft does not expose, with a guided helper that uploads it securely.
• Mark expected applications as approved so they are tracked as governance decisions, not hidden issues.
• ScanPosture now runs with fewer Microsoft permissions and no longer needs the SharePoint full-control permission, and you can remove permissions it no longer needs without it keeping standing write access.

Clearer change tracking and workspace-aware alerts

Your scan summary now separates genuinely new findings from ones still open and lists what you have resolved. Critical and high alerts name the workspace they relate to, and a partial scan no longer raises repeat alerts for issues that have not changed.

Clearer score movement and save confirmations

Score changes from a scan that could not collect all its data are shown neutrally rather than as a confident rise or fall, and settings now confirm clearly whether a save succeeded.

Flexible team and workspace access

Admins can now manage your team alongside the owner, and organisations with more than one workspace can give each person access to only the workspaces they need, each with its own role.

Dashboard clarity and scan context

A clearer dashboard with improved posture trends, more readable executive summaries, and easier tenant navigation on mobile.

Collection transparency and reliability

When a setting cannot be read through the access ScanPosture uses with Microsoft, the result is now shown as a clear, score-neutral collection status instead of an ambiguous pass or fail. Evidence collection for administrator sign-in and Microsoft Teams checks is more reliable.

Evidence confidence and reporting consistency

Score confidence, evidence coverage, finding state, and report wording are now presented consistently across the dashboard, PDFs, emails, and integrations, so it is clearer what was observed, what could not be evaluated, and what has changed since your last scan.

Clearer finding status and accepted risk

Finding detail now leads with the current state from your latest scan, a risk you have accepted is shown as accepted rather than resolved, and a recheck that fails reopens the finding instead of leaving it marked resolved.

Honest MFA and identity evidence

Where Microsoft cannot answer a question about a user, ScanPosture now says so instead of marking that user as a failure. Multi-factor authentication is assessed per user with an authoritative fallback, and break-glass accounts are recognised separately.

Faster dashboards and more honest checks

Dashboard summaries now load from a single snapshot taken at scan time, the findings list shows one row per issue without historical duplicates, and a few checks that relied on unreliable Microsoft responses now return an honest pass, fail, or skip.

Unified portal + self-serve trial

The biggest release of the year. Three customer-facing changes: (1) Unified portal, Direct customers and MSP partners now share the same portal shell, dashboard renderer, settings, reports and audit trail. One product, one render path, scoped per role. (2) Self-serve trial, sign up directly via Microsoft OAuth at app.scanposture.com/signup. UK data residency acknowledged before sign-up; tenant + 28-day trial provisioned atomically; admin-consent flow with rate-limited email helper for non-Global-Admin signups; first scan auto-runs the moment consent is granted. (3) Trial mechanics, 28-day trial with four reminder emails (Day 14 / 21 / 26 / 28), trial-end → read-only mode (writes return 402, reads stay open), one-click Stripe activation pre-filled with your real Entra user count, 30-day data grace period after expiry. See /docs/getting-started for the new flow and /trial for the mechanics.

8 framework readiness views, NIST split + CAF added

NIST CSF 2.0 and NIST SP 800-53 Rev 5 are now first-class separate readiness views (they are different publications, CSF is outcome/function-based, SP 800-53 is a control catalogue), and NCSC CAF 4.0 joined as a UK sector-framework view. Eight readiness views in total: Cyber Essentials, ISO 27001:2022, GDPR Article 32, NIST CSF 2.0, NIST SP 800-53 Rev 5, CIS Controls v8.1, SOC 2 and NCSC CAF 4.0.

Security and sub-processors pages

Two new pages dedicated to procurement and SecOps reviews: /security publishes the four pillars (UK residency, read-only, verified publisher, UK company), eight technical-control areas, the framework readiness vs certification split, and a coordinated-disclosure process at security@scanposture.com. /sub-processors lists every vendor with purpose, data category and processing region, grouped by region.

status.scanposture.com launched

A dedicated public status subdomain. Live operational status with a hero card, monitored-services grid, 30-day uptime history, incident timeline, and email + Atom subscriptions for incident notifications. Browser tab title reflects current overall status (✓ / ⚠ / ✕).

UK data migration, London region

All customer data now stored in our Supabase region in London. Application traffic and email delivery routed through UK / EU infrastructure end-to-end. No US round-trip and no replica outside the United Kingdom.

Demo deployment isolation + UK demo project

A dedicated demo Supabase project in London powers the public demo at demo.scanposture.com. Demo trial signup is now blocked at three layers (link, page redirect, API) and routes prospects to the live signup on app.scanposture.com.

External-assessor evidence audience added

Reports now explicitly support the external-assessor audience: framework readiness views map onto Cyber Essentials, ISO 27001, GDPR Article 32, NIST CSF, CIS Controls and SOC 2 evidence requests during third-party assessments.

Premium login experience

Login screen rebuilt with proof cards (continuous monitoring, drift detection, prioritised actions, framework readiness), MSP white-label support, and an MFA-first session flow.

201 read-only checks across 9 weighted security domains

The check registry now totals 201 unique checks, evaluated across nine weighted security domains: Identity & Authentication, Privileged Access, Conditional Access & Policy Enforcement, Account Lifecycle & Governance, Application & Non-Human Identity Security, Data Access & Collaboration Security, Monitoring / Drift / Posture, Logging & Audit, and Device Security.

6 framework readiness views

Findings now map onto six compliance frameworks: Cyber Essentials, ISO 27001, GDPR Article 32, NIST CSF, CIS Controls and SOC 2. Each view is a readiness lens, not certification.

AI-generated executive summaries + per-finding helper

Every completed scan gets an AI-generated executive summary. Individual findings have an "Explain this finding" + AI remediation helper. Both are clearly labelled as AI-generated and sit alongside the step-by-step Microsoft-sourced remediation guides.

Dedicated MSP portal with role-based access

Fleet-wide visibility across managed customer tenants, role-based access (MSP admin, MSP analyst, customer admin, customer viewer), MSP branding on customer-facing reports where enabled, per-customer drill-down from the fleet view.