Feed and Updates
AttackLens receives security content and platform component updates through a centralized feed system. The feed delivers policies, rulesets, vulnerability data, and other security content that powers posture evaluation, vulnerability correlation, and attack graph analysis. Component updates deliver new versions of the AttackLens platform itself.
INFO
Requires Admin role or higher.
Accessing Feed and Updates
Navigate to Settings > Feed and Updates in the left sidebar.
Feed Updates
The feed is a curated package of security content published by AttackLens and delivered to your on-premises instance through the license server. Feed updates keep your security policies, rules, and vulnerability data current without manual maintenance.
Feed Content Types
| Content Type | Description | What It Powers |
|---|---|---|
| Policies | Compliance policies mapped to frameworks like ISO 27001, SOC 2, GDPR, CIS Benchmarks, PCI DSS, and NIST. | Posture evaluation -- policies define what is checked. |
| Rulesets | Individual security rules that evaluate specific configurations on assets. Each ruleset contains check logic, expected values, and remediation guidance. | Rule engine -- rulesets contain the actual evaluation logic applied to collected data. |
| Capabilities | Security capability definitions that map what an asset can or cannot do (e.g., "enforce password complexity", "encrypt data at rest"). | Attack graph -- capabilities become edges that connect nodes. |
| Graph Tags | Tags used to classify and group attack graph nodes (e.g., "internet-facing", "credential-store", "domain-controller"). | Attack graph topology and filtering. |
| Toxic Rules | Rules that define dangerous combinations of conditions (e.g., an internet-facing server with a critical vulnerability and admin credentials). | Toxic combinations detection in the attack graph. |
| Vulnerability Data | CVE details, CVSS scores, EPSS probabilities, CISA KEV status, and affected software packages. | Vulnerability correlation -- matching installed packages to known vulnerabilities. |
| MITRE ATT&CK Mappings | Technique and tactic mappings for capabilities and attack patterns. | Attack graph enrichment and reporting. |
| Edge Weights | Curated weights for attack graph edges based on real-world threat intelligence. | Attack path scoring. |
| OS Baselines | Baseline security configurations for common operating systems. | Posture evaluation -- what constitutes a secure OS configuration. |
Feed Tiers
Feed content is available in two tiers:
| Tier | Description |
|---|---|
| Community | Free tier included with all installations. Covers core policies, rulesets, capabilities, and vulnerability data. |
| Enterprise | Licensed tier with expanded coverage: full compliance framework catalog, advanced remediation playbooks, industry-specific policies, and more frequent updates. |
Your feed tier is determined by your AttackLens license.
Feed Sync Status
The feed status section shows:
| Field | Description |
|---|---|
| Last Check | When the system last checked the license server for new feed content. |
| Last Update | When new content was last downloaded and applied. Last Check and Last Update may differ -- a check may find no new content. |
| Feed Version | The version identifier of the currently installed feed content. |
| Next Check | When the next automatic check is scheduled. |
| Status | Up to date, Update available, Syncing, or Error. |
Automatic Feed Sync
The FeedWorker background service checks for feed updates automatically every 60 minutes. When new content is available:
- The worker downloads the updated feed bundle from the license server.
- The bundle is verified (signature check, integrity validation).
- New and updated content is applied to the local database.
- The rule engine, policy evaluator, and attack graph builder are notified to reload their content.
No manual intervention is required for routine feed updates.
Manual Feed Check
To check for updates immediately without waiting for the next automatic interval:
- Navigate to Settings > Feed and Updates.
- Click Check Now.
The system will contact the license server and apply any available updates.
TIP
Use the manual check after initial installation to ensure you have the latest content, or after renewing your license to pick up enterprise-tier content immediately.
Component Updates
Component updates deliver new versions of the AttackLens platform components: backend, UI, and sensor binaries.
Update Check
The UpdateWorker background service checks for component updates every 6 hours. It contacts the license server and downloads metadata about available updates.
Component Update Status
The component updates section shows:
| Component | Current Version | Latest Available | Status |
|---|---|---|---|
| Backend | CalVer (e.g., 2026.04.0) | Latest published version | Up to date / Update available |
| UI | CalVer (e.g., 2026.04.0) | Latest published version | Up to date / Update available |
| Sensor | CalVer (e.g., 2026.04.0) | Latest published version | Up to date / Update available |
How to Apply Component Updates
Component updates are applied differently depending on the component:
| Component | Update Method |
|---|---|
| Backend | Pull the latest Docker image and restart the container. Run `docker compose pull && docker compose up -d` in your deployment directory. |
| UI | Included in the backend Docker image. Updated together with the backend. |
| Sensor | Sensors auto-update themselves. No manual action required. See Sensor Auto-Update. |
WARNING
Backend updates may include database migrations that run automatically on startup. Always review the release notes before updating to understand what changes are being applied. Back up your MongoDB and PostgreSQL databases before applying updates.
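The backup-then-update order from the warning above, as an added example (not AttackLens's own tooling). The compose service names `mongodb` and `postgres`, the PostgreSQL role, and the `BACKUP_DIR` and `DRY_RUN` variables are assumptions; adjust them to your deployment.

```bash
#!/usr/bin/env bash
# Added example: back up MongoDB and PostgreSQL, then pull and restart the backend.
# Assumptions (not from the AttackLens docs): compose service names "mongodb" and
# "postgres", PostgreSQL role "postgres", and a mongodump that needs no auth flags.
MONGO_SVC="${MONGO_SVC:-mongodb}"
PG_SVC="${PG_SVC:-postgres}"
PG_USER="${PG_USER:-postgres}"
BACKUP_DIR="${BACKUP_DIR:-./backups}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the plan only; set DRY_RUN=0 to execute

# step <output-file|-> <command...>: run one command, optionally capturing stdout.
step() {
  local out="$1"; shift
  if [ "$DRY_RUN" = 1 ]; then
    [ "$out" = "-" ] && echo "PLAN: $*" || echo "PLAN: $* > $out"
    return 0
  fi
  if [ "$out" = "-" ]; then "$@"; else "$@" > "$out"; fi
}

update_backend() {
  local dir f
  dir="$BACKUP_DIR/$(date -u +%Y%m%dT%H%M%SZ)"
  if [ "$DRY_RUN" != 1 ]; then
    # Database dumps can contain sensitive data: keep the directory owner-only.
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
  fi
  # Explicit "|| return 1": a failed dump must stop the run before any image is pulled.
  step "$dir/mongo.archive.gz" docker compose exec -T "$MONGO_SVC" \
    mongodump --archive --gzip || return 1
  step "$dir/postgres.sql" docker compose exec -T "$PG_SVC" \
    pg_dumpall -U "$PG_USER" || return 1
  if [ "$DRY_RUN" != 1 ]; then
    for f in "$dir/mongo.archive.gz" "$dir/postgres.sql"; do
      [ -s "$f" ] || { echo "empty backup, aborting: $f" >&2; return 1; }
    done
  fi
  # Same commands as the Backend row of the table above.
  step - docker compose pull || return 1
  step - docker compose up -d
}

update_backend
```

Run it from the deployment directory; with the default `DRY_RUN=1` it only prints the four planned commands.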
Manual Component Check
To check for component updates immediately:
- Navigate to Settings > Feed and Updates.
- In the Component Updates section, click Check Now.
Network Requirements
The feed and update system requires your AttackLens backend to reach the license server over HTTPS:
| Direction | Destination | Port | Purpose |
|---|---|---|---|
| Outbound | license.attacklens.com | 443 | Feed content and component update checks |
INFO
In air-gapped environments where the backend cannot reach the license server, feed and component updates must be applied manually. Contact AttackLens support for offline update packages.
Troubleshooting
Feed status shows Error
- Network issue: Verify the backend can reach license.attacklens.com on port 443.
- License expired: An expired license prevents feed downloads. Renew your license.
- Signature verification failed: The downloaded feed bundle failed integrity checks. This may indicate a corrupted download. Click Check Now to retry.
Feed updated but content unchanged
- The check found no new content. The feed version will remain the same until new content is published.
- Verify the Last Update timestamp has changed. If it has not, no new content was available.
Component update available but not applied
- Component updates are not applied automatically (except for sensors). You must manually pull Docker images and restart containers.
- Follow the update method described in the table above.