What's New in CISO Assistant — Week 23, 2026 (v3.17.1 – v3.17.2)

Two releases this week: v3.17.1 on June 3 and a feature-heavy v3.17.2 on June 5. The theme is operability and depth — observability hooks, a meatier AI/MCP server, a new framework, more flexible tables and assets, smarter SSO, and a generous round of fixes.

Headline Features

• Prometheus metrics endpoint — A new endpoint exposes metrics for Prometheus scraping, making it far easier to monitor a CISO Assistant deployment with standard observability tooling (PR #4061), with a follow-up to expose metrics for enterprise as well (PR #4258). Thanks to @melinoix.
• Expanded AI / MCP server — The MCP server gains vulnerability CRUD, asset classes, and richer risk scenario reads — broadening what AI assistants can do against your GRC data (PR #4256). Thanks to @jledoze.
• Cost breakdown on action plans — Action plans now surface a cost breakdown, bringing budget visibility directly into remediation planning (PR #4272). Thanks to @ab-smith.
• Audit aggregation through ancestors — Audit results can now aggregate up through their ancestor hierarchy, giving cleaner consolidated views across nested scopes (PR #4245). Thanks to @ab-smith.
• Expanded comments — The comments feature has been broadened for richer collaboration across objects (PR #4253). Thanks to @ab-smith.

Framework & Library Updates

• ABRO Framework — A new ABRO framework library is now available (PR #4252). Thanks to @tarkadia.
• Journey preset filter in library list — The library list gains a preset filter for journeys (PR #4279). Thanks to @tarkadia.
• Library tooling — convert_library_v2.py now supports Threats annotations (PR #4274), plus an updated example_framework.xlsx and restored French metadata in the Vendor Due Diligence framework (PRs #4275, #4276). Thanks to @tarkadia.

Data Wizard

• Header normalization — The data wizard now normalizes headers on import, smoothing out messy source files (PR #4160). Thanks to @martinzerty.
• ref_id support across the wizard — All data-wizard flows now accept ref_id in addition to name, plus a new test harness to keep the wizard honest (PRs #4087, #4151). Thanks to @tchoumi313.

UX

• Tables column selector — Tables now offer a column selector, letting users tailor which columns are shown (PR #4263). Thanks to @ab-smith.
• User-configurable date format — Users can now choose their preferred date format (PR #4236). Thanks to @ab-smith.
• 1–3 properties scale on assets — Assets can use a 1–3 properties scale (PR #4281). Thanks to @ab-smith.
• Task occurrence description — A task’s occurrence now shows its description (PR #4267). Thanks to @Axxiar.
• Higher autocomplete cap — The autocomplete lazy-mode cap was raised to 20 for more useful suggestions (PR #4268). Thanks to @ab-smith.

Security & Infrastructure

• SSO redirect handling — After SSO login, users are now returned to the URL they originally requested instead of a generic landing page (PR #4255). Thanks to @tchoumi313.
• Allowed IPs list — Infrastructure configuration gains an allowed-IPs list, letting operators restrict access at the application layer (PR #4250). Thanks to @tchoumi313.
• Hide “About” menu for third parties — The About menu is now hidden from third-party users (PR #4240). Thanks to @melinoix.

Performance

• Faster framework library updates — Fixed an O(N²) dedup in the framework library update path (PR #4264). Thanks to @Mohamed-Hacene.

Bug Fixes

• Framework builder nodes at deep nesting — Builder nodes are no longer unusably narrow at deep nesting levels (PR #4271). Thanks to @nas-tabchiche.
• Ordering with negative number values — Fixed wrong ordering for selects with negative number values (PR #3618). Thanks to @monsieurswag.
• Name column ordering — Sorting by the name column now behaves correctly (PR #4242). Thanks to @Mohamed-Hacene.
• Risk-assessment scenario filters — Scenarios can now be filtered by current level and residual level (PR #4257). Thanks to @tchoumi313.
• Incident uniqueness and freshness — Incident uniqueness is now limited to ref_id (PR #4266), and an incident’s last-update timestamp refreshes when timeline entries change (PR #4280). Thanks to @ab-smith.
• Vulnerabilities link in findings — Fixed the link to vulnerabilities from findings (PR #4241). Thanks to @Mohamed-Hacene.
• Markdown rendering and translations — Restored a missing MarkdownRenderer across several pages (PR #3983) and fixed untranslated framework name and description (PR #4278). Thanks to @tarkadia.

Internationalization

• 🇨🇿 Czech localization — A comprehensive update to the Czech translation (PR #4261). Thanks to @zdenek-pergl.

Maintenance

• Vite 7 upgrade — The frontend moved to Vite 7, with the associated Vitest upgrade (PR #4247). Thanks to @ab-smith.
• Pull request template — A PR template was added to streamline contributions (PR #4243). Thanks to @nas-tabchiche.
• Documentation touch-ups — Updated CyFun export docs and fixed a broken link for ENISA’s risk acceptance (PRs #4238, #4244).

For full details, check out the v3.17.1 and v3.17.2 release notes on GitHub.