Skip to content
Dreadnode Dreadnode Dreadnode

May 28, 2026

Android APK research capability and issue-tracker connectors for web-security

← All updates

Android APK research capability and issue-tracker connectors for web-security

8 new 3 improved 11 fixed

New capability bundles for Android APK research and issue-tracker integrations land alongside a full sweep of assistant-led CLI guides across the platform.

New

  • Android APK research capability. A new android-apk-research capability bundle ships with a 10-tool MCP server and four skills for static semantic vulnerability research on Android APKs. (dreadnode/capabilities#29)
  • Jira connector for web-security. Web-security agents can now export validated findings directly to Jira Cloud as remediation tickets via a new Jira MCP connector. (dreadnode/capabilities#23)
  • GitHub connector for web-security. A new GitHub MCP connector lets web-security agents file findings as GitHub issues and add follow-up comments without leaving the agent workflow. (dreadnode/capabilities#24)
  • Run artifact logging tools. Web-security agents can now attach screenshots, audio, video, and file artifacts directly to a run using four new path-based logging tools: log_image_output, log_audio_output, log_video_output, and log_file_artifact. (dreadnode/capabilities#21)
  • waymore in web-security runtime. The web-security capability runtime now includes waymore, enabling historical URL and response retrieval from Wayback Machine, CommonCrawl, OTX, URLScan, and VirusTotal for recon and JS archaeology. (dreadnode/capabilities#17)
  • IDOR/BOLA judge scorer rubric. A new built-in IDOR/BOLA rubric is available for the SDK’s default LLM judge scorer, with graduated pentest-aligned cross-boundary access criteria; the web-security scorer-reference skill documents how to compose it in task.yaml and SDK configs. (dreadnode/dreadnode-tiger#1558, dreadnode/capabilities#19)
  • Activity feed on the home page. The home page now shows a live activity feed with recent projects, sessions, evaluations, training jobs, and other workspace activity. (dreadnode/dreadnode-tiger#1569)
  • Administrators Can Now Control Which AI Models Members Use. Organization administrators can now grant each member access to a specific set of AI models, with the limits enforced automatically across the web app, API, and CLI.

Improvements

  • Assistant-led CLI guides across all surfaces. Every in-product CLI guide (capability, task/environment, dataset, model, evaluation, optimization, world manifest, trajectory, training) is rewritten into a two-tab layout with an ‘Ask an agent’ tab, accurate dn alias commands, and corrected flags. (dreadnode/dreadnode-tiger#1538, dreadnode/dreadnode-tiger#1541, dreadnode/dreadnode-tiger#1542, dreadnode/dreadnode-tiger#1543, dreadnode/dreadnode-tiger#1547, dreadnode/dreadnode-tiger#1559, dreadnode/dreadnode-tiger#1560, dreadnode/dreadnode-tiger#1562, dreadnode/dreadnode-tiger#1563)
  • CLI guide launcher button labels clarified. Launcher buttons across nine surfaces now use accurate action verbs (Create, Evaluate, Optimize, Train) instead of generic or incorrect labels. (dreadnode/dreadnode-tiger#1564)
  • AIRT and Traces visual language overhaul. The AIRT Traces view and shared TraceViewer now use consistent design-system primitives, unified span-category colors, and a redesigned trace control bar. (dreadnode/dreadnode-tiger#1536)

Fixes

  • Compound eval false negatives resolved. script_and_judge and flag_and_judge evaluation methods no longer report a failed sample when the agent successfully completes a task. (dreadnode/dreadnode-tiger#1545)
  • Large-trajectory judge staging no longer fails. Outcome-judge staging no longer errors on large eval trajectories; the sandbox now fetches the trajectory directly via session ID instead of having it serialized and shipped by the API. (dreadnode/dreadnode-tiger#1565)
  • Session transcripts no longer truncated. Session transcripts now load all messages via cursor pagination — previously, sessions with more than 2,000 messages were silently truncated, dropping the most recent ones. (dreadnode/dreadnode-tiger#1574)
  • dn task validate accepts compound verification methods. dn task validate now accepts flag_and_judge and script_and_judge, fixing validation failures across 248 tasks. (dreadnode/dreadnode-tiger#1582)
  • TUI Ctrl+C now copies to clipboard. In the agent TUI, Ctrl+C copies selected text to clipboard (with fallback to pbcopy/xclip/xsel/wl-copy); use Ctrl+Q to quit. (dreadnode/dreadnode-tiger#1566)
  • TUI hosted model list no longer shrinks after restart. New platform model deployments now appear in the TUI without manually deleting ~/.dreadnode/proxy-models.json. (dreadnode/dreadnode-tiger#1578)
  • TUI /models screen respects admin model ordering. The TUI /models screen now displays models in the order configured by your admin instead of re-sorting alphabetically. (dreadnode/dreadnode-tiger#1581)
  • TUI no longer crashes on mid-load screen navigation. The TUI no longer throws a NoMatches exception when navigating away from a screen while a background worker is still loading data. (dreadnode/dreadnode-tiger#1570)
  • TUI tool call meta line now visible. TUI tool calls correctly display the ↳ <summary> meta line beneath the tool name instead of showing a blank gutter. (dreadnode/dreadnode-tiger#1546)
  • Image files render correctly in the environment file viewer. Image files in the environment file viewer now render as images instead of garbled binary content. (dreadnode/dreadnode-tiger#1572)
  • Linear MCP credentials now passed correctly. LINEAR_API_KEY, LINEAR_ACCESS_TOKEN, and LINEAR_API_URL are now correctly forwarded to the Linear MCP server in the web-security capability. (dreadnode/capabilities#27)