Unleash Release Notes

Changelog

• Fix links in Gemini 3 Pro documentation by @gmackall in #13312
• Improve keyboard code parsing by @scidomino in #13307
• fix(core): Ensure read_many_files tool is available to zed. by @joshualitt in #13338
• Support 3-parameter modifyOtherKeys sequences by @scidomino in #13342
• Improve pty resize error handling for Windows by @galz10 in #13353
• fix(ui): Clear input prompt on Escape key press by @SandyTao520 in #13335
• bug(ui) showLineNumbers had the wrong default value. by @jacob314 in #13356
• fix(cli): fix crash on startup in NO_COLOR mode (#13343) due to ungua… by @avilladsen in #13352
• fix: allow MCP prompts with spaces in name by @jackwotherspoon in #12910
• Refactor createTransport to duplicate less code by @davidmcwherter in #13010
• Followup from #10719 by @bl-ue in #13243
• Capturing github action workflow name if present and send it to clearcut by @MJjainam in #13132
• feat(sessions): record interactive-only errors and warnings to chat recording JSON files by @bl-ue in #13300
• fix(zed-integration): Correctly handle cancellation errors by @benbrandt in #13399
• docs: Add Code Wiki link to README by @holtskinner in #13289
• Restore keyboard mode when exiting the editor by @scidomino in #13350
• feat(core, cli): Bump genai version to 1.30.0 by @joshualitt in #13435
• [cli-ui] Keep header ASCII art colored on non-gradient terminals (#13373) by @bniladridas in #13374
• Fix Copyright line in LICENSE by @scidomino in #13449
• Fix typo in write_todos methodology instructions by @Smetalo in #13411
• feat: update thinking mode support to exclude gemini-2.0 models and simplify logic. by @kevin-ramdass in #13454
• remove unneeded log by @scidomino in #13456
• feat: add click-to-focus support for interactive shell by @galz10 in #13341

New Contributors

• @gmackall made their first contribution in #13312
• @avilladsen made their first contribution in #13352
• @holtskinner made their first contribution in #13289
• @kevin-ramdass made their first contribution in #13454

Full Changelog

v0.18.0-nightly.20251118.7cc5234b9...v0.18.0-nightly.20251120.2231497b1

Original source Report a problem

Splunk Enterprise Security version 8.3.0 release notes

Splunk Enterprise Security version 8.3.0 was released on November 19, 2025 and includes the following new enhancements:

• Enhanced version management and tracking: Ability to view the active and the latest version of a detection along with the full author names instead of user IDs. For more information, see Create multiple versions of a detection in Splunk Enterprise Security.

• Streamlined UI workflow in detection versioning: Includes sortable columns, dialog flash fixes, panel state persistence, and the ability to download links for version and activity history of detections. For more information, see Create multiple versions of a detection in Splunk Enterprise Security.

• Mandatory detection version control: Ability for administrators to make version control for detections mandatory. For more information, see Use detection versioning in Splunk Enterprise Security.

• Detection versioning in other apps: Ability to manage and save versions of detections and better organize and track changes to detections. For more information, see Use detection versioning in Splunk Enterprise Security.

• Offset scheduled start time to run detections: Ability to optimize performance and search accuracy by offsetting the start time to run detections based on scheduler load instead of a fixed timestamp. For more information, see Offset scheduled start time to run detections.

• Turning on or off the ability to edit notes: Ability to choose whether users can edit notes that exist for findings and investigations after they're saved. For more information, see Turn on or turn off the ability to edit notes.

• Pairing with Splunk SOAR clusters and warm standby: Ability to pair Splunk Enterprise Security with Splunk SOAR (On-premises) clustered environments, including using warm standby and backup and restore. For more information, see Pair Splunk Enterprise Security with Splunk SOAR in Administer Splunk Enterprise Security and Splunk SOAR Compatibility in the release notes.

• Pinning finding and investigation fields in the analyst queue: Ability to pin specific fields in the side panel of a finding or investigation or on the investigation overview page to keep the information you care about most easily accessible. For more information, see Pin fields for findings and investigations in Splunk Enterprise Security.

• Nested findings in the analyst queue: Ability to navigate complex investigations more efficiently by reducing visual clutter and maintaining context as you drill deeper into related data. Nested findings organize related findings and finding groups into a clear, hierarchical structure across the analyst queue and investigation overview page. For more information, see Navigate nested findings for triage.

• Finishing existing legacy investigations: Ability to finish your existing work, export data for reports, and maintain visibility into past findings with the legacy investigations interface. If you previously created investigations in Splunk Enterprise Security 7.x, you can still review and complete them after upgrading to version 8.x. For more information, see Review and finish existing legacy investigations.

• Entity risk scoring: Includes the new entity risk score (ERS), an enhanced version of the original risk score in Splunk Enterprise Security. It measures the overall risk level of an entity, such as a user or asset, based on findings associated with that entity. For more information, see Entity risk scoring in Splunk Enterprise Security and Using entity risk scores for detections in Splunk Enterprise Security.

• Threat intelligence storage optimization: Ability to optimize data retention for threat intelligence KV Store collections in Splunk Enterprise Security. For more information, see Threat intelligence collections in Splunk Enterprise Security.

• User and Entity Behavior Analytics (UEBA) for Splunk Enterprise Security Premier: Ability to detect insider threats, reduce false positives, and prioritize investigations based on risk with UEBA. UEBA identifies anomalies by comparing current activity against learned baselines for users and assets. See the following documentation to get started: User and entity behavior analytics (UEBA) overview in Splunk Enterprise Security, Installing UEBA for Splunk Enterprise Security, Configuration checklist for UEBA in Splunk Enterprise Security.

• Analyst queue performance improvements: Searching, automating, and interacting with findings on the analyst queue will load them into the KV Store collection for faster retrieval and load times. For more information, see Optimize storage with KV Store retention policy.

• Updates to hide finding settings for finding groups: Hide findings setting now also hides findings that belong to finding groups. Help text for this feature has been updated to indicate that findings will still appear nested under the investigation or finding group to which they belong.

Upgrade notice for 8.x

• Upgrading Splunk Enterprise Security to version 8.x is a one-way operation. The upgrade process doesn't automatically back up the app, its content, or its data. Perform a full backup of the search head, including the KV Store, before initiating the Splunk Enterprise Security upgrade process.
• When you upgrade to Splunk Enterprise Security version 8.x, you can no longer access any investigations created prior to the upgrade. To save archives of your investigation data, back up and restore your existing Splunk Enterprise Security instance.
• If you need to revert back to the version that previously existed on your search head, you must restore the previous version of Splunk Enterprise Security from a backup.
• Upgrades to Splunk Enterprise Security version 8.x from versions 6.x and earlier are not supported. If you are using on-premises version 6.x or earlier, you must first upgrade to version 7.3.2 before upgrading to version 8.x.
• You cannot upload Splunk Enterprise Security 8.x on an on-premises deployment of Splunk Enterprise 10.x using the UI. You must install Splunk Enterprise Security 8.x using the command line.
• Splunk Enterprise Security in a search head cluster environment uses an installer that creates tokens and turns on token authorization if it is not available. Post-installation, the installer deletes the tokens. If an error occurs, contact Splunk Support to delete any residual tokens.
• The Splunk Enterprise Security Health app is installed but is turned off for all Splunk Cloud customers. This app is turned on by the Splunk Cloud Platform only during upgrades to ensure that the stacks get upgraded faster. Do not turn on the Splunk Enterprise Security Health app.

Share threat data in Splunk Enterprise Security

• Sharing telemetry usage data is different from sharing threat data. Sharing of threat data in Splunk Enterprise Security is only introduced for Splunk Enterprise Security Hosted Service Offering (cloud) customers with a standard terms contract renewed or created after January 10, 2025.

Compatibility and support

• Splunk Enterprise Security version 8.x is compatible only with specific versions of the Splunk platform.
• Current versions of Splunk Enterprise Security only support TAXII version 1.0 and TAXII version 1.1.

Deprecated or removed features

• Configuring the investigation type macro is no longer available.
• Incident Review row expansion is no longer available.
• Enhanced workflows are no longer available.
• Sequence templates are no longer available.
• The Investigation bar, Investigation Workbench, and Investigation dashboard from the Splunk Enterprise Security user interface (UI) are replaced by the Mission Control UI.
• Service level agreements (SLAs) and role-based incident type filtering are not available.
• The Content management page was updated to remove Workbench Profile, Workbench Panel, and Workbench Tab.
• Workbench and workbench related views such as ess_investigation_list, ess_investigation_overview, and ess_investigation have been removed.
• Capabilities such as edit_timeline and manage_all_investigations have been removed.
• The Comments feature is replaced by an enhanced capability to add notes.
• In Splunk Enterprise Security version 7.3, admins can turn on a setting to require analysts to leave a comment with a minimum character length after updating a notable event. In Splunk Enterprise Security version 8.x, you can no longer require a note when an analyst updates a finding in the analyst queue.

Add-ons

• Technology-specific add-ons are supported differently than the add-ons that make up the Splunk Enterprise Security framework.
• To ensure that the Splunk Enterprise Security app works correctly, turn on the following add-ons. If any of the following add-ons aren't turned on, Splunk Support gets automatically notified and ensures that all the required add-ons are turned on automatically: DA-ESS-AccessProtection, DA-ESS-EndpointProtection, DA-ESS-IdentityManagement, DA-ESS-NetworkProtection, DA-ESS-ThreatIntelligence, SA-AccessProtection, SA-AuditAndDataProtection, SA-EndpointProtection, SA-IdentityManagement, SA-NetworkProtection, SA-ThreatIntelligence, Splunk_SA_CIM, Splunk_SA_Scientific_Python_linux_x86_64, SplunkEnterpriseSecuritySuite, Splunk_ML_Toolkit.
• Do not uninstall the Mission Control app since the app is part of Splunk Enterprise Security.

Deprecated or removed add-ons

• Many technology add-ons are no longer included in the Splunk Enterprise Security package and must be downloaded from Splunkbase.
• Some technology add-ons are removed from the installer but still supported.
• Some technology add-ons are removed from the installer, supported for the next year, but are deprecated and will reach end of support one year from the release date of this Enterprise Security version.
• The Common Information Model Add-on is updated to version 6.3.0.

Libraries included

• Splunk_ML_Toolkit-5.3.0-1631633293630.tgz
• Splunk_SA_Scientific_Python_linux_x86_64-3.0.2-0
• Splunk_SA_Scientific_Python_windows_x86_64-3.0.0

Original source Report a problem

Deprecate in_catalog and catalogs fields from object type Location

The in_catalog and catalogs fields represents the legacy concept of direct connected catalogs to a location. Since the introduction of Markets Home this is not a valid concept anymore.

These fields are now deprecated and will be hidden from documentation starting in version 2026-04.

Developers who previously relied on these fields should update their integrations accordingly. No further action is required if these fields were not in use.

Original source Report a problem

Frontier coding capabilities

GPT‑5.1-Codex-Max was trained on real-world software engineering tasks, like PR creation, code review, frontend coding, and Q&A and outperforms our previous models on many frontier coding evaluations. The model’s gains on benchmarks also come with improvements to real-world usage: GPT‑5.1-Codex-Max is the first model we have trained to operate in Windows environments, and the model’s training now includes tasks designed to make it a better collaborator in the Codex CLI.

Speed and cost

GPT‑5.1-Codex-Max shows significant improvements in token efficiency due to more effective reasoning. On SWE-bench Verified, GPT‑5.1-Codex-Max with ‘medium’ reasoning effort achieves better performance than GPT‑5.1-Codex with the same reasoning effort, while using 30% fewer thinking tokens. For non-latency-sensitive tasks, we’re also introducing a new Extra High (‘xhigh’) reasoning effort, which thinks for an even longer period of time for a better answer. We still recommend medium as the daily driver for most tasks.

We expect the token efficiency improvements to translate to real-world savings for developers.

For example, GPT‑5.1-Codex-Max is able to produce high quality frontend designs with similar functionality and aesthetics, but at much lower cost than GPT‑5.1-Codex.

Long-running tasks

Compaction enables GPT‑5.1-Codex-Max to complete tasks that would have previously failed due to context-window limits, such as complex refactors and long-running agent loops by pruning its history while preserving the most important context over long horizons. In Codex applications, GPT‑5.1-Codex-Max automatically compacts its session when it approaches its context window limit, giving it a fresh context window. It repeats this process until the task is completed.

The ability to sustain coherent work over long horizons is a foundational capability on the path toward more general, reliable AI systems. GPT‑5.1-Codex-Max can work independently for hours at a time. In our internal evaluations, we’ve observed GPT‑5.1-Codex-Max work on tasks for more than 24 hours. It will persistently iterate on its implementation, fix test failures, and ultimately deliver a successful result.

Building safe and trustworthy AI agents

GPT‑5.1-Codex-Max performs significantly better on evaluations that require sustained, long-horizon reasoning. Because it can coherently work across multiple context windows using compaction, the model delivers improved results on challenges in areas like long-horizon coding and cybersecurity. We analyzed the results of this model’s performance on first- and third-party evaluations in the GPT‑5.1-Codex-Max system card.

GPT‑5.1-Codex-Max does not reach High capability on Cybersecurity under our Preparedness Framework but it is the most capable cybersecurity model we’ve deployed to date and agentic cybersecurity capabilities are rapidly evolving. As a result, we are taking steps to prepare for High capability on Cybersecurity and are enhancing our safeguards in the cyber domain and working to ensure that defenders can benefit from these improved capabilities through programs like Aardvark.

When we launched GPT‑5-Codex, we implemented dedicated cybersecurity-specific monitoring to detect and disrupt malicious activity. While we have not observed a meaningful increase in scaled abuse, we are preparing additional mitigations for advanced capabilities. Our teams have already disrupted cyber operations attempting to misuse our models, and suspicious activity is routed for review through our policy monitoring systems.

Codex is designed to run in a secure sandbox by default: file writes are limited to its workspace, and network access is disabled unless a developer turns it on. We recommend keeping Codex in this restricted-access mode, since enabling internet or web search can introduce prompt-injection risks from untrusted content.

As Codex becomes more capable of long-running tasks, it is increasingly important for developers to review the agent’s work before making changes or deploying to production. To assist with this, Codex produces terminal logs and cites its tool calls and test results. While its code reviews reduce the risk of deploying model or human produced bugs to production, Codex should be treated as an additional reviewer and not a replacement for human reviews.

Cybersecurity capabilities can be used for both defense and offense, so we take an iterative deployment approach: learning from real-world use, updating safeguards, and preserving important defensive tools such as automated vulnerability scanning and remediation assistance.

Availability

GPT‑5.1-Codex-Max is available in Codex with ChatGPT Plus, Pro, Business, Edu, and Enterprise plans. For details on how usage limits work for your plan, please see our docs (opens in a new window).

For developers using Codex CLI via API key, we plan to make GPT‑5.1-Codex-Max available in the API soon.

Starting today, GPT‑5.1-Codex-Max will replace GPT‑5.1-Codex as the default model in Codex surfaces. Unlike GPT‑5.1, which is a general-purpose model, we recommend using GPT‑5.1-Codex-Max and the Codex family of models only for agentic coding tasks in Codex or Codex-like environments.

Conclusion

GPT‑5.1-Codex-Max shows how far models have come in sustaining long-horizon coding tasks, managing complex workflows, and producing high-quality implementations with far fewer tokens. We’ve seen the model combined with steady upgrades to our CLI, IDE extension, cloud integration, and code review tooling result in supercharged engineering productivity: internally, 95% of OpenAI engineers use Codex weekly, and these engineers ship roughly 70% more pull requests since adopting Codex. As we push the frontier of what agents are able to do, we’re excited to see what you'll build with them.

Appendix: Model evaluations

GPT‑5.1-Codex (high) vs GPT‑5.1-Codex-Max (xhigh) evaluations on SWE-bench Verified (n=500), SWE-Lancer IC SWE, and Terminal-Bench 2.0 show improved accuracy percentages for GPT‑5.1-Codex-Max (xhigh) over GPT‑5.1-Codex (high).

Original source Report a problem