New ASM Features and Improvements | November 2025
Oliver Sanders
5 December 2025
Throughout April the engineering team were as busy as always, working on a range of updates to Hexiosec ASM, which include improvements to our web application, scan processing, system metrics and testing. To hear about a couple of the features we’ve released in the last month, as well as a couple of other topics, please read on:
This month I will cover:
When you’re reviewing your scan results and any changes, we want to make it as easy as possible for you to understand what’s changed. You may be reviewing historical changes or you may be reviewing the latest changes prompted by an email notification.
The email notification includes a link to the Changes page in Hexiosec ASM, filtered for the relevant changes. For any changes which result in new or removed risks, we’ve added a context menu on the Changes page which links directly to the related Action, and if the risk is new, another option is available to link to the specific risk on the Risks page.

The action link takes you directly to the details of that specific action.

The risks link takes you to a filtered view on the risks page, which makes use of the existing “Source” filter on the risks page. The source filter is a handy way to filter for all risks relating to a specific domain.

Both these new links navigate to pages relating to the specific action or risk for the selected change. This differs from the existing link under the Change column, which takes you to the risk’s Explore page, which is common to all risks of this type. This existing link is absolutely still useful if you want to see the provenance of a risk type across a scan, e.g. all expired certificates in a scan.

Later this month we’re making a further update to this feature for web page related risks, which will also allow you to navigate to the Web Presence page for the source of that risk. Watch this space for more details.
Content Security Policies (CSP) help prevent or minimize the risk of security threats. It sets policies for website code run by a browser, and what it can do. A primary aim of a CSP is to prevent cross-site scripting (XSS) attacks, where an attacker may inject malicious code into a website. Hexiosec ASM already checks websites for the presence of CSPs, and if there is a CSP defined we check this for the recommended configuration.
Typically the CSP for a website is defined in the Content Security Policy response header. However sometimes it isn’t possible or practical to define the CSP here, such as if the website is hosted by an external provider (such as a CDN) who don’t support a CSP. In this instance the CSP can be defined in the http-equiv attribute in your website meta element. The update is that ASM now checks the http-equiv attribute for a CSP as well.
This change went live on the 24th March 2025 (11:03 BST to be precise), and if you’ve had any scans run since then you may have seen a change in results. If you are using the http-equiv attribute for CSPs:
http-equiv attribute, if any configuration is not recommendedOn the Risks charts in the app, we have added a notation to help you clearly see any risk changes relating to this update.

You can also use the Changes page to view any added or removed CSP risks for the iteration after 11:03 BST on the 24th March.
Blink and you might have missed it, but halfway through April you may have seen the news that the Cybersecurity and Infrastructure Security Agency’s (CISA) funding for the CVE programme was about to be cut. The news broke on the 15th April and by midnight the next day all access to the CVE data may have been suspended. It wasn’t clear what state this was going to leave the CVE database in, or what the future held for the programme in general. Cue much online speculation.
Long story short there was a last minute reprieve, and funding was secured for at least 11 months. The CVE programme lives on and updates continue to be available. Hexiosec continue to watch for any updates, and indeed news about the new CVE Foundation.
A strength of Hexiosec ASM is that data we gather, including our own workers, is stored and analysed within Hexiosec ASM. This is also true for CVE data. On a daily basis Hexiosec ASM will pull the latest CVE updates from NIST’s National Vulnerability Database (NVD). If access to the NVD had been cut;
Once a scan has run, your scan results are secure, no matter the state of any external data source. We pride ourselves in the reliability of Hexiosec ASM, and a key part of this is having redundancies in place for external data sources. For many asset results, we will have multiple ways to gather data. This is harder with something like NIST’s NVD, which is a unique vulnerability resource used across the cyber security industry. This uniqueness is why we will continue to watch this news, and if necessary will take steps to ensure the results we produce continue to help you secure your public infrastructure.
Also don’t forget, CVEs are only part of the story when it come to the security of your attack surface, alongside email, network and website configurations. Hexiosec ASM continues to include checks across all these risk categories.
This month I also wanted to highlight another one of our security products, which is our end-to-end encrypted secure file transfer tool, Hexiosec Transfer.
Our engineering team have also been working hard on adding great new features to Hexiosec Transfer, and have recently updated the existing file sharing request feature. Transfer now supports multi-use sharing requests, meaning users can use the shared link multiple times. Read all about this in Rich’s blog.
We’re starting work on some significant features this month, which include: