Changelog

​

SDX moves into active maintenance until March 2029

• SDX continues to run. All your sites, policies, workflows, dashboards, scheduled scripts, and reports keep working exactly as they are today, with full active maintenance through March 2029. Bug fixes, security patches, RouterOS compatibility, and operational stability work continue throughout that window.
• No new feature work in SDX. New capability — AI Copilot improvements, new automation primitives, fleet operations features — is now landing in Altostrat Studio.
• Studio sits alongside SDX. Your existing SDX fleet is fully usable from Studio, and you can adopt Studio at your own pace.

​

What’s new

• AI Co-pilot diagnostic suite. New named prompts — Device Diagnostics, Fleet Health Dashboard, Investigate Fault, Security Audit, and Site Security Review — guide you through systematic diagnostics, root-cause analysis, and security audits across one device or your entire fleet.
• Conversational automation. Use the new Automate Task prompt to design event-driven workflows and generate RouterOS scripts from plain language.
• Configuration backup diffs. Generate a diff between any two Configuration Backups for change management, troubleshooting, and audit trails.
• Dynamic tag-based SLA report selection. Build SLA reports with tag rules (e.g. Location: New York OR Customer: Acme Corp) so new matching sites get included automatically as your network grows.
• Site grouping in SLA reports. Group sites by any tag and compute aggregated uptime — Average, Minimum, Maximum, or Redundancy — invaluable for multi-tenant MSP reporting.
• Recent workflow logs API. A new GET /api/workflows/logs/recent endpoint returns the most recent log entry for each workflow in your organization.

​

Improved

• Rebuilt SLA report scheduling infrastructure. A new cloud-native scheduler delivers scheduled reports more reliably as your reporting volume grows.
• Faster API across the board. Workflow run listings and filtered log queries are dramatically faster, with new database indexes accelerating frequently accessed queries throughout the platform.
• Transient Access supports CIDR. Grant temporary access to entire ranges (e.g. 192.168.1.0/24) instead of single IPs — handy for whole offices or VPN subnets.
• Smarter device product search. The MikroTik product catalog now understands complex product codes, identifies individual products inside hardware bundles, and matches against both names and model numbers.
• More reliable third-party integrations. Slack, Microsoft Teams, and similar workflow integrations are more robust under load and fail faster with clearer errors when an account’s authorization is revoked.
• Less event noise. Refined event detection eliminates spurious “device rebooted” events on normal check-ins, so genuine reboots stand out.

​

Fixed

• Workflow execution logs now display in chronological order.
• PDF download links for some historical SLA reports are no longer generated incorrectly.
• MikroTik product codes containing + are now searchable.
• Older manually created report schedules continue to work without migration.

​

What’s new

• CSV export from dashboard panels. Export the underlying time-series for any panel for offline analysis, audit, or custom visualizations.
• SLA reports auto-organized by year and month. Browsing report history is dramatically faster, especially for organizations with thousands of reports.
• New API endpoints list dashboards by folder and reports filtered by year and month.

​

Improved

• AI Co-pilot upgraded to a more capable model, with faster responses and more accurate suggestions for diagnostics, RouterOS scripts, and workflow automation.
• Dashboards adapt query resolution to the selected time window for faster, more predictable rendering.
• WAN failover priority changes now take effect more quickly and predictably.
• CSV exports use human-readable column headers and include a daily heartbeat point for each metric series.

​

Fixed

• Download links for some historical reports were incorrect after the move to hierarchical storage — now resolved.
• Fixed a Managed VPN route calculation edge case that could destabilize client connections under specific topologies.
• Site metadata used in SLA report calculations is now always read from the authoritative source.

​

What’s new

• Tags on RADIUS Users, Accounts, Containers, and Groups, plus Account Containers. A new API endpoint lists every Account Container with a given tag, making fleet segmentation and dynamic policies easier to build.
• Batched Managed VPN status reporting. VPN clients can report the state of multiple tunnels in a single API call, cutting overhead and speeding up failover synchronization.

​

Improved

• Faster BGP Threat Mitigation. The IP blocklist pipeline has been overhauled — threat feed updates apply substantially faster, even for very large lists, shrinking your exposure window.
• Managed VPN tunnels recover from outages faster, automatically clear related alerts on reconnect, and include workspace_id in auth responses for monitoring integrations.

​

Fixed

• API key creation and rotation are now reliable; an intermittent failure has been resolved.
• Duplicate IPs are no longer added to BGP threat mitigation blocklists.

​

What’s new

• Data quotas for user groups. Define per-group data allowances and apply progressive enforcement (throttle, redirect to a notification portal) once a user exceeds their quota. Maximum quota raised to 10TB.
• Conditional policy enforcement. Apply network access policies based on real-time user state, such as whether they’re within or over their quota.
• Remote session termination. A new API endpoint disconnects active user sessions, useful for incidents, policy violations, or troubleshooting. All admin disconnects are recorded in the Audit Log.

​

Improved

• Vulnerability scans can now run as often as weekly, up from a two-week minimum.
• Network access policies from multiple groups can be combined rather than overwritten — for example, routing rules from two groups can be merged for a user in both.
• User and group attribute API responses use a more consistent structure.

​

Fixed

• Restored the default upstream DNS resolvers that block malware and adult-content domains.
• Legacy SLA report schedules created before the new engine now load correctly, and the full historical report list is visible again.

​

Improved

• Customizable email notifications. Workflow and system emails support custom headings, preview text, personalized greetings, and call-to-action buttons.
• Per-item workflow error reporting. When a workflow processes multiple items and one fails, you now see exactly which item failed and why, instead of a single rolled-up error.
• Authentication realms can be created and modified without an initial group assignment.

​

Fixed

• Email notifications send reliably even when optional metadata fields are missing from the payload.
• Searching for an authentication realm by exact name now consistently returns a result.

​

Improved

• RADIUS authentication log retention extended from 4 to 24 hours, giving you a full day to investigate auth issues and access patterns.
• User search now indexes RADIUS reply attributes, so you can locate users by VLAN assignment, bandwidth policy, or other configured attributes.
• Custom metric labels accept a wider range of naming conventions and special characters.

​

Fixed

• System-managed labels (organization and workspace identifiers) are now always enforced on incoming metric data, keeping multi-tenant data properly isolated.

​

Improved

• Faster DNS Content Filtering deployments. Pushing policy changes to MikroTik routers is significantly quicker and more reliable, especially for large or complex policies.
• Site health metrics (CPU, memory, uptime) are collected more frequently for fresher visibility into fleet health.
• Upstream DNS resolvers are upgraded for better filtering accuracy and lower query latency.
• Dynamic DNS handling is more tolerant of brief outages, reducing false-positive alerts.
• The platform stats endpoint reports the total number of authentication realms, user details include a structured organizational path, and device details indicate auto-registration status.
• RADIUS log device identifiers are now consistent and parseable.

​

Fixed

• User account merges include additional safeguards to maintain data integrity through the cleanup process.

​

Improved

• Behind-the-scenes platform stability work — no user-visible changes this week.

​

Improved

• Behind-the-scenes platform stability work — no user-visible changes this week.

​

Improved

• Behind-the-scenes platform stability work — no user-visible changes this week.

​

Improved

• Behind-the-scenes platform stability work — no user-visible changes this week.

​

What’s new

• User preferences API. Store and retrieve per-user settings programmatically, useful for custom dashboards and saved report templates.

​

Improved

• Custom metric submissions no longer require an explicit timestamp, and metric names are normalized automatically.

​

Fixed

• SLA reports now complete even when a single MikroTik device returns incomplete data during collection.
• Tag-based SLA report schedules with multiple AND/OR rules now select the correct sites.

​

What’s new

• Redundancy uptime calculation in SLA reports. A group of sites counts as “online” if at least one is operational, useful for HA clusters and redundant VPN hubs.

​

Improved

• Dashboard graphs render more accurately when zoomed in, with query resolution adapting to the selected time range.
• Vulnerability scans handle large networks and slow links more gracefully.
• Managed VPN tunnel API responses now include a username field for monitoring integrations.
• Performance metric collection (CPU, memory, uptime) is more efficient.

​

Fixed

• Older SLA report schedules continue working without migration.
• Dashboard graph queries no longer fail at very tight zoom levels.
• In-progress vulnerability scans can now be stopped reliably.

​

Improved

• Dashboards now load in parallel rather than sequentially, with substantial speed gains across all panels.
• SLA report generation is faster, especially when WAN performance metrics are included.
• Vulnerability scan API responses are noticeably faster thanks to smarter caching.
• Automatic site geolocation. New sites have latitude, longitude, and timezone inferred from their public IP.
• WAN throughput in SLA reports is now consistently displayed in Mbps.
• Vulnerability scan control links remain valid for six hours, up from one.

​

Fixed

• Vulnerability scan schedules now respect organizational permissions and only show sites in your scope.
• WAN performance metrics (latency, jitter, packet loss) now appear reliably in SLA reports.

​

What’s new

• Metrics and dashboard API. Run custom queries against your time-series data, discover available metrics, and pull dashboard contents programmatically.
• Documentation search. A dedicated endpoint searches product docs and API references.
• Detailed network interface stats. SDX now collects per-interface traffic, error counters, link status, and uptime.
• Automatic logo onboarding. Your organization’s logo is detected from your email domain at signup.

​

Improved

• Vulnerability scan results include richer host info (manufacturer, standardized service names) and CVE entries now carry publication dates and reference links.
• AI-generated scan summaries handle very large vulnerability lists more reliably.
• Configuration deployments adapt to each device’s RouterOS version.

​

Fixed

• VPN configuration files and QR codes download reliably again.
• Hosts from different sites are no longer grouped together in scan results.
• Subscriptions with mixed monthly/yearly products can be edited without errors.

​

What’s new

• API key management for service accounts. Create, list, view, rotate, and delete keys for machine-to-machine integrations, with role-based permissions per key.
• AI Co-pilot diagnostic prompts. New guided prompts let you investigate active faults, check WAN connectivity, inspect Configuration Backups, and run safe read-only commands on MikroTik devices.
• Metrics query API. Run PromQL queries against your monitoring data with custom time ranges and resolution.
• Multi-currency billing. Organizations can now operate in their local currency.

​

Improved

• The AI Co-pilot is faster and routes requests intelligently between models, distinguishing inline autocomplete from full script generation.
• Recent fault lookups are dramatically faster, speeding up dashboards and monitoring integrations.
• Notification delivery (email, webhooks, Slack/Teams) is more reliable.

​

Fixed

• SLA report schedules created in older formats now load correctly.
• Workflows no longer fail when input data contains null bytes or other special characters.
• Notifications now send for sites that lack metadata tags.
• Closed an AI tool cache issue that could have leaked data between sessions.

​

What’s new

• Geolocation suggestions for onboarding. A new API returns appropriate currency and locale based on geographic location, useful for MSPs creating new customer organizations.
• Subscription status endpoint. Check programmatically whether an organization is on a paid plan or in trial.

​

Improved

• Subscriptions now accept custom metadata for CRM and billing integrations, and can be marked read-only to prevent edits to managed or white-label accounts.
• The invoice preview endpoint handles monthly and yearly intervals more accurately.
• Security Groups and Prefix Lists now auto-recover from transient sync errors, with clearer messages when intervention is needed.

​

Fixed

• AI Co-pilot conversations are more resilient to upstream model errors and recover more cleanly when issues occur.

​

What’s new

• @foreach loops in scheduled scripts. Generate repetitive RouterOS commands (firewall rules, BGP prefix lists, VLAN assignments) by iterating over a data list from a single template.
• Australia service region. Lower latency for Management VPN, API, and platform operations across Asia-Pacific.

​

Improved

• API responses, dashboard load times, and serverless cold-start times are noticeably faster across the platform.
• Prefix List changes now consistently trigger updates to the Security Groups that depend on them, with better handling of concurrent admin edits.
• Site reboot detection is more accurate, reducing false positives caused by brief network blips.
• Script templates can now declare variables without using all of them.

​

Fixed

• Configuration Backup downloads no longer occasionally produce invalid links.
• Concurrent Security Group edits from different sessions no longer collide.
• Generated firewall rules now produce correct accept actions and handle protocols without ports (ICMP, IGMP).

​

What’s new

• Security Groups and Prefix Lists. Define template-based stateful firewall rules and reusable IP/subnet collections, then apply them consistently across your MikroTik fleet. Reference endpoints help you discover supported protocols and services.
• WAN performance breakdowns in SLA reports. Sites that breach uptime now include a per-WAN section with uptime percentage, ISP, fault count, and downtime totals.

​

Improved

• Site list loading and device check-in processing are noticeably faster.
• The SLA report engine has been rebuilt for more reliable, accurate generation.
• Dynamic DNS updates are more efficient and consistent for sites with frequently changing IPs.
• Security Group rule validation now provides clearer feedback during configuration.

​

Fixed

• Tag-based SLA reports no longer show incorrect site counts in their summaries.
• Grouped-site SLA reports now generate reliably.

​

What’s new

• PDF SLA reports with downtime root-cause analysis. Multi-page reports cover uptime, performance against targets, and incident logs categorized by Power, Network, or Device cause.
• On-demand vulnerability scans against IP lists. Target specific addresses without scanning entire subnets, ideal for validating patches or checking new devices before rollout.
• “Resource Has Tags” workflow condition. Branch automation logic on whether a site or device has specific tag keys, values, or counts.

​

Improved

• Breached sites now appear at the top of SLA reports, with clickable links from the executive summary down to incident details.
• Workflow synchronous timeouts increased from 15 to 30 seconds.
• Workflow test triggers now use your input schema as the sample payload.
• Recent Sites loads noticeably faster.
• Dynamic DNS updates for Managed VPN failover propagate more quickly.

​

Fixed

• PDF SLA reports now show full site detail for grouped sites, the correct organization logo, and accurate WAN interface data in incident logs.
• A site’s “last seen from” IP now consistently reflects the most recent device communication.

​

What’s new

• Tag management API. Create, update, and delete metadata tags programmatically, and query every resource sharing a given key:value pair (for example, all sites with Region:Europe).
• Tag-based SLA reporting. Define a report once with tag rules (like Priority:High); new sites matching the criteria are picked up automatically.
• Site grouping and aggregated metrics in SLA reports. Group sites by tag and view average, minimum, or maximum uptime for each group.
• RADIUS authentication logs in the API. Pull detailed auth and authorization events for NAS devices and user accounts.

​

Improved

• Global search now covers Sites (name, address, IP, MikroTik model), Policies, Managed VPN instances, Notification Groups, Captive Portals, Workflows, and all schedule types, with typo tolerance and relevance scoring.
• SLA report generation is faster, especially for reports spanning many sites with long incident histories.
• Tag values are now case-normalized to prevent accidental duplicates like “new york” vs “New York”.
• Workflows hitting Slack, Microsoft Teams, and webhooks now refresh tokens and retry intelligently on failure.

​

Fixed

• Sites with multiple matching tags are no longer duplicated across groups in the same SLA report.
• Search indexing for MikroTik hardware details and scheduled script metadata is corrected.

​

What’s new

• Custom organization branding. New API endpoints let you set your organization’s display name, logo, and brand colors for a consistent in-product experience.
• RadSec with automated Certificate Authority. SDX now generates and manages RadSec client certificates for new devices, simplifying secure RADIUS-over-TLS deployments.
• EAP support for WPA2/3-Enterprise. RADIUS now supports EAP for enterprise wireless authentication.

​

Improved

• Invoices now show clearer breakdowns for subtotal, taxes, and discounts, with safer handling of payment methods.
• Schedule processing is faster and more reliable for accounts with many schedules.
• WAN tunnel offline detection is more responsive.

​

Fixed

• Schedules with Sunday time slots now activate correctly.
• You can remove an organization’s profile picture again, and concurrent edits to organization limits no longer overwrite each other.
• Coupon PDF generation no longer fails for very large coupon batches.

​

What’s new

• Bulk CSV import for Users, Groups, and NAS devices. Upload a CSV, preview the contents, do a dry run, and download a failure log if rows don’t import. Handles files with 300,000+ rows and supports tags and custom RADIUS attributes.
• Metered usage history API. Pull aggregated usage for billing event types (like sms_messages) over any date range, grouped by day or hour.
• MS-CHAPv2 authentication. RADIUS now accepts MS-CHAPv2 alongside CHAP.

​

Improved

• The workflow Array Filter node now supports nested AND/OR logic and can either include or exclude matching items.
• SSH workflow action errors are more descriptive, making connection issues easier to diagnose.
• Incident end times in PDF reports now respect the report’s configured timezone.

​

Fixed

• A workflow validation bug that could prevent one workflow from triggering another is resolved.
• The Iterator node now passes data correctly when it triggers a downstream workflow.
• NAS log timestamps are accurate again.

​

What’s new

• SSH and SMTP workflow nodes. Workflows can now run shell commands on remote servers (with key or password auth from Vault) and send email through any SMTP server, with attachments and custom headers.
• CHAP authentication for RADIUS. RADIUS now accepts CHAP, broadening compatibility with legacy network gear.
• Transient Access auditing. Each Transient Access session now records which user created it, visible in session details via the API.
• Reseller directory API. A new endpoint returns paginated MikroTik reseller listings with location, contact details, and country filters.

​

Improved

• Notification groups now support up to 800 sites, up from 200.
• Listing Transient Access sessions now includes expired sessions for a full historical record.
• API error messages for auth and SMTP actions are more descriptive, and 401 Unauthorized responses are standardized.
• Cursor-based pagination is now available on key list endpoints.

​

Fixed

• Deleting a user now reliably removes all associated group memberships and related data.
• Group membership listings no longer return slow or incomplete results.

​

What’s new

• Fault Management API. Programmatically create, update, comment on, and delete faults for tighter integration with your monitoring and response workflows.

​

Improved

• DNS policy lists tripled. Custom DNS allow/blocklists now hold up to 150 domains, up from 50.
• Fewer false-positive WAN offline alerts. A WAN tunnel must now be unreachable for 5 minutes (up from 3) before triggering an offline alert.
• Wider device support. Lowered the minimum RouterOS to 6.47 (ROS6) and 7.8 (ROS7).
• Faster queries for recent and unresolved faults; site created_at timestamps are now ISO 8601.
• Stricter permission checks on API endpoints — unauthorized calls now correctly return 403.

​

Fixed

• Resolved an issue where alert notifications were not being delivered to channels like Slack.
• Fault Management API now accepts fault IDs with or without the flt_ prefix, and always includes the comments field in responses.

​

What’s new

• Real-time custom dashboards. Build interactive dashboards with live widgets for your MikroTik fleet, with widgets that can trigger workflows — built for NOC displays and proactive monitoring.
• MSP organization branding. Customize display names, colors, and login hints, and use new public endpoints to build fully white-labeled login experiences for clients.
• Expanded workflow actions. New actions for filtering arrays, transforming dates, validating structures, generating random strings/passwords/UUIDs, generating WireGuard keys, and looking up IPv4 details — all directly inside a workflow.
• Multi-button forms with conditional fields. Approval workflows can now have multiple action buttons (“Approve”, “Reject”) that route down different branches, with fields that show or hide based on user input.
• Fault data CSV export. Export historical fault data for offline analysis, compliance reporting, and trend analysis.

​

Improved

• Fault history extended to 14 months. Up from 90 days, with fault filtering by type (site, device, service) and faster queries.
• Better Captive Portal client connectivity detection (including Windows OS) so guests reliably see the portal.
• Hardened deletion process for sites and Managed VPN instances to prevent orphaned resources.

​

Fixed

• Site-specific details and links are now included in alert notifications.
• Cached site data no longer persists after a site is deleted.
• Date range filters now apply correctly when querying site-specific faults.

​

What’s new

• Workflows as serverless APIs. Turn a workflow into a real-time HTTP endpoint that accepts requests and returns responses — ideal for ticketing system, monitoring, and external platform integrations. Secure each endpoint with API keys or a custom JWT authorizer.
• Interactive forms and approval gates. Build multi-step workflows with user approval steps for change management, provisioning, and onboarding.
• Workflow run resume. Restart a failed workflow run from any successful checkpoint instead of starting over.
• Multi-channel Notification API. Send email and WhatsApp notifications to addresses, phone numbers, or tagged user groups, including emails with attachments.
• Reusable script templates. Build a central library of MikroTik RouterOS scripts you can reuse across deployments, kept private to your organization or shared publicly.
• SOAP request action. Workflows can now call SOAP endpoints for legacy network management and billing integrations.

​

Improved

• Liquid templating is now available across all workflow nodes for richer conditional logic and data transformation.
• Granular workflow error handling lets you treat expected errors (like a 404) differently from critical ones.
• Faster network interface graphs and device statistics queries over long time ranges.
• Backend event processing now triggers workflows nearly instantaneously.

​

Fixed

• Corrected timestamp display on aggregated performance graphs.

​

What’s new

• 30 days of fault history and historical device stats. Pull fault history and CPU, memory, and uptime data over arbitrary date ranges — useful for capacity planning, SLA reporting, and identifying recurring issues.
• wan.packet_loss_started and wan.packet_loss_resolved workflow events. Trigger custom automations on WAN quality changes, like failing over to a backup link or opening a ticket.
• Fleet-wide tunnel inventory API. Retrieve all configured WAN tunnels across your network in a single call for compliance audits and configuration review.

​

Improved

• Dashboard charts render significantly faster, especially over longer time ranges.
• More accurate WAN tunnel status detection, with packet loss notifications now including the specific tunnel ID for faster troubleshooting.

​

Fixed

• Corrected timestamps in aggregated chart data.

​

What’s new

• Workflow chaining. Trigger workflows from other workflows to build modular, reusable automations — for example, a “Provision VPN” workflow called by a higher-level onboarding flow. A new API endpoint lists triggerable workflows.
• Real-time site and tunnel events. Site online/offline and WAN tunnel online/offline now fire as workflow triggers, so you can automate incident response the moment status changes.
• Proactive WAN packet loss alerts. SDX now detects when packet loss on a WAN tunnel exceeds critical thresholds and notifies you immediately.

​

Improved

• Dependency protection blocks deletion of workflows referenced by other workflows, and circular dependency detection prevents infinite loops.
• Workflow test editor now ships with sample event data for faster authoring of event-driven flows.
• Tunnel API responses now include external IP addresses for each WAN link.

​

Fixed

• Resolved a critical issue that prevented event-triggered workflows from executing.
• Fixed packet loss alert delivery configuration and notification delays for newly created sites.
• Deleted sites no longer linger in site lists.

​

What’s new

• Scheduled Script email notifications. Get email alerts when a scheduled script needs authorization, starts, or finishes — important for audit trails.
• Workflow date filters. New carbon_date and carbon_condition Liquid filters let workflows parse, format, and compare dates with helpers like is_today and within_7_days.
• Human-readable workflow schedules. Scheduled workflows now show their next run in plain language (“in 5 minutes”, “tomorrow”).

​

Improved

• Email notifications now retry on temporary failures, dramatically improving delivery reliability for alerts and compliance traffic.
• Scheduled script alerts are now sent over both email and your primary notification channel for redundancy.
• Wider date format support and more accurate next-run calculation in workflow schedule triggers.

​

Fixed

• Scheduled script authorization emails now use the correct URLs and templates and deliver reliably.
• Fixed inaccurate workflow run duration reporting and resolved special-character handling in workflow JSON payloads.

​

What’s new

• More email notifications. Get notified for vulnerability scan start/completion, scheduled SLA report delivery, individual WAN interface up/down events, Captive Portal coupon generation (with PDF attached), and Managed VPN credential creation.
• Bulk Configuration Backup API. Retrieve the latest backup for up to 50 sites in a single POST /api/backups/latest call — much faster for compliance and DR validation.

​

Improved

• Single IP addresses entered in Firewall Trusted Networks are now auto-converted to CIDR (10.0.0.1 becomes 10.0.0.1/32).
• Key metrics endpoints accept GET as well as POST for conventional retrieval.

​

Fixed

• Pagination status now reports correctly on filtered API responses.
• Corrected the Captive Portal coupon notification email subject and template.
• Improved clarity of the “WAN Interface Down” alert subject line.

​

What’s new

• Advanced audit log filtering. Filter audit logs by HTTP status category, method, or individual user, and see enriched entries with display names and emails — useful for security investigations and compliance audits.
• Proactive billing checks. SDX now validates subscription health before service access and surfaces guidance to resolve issues before they cause interruptions.

​

Improved

• Captive Portal sessions up to 7 days. Maximum session duration extended from 24 hours to 7 days for hotels, conferences, and long-term guest access.
• 95% faster audit searches. Filtered audit log queries now return near-instantly.
• Dashboard throughput, data-transfer, and MAC vendor endpoints now support both GET and POST.

​

Fixed

• Device re-registration no longer consumes an extra license seat.
• Corrected Managed VPN peer seat counting for accurate billing.
• Captive Portal custom assets (logos, icons) now load reliably, and portal preview URLs use the production domain.
• Fixed organization profile picture clearing and audit log date-range accuracy.

​

What’s new

• Usage reporting and exports. Export per-organization resource consumption to CSV or PDF for client billing, capacity planning, and compliance.
• Flexible resource limits. Set “unlimited,” “deny” (zero), or a specific number per organization, with SSO now tracked as a manageable resource alongside devices, VPNs, and sites.
• Automatic site resource accounting. SDX now verifies seat availability before adopting a device and releases resources when a site is deleted.

​

Improved

• New organizations created via the API automatically receive default user roles and authentication connections.
• More accurate user-count tracking for Managed VPN instances against subscription limits.
• Comprehensive checks prevent setting resource configurations that exceed subscription, parent, or current usage limits.

​

Fixed

• Corrected user seat increment/decrement logic for accurate subscription tracking.
• Available capacity calculations now reflect organization hierarchy correctly.

​

What’s new

• Expanded payment methods. Billing now supports US ACH, AU BECS, SEPA Direct Debit, PayPal, and Link — important for international MSPs.
• Detailed invoice previews. Previews now show line items, taxes, and discounts so you can reconcile against client billing before charges land.
• Organization resource usage API. Retrieve current usage and configured limits per organization for capacity planning and quota management.
• Organization branding. Upload custom logos and profile pictures for white-label MSP portals.

​

Improved

• Standardized JSON shape and pagination across list endpoints.
• You can no longer accidentally delete the only payment method on a billing account, or lock yourself out by demoting the sole workspace owner.
• Billing account creation auto-fills the address from IP geolocation when you don’t provide one.

​

Fixed

• Resource limit enforcement now correctly respects subscription, organization, and parent-org limits when adding resources.
• trialing and past_due subscriptions are now included in total quantity calculations.
• Invoice endpoints consistently return arrays for line items.

​

What’s new

• Hierarchical organizations. Build nested parent/child organization structures with per-org limits on user seats, sites, and storage — ideal for MSPs with multiple clients under one account.
• Workspace member roles over the API. Assign and modify Owner, Admin, and Viewer roles programmatically, backed by consistent role-based authorization across resources.
• Bulk MAC vendor lookup. Look up manufacturer info for up to 50 MAC addresses in a single request — handy for network discovery and inventory.

​

Improved

• Stronger input validation across Workspaces, Organizations, and billing accounts gives clearer errors and more predictable behavior.
• Transient port API responses now include the management server IP.

​

Fixed

• Corrected Managed VPN peer seat checks so subscription limits apply accurately.
• Fixed organization hierarchy data parsing.

​

What’s new

• Reports go to notification groups. Scheduled SLA and other reports can now be delivered to notification groups instead of individual recipients, simplifying multi-stakeholder distribution for MSPs.

​

Improved

• Faster site validation when creating or updating scheduled scripts.

​

What’s new

• Aggregated network performance APIs. New endpoints return fleet-wide throughput (bps) and total data transferred (bytes) across sites or site groups, with flexible time windows — built for capacity planning, NOC dashboards, and bandwidth billing.

​

Improved

• All API responses (reports, security scans, access, faults, Configuration Backups) now use ISO 8601 timestamps for easier integration.
• Site serial numbers are now included in minimal API responses.
• Configuration Backup listings now include a created_at field.

​

Fixed

• The Faults API now correctly returns null for unresolved faults instead of erroring on a missing resolution timestamp.

​

Improved

• Faster interface graphs. Network interface graphs and reports load significantly faster — useful for NOC displays and live monitoring.
• Quicker initial config for newly provisioned MikroTik devices.
• More responsive notification group create/update/detail views.
• Adjusted the daily Configuration Backup schedule for better resource use.

​

Fixed

• Managed VPN client config files and QR code downloads now generate correctly.
• Corrected CORS rules so front-end apps can reach the API cleanly.
• Fixed broken deployment management links in device setup scripts.

​

Improved

• Faster device provisioning. Initial setup for new and reset MikroTik devices is now noticeably quicker.
• Site offline/online and WAN tunnel alerts now include explicit UTC timestamps, removing timezone ambiguity for distributed teams.
• Tighter validation of subscription limits during device provisioning prevents accidental seat overages.

​

Fixed

• Deployment management links after device adoption now correctly open the device overview page.
• Notification delivery no longer errors out when a recipient is invalid.

​

What’s new

• WhatsApp notifications. You can now send notification group alerts over WhatsApp — ideal for on-call engineers who need mobile-first delivery. WhatsApp replaces SMS for new and updated groups.

​

Improved

• Notification group recipients are now validated in real time against the user directory, so only active users appear.
• Creating or updating a group now requires explicitly choosing the recipient and channel, preventing silent misconfigurations.
• Faster, more reliable site provisioning when checking seat availability against billing.

​

Fixed

• Resolved false-positive “invalid recipient” errors when configuring notification groups.

​

What’s new

• Team management. Add, invite, and remove team members, and define custom roles with specific permissions — built for MSPs managing technician access across multiple clients.
• Self-service MFA. Users can enable MFA, regenerate recovery codes, or remove MFA from their own account.
• Login with organization context. Login now remembers your organization and supports return URLs for faster multi-tenant access.

​

Improved

• Notification groups now validate recipients against the active user list, so alerts no longer fail because of stale members.
• Team listings are now paginated and include richer user details over the API.

​

Fixed

• Corrected MFA status and login permission flags shown in user details.

​

What’s new

• Auth0 for Captive Portals. You can now configure Auth0 as an OAuth2 identity provider on Captive Portal instances, useful for hotels, universities, and enterprises with existing Auth0 SSO.

​

Improved

• Behind-the-scenes platform updates across reporting, metrics, and admin services for better stability and performance.

​

Improved

• Faster vulnerability views by device. Significantly quicker performance when reviewing security findings across multiple scans and the full fleet.
• Better AI mitigation guidance. An updated model delivers more relevant remediation steps for identified vulnerabilities.
• Smoother API integrations. Improved CORS handling for clients calling the API from diverse environments.

​

Fixed

• Vulnerabilities are grouped correctly across multiple scans and hosts.
• API-initiated Configuration Backups no longer fail, so automated backup workflows run reliably.

​

What’s new

• Bulk vulnerability scan API. Pull vulnerability data for many MikroTik devices in a single request, streamlining security monitoring across large fleets.

​

Improved

• Faster traffic reports. DNS Content Filtering and BGP Threat Mitigation traffic reports load noticeably faster, now showing the last 24 hours for quicker incident review.
• Consistent timestamps in vulnerability responses to simplify parsing in security automation.

​

Fixed

• Date formatting in vulnerability API responses is now consistent.

​

Improved

• Login redirect from the root URL. The main web URL now sends you straight to the login page.
• Longer background task windows. Increased execution time for background jobs prevents long-running operations from being cut short.

​

Fixed

• Transient access and port forwards behave consistently under edge-case conditions.
• BGP Threat Mitigation blocklist updates apply correctly so active threats are filtered as expected.

​

Improved

• More reliable reports and notifications. SLA report data collection retries on failure and email delivery is rate-limited for steadier throughput.
• Foundational platform upgrades. Core framework and language updates lay groundwork for future features and improve baseline performance.

​

Fixed

• Device heartbeat processing now reports accurate online/offline status for monitoring and alerting.

​

Improved

• Cascading cleanup on deletion. Deleting a user removes them from notification groups and Managed VPN configurations; deleting a site cleans up Captive Portal config, scan schedules, and device configuration in one pass.
• Faster SLA report generation. Multi-site reports build more quickly and reliably.
• Vulnerability scan rate limits. API-triggered scans are capped at one per 24 hours per schedule, and recurring scheduled scans require a minimum two-week interval — preventing accidental over-scanning.

​

Fixed

• SLA report PDFs now show the correct site incident downtime cause.
• Site API credential retrieval no longer fails intermittently.

​

What’s new

• Fleet-wide vulnerability view. A new endpoint returns every device with vulnerabilities across recent scans, plus summary stats — useful for executive dashboards and fleet-wide risk assessment.

​

Improved

• Faster Managed VPN credential fetching and higher API request limits to support heavier integration use.
• Better AI mitigation formatting. Remediation guidance is more readable and actionable.
• More reliable DNS Content Filtering. Category-based filtering processes more consistently.

​

What’s new

• Per-device vulnerability status. Mark individual CVEs on a device as Accepted or Mitigated to track remediation progress and document risk decisions for audits.
• AI remediation guidance. Pull AI-generated mitigation steps for a specific vulnerability to accelerate response.
• Compliance framework mapping. Vulnerability detail now lists relevant frameworks (PCI-DSS, HIPAA, GDPR, SOC2, ISO 27001, NIST) for compliance reporting.
• Shareable Captive Portal coupon links. Generate a unique link for a valid coupon to hand out without giving the recipient API access.

​

Improved

• Severity filtering on device vulnerabilities. Filter by CVSS score so the most critical issues are easy to focus on.
• Cleaner vulnerability API responses. Findings are grouped by CVE ID, with consistent ISO 8601 timestamps across the API.

​

What’s new

• Captive Portal coupon system. Create coupon codes with custom rules, schedule recurring bulk generation, generate batches on demand for events, track usage, share secure temporary links, and print physical coupon sheets as PDFs.
• Dynamic DNS for Managed VPN tunnels. Each tunnel gets a stable hostname that automatically follows public IP changes, simplifying remote access.
• Richer outage alert emails. Network outage and coupon batch emails now include more context and direct download links.

​

Improved

• Consistent coupon sessions. Coupon-based access honors the portal’s configured session duration.
• Reliable bulk coupon generation. Large scheduled batches generate cleanly even at high volume.

​

Fixed

• Expired coupons no longer appear in active coupon API responses.
• Coupon batches retain their schedule association and PDF download permissions.

​

What’s new

• Captive Portal session API. Programmatically list and filter active guest sessions to power custom reporting, billing integrations, and automated session management.
• Targeted vulnerability scans. Trigger an on-demand scan against one or more IPs inside a site, without running a full network scan.
• Historical device vulnerability lookup. Query past findings for a device by MAC address to track remediation progress over time.

​

Improved

• Better setup validation. Captive Portal and Managed VPN setup return more precise feedback when configuration is invalid.
• Smoother guest authentication flow. Network checks and authentication redirects are more reliable.

​

Fixed

• Captive Portal API no longer forces immediate site association during instance creation.
• ARP data is properly cleaned up when Managed VPN tunnels are decommissioned.

​

What’s new

• ARP group API. Create, view, update, and delete ARP groups inside a site to organize network devices by department, location, or tenant.

​

Improved

• More reliable data collection. Better handling of timeouts and intermittent connectivity for SNMP and WAN tunnel performance stats means more complete monitoring data.
• Vulnerability scan watchdog. Stuck scans are now detected and terminated automatically, keeping the scanning service healthy.
• Sorted scan history. Vulnerability scan lists default to most-recent-first.
• Reliable Dynamic DNS. Hostname updates hold up better when device public IPs change.

​

Fixed

• You can now remove the final site from a Captive Portal instance.
• ARP entries clean up correctly when sites are deleted.

​

Improved

• Much faster SLA report loading. Significant performance gains on report libraries with consistent sorting and pagination.
• Reliable firewall updates on Managed VPN. Adding or removing tunnels now updates filtering rules correctly without manual cleanup.
• Clearer connection errors. Better error messages when fetching details for offline tunnels.

​

Fixed

• Initial setup now completes reliably on freshly connected MikroTik devices.
• Configuration Backup uploads no longer fail intermittently.

​

Improved

• SLA reports default to newest-first. Fresh client reports are at the top of the list, and the list itself loads faster.
• More accurate DNS Content Filtering. Specific domain rules inside broader categories now apply exactly as configured.

​

Fixed

• SLA report generation no longer fails under specific data conditions.

​

Improved

• Faster site and report lists. Caching improvements make site lists and SLA report schedules noticeably quicker, especially when you manage dozens of sites.
• Accurate backup timestamps. Configuration Backup lists now show real creation time with reliable sorting.
• License enforcement on adoption. Adopting sites via runbook now respects your seat limits, preventing accidental overages.

​

Fixed

• Site provisioning reliably finishes critical setup steps, including network address assignment and firewall policy application.
• Recent sites list refreshes properly for all users.
• Subnet detection in Configuration Backups no longer includes internal management lines.

​

Improved

• More resilient data collection. Background metrics keep flowing even when sites have intermittent connectivity.
• Faster scan feedback. Stuck vulnerability scans are detected and surfaced more quickly.
• More reliable Managed VPN provisioning. New tunnels come up cleanly on first attempt.

​

Fixed

• Site provisioning now reliably completes the automatic setup steps for new MikroTik devices.
• WAN ping statistics use the correct timezone and render data points correctly on graphs.
• Manual vulnerability scan termination works again, and OpenVPN peer connection issues on Managed VPN are resolved.
• Configuration Backup file dates respect timezone correctly.

​

Improved

• Faster vulnerability scans. Per-site scans start more quickly and scan results come back more reliably.
• Cleaner email notifications. Refreshed branding and consistent links across alert and report emails.
• Richer site API. Site responses now include device architecture and hardware hash for inventory work, and exclude internal management subnets from subnet lists.

​

Fixed

• Shared SLA report links are accessible again for stakeholders.
• Managed VPN no longer assigns duplicate tunnel IPs during site setup.
• Vulnerability scan completion emails point to the correct report.

​

Breaking change

• SLA report schedule API. GET /sla/schedules/{id} no longer returns recipients; use notification_group instead.

​

Improved

• Faster site data. Site lists and details load noticeably quicker across the dashboard and API.
• Smoother device adoption. Adoption now avoids configuration conflicts on MikroTik devices that already have scheduled tasks.
• Sorted Configuration Backups. Backup lists default to newest-first, so the most recent recovery point is always at the top.

​

Fixed

• Configuration Backup timestamps now show the actual creation time instead of the filesystem modification time.
• Real-time notifications no longer go to inactive recipients.

​

What’s new

• Automated daily Configuration Backups. Every online site now gets a daily backup, giving you regular recovery points for disaster recovery and compliance.
• Device health monitoring. Track online/offline status, CPU, memory, disk, and uptime in real time across your fleet.
• Automatic site geo-location. Sites pick up their address and timezone from the device IP, so you don’t have to enter them by hand.
• CVE notification topic. Subscribe teams to vulnerability scan results through the standard notification groups.
• Auto-expiring transient access. Temporary WinBox/SSH credentials and port forwards now expire automatically, so forgotten access doesn’t linger.

​

Fixed

• SLA report generation no longer fails on scheduled runs and report schedules save reliably.
• Configuration Backup uploads land at the correct path, and notification group settings persist correctly.

​

What’s new

• Live device status across the fleet. Online/offline tracking for every MikroTik device is now active across SDX, giving you instant fleet visibility.
• Performance metrics activated. CPU, memory, uptime, and disk metrics now flow into SDX with historical trending for capacity and reliability planning.

​

Improved

• Smoother device adoption. The bootstrap flow and initial connectivity verification are more reliable.
• Transient WinBox/SSH credentials and port forwards now apply consistently across management servers and respect their expiration.
• Configuration Backup uploads land more reliably in secure storage.

​

Fixed

• Resolved metric ingestion and processing issues that were causing gaps in performance data.
• Backup retrieval no longer fails on rare site-permission edge cases.

​

Improved

• Behind-the-scenes platform stability work, including more reliable Static IP / RADIUS credential synchronization — no user-visible changes this week.

​

Improved

• Faster Managed VPN provisioning. Server provisioning and teardown are quicker and more reliable.
• More efficient DNS and BGP filter generation. Configuration generation for DNS Content Filtering and BGP Threat Mitigation rules is more consistent.

​

What’s new

• Aggregated WAN statistics API. A new endpoint returns latency, packet loss, and jitter aggregated across multiple WAN tunnels for consolidated network performance views.
• BGP and DNS analytics. Initial reporting on BGP traffic (top sources, top ports, blocklist hits) and DNS queries (top applications, categories, sources).

​

Improved

• WAN graphs now visualize collection gaps clearly — periods with missing data over 5 minutes show as 100% packet loss rather than appearing as silent dropouts.

​

Improved

• Behind-the-scenes platform stability work across authentication, device management, monitoring, and notifications — no user-visible changes this week.

​

Improved

• Vulnerability scan reporting. The full lifecycle is now in production — scans process to completion and produce JSON and PDF reports with notifications on delivery.
• SLA reports as PDF and JSON. End-to-end report generation pulls from fault tracking, metrics, and schedules with notifications when reports are ready.

​

What’s new

• Vulnerability scanning. SDX now runs scheduled or on-demand CVE scans against your sites, generates PDF reports, and notifies you when scans complete. Findings are enriched with MAC vendor data, service names, and CVE references from Vulners and MITRE.

​

What’s new

• Notification groups. Build flexible groups linking users, sites, and event topics, with per-recipient channel preferences (email, WhatsApp).
• Scheduled SLA reports. Schedule daily, weekly, or monthly SLA reports delivered as PDF and JSON.
• MikroTik product catalog. Hardware specs and compatibility data are now exposed via API.

​

Fixed

• Organization site counts correctly reflect zero when all team sites are removed.

​

What’s new

• Captive Portal. Full guest-network control with OAuth2 sign-in, coupon-based access, instance management, and Walled Garden rules.
• DNS Content Filtering. Apply DNS-level content filtering to a site through a managed policy.
• BGP Threat Mitigation. Block known-bad IPs at the routing layer with BGP blackholing.
• Static IP Management. Allocate static IPs to subscribers with RADIUS auth and PTR records.
• Developer API. Programmatic platform control with authenticated command execution and asynchronous job dispatch.

​

Improved

• Stricter Walled Garden validation ensures IPs and ranges fall within their network instance subnet.

​

What’s new

• Network Inventory. SDX now tracks devices on each site’s network from the router’s ARP, DHCP, and CDP tables, giving you fleet-wide device visibility without extra agents.
• Scheduled Scripts. A scripting framework with variable injection runs RouterOS commands on a schedule for repeat maintenance and config drift correction.
• Configuration Backup. Daily MikroTik backups land in secure cloud storage with API access for retrieval.
• Slack via webhooks. Forward platform notifications to Slack to keep your team in the loop.

​

What’s new

• Altostrat SDX is live. The platform launches with end-to-end MikroTik fleet management — site adoption, heartbeat monitoring, queued device jobs, and live management access through outbound tunnels.
• Identity, organizations, and billing. Sign-in with users, organizations, and teams; API tokens; and a billing account, all under a single identity layer.
• Notifications. Multi-channel alert delivery over email, WhatsApp, and real-time websockets so on-call engineers see incidents the moment they happen.
• Networking foundations. Managed VPN (WireGuard and OpenVPN), WAN failover, and Static IP with RADIUS-integrated allocation.
• Monitoring foundations. SNMP, ping, and syslog collection with query APIs, plus centralized log search and fault tracking.