Continuous Coverage Expansion - January 2026 Update

Enhancements to Bitsight’s asset discovery will deliver greater visibility into Bitsight customers’ attack surface, improve exposure detection and risk reduction.

For new findings resulting from the continuous coverage expansion, the incubation period allows time to:

• Analyze: Prioritize the new findings, identify owners, and actions.
• Remediate: Fix new negative findings during the incubation period to prevent similar future issues from affecting the rating

This Continuous Coverage Expansion release covers the following features:

• IPv6 Expansion: Expanding attack surface for Groma scans by an initial step of close to 25M IPv6 addresses. This first phase of the IPv6 expansion will set the baseline for further coverage improvements.
• SMTP Protocol Coverage: This new protocol coverage will be bringing Bitsight’s proprietary internet scanning engine Groma’s SMTP protocol observations into the Bitsight product as findings.
• Improved TLS Coverage: More TLS data arriving through Groma scans will allow some of the up-until-now missing SSL certificate and SSL Configuration findings’ smooth placement in the Bitsight product.

This Continuous Coverage Expansion January 2026 release helps:

Increase Visibility with Incubation period: Expansion of attack surface coverage does not need to risk the predictability and reliability of governance metrics by suddenly impacting the risk vector grades and company rating. The incubation period for the newly arriving findings under Continuous Coverage Expansion builds trust in data and keeps our customers’ focus in the remediation and risk mitigation efforts.

This release does NOT cover the following features:

• Hostname Expansion: Hostnames will be updated more frequently with greater efficiency, providing more assets and faster discovery. 
• New Vulnerabilities: Hostname based scans improve CVE detection under Patching Cadence and Vulnerability Detection, and increase product and vendor coverage significantly.

Hostname Expansion and New Vulnerability Coverage features will arrive at a later time. 

Frequently Asked Questions

Which Diligence risk vectors will receive new Findings with the Groma enhancements under the January release of Continuous Coverage Expansion?

 → SSL/TLS configuration

 → SSL certificates

 → Server software

 → Open ports

Why should Bitsight customers pay attention to the Findings in Incubation Period?

 → Findings that are in the incubation period are valid findings and they are displaying the correct grades without impacting the risk vector grade until the incubation period ends.

We recommend our customers review and remediate these findings while the incubation period is active to mitigate any issues and threats in their security.

How can the customers identify the new Findings arriving in the Incubation Period?

 → Findings arriving from this release can be identified by using two different filter sets:

• First one is under “Impacts Risk Vector Grade” listed as “No: Incubation Period” filter
• Second one is under “Bitsight Filter Sets” listed as “Incubation Period Findings”

Will there be a new finding alert available for the Findings in Incubation?

 → Bitsight customers can set up a new finding alert using the “Incubation Period Findings”  Bitsight Filter Set that is listed under Finding Alert Options Quick Settings.

Let’s say the IPv6 Address Expansion is released in the Finding Incubation Period of Jan 13-Apr 12, 2026. If Groma scan brings a new finding to the customer’s portal related to the IPv6 address in this Groma release phase on Apr 9th, e.g., will that Finding then be rating impacting in 3 days (as of Apr 12th)- or would it be staying non-rating impacting for 90 days after first seen on the customer portal (up to until Jul 9th)?
→ Let’s remember that the “Finding Incubation Period” is tied to the specific features (especially, tied to the Groma features that will bring systemic changes). This finding that appeared on Apr 9th will stay non-risk-vector/rating impacting forever. But, if Groma sees a new finding on Apr 13th on the same IPv6 address, since the IPv6 Address Expansion is now out of the Finding Incubation Period window, the finding will be rating impacting.

While we are in incubation period between Jan 13th though April 12th, let’s say a new IP asset added on the Apr 12th. If this IP asset brings new SMTP findings on April 13th (since now we are out of incubation period for the SMTP feature), will the new SMTP finding on April 13th impact my rating?
→ Yes, it will impact the Rating, unless this new asset is arriving in the Grace Period, which is similar to the customers’ current experience on the product.

Can the findings arriving in the Incubation Period be identified through API? If so, which identifier should the customers look for?
→ Yes. The findings in the Incubation Period can be identified through API. The field is impacts_risk_vector_details and the value is INCUBATION_PERIOD

What is the API endpoint to display the new  findings that are arriving in the Incubation Period from this release of Continuous Coverage Expansion? 
→ Bitsight customers can click to use this API endpoint.

While the findings are in incubation period, will they be visible to third parties (the organizations monitoring the customer)?
→ Yes. The findings in the Incubation Period will keep having the same third party visibility as any other finding today.

Will the manual rescan be available for the findings that are in incubation period?
→ Yes. The findings in incubation can be rescanned manually to reflect  the customers’ remediation efforts.