June 30th, 2026 โ Splunk Observed Threats, GTI Score Explainability, and Private Scanning Access Control Lists (ACLs)
June 29th, 2026 โ Splunk Observed Threats, GTI Score Explainability, and Private Scanning Access Control Lists (ACLs)
๐ New Capabilities
๐ Google Threat Intelligence Score Explainability
We are thrilled to announce GTI Score Explainability. Historically, threat intelligence scoring has functioned as an unverified "black box." This launch delivers a major milestone in threat transparency by revealing the exact logic, signal age-offs, and analyst overrides behind every score.
-
Diagnostic Explainability Cards: The GTI Indicator Score now includes Explainability Cards โ diagnostic cards in the UI and API that break down the "why" behind any score into 11 clear categories (such as Human Verified Ground Truth, Technical Evidence, Machine Learning Models, and Mitigating Factors).
-
Signal Age-Off & Score Decay: Every contributing threat signal carries an expiration timestamp. When signals expire without new corroborating activity, the verdict and score automatically decay, ensuring teams aren't chasing stale indicators.
-
Multi-Channel Accessibility: This transparent scoring data can be consumed seamlessly via both the GUI and our API.
Read our full guide on threat scores and explainability here.
๐ก๏ธ Private Scanning Access Control Lists (ACLs)
We are excited to announce Private Scanning Access Control Lists (ACLs). Previously, any user with access to your organization's private scanning could view all uploaded files. Administrators can now restrict access to specific sensitive binaries.
- Granular Sharing Options: Files remain visible to your broader organization by default (maintaining backward compatibility), but editors can now explicitly restrict visibility to specific individuals.
- How to Manage Access: Editors (the user who submitted the file) will see a new "Share" action in the Private Scanning tab, allowing them to manage per-user access and view the persistent sharing list.
๐ Splunk Observed Threats
Splunk Observed Threats are now available in Google Threat Intelligence. This feature brings Splunk-observed telemetry directly into your GTI Threat Profiles, helping CTI and SOC teams prioritize threats that are actively present in their environment over abstract indicators.
-
Automated Threat Intel Derivation: Splunk IoC matches are automatically mapped to structured threat objects (Threat Actors, Malware Families, Software Toolkits, and Campaigns) within your Threat Profile.
-
Clear Visibility: Synchronized entities appear in your Threat Profile tagged as "Observed" and "Splunk," and can be filtered using the Recommendation Source field.
-
How to Get Started: Configuration is done directly within your Splunk instance by enabling Threat Profile synchronization and linking your GTI Threat Profile ID.

Read the full configuration guide here.
๐ฅ Clearer Group Member Filtering
Group administrators can now search and filter members more easily in the Group Management tab.
- Organized Filter Sections: User and service account filters are now grouped into clearer sections, including Private Scanning and a new Fine-Grained Permissions area, making it easier to locate and manage specific members.
- Plan-Specific Filtering: Filters that don't apply to your group's plan or active privileges are automatically hidden, keeping the interface uncluttered.
