The latest updates to the Cado Platform throughout Q3 have brought even more flexibility, automation, and efficiency to cloud forensics and incident response. From enhanced host acquisition options to an improved investigation experience, these updates empower security teams to act faster and with greater confidence.
Here’s What’s New in Q4:
Enhanced Cado Host Acquisition Options
Custom Collection: Choose the Artifacts That Matter Most
With the new ‘Enable Custom Collection’ feature, users can define exactly which groups of artifacts they want to collect during host acquisitions. This granular control helps tailor acquisitions to specific investigations, reducing unnecessary data collection and expediting forensic analysis.
The wide variety of artifact groups the Cado platform now has available to narrow your search.
‘Max Mode’: Capture the Full Picture
For those who need comprehensive evidence collection, ‘Max Mode’ enables the acquisition of a much broader set of artifacts, ensuring that no critical forensic data is missed.
When ‘Max Mode’ is enabled in the Cado Platform, a warning is displayed that it will generate a large fileset and take longer than a normal collection.
Account Checks: Validate Permissions Across Cloud, XDR, and SaaS
Managing permissions across multiple cloud and security platforms can be challenging. The new Account Checks feature (Settings > Cloud) allows users to verify whether the correct permissions are in place for cloud, XDR, and SaaS accounts—reducing misconfigurations and ensuring seamless evidence collection.
Acquire-Only Mode: Preserve Evidence for Later Analysis
The Acquire-Only option allows users to collect evidence without immediate processing. This is especially useful for:
- Acquiring evidence with Cado while analyzing it with another tool.
- Preserving evidence for future processing, allowing teams to defer analysis until needed.
Automated Full Disk Acquisition in Response to GuardDuty Alerts
Security teams can now automate full disk acquisitions when AWS GuardDuty alerts are triggered. This ensures rapid evidence preservation in response to potential threats, reducing manual effort and improving incident response efficiency.
JIT Access: Temporary Credentials for Secure Acquisitions
The Just-in-Time (JIT) access feature enables users to perform acquisitions using temporary credentials generated by third-party tools such as HashiCorp Vault. This provides an extra layer of security while improving flexibility in how credentials are managed.
New Overview Page: A Clearer View of Malicious Activity
A redesigned Overview Page introduces enhanced visualizations, allowing security teams to quickly assess malicious and suspicious activity on a timeline. This streamlined interface makes it easier to identify patterns and key events in an investigation.
Automated Investigation Relevance Filtering
The new ‘Relevance’ filter enhances Automated Investigations, allowing users to quickly narrow down timeline events based on their importance to an investigation. This significantly reduces noise and helps teams focus on the most critical forensic data.
The new ‘Relevance’ filter in action.
Simplified Deployment: Single VM Support for AWS, Azure, and GCP
Cado now supports a simplified single-VM deployment model that works across all major cloud providers—AWS, Azure, and GCP. This makes it easier than ever to deploy and manage Cado in multi-cloud environments.
Get Started with the Latest Features
These updates continue to make the Cado Platform faster, more flexible, and more efficient. Want to see them in action? Contact our team to book a demo.