v1.13.0 (current)
13 June 2026
Content marketing launch — blog, Netherlands go-to-market, and EU legal groundwork
Groundwork for taking Beacon to market in the Netherlands and the wider EU. A new public blog with high-intent articles for MSPs evaluating Azure compliance tooling, plus internal go-to-market, outreach, and EU/AVG legal-readiness documentation. No application behaviour changed — this release is marketing content and internal strategy material.
Features
- Public blog: new /blog section with an index and three SEO-focused articles — "MSP Azure compliance monitoring", "CIPP hosted alternative", and "How to prove client Azure compliance (EU/AVG edition)" — added to the sitemap for discovery
- Netherlands launch playbook: internal go-to-market layer covering the EU data-residency/AVG wedge, EUR + BTW pricing, Dutch channels, a 90-day plan, and the steps to legally start selling in the Netherlands
- Outreach templates: ready-to-send cold email (English and Dutch), community, LinkedIn, founding-partner, and re-engagement messages with tone guidance
Internal
- EU legal-readiness pack: a lawyer-review gap analysis and draft clauses for the existing privacy, DPA, and terms pages, tailored for Dutch/EU (AVG) compliance — Dutch governing law, international-transfer/SCC handling, legal bases, B2B liability, and EUR/BTW billing
v1.12.0
12 June 2026
GDPR compliance, performance monitoring, and operator tooling improvements
Three independent improvements bundled into one release: full GDPR Article 17 (Right to Erasure) and Article 20 (Right to Portability) compliance with self-service org deletion and a data export endpoint; Vercel Speed Insights on both the marketing site and the compliance portal; and a structural decomposition of the operator backend from a single 1,169-line file into six focused modules.
Features
- GDPR Article 17 — self-service org deletion: org super-admins can now delete their organisation via DELETE /api/orgs/me — requires password confirmation (or org-name for SAML-only accounts); atomically anonymises all audit log references and invalidates all sessions before removing the org row
- GDPR Article 17 — hardened user deletion: DELETE /users/:id now runs inside a transaction that NULLs the user's references in the audit log and force-invalidates all their sessions before the row is removed
- GDPR Article 20 — data export: new GET /api/gdpr/export endpoint returns a structured JSON file containing your profile, recent audit activity, and (for org admins) the full org membership and client list; rate-limited to 5 exports per org per day; accepts ?period=30|60|90
- Audit log retention policy: nightly cleanup job prunes general audit log entries older than 365 days and financial records older than 7 years; both thresholds configurable via AUDIT_LOG_RETENTION_DAYS and AUDIT_LOG_FINANCIAL_RETENTION_DAYS env vars
- Report recipient emails encrypted at rest: the recipients column on report schedules now stores email addresses encrypted with AES-256-GCM; existing plaintext rows are transparently decrypted on read and re-encrypted on next write
- Vercel Speed Insights: real-user performance monitoring enabled on the marketing site and compliance portal — tracks Core Web Vitals and page load timing across all routes in production
- Operator org deletion: platform admins can now delete any organisation via DELETE /api/operator/orgs/:id with the same anonymisation guarantee as self-service deletion
Internal
- Operator backend decomposed: the 1,169-line operator.ts has been split into six focused modules — operator-stats, operator-orgs, operator-audit, operator-support, operator-overrides, and operator-waitlist — with requirePlatformAdmin applied once at the router level in each
v1.11.0
12 June 2026
Pre-launch security hardening — auth, multi-tenant isolation, credentials, and input validation
A comprehensive pre-production security review covering six domains across all 297 TypeScript files in the platform. Fixes span authentication hardening, multi-tenant data isolation, credential encryption at rest, CSV and path-injection prevention, and business-logic race conditions — none of which were user-visible but all of which matter before real customer data lands.
Security
- Password reset race condition: token invalidation switched from UPDATE SET used=true to a hard DELETE WHERE used=false RETURNING — two concurrent reset requests can no longer both succeed with the same token
- Per-email login rate limiting: added a second rate limiter keyed on email address (10 req/15 min) in addition to the existing IP limiter — prevents distributed credential-stuffing that bypasses IP limits
- Cross-org custom check exposure: GET /custom-checks was returning all organisations' check definitions to any authenticated user — now filtered to the caller's org
- Cross-org user role modification: PATCH /users/:id had no ownership check on the target user — an admin in org A could modify roles for users in org B; now guarded with an org membership check and an atomic UPDATE WHERE clause
- Notification channel credentials encrypted at rest: Slack webhook URLs, SMTP passwords, and PSA API keys were stored as plaintext JSONB — now encrypted with AES-256-GCM before write, decrypted only at dispatch time; GET responses return masked values
- PSA escalation credential bypass: the PSA ticket escalation path was passing raw encrypted config to the PSA HTTP client, causing auth failures and leaking ciphertext into Authorization headers — now decrypted before use
- CSV formula injection: export endpoints (findings, compliance, evidence packs) now prepend a ' character to any cell value starting with =, +, -, @, tab, or carriage return — prevents spreadsheet formula execution on imported exports
- Raw integer path params: three endpoints used Number(req.params.id) directly, producing NaN on non-numeric input that PostgreSQL coerces to 0 — replaced with parseIntParam() which rejects invalid input with 400
- Concurrent scan dedup: two simultaneous manual scan triggers for the same client could both proceed — the sync endpoint now returns 409 if syncStatus is already "syncing"
- Client creation race condition: the plan client-count cap was checked then inserted in two separate queries, allowing concurrent requests to exceed the limit — replaced with a SELECT FOR UPDATE transaction
- Stripe and internal error leakage: two catch blocks returned raw error strings (including Stripe internals) to the HTTP client — replaced with generic messages logged server-side
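The two input-handling fixes above (CSV formula-injection escaping and strict integer path parameters) written out as stand-alone helpers. This is an added example, not Beacon's code; the names sanitiseCsvCell, toCsvLine, parseIntParam and HttpError are assumed, and the sample cells are constructed.

```typescript
// Added example, not Beacon's own code. Helper names are assumed.

// Characters a spreadsheet treats as the start of a formula (the rule stated in the release note).
const FORMULA_TRIGGERS = new Set(["=", "+", "-", "@", "\t", "\r"]);

/**
 * Prefix a cell with a single quote when a spreadsheet would otherwise evaluate it.
 * Per the stated rule a negative number such as "-5" is also prefixed; format numeric
 * columns before export if that is undesirable.
 */
function sanitiseCsvCell(value: unknown): string {
  const text = value === null || value === undefined ? "" : String(value);
  return text.length > 0 && FORMULA_TRIGGERS.has(text.charAt(0)) ? `'${text}` : text;
}

/** RFC 4180 quoting so commas, quotes and newlines inside a cell cannot break the row. */
function quoteCsvCell(text: string): string {
  return /[",\r\n]/.test(text) ? `"${text.replace(/"/g, '""')}"` : text;
}

/** One export row: sanitise each cell first, then quote it. */
function toCsvLine(cells: unknown[]): string {
  return cells.map((cell) => quoteCsvCell(sanitiseCsvCell(cell))).join(",");
}

class HttpError extends Error {
  readonly status: number;
  constructor(status: number, message: string) {
    super(message);
    this.status = status;
  }
}

/**
 * Strict positive-integer route parameter. Number("abc") is NaN and Number("1e3") is
 * 1000; this accepts only a plain decimal string and rejects everything else with 400.
 * Assumption: IDs start at 1, so "0" is rejected as well.
 */
function parseIntParam(raw: string | undefined, name = "id"): number {
  if (raw === undefined || !/^\d{1,15}$/.test(raw)) {
    throw new HttpError(400, `Invalid ${name}: expected a positive integer`);
  }
  const n = Number(raw);
  if (!Number.isSafeInteger(n) || n < 1) {
    throw new HttpError(400, `Invalid ${name}: expected a positive integer`);
  }
  return n;
}

// Constructed sample export row: a client name that starts with "=" and one containing a comma.
const sampleRow = toCsvLine(["=2+2", "high", "Acme, Inc."]);
console.log(sampleRow);
```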
v1.10.0
12 June 2026
Endpoint, DevOps, and PSA escalation — the largest scan expansion since launch
Beacon's scan engine now reaches two entirely new surfaces: Intune-managed endpoints and developer tooling (Azure DevOps and GitHub). Five new Intune checks surface non-compliant, unsupported, and stale devices across your client fleet. Seven DevOps checks flag public ADO projects, over-privileged service connections, unreviewed branches, secret-like pipeline variables, and unpinned GitHub Actions workflows. On top of the new scan coverage: a cross-client findings view with bulk acknowledge/assign/suppress actions (Pro+), automatic PSA ticket escalation for overdue findings (Growth+), and a Remediation Dashboard showing per-client MTTR, SLA breach rates, and weekly trends.
Features
- Intune endpoint checks (5 new): unenrolled devices, non-compliant devices, unsupported Windows build (below 19H1), stale device sync (14+ days), Windows Update ring not configured — all findings capped at 10 devices per check with NIST/ISO/CIS framework tags
- Azure DevOps checks (4 new): public projects discoverable externally (DEV-001), service connections using Subscription-scope service principals (DEV-002), main/master branches without a blocking reviewer policy (DEV-003), pipeline variables with secret-like names stored unencrypted (DEV-004)
- GitHub checks (3 new): default branch protection absent (DEV-005), branch protection without required pull request reviews (DEV-006), workflow steps using unpinned third-party actions instead of full SHA refs (DEV-007)
- Cross-client findings view (Pro+): aggregate findings from all clients in a single table with severity, status, and client filters; bulk actions let engineers acknowledge, assign, or suppress up to 500 findings at once
- Automatic PSA escalation (Growth+): hourly job creates PSA tickets for open findings that have passed their SLA due date; configurable severity threshold and ticket priority per organisation; supports ConnectWise, HaloPSA, and Freshservice
- Remediation Dashboard (Growth+): per-client MTTR, SLA breach rate league table, assignee response-time breakdown, and weekly opened-vs-resolved bar chart — selectable 30/60/90-day windows
- Credential management UI: new Integrations tab in client settings for configuring the ADO organisation name and adding/removing GitHub PATs per organisation (PATs encrypted at rest, never returned in API responses)
v1.9.0
12 June 2026
M365 + Defender for Cloud scan coverage and client compliance portal
Beacon's scan engine now covers Microsoft 365 and Defender for Cloud alongside its existing Azure/Entra ID checks — adding 18 new compliance checks across Exchange, SharePoint, Teams, and Defender workload protection. MSPs on the Growth plan and above can now share a read-only client compliance portal with each Azure tenant they manage: the client gets their own URL showing current score, active findings, and resolved activity, with no access to internal MSP tooling or other clients' data.
Features
- M365 scan checks (7 new): legacy authentication not blocked by Conditional Access (M365-002), DKIM not configured (M365-004), DMARC missing or set to p=none (M365-005), SharePoint anonymous sharing links enabled (M365-006), SharePoint external sharing policy (M365-007), Teams unrestricted external federation (M365-009)
- Defender for Cloud checks (7 new): stale unresolved recommendations >30 days (DEF-001), active high/critical alerts (DEF-002), workload protection not enabled for VMs, SQL, Storage, Containers (DEF-003–006), regulatory compliance score below 70% (DEF-007)
- Client compliance portal (Growth+): share a signed, expiring URL with each client — they see their compliance score trend, active findings grouped by severity, and resolved activity. MSPs control exactly what's visible per client
- Portal access controls: tokens expire after 90 days; MSPs can revoke at any time; multiple tokens per client supported; portal disabled by default until explicitly enabled
- Framework mappings: new checks mapped to CIS Microsoft 365 Foundations, NIST CSF, and ISO 27001 controls where applicable
v1.8.1
12 June 2026
Collapsible sidebar navigation
The compliance portal's left navigation has been reorganised from a single flat list into labelled, collapsible sections — Core, Resources, Admin, and Settings. Super-admin accounts previously saw up to 15 items with no visual grouping; the secondary sections now start collapsed and remember their state across reloads. Navigating directly to a page inside a collapsed section auto-expands it.
Design
- Grouped sections: nav items split into Core (always visible), Resources, Admin, and Settings — each with a labelled, clickable header
- Collapsible with item count: collapsed sections show a count badge so it's clear items are hidden; chevron rotates on expand
- Persistent state: open/closed state saved in localStorage and restored on reload
- Auto-expand on navigation: navigating to a route inside a collapsed section opens it automatically
v1.8.0
11 June 2026
Beta access control — invite codes, waitlist, and test-mode banner
Beacon's registration flow now has a three-state access gate — closed (waitlist only), beta (invite code required), and open (public launch). Platform admins can manage the live state, create and revoke named invite codes with optional use limits, and view the waitlist from a new Beta Access page in the admin portal. An amber test-mode banner in the compliance portal prevents testers from mistaking the Stripe sandbox for a live environment.
Features
- Three-state registration mode: switch between Closed, Beta, and Open from the admin portal at any time; the compliance portal registration pages adapt instantly without a redeploy.
- Invite code gate: create named beta codes with optional use limits; codes are validated atomically on registration to prevent race-condition overuse; a permanent master code is available via environment variable for internal access.
- Waitlist: when registration is closed, both the MSP and Solo registration pages replace the form with a waitlist sign-up; the admin portal shows all collected emails with source and timestamp and allows individual removal.
- Test-mode banner: a dismissible amber bar at the top of the compliance portal shell (controlled by VITE_STRIPE_TEST_MODE) reminds testers that no real charges will be made; dismissal is per-session so it reappears on fresh login.
- Admin portal Beta Access page: manage registration mode, generate and revoke invite codes, and browse the waitlist — all from a new dedicated page linked in the admin nav.
v1.7.2
11 June 2026
Portal link routing fix
All Sign in, Get started, Portal login, and demo-login buttons on the marketing site were resolving against the marketing origin (beaconcompliance.eu) instead of the compliance portal (compliance.beaconcompliance.eu), causing 404s for every action button in production. The inline PORTAL_ORIGIN helper is now hardcoded to the correct portal subdomain in all eight marketing pages.
Fixes
- Sign in nav button and footer Portal login now correctly link to compliance.beaconcompliance.eu instead of the marketing site
- All plan Get started buttons (Solo, Starter, Growth, Pro) now point to the compliance portal /register route for Stripe checkout
- Demo-login flow redirects to the correct portal API endpoint rather than a non-existent marketing site path
- Fix applied consistently across all eight marketing HTML pages (index, changelog, compare, dpa, privacy, roi, security, terms)
v1.7.1
June 2026
Security hardening & pre-beta stability
A focused hardening pass ahead of the live beta. Four authorisation and authentication findings from an internal security review are closed, and a batch of build-blocking artifacts left by an earlier branch merge are resolved so the full stack compiles cleanly again. No user-facing feature changes.
Security
- Cross-org team authorisation: team update, delete, and member add/remove endpoints now verify the team belongs to the caller's organisation, closing an IDOR path between tenants.
- Support-session protection: the originating platform-admin session identifier is now encrypted at rest, preventing replay if the session store is ever exposed.
- MFA recovery brute-force resistance: recovery-code attempts are now rate-limited per account, not just per IP, defeating address-rotation attacks.
- CSRF & demo hardening: state-changing auth requests without an Origin header are rejected, and the read-only demo account now uses a randomly generated credential.
Stability
- Build integrity restored: resolved leftover merge artifacts across the API server and both portals — duplicate imports, a duplicated route, interleaved component bodies, and unterminated markup — so the entire workspace type-checks cleanly.
- Portfolio & org views recovered: the client portfolio table, client detail tabs, and admin org-detail console were reassembled from their intended sources with no loss of functionality.
v1.7.0
June 2026
Platform expansion — 22 features across competitive parity, MSP manageability, and admin operations
The largest release wave in Beacon's history. Twenty-two full-stack features land simultaneously, closing the gaps against CIPP, Cynomi, and Vanta/Drata: framework-to-control mapping, posture drift tracking, compliance baselines, a vCISO risk register, and a dramatically expanded check library. MSP engineers gain bulk actions, saved views, remediation workflows with assignment and MTTR, auto-generated PowerShell and Azure CLI remediation scripts, webhook delivery history with manual retry, and a portfolio command-center. Beacon admins gain cross-org audit log with HMAC integrity, a scan-fleet health dashboard, per-org feature-flag overrides, revenue and churn signals, support-session audit trails, and full org lifecycle management.
Competitive parity
- Framework-to-control mapping: CIS M365 Foundations, NIST CSF, and ISO 27001 controls mapped to every check; per-client and per-org coverage views on a new Frameworks page.
- Posture drift & regression tracking: detect when a check regresses from pass to fail, record a posture-event timeline per client, and fire a drift_regression webhook and notification event.
- Compliance baselines & targets: set required score or required controls per client; dashboard badges and baseline_breached alerts when a client falls below target.
- Risk register / vCISO summary: severity-weighted open findings presented as tracked risks with owner and status; an executive-summary view suitable for client deliverables.
- Expanded check library: new M365 CIS Foundations and identity checks added to the scan engine, each tagged to the framework mapping above.
- Evidence / audit pack export: downloadable findings + check results + framework mapping + scan timestamps as CSV or JSON; gated at the Pro plan tier.
Remediation
- Comprehensive remediation guidance: every check now ships a structured playbook — plain-language impact summary, step-by-step portal instructions, required Entra/Azure permissions, a verification step, and a rollback note.
- Auto-generated remediation scripts: for each open finding, Beacon generates a ready-to-run PowerShell (Graph/Az PowerShell) and Azure CLI snippet parameterised with the affected resource and tenant. Copy script, download .ps1, or download a per-client remediation pack. Scripts include a -WhatIf dry-run variant where available. Beacon remains strictly read-only — scripts are provided for the MSP to review and run.
- Remediation workflow & assignment: assign a finding to a team member with a due date; richer status progression (open → in_progress → resolved); MTTR tracking in finding stats.
MSP manageability
- Guided Azure onboarding wizard: step-by-step App Registration setup with a required-permissions checklist, live credential validation, and a "run first scan" CTA.
- Scan health visibility: per-client last/next scan, surfaced permission and connection failures with actionable error detail, and a manual re-scan button.
- Per-client scan scheduling: configurable scan frequency per client and per tag; the scan worker respects each client's interval independently.
- Bulk finding actions: multi-select acknowledge, suppress (with reason), or assign findings from the findings list in a single operation.
- Advanced filtering & saved views: compose filters across severity, category, framework, status, client, and tag; persist views per user for instant recall.
- Notification & webhook delivery history: every delivery attempt (status, HTTP response, timestamp) is persisted; a history log in the UI with a manual retry action per entry.
- Portfolio command-center: the client list is now a sortable portfolio table showing score, trend sparkline, open-critical count, last scan, tag filter, and CSV export.
Admin operations
- Cross-org audit log viewer: searchable and filterable audit log across all organisations, with an HMAC-chain integrity indicator on each entry.
- Scan-fleet health dashboard: worker leader/heartbeat status, due and overdue clients, recent scan failures, and token/permission errors — across all orgs in one view.
- Per-org feature-flag overrides: grant or restrict individual features on top of a plan's defaults without a plan change; consulted by the plan guard on every request.
- Revenue & churn signals: MRR by plan, trial-to-paid conversion rate, expiring and at-risk trials, and tenant-growth expansion signal — all derived from live org and plan state.
- Support-session audit trail: every Beacon support session (who, which org, when, entry and exit) is logged and written to the audit chain; history view in the admin portal.
- Org lifecycle & plan management: change plan and billing interval, apply manual client-limit overrides, suspend or reactivate an org with a reason, and extend a trial — all from the org detail page in the admin portal.
v1.6.1
June 2026
Security hardening — secret rotation
Rotated all exposed secrets (encryption key, database password, HMAC audit key, and API keys) and purged the committed .env from git history. Added a key-rotation migration script for future key rotation operations.
Security
- Rotated ENCRYPTION_KEY, DB_PASSWORD, AUDIT_HMAC_KEY, SETUP_SECRET, Stripe keys, and Resend API key
- Purged committed .env from all git history using git filter-repo
- Added scripts/rotate-encryption-key.ts for future AES-256-GCM key rotation
- Hardened .env.example with lifecycle documentation for all secrets
v1.6.0
June 2026
Emerald refresh, enforced plan limits, and a read-only demo
A wide release wave that resets how Beacon looks and how it is bought. An emerald visual
refresh now runs across both portals and the marketing site, plan limits and feature gates
are enforced rather than advisory, and two new pages help teams compare Beacon and size the
return on investment. Sign-up moves away from a free trial: prospects explore a read-only
demo, and paid sign-up takes a card up front with annual billing selected by default.
Reliability and observability work rounds out the release.
New feature
- Enforced plan limits: client and seat caps for each plan are now checked at the API layer, so an account cannot exceed the tier it pays for.
- Feature gates: premium capabilities are gated by plan and surface a clear upgrade path instead of failing silently.
- ROI page: a new marketing page that estimates the hours and cost Beacon saves a team against manual tenant review.
- Comparison page: a side-by-side view of how Beacon stacks up against manual checks and adjacent tooling.
Billing
- Read-only demo replaces the free trial: prospects explore a pre-loaded environment without a credential, and the time-limited trial has been retired.
- Card up front at sign-up: paid sign-up now collects a payment method before provisioning, reducing abandoned half-configured accounts.
- Annual billing by default: the billing selector now defaults to the annual plan, with monthly still available on a single toggle.
Design
- Emerald visual refresh: a single emerald accent now runs across the compliance portal, admin portal, and marketing site, replacing the previous cyan-on-navy palette.
- Tinted surfaces and shadows tuned to the new palette, with the accent reserved for primary actions and status.
- Status page moved onto the shared Outfit and JetBrains Mono type stack for consistency with the rest of the site.
Reliability
- Expanded health and status reporting so service state is easier to read at a glance.
- Improved observability across the API and scan worker for faster diagnosis of slow or failed scans.
- Stability fixes across sign-up, billing, and demo flows.
v1.5.0
June 2026
Solo plan — personal Azure compliance monitoring
Introducing the Solo plan: a lightweight tier for individuals who want to monitor a single
Azure tenant without the overhead of a full MSP organisation. One account, one tenant,
zero team management — sign up, connect your Azure app registration, and land directly on
your tenant's compliance dashboard.
Feature
- New Solo plan tier — capped at one user and one Azure tenant; enforced at the API layer so upgrades are a plan change, not a rebuild.
- 3-step self-service onboarding — account creation, Azure tenant credentials, and review all in one wizard at /register/solo.
- Auto-routing dashboard — solo users land directly on their tenant's compliance detail page; the multi-client list and MSP overview are skipped automatically.
- Simplified sidebar — Teams, Users, Organisation, and Billing nav items are hidden for solo accounts; compliance settings remain fully accessible.
- Sign-in page now shows a "Start with the Solo plan" link for first-time visitors monitoring their own tenant.
v1.4.1
June 2026
Security patch — 17 vulnerabilities remediated
A focused security hardening release addressing findings from a full codebase audit. Fixes span
cross-tenant access control, authentication robustness, injection vulnerabilities, and server-side
request forgery vectors. No new user-facing features; all existing behaviour is unchanged.
Security
- Cross-tenant IDOR fix — client PATCH and DELETE routes now enforce org-scope access checks, matching the guard already present on all read routes.
- Custom checks org isolation — PATCH and DELETE on custom compliance checks are now scoped to the caller's organisation.
- TOTP replay protection — each accepted TOTP code's counter step is recorded; replaying a code within the same 90-second window is now rejected.
- Stripe webhook signature verification — raw body is now correctly captured so all Stripe event signatures can be verified.
- Open redirect closed — Stripe checkout and portal redirect URLs are now built from the server-configured ALLOWED_ORIGIN, not the attacker-controlled Origin request header.
- HTML injection in emails — client names and severity labels in notification emails are now HTML-escaped.
- SSRF via SMTP host blocked — email notification channels now validate the SMTP hostname against private IP ranges.
- SAML host-header injection mitigated — ACS URL and SP entity ID now prefer the APP_BASE_URL environment variable over derived request headers.
- Session ID type confusion fixed — getSessionId() now reads exclusively from the HttpOnly cookie; Bearer tokens are no longer silently treated as session IDs.
- CSS injection in charts hardened — colour values interpolated into chart style blocks are validated against a hex/rgb/hsl allowlist.
- Rate limiting added to password change and TOTP disable endpoints to prevent brute-force attacks on authenticated sessions.
- Audit log now records login, logout, password change, TOTP enable/disable, and user create/role/delete events.
- Stack traces are no longer exposed outside of local development environments.
- Demo sessions are created with viewer role instead of admin.
- Missing ALLOWED_ORIGIN in production is now a fatal startup error rather than a silent misconfiguration.
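The TOTP replay protection above, shown end to end as an added example (not Beacon's code): RFC 6238 codes are verified inside a three-step (90-second) window, and the counter step of each accepted code is recorded so the same code cannot be accepted twice. Function names, the TotpState shape and the use of the RFC 6238 reference secret for the sample are assumptions.

```typescript
// Added example, not Beacon's own code. Names are assumed; in a real service
// TotpState.lastAcceptedStep is persisted next to the user's TOTP secret.
import { createHmac, timingSafeEqual } from "node:crypto";

const STEP_SECONDS = 30; // RFC 6238 default time step
const SKEW_STEPS = 1;    // one step either side of "now": a 90-second window

/** RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter, dynamically truncated. */
function hotp(secret: Buffer, counter: number, digits = 6): string {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const h = createHmac("sha1", secret).update(msg).digest();
  const offset = h.readUInt8(h.length - 1) & 0x0f;
  const bin = h.readUInt32BE(offset) & 0x7fffffff;
  return (bin % 10 ** digits).toString().padStart(digits, "0");
}

function timeStep(nowSec: number): number {
  return Math.floor(nowSec / STEP_SECONDS);
}

/** RFC 6238 TOTP for a Unix time in seconds. */
function totp(secret: Buffer, nowSec: number, digits = 6): string {
  return hotp(secret, timeStep(nowSec), digits);
}

/** Per-account state: the highest counter step whose code has already been accepted. */
interface TotpState {
  lastAcceptedStep: number;
}

type VerifyResult = "accepted" | "replayed" | "invalid";

/**
 * A code is accepted only if it matches a step inside the window AND that step is
 * newer than the last accepted one; the step is then recorded. Presenting the same
 * code again inside the window therefore yields "replayed", not a second login.
 */
function verifyTotp(
  secret: Buffer,
  code: string,
  nowSec: number,
  state: TotpState,
  digits = 6,
): VerifyResult {
  const current = timeStep(nowSec);
  const given = Buffer.from(code, "utf8");
  let matched: number | null = null;
  for (let step = current - SKEW_STEPS; step <= current + SKEW_STEPS; step++) {
    const expected = Buffer.from(hotp(secret, step, digits), "utf8");
    // Constant-time compare; the loop runs to completion so timing does not
    // reveal which step (if any) matched.
    if (given.length === expected.length && timingSafeEqual(given, expected)) {
      matched = step;
    }
  }
  if (matched === null) return "invalid";
  if (matched <= state.lastAcceptedStep) return "replayed";
  state.lastAcceptedStep = matched; // persist before responding
  return "accepted";
}

// Constructed walk-through using the RFC 6238 reference secret (ASCII "12345678901234567890").
const demoSecret = Buffer.from("12345678901234567890", "ascii");
const demoState: TotpState = { lastAcceptedStep: 0 };
const demoCode = totp(demoSecret, 59);
console.log(demoCode, verifyTotp(demoSecret, demoCode, 59, demoState)); // 287082 accepted
console.log(verifyTotp(demoSecret, demoCode, 70, demoState));           // replayed
```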
v1.4.0
June 2026
Security hardening & deployment improvements
This release focused on eliminating known vulnerabilities in dependencies, tightening the
CI pipeline, and expanding the first-party deployment guide to cover Railway and Vercel as
fully supported targets alongside the existing Azure App Service path.
Security
- Resolved high- and critical-severity CVEs across the npm dependency tree.
- Pinned all CI GitHub Action references to commit SHAs to prevent dependency confusion attacks.
Deployment
- New Railway deployment guide — one-click API and database setup with environment variable templates.
- Vercel static deployment guide for the compliance portal and marketing site front-ends.
- Updated Docker Compose configuration for streamlined local development setup.
v1.3.0
May 2026
Admin portal, platform operations & UI refresh
A major platform release adding a fully separate Admin Portal for Beacon operators alongside
a comprehensive visual refresh across all three portals. New support session tooling lets
Beacon staff assist customers directly from the admin interface.
New feature
- Beacon Admin Portal — a separate application at a distinct URL for Beacon platform operators. Includes org management, support tickets, infrastructure overview, and platform admin user management.
- Platform Admins page — create and delete Beacon staff admin accounts from a dedicated management screen.
- Beacon support sessions — split login system enables Beacon operators to open a scoped support session inside a customer's compliance portal without using a customer credential.
Design
- New Outfit typeface across all three portals for a more modern, readable interface.
- Desaturated brand colour palette — more neutral base tones with focused accent usage.
- Comprehensive UI polish pass: card surfaces, spacing, icon sizing, and interactive states.
- Marketing site redesign matching the new visual language.
Security & stability
- Security hardening across API endpoints: improved input validation, rate limiting, and session management.
- Beta readiness improvements: performance optimisations, admin portal UX polish, and stability fixes ahead of general availability.
- create-super-admin recovery script added for initial platform setup and emergency admin recovery.
v1.2.0
March 2026
Billing, SaaS multi-tenancy & public launch
The foundational SaaS release. Beacon became a fully multi-tenant platform with a public
marketing site, Stripe billing, a demo mode for prospective customers, and a built-in
support system. Each MSP organisation is completely isolated from all others.
New feature
- Stripe billing — subscription plan management (Starter, Growth, Pro, Enterprise) with per-client usage tracking and seat limits enforced at the API layer.
- Organisation isolation — full SaaS multi-tenancy: every MSP organisation is completely isolated in its own data partition. No cross-organisation data access is possible.
- Demo mode — prospective customers can explore a pre-loaded Beacon environment with 5 sample MSP clients using a demo access code. No sign-up required.
- Built-in support system — raise and track support tickets directly from within the compliance portal. Tickets route to the Beacon Admin Portal for operator response.
- Marketing site — public landing page at the root domain with feature overview, security check catalogue, pricing tiers, and demo access.
- Production Docker stack — a single docker-compose.yml now orchestrates all six services (API, compliance portal, admin portal, marketing site, background worker, database).
v1.1.0
December 2025
MSP readiness — 36 checks, integrations & reporting
A series of milestone releases transforming Beacon from a proof-of-concept into a
production-ready MSP platform. Check coverage expanded from 15 to 36 controls,
and a complete integration layer was added: SLA tracking, PSA webhooks, API tokens,
scheduled reports, share links, and compliance framework mapping.
Security checks
- 36 built-in security checks — expanded from 15 to cover Identity (6), Infrastructure (9), Data (5), Patching (4), Security (6), Monitoring (4), and Backup (6) categories. All checks run via Microsoft Graph and Azure Resource Manager APIs — no agent required in the client tenant.
- Custom checks — admins can define additional compliance controls beyond the 36 built-in checks, with configurable name, description, severity, and category.
- Finding suppression — individual findings can be suppressed with an optional reason and expiry date. Suppressed findings are excluded from open issue counts and do not affect the compliance score.
- Global suppressions — platform-wide suppression rules apply a suppression to the same check across all clients simultaneously.
Integrations
- Per-client PSA webhooks — push findings to ConnectWise, HaloPSA, or Freshservice per client. Separate from the global webhook channel configuration.
- Notification channels — configure named Slack, Microsoft Teams, and email delivery channels. Each channel can subscribe to different event types (scan complete, critical finding, scan failure).
- API tokens — machine-to-machine tokens for REST API access. Tokens are scoped to an organisation and never expire unless explicitly revoked.
- Data export — export all compliance findings for a client to CSV or JSON for further analysis or import into a SIEM.
Reporting & compliance
- Scheduled compliance reports — configure weekly or monthly reports to be emailed automatically to a client contact. Reports include score gauge, open findings table, and category breakdown.
- Share tokens — generate a read-only share link for a client's compliance report. Share it directly with your customer without giving them a Beacon login.
- Framework mapping — each of the 36 checks carries CIS Microsoft 365 Benchmark, NIST CSF, and ISO 27001:2022 control IDs. The compliance report includes a framework coverage table with per-framework pass rates.
- Per-client SLA tracking — configure target remediation times (critical, high, medium, low) per client. Beacon automatically flags SLA breaches and sends alerts via notification channels.
- 90-day score trends — compliance score history and open/critical finding counts charted over a rolling 90-day window. A data point is written after every successful sync.
Security & identity
- TOTP MFA with QR code — users can now scan a QR code during MFA setup from any TOTP authenticator app (Google Authenticator, Authy, 1Password, Microsoft Authenticator).
- Finding workflow — findings now move through three states: open → acknowledged → suppressed. Every state change is recorded in the tamper-evident audit log with the acting user and timestamp.
- HMAC-SHA256 audit chain — all audit log entries are chained with an HMAC hash. Deletion or modification of any historical entry breaks the chain and is mathematically detectable.
- API rate limiting — per-IP and per-user rate limits on authentication and write endpoints. API key rotation endpoint added for credential hygiene.
v1.0.0
September 2025
Initial release
General availability
The first production release of Beacon. A multi-tenant Azure compliance management platform
for Managed Service Providers with 15 built-in security checks, full RBAC, SAML SSO,
and a tamper-evident audit log.
- 15 built-in security checks covering Identity and Access Management, Network Security Groups, Key Vault, storage accounts, and Defender for Cloud.
- Multi-tenant RBAC — three-role system (Admin, Engineer, Viewer) with team-based client scoping. Each MSP organisation is fully isolated.
- Microsoft Graph API integration — agentless compliance data collection. Beacon only requires a read-only App Registration in each managed Azure tenant.
- Severity-weighted compliance scoring — 0–100 score where failing a critical control has a proportionally larger impact than a low-severity miss.
- 6-hour automatic background scans — no manual intervention required. All tenants are scanned on a fixed schedule with scan concurrency limits to protect Microsoft API quotas.
- SAML 2.0 SSO — integrate with Microsoft Entra ID or any SAML 2.0 identity provider. Accounts are auto-provisioned on first SSO login.
- AES-256-GCM encryption at rest — Azure App Registration credentials (client IDs, secrets, certificates) are encrypted before storage.
- Tamper-evident audit log — all significant actions are recorded in an HMAC-SHA256 chained log. Provides an auditable evidence trail for compliance conversations.
- Printable compliance report — every client has a print-optimised A4 compliance report accessible at any time from the client detail page.
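The HMAC-SHA256 audit chain named in the v1.0.0 and v1.1.0 notes, as an added example rather than Beacon's implementation: each entry's MAC covers its own fields plus the previous entry's MAC, so modifying or removing a historical entry is detected on verification. The entry shape, helper names and the constructed key and log lines are assumptions.

```typescript
// Added example, not Beacon's own code. Entry shape and names are assumed.
import { createHmac, timingSafeEqual } from "node:crypto";

interface AuditEntry {
  seq: number;     // 1-based and contiguous: a gap reveals a removed entry
  at: string;      // ISO-8601 timestamp
  actor: string;
  action: string;
  prevMac: string; // MAC of the preceding entry, "" for the first entry
  mac: string;     // HMAC-SHA256 over all fields above
}

type Unsigned = Omit<AuditEntry, "mac">;

/** Fixed field order so the MAC is computed over one unambiguous serialisation. */
function canonical(e: Unsigned): string {
  return JSON.stringify([e.seq, e.at, e.actor, e.action, e.prevMac]);
}

function macFor(key: Buffer, e: Unsigned): string {
  return createHmac("sha256", key).update(canonical(e)).digest("hex");
}

/** Append a new entry whose MAC chains to the current tail of the log. */
function appendEntry(
  key: Buffer,
  log: AuditEntry[],
  at: string,
  actor: string,
  action: string,
): AuditEntry {
  const tail = log.length > 0 ? log[log.length - 1] : undefined;
  const unsigned: Unsigned = {
    seq: log.length + 1,
    at,
    actor,
    action,
    prevMac: tail ? tail.mac : "",
  };
  const entry: AuditEntry = { ...unsigned, mac: macFor(key, unsigned) };
  log.push(entry);
  return entry;
}

interface ChainResult {
  ok: boolean;
  brokenAt?: number; // seq of the first entry that fails verification
  reason?: string;
}

/**
 * Walk the log from the first entry, checking sequence continuity, the link to
 * the previous MAC, and each entry's own MAC under the key. Note: removing only
 * the last entry leaves a valid chain, so the current tail seq and MAC should be
 * anchored outside the table (this example does not do that).
 */
function verifyChain(key: Buffer, log: AuditEntry[]): ChainResult {
  let expectedPrev = "";
  let index = 0;
  for (const e of log) {
    index++;
    if (e.seq !== index) {
      return { ok: false, brokenAt: e.seq, reason: "sequence gap: an entry was removed" };
    }
    if (e.prevMac !== expectedPrev) {
      return { ok: false, brokenAt: e.seq, reason: "prevMac does not match the preceding entry" };
    }
    const { mac, ...unsigned } = e;
    const stored = Buffer.from(mac, "hex");
    const recomputed = Buffer.from(macFor(key, unsigned), "hex");
    if (stored.length !== recomputed.length || !timingSafeEqual(stored, recomputed)) {
      return { ok: false, brokenAt: e.seq, reason: "mac mismatch: entry contents were modified" };
    }
    expectedPrev = e.mac;
  }
  return { ok: true };
}

// Constructed walk-through with a demo key and three constructed log lines.
const demoKey = Buffer.from("constructed-demo-audit-hmac-key", "utf8");
const demoLog: AuditEntry[] = [];
appendEntry(demoKey, demoLog, "2026-06-01T08:00:00Z", "alice", "login");
appendEntry(demoKey, demoLog, "2026-06-01T08:05:00Z", "alice", "user.role.change");
appendEntry(demoKey, demoLog, "2026-06-01T08:10:00Z", "alice", "logout");
console.log(verifyChain(demoKey, demoLog)); // { ok: true }
```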