Matters.AI Product Release: March - April 2026

Last updated: April 23, 2026

This release expands the Matters.AI platform across five areas: Platform integrations, Database Activity Monitoring, Endpoint visibility, Exposures, and AI Remediation. Highlights include native Jira ticketing, SIEM export via S3, Amazon Redshift support in Database Activity Monitoring, Microsoft 365 public exposure detection, and AI-guided remediation for exposure findings.


Contents

Platform

  1. Push to SIEM via S3 bucket integration

  2. Jira integration for misconfigurations, DDR, and Database Activity Monitoring alerts

  3. Email notifications for alerts and scan findings

Database Activity Monitoring

  1. Amazon Redshift integration and policy deployment

  2. Behaviour-based detection rules

  3. Usertype classification for alert context

Endpoint

  1. Default tags for unsupported and unscanned files

  2. Unsupported file type visibility in Tagging UI

  3. Endpoint file discovery on agent deployment

Exposures

  1. Data localisation exposures for AWS S3 and RDS

  2. Public exposure detection for Microsoft 365

AI Remediation

  1. Exposure support for AI Remediation


Platform

1. Push to SIEM via S3 bucket integration

What's new: The platform now supports pushing security logs and findings to a customer-managed Amazon S3 bucket, enabling downstream ingestion into any SIEM or data lake that supports S3 as a source. Customers can configure the S3 destination and control which event types, including Database Activity Monitoring activity logs, DDR alerts, and misconfiguration findings, are exported.

Why it matters: Bridges the Matters.AI platform with existing SIEM stacks, enabling security operations teams to correlate data security findings with broader threat intelligence and security events without manual exports or custom pipelines.

Use cases

  • Stream Database Activity Monitoring and DDR alerts to Splunk, Microsoft Sentinel, or any S3-compatible SIEM.

  • Deliver misconfiguration findings to a centralised security data lake.

  • Support multi-region S3 destinations for data residency compliance.


2. Jira integration for misconfigurations, DDR, and Database Activity Monitoring alerts

What's new: The platform now integrates natively with Jira, enabling automatic ticket creation for misconfiguration findings, DDR alerts, and Database Activity Monitoring alerts. Customers can configure multiple Jira project integrations simultaneously and apply granular filters to control which finding types, severity levels, or resource categories route to which Jira project, ensuring findings reach the right team without noise.

Why it matters: Embeds data security findings directly into existing engineering and security operations workflows, reducing the gap between detection and remediation and eliminating manual ticket creation overhead.

Use cases

  • Automatically create Jira tickets for new misconfiguration findings.

  • Route DDR alerts to a dedicated security response Jira project.

  • Send Database Activity Monitoring alerts to a database operations or SOC Jira project.

  • Configure multiple Jira project integrations with independent filter rules.

  • Filter by finding type, severity, resource type, or data classification to control ticket routing.

  • Avoid duplicate tickets through deduplication logic on recurring findings.


3. Email notifications for alerts and scan findings

What's new: Administrators and configured recipients can now receive email notifications for key platform events, including new Database Activity Monitoring alerts, DDR alerts, and fresh findings from misconfiguration scans. Notification rules are configurable per event type and severity, allowing teams to tune alert volume and ensure the right stakeholders are informed in real time.

Why it matters: Ensures critical security events surface immediately to the relevant teams without requiring continuous platform monitoring, reducing mean time to awareness for high-priority findings.

Use cases

  • Receive instant email alerts when a new Database Activity Monitoring or DDR alert is triggered.

  • Get notified when a completed misconfiguration scan surfaces new findings.

  • Configure per-event-type notification rules and severity thresholds.

  • Support multiple recipients and team distribution lists per notification rule.

  • Reduce response latency for high-severity alerts through real-time email delivery.


Database Activity Monitoring

1. Amazon Redshift integration and policy deployment

What's new: Database Activity Monitoring now supports Amazon Redshift as a monitored database, with full activity logging, query inspection, and policy enforcement. Out-of-the-box policies cover the most critical attack patterns for Redshift environments, including malicious access attempts, privilege escalation, and suspicious query patterns.

Why it matters: Extends Database Activity Monitoring coverage to Redshift-powered data warehouses, ensuring that large-scale analytical datasets receive the same level of threat detection and policy enforcement as operational databases.

Use cases

  • Monitor all query activity across Redshift clusters and serverless endpoints.

  • Alert on privilege escalation events within Redshift user and role management.

  • Identify suspicious query patterns such as bulk exports or unusual data access.

  • Deploy malicious access policies with configurable alert and block actions.


2. Behaviour-based detection rules

What's new: Database Activity Monitoring now supports behaviour-based detection rules that go beyond traditional policies to identify access patterns that deviate from established norms. This release introduces rules for improper timed access, such as database activity outside approved working hours, and remote location execution, flagging queries originating from unexpected geographies or IP ranges.

Why it matters: Enables detection of insider threats and compromised credentials that would otherwise evade signature-based rules, by focusing on the context and pattern of access rather than the content of individual queries alone.

Use cases

  • Detect database access occurring outside of configured business hours or maintenance windows.

  • Alert on queries executed from IP addresses or geolocations outside approved ranges.

  • Identify users accessing databases from new or unrecognised network locations.

  • Combine temporal and geographic signals for high-confidence anomaly alerting.


3. Usertype classification for alert context

What's new: Database Activity Monitoring now surfaces usertype classification (human, service, or application) directly within alert details, allowing security analysts to immediately understand whether a suspicious database action was performed by an interactive human user or an automated process. This context is applied consistently across alert views, investigation timelines, and exported reports.

Why it matters: Dramatically reduces alert triage time by eliminating the need for analysts to manually cross-reference database user lists, and enables more accurate risk scoring by distinguishing human-initiated activity from expected automation.

Use cases

  • View human vs. application user context on every Database Activity Monitoring alert.

  • Prioritise investigation of human-initiated anomalies over automated service activity.

  • Apply different response playbooks based on usertype classification.

  • Filter alert queues and reports by usertype for focused review.

  • Reduce false positives by suppressing expected application traffic from human alert workflows.


Endpoint

1. Default tags for unsupported and unscanned files

What's new: The platform now automatically applies system-defined default tags to files that fall outside standard classification workflows. Files with unsupported formats receive an Unsupported File Type tag, while files that have not yet been processed by the classification engine are tagged as Unscanned. These tags are applied automatically on discovery and are visible alongside customer-defined tags in the Tagging UI.

Why it matters: Provides immediate visibility into the completeness of endpoint scan coverage, enabling administrators to identify gaps in classification and take action on files that have not been assessed for sensitive data.

Use cases

  • Automatically tag unclassified files as Unscanned on agent discovery.

  • Surface files with unsupported formats under a consistent Unsupported File Type tag.

  • Use default tags as filters in dashboards and reports to gauge scan coverage.

  • Trigger manual review or custom workflows on endpoints with high unscanned file counts.


2. Unsupported file type visibility in Tagging UI

What's new: Unsupported file types discovered on endpoints are now surfaced directly in the Tagging UI, providing a dedicated view that lists file types the classification engine does not currently process. Administrators can see a breakdown of unsupported formats by count and location, giving full visibility into what falls outside the current classification scope.

Why it matters: Eliminates blind spots in endpoint data coverage by making unsupported file types an explicit and visible category, enabling informed decisions about scope expansion or manual review prioritisation.

Use cases

  • View a categorised list of all unsupported file types detected across endpoints.

  • See file counts and endpoint distribution for each unsupported format.

  • Filter and export unsupported file type data for review or audit.

  • Identify commonly occurring unsupported formats to prioritise future classification support.


3. Endpoint file discovery on agent deployment

What's new: From the moment the endpoint agent is deployed, the platform immediately begins discovering and cataloguing all files on the device, making them visible in the agent UI before full classification scans complete. This provides an instant inventory of files present on an endpoint, giving administrators early visibility into data footprint without waiting for scan completion.

Why it matters: Accelerates time-to-visibility on newly enrolled endpoints, enabling administrators to assess data volume and distribution from day one of deployment, and prioritise which devices or directories require urgent classification.

Use cases

  • See a full file inventory on an endpoint immediately after agent deployment.

  • Browse discovered files in the agent UI before classification completes.

  • Assess endpoint data footprint and file distribution at a glance.

  • Identify endpoints with unusually large or broad file inventories for priority scanning.


Exposures

1. Data localisation exposures for AWS S3 and RDS

What's new: The platform now detects data localisation exposures across AWS S3 buckets and RDS instances, identifying cases where sensitive data is stored in regions that do not comply with configured data residency policies. Findings surface the affected resources, the detected storage region, and the required region based on policy, enabling targeted remediation.

Why it matters: Helps organisations meet country-specific and regulation-specific data residency requirements by proactively identifying sensitive data stored in non-compliant AWS regions, before auditors or regulators do.

Use cases

  • Detect S3 buckets containing sensitive data stored outside approved regions.

  • Identify RDS instances with sensitive data in non-compliant geographic locations.

  • View affected resources grouped by residency policy violation type.

  • Prioritise remediation based on sensitivity classification of the exposed data.

  • Support GDPR, data sovereignty, and regional compliance frameworks including DPDP Act alignment.


2. Public exposure detection for Microsoft 365

What's new: The platform now identifies publicly exposed sensitive data within Microsoft 365, covering SharePoint sites, OneDrive files, and other M365 data sources where content has been shared with external users or made accessible via public links. Findings include the affected resource, sharing configuration, and the sensitivity of the exposed content.

Why it matters: Closes a critical visibility gap for organisations using Microsoft 365 as a primary collaboration platform, ensuring that sensitive data shared externally or published via public links is detected and flagged for review.

Use cases

  • Detect SharePoint documents and sites shared publicly or with external users.

  • Identify OneDrive files accessible via anonymous public links.

  • Surface M365 exposure findings alongside other cloud data source exposures.

  • Filter exposed resources by sensitivity classification or sharing type.

  • Enable targeted remediation of over-shared M365 content from the Matters console.


AI Remediation

1. Exposure support for AI Remediation

What's new: AI Remediation now extends to exposure findings, including the data localisation exposures for AWS S3 and RDS and the Microsoft 365 public exposure detections introduced in this release. From the Matters console, users can initiate AI-guided remediation workflows that analyse the exposure context, recommend appropriate corrective actions, and assist in executing remediation steps such as policy updates, access revocation, or resource reconfiguration.

Why it matters: Accelerates exposure resolution by combining automated analysis with actionable guidance, reducing the manual effort required to investigate and remediate complex cloud and SaaS exposure findings at scale.

Use cases

  • Remediate AWS S3 data localisation violations directly from the Matters console.

  • Address RDS sensitive data residency findings with AI-guided reconfiguration steps.

  • Resolve Microsoft 365 public exposure findings through automated sharing policy corrections.

  • Receive AI-generated remediation recommendations tailored to each exposure type and severity.

  • Track remediation status and audit trail for each resolved exposure finding.


Questions or feedback

Reach the Matters.AI Customer Success team at cs-ops@matters.ai, or visit docs.matters.ai for setup guides and API references.