Vault Radar, Boundary transparent sessions, and more at HashiDays 2025
New Security Lifecycle Management (SLM) features from HashiCorp Vault, Boundary, and Consul help organizations remediate and prevent secret exposure, improve the developer access experience, and simplify service discovery.
At HashiDays, we are sharing the recent general availability of Security Lifecycle Management (SLM) products and features that further reduce security risks and dramatically improve the user experiences for developers, SecOps, and platform teams. These include HCP Vault Radar, automatic root credential rotation with HashiCorp Vault, Boundary transparent sessions, and Consul external service discovery.
» Seamless user experience with Boundary transparent sessions
HashiCorp Boundary provides secure human-to-machine access for sensitive applications. This includes:
- Identity-based authorization to ensure only the right identities gain access to the right target resources
- Passwordless access for end users
- Automated target discovery
- Reduced risk exposure with dynamic secrets using Vault
The transparent sessions feature for Boundary is now generally available, making the user experience seamless for secure access to infrastructure resources — including VMs, databases, and web applications.
Transparent sessions enable both technical users — such as developers and engineers — and non-technical business users to securely access resources without modifying their existing workflows or client tools. Users can connect to privileged or highly sensitive systems with minimal or zero interaction with Boundary’s CLI or desktop clients.
With Boundary transparent sessions, users only need to authenticate through the Boundary client. Once authenticated, they can continue to use their favorite browser, SSH client, RDP client, or database client tool. This workflow should feel similar to using a VPN.
By simplifying user access, you improve the end-user experience, drive much higher adoption, and ultimately strengthen the organization's security posture.
» Discover, remediate, and prevent unmanaged secrets with HCP Vault Radar
HCP Vault Radar, now generally available, expands on Vault’s lifecycle management capabilities, enabling organizations to scan, discover, and remediate unmanaged secrets.
Security-conscious organizations reduce risk by standardizing on platforms like HashiCorp Vault to securely manage, access, and audit secrets across hybrid-cloud environments. However, many developers are still storing secrets and credentials insecurely by placing them directly in source code, configuration files, version control systems like GitHub, collaboration tools like Confluence, or other data sources that are vulnerable to theft and accidental exposure. Without the ability to scan for exposed credentials in your IT estate, it is virtually impossible to fully understand your organization’s current risk level. HCP Vault Radar addresses these concerns and helps organizations locate and secure their unmanaged secrets with four key functions:
Discover: HCP Vault Radar detects secrets in platforms such as GitHub, Confluence, and Jira using pattern matching and entropy analysis to confidently flag passwords, API keys, and other credentials.
Remediate: When insecure secrets are detected, HCP Vault Radar provides a path to import detected secrets into Vault, where they can be centrally protected and managed. HCP Vault Radar also provides guided remediation links and recommendations for various secret types, including AWS and GCP credentials. Security teams can also create their own remediation documentation and add links in the HCP Vault Radar UI for faster, more consistent adherence to best practices.
Prevent: HCP Vault Radar helps prevent threats by enabling pull-request and tip-of-branch scans in your CI/CD pipeline. Vault Radar also integrates with tools like GitHub pre-receive and pre-commit webhooks to scan code for secrets prior to the CI/CD pipeline. If Radar detects sensitive data, customers can configure settings to block commits until the developer removes the hard-coded secret.
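To make the discovery and prevention steps above concrete, here is an added example (not HCP Vault Radar's code, and not part of the original post) of the two detection techniques the post names, regex pattern matching and entropy analysis, combined with a pre-commit style gate that inspects only the lines a change adds. The detector rules, the entropy threshold, the sample diff and the `AKIAIOSFODNN7EXAMPLE` key (AWS's own documentation placeholder) are all constructed for illustration; `scan_text`, `scan_diff` and `should_block_commit` are hypothetical names chosen for this example.

```python
"""Added example of the detection and prevention approach described above:
regex patterns for credentials with a recognisable shape, Shannon entropy to
separate real secrets from placeholders, and a gate that scans only the lines
a commit adds. This is not HCP Vault Radar's code; the patterns, threshold,
and sample diff are constructed for illustration."""
import math
import re
from collections import Counter

# Constructed detector rules. Group 1 of each pattern captures the candidate
# secret value. The AWS rule keys off the documented AKIA/ASIA prefix; the
# generic rule catches "<name> = <value>" assignments of secret-like names.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    "generic_assignment": re.compile(
        r"""(?i)\b(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['"]?([^'"\s]{8,})"""
    ),
}
ENTROPY_THRESHOLD = 3.5  # bits per character; constructed tuning value


def shannon_entropy(s):
    """Bits of entropy per character: random keys score high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_line(line, lineno):
    """Return findings for one line; secret values are redacted in the output."""
    findings = []
    for rule, pattern in PATTERNS.items():
        for m in pattern.finditer(line):
            value = m.group(1)
            entropy = shannon_entropy(value)
            # A prefix match is convincing on its own; a generic assignment only
            # counts when the value is high-entropy, which drops placeholders
            # such as password = "changeme".
            if rule == "aws_access_key_id" or entropy >= ENTROPY_THRESHOLD:
                findings.append({
                    "line": lineno,
                    "rule": rule,
                    "entropy": round(entropy, 2),
                    "redacted": value[:4] + "...",
                })
    return findings


def scan_text(text):
    """Tip-of-branch style scan of a whole file's contents."""
    return [f for i, line in enumerate(text.splitlines(), 1) for f in scan_line(line, i)]


def scan_diff(diff_text):
    """Pre-commit / pull-request style scan: only lines the change adds are
    inspected, reported with their line number in the new version of the file."""
    findings = []
    new_lineno = 0
    for line in diff_text.splitlines():
        hunk = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", line)
        if hunk:
            new_lineno = int(hunk.group(1))
        elif line.startswith("+++") or line.startswith("---"):
            continue  # file headers, not content
        elif line.startswith("+"):
            findings.extend(scan_line(line[1:], new_lineno))
            new_lineno += 1
        elif line.startswith("-"):
            continue  # removed lines do not exist in the new file
        elif line.startswith(" "):
            new_lineno += 1  # unchanged context line
    return findings


def should_block_commit(diff_text):
    """Gate for a pre-commit or pre-receive hook: block if anything is found."""
    return bool(scan_diff(diff_text))


# Constructed sample diff. "changeme" is a low-entropy placeholder on a context
# line and should not be flagged; the two added lines should be.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,4 @@
 DEBUG = False
 password = "changeme"
+api_key = "q7Fz9wLk2pXm4Rt8vBn3Hs6Jd1Yc5Ga0"
+aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
"""

if __name__ == "__main__":
    for finding in scan_diff(SAMPLE_DIFF):
        print(finding)
    print("block commit:", should_block_commit(SAMPLE_DIFF))
```

Running the block reports the two added lines (one by the generic rule with an entropy of 5.0, one by the AWS prefix rule) and leaves the `changeme` placeholder alone, which is the trade-off entropy scoring buys: fewer false positives on dummy values at the cost of missing low-entropy real passwords, which is why prefix rules for well-known credential formats sit alongside it.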
» Bring your own DNS to HCP Vault Dedicated (beta)
Many customers using Vault’s cloud offering want to keep network traffic within isolated or private networks. Now users can connect HCP Vault Dedicated to private systems within AWS through this beta launch, with Azure connectivity coming next. The bring your own DNS feature allows the HashiCorp Virtual Network (HVN) to resolve private endpoints using forwarding rules for DNS resolution queries.
Configuring private DNS servers in AWS to allow resolution from an HVN enables teams to reduce their overall risk profile by ensuring that Vault service names are only resolvable within a private network. This reduces exposure of sensitive services to the internet and prevents potential DNS-based attacks. This feature also allows DNS queries to be logged and monitored centrally, which helps teams retain control over name resolution logs.
» Automate root credential rotation with Vault
Vault now provides a centralized plug-in rotation mechanism to automate the rotation of root credentials for AWS, Azure, and Google Cloud auth methods and secret engines, along with LDAP and database plugins.
By creating a centralized rotation manager, similar to Vault’s lease manager, Vault provides an easy and standardized way to add automated rotation of root credentials to plugins.
Customers can regularly rotate credentials, mitigating the risks associated with static secrets and reducing manual interventions. This reduces management burden and helps customers meet compliance and regulatory requirements.
» Isolate PKI workloads with constrained CAs
To better isolate workloads and follow security best practices, customers need to configure intermediate certificate authorities (CAs) that only issue certificates satisfying specific constraints. To support this, Vault provides a new PKI API endpoint that lets customers request issuance of a constrained CA with one or more constraints and their associated parameters. Any client certificate signing request that does not match the CA's constraints is rejected with an appropriate error message. A key distinction of constrained CAs is that they are not universally trusted by all systems or applications; this limits where the CA can provide authentication, helping teams build better least-privilege systems.
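The rejection rule described above is easier to reason about with the check written out. The following is an added illustration, not Vault's PKI code: it does not use Vault's endpoint or parameter names, and the constraint set, the hypothetical payments-only intermediate CA and the sample CSRs are constructed. It applies the RFC 5280 name-constraints semantics for DNS and IP subtrees (excluded subtrees always reject; when a permitted list exists for a name type, every name of that type must fall inside one of its subtrees).

```python
"""Added illustration of the constraint check a constrained CA performs on a
certificate signing request. Not Vault's PKI code; constraint structure, CA
and CSR samples are constructed. Matching follows RFC 5280 name constraints
for dNSName and IP address subtrees."""
import ipaddress


def dns_in_subtree(name, subtree):
    """'example.com' covers example.com itself and all of its subdomains."""
    name = name.lower().rstrip(".")
    subtree = subtree.lower().rstrip(".")
    return name == subtree or name.endswith("." + subtree)


def ip_in_subtree(addr, cidr):
    """IP subtree match against a CIDR range."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


MATCHERS = {"dns": dns_in_subtree, "ip": ip_in_subtree}


def check_name(kind, value, constraints):
    """Return None if the name satisfies the constraints, else a rejection reason."""
    match = MATCHERS[kind]
    # Excluded subtrees are checked first and always win.
    for subtree in constraints.get("excluded", {}).get(kind, []):
        if match(value, subtree):
            return f"{kind} name {value!r} is inside excluded subtree {subtree!r}"
    # A permitted list for this name type means the name must fall inside it;
    # no permitted list for the type means any name of that type is allowed.
    permitted = constraints.get("permitted", {}).get(kind, [])
    if permitted and not any(match(value, s) for s in permitted):
        return f"{kind} name {value!r} is outside permitted subtrees {permitted}"
    return None


def evaluate_csr(csr, constraints):
    """Decide whether a constrained CA may sign the CSR.

    csr is {'dns': [...], 'ip': [...]} listing the requested subject
    alternative names. Returns (accepted, reasons); reasons is empty on accept."""
    reasons = []
    for kind, names in csr.items():
        for value in names:
            reason = check_name(kind, value, constraints)
            if reason:
                reasons.append(reason)
    return (not reasons, reasons)


# Constructed constraints for a hypothetical payments-only intermediate CA.
PAYMENTS_CA = {
    "permitted": {"dns": ["payments.internal.example"], "ip": ["10.20.0.0/16"]},
    "excluded": {"dns": ["admin.payments.internal.example"]},
}

# Constructed CSRs: one in scope, one reaching outside it, one hitting an
# excluded subtree.
IN_SCOPE_CSR = {"dns": ["api.payments.internal.example"], "ip": ["10.20.4.7"]}
OUT_OF_SCOPE_CSR = {
    "dns": ["api.payments.internal.example", "login.corp.example"],
    "ip": ["192.168.1.9"],
}
EXCLUDED_CSR = {"dns": ["admin.payments.internal.example"]}

if __name__ == "__main__":
    samples = [("in scope", IN_SCOPE_CSR), ("out of scope", OUT_OF_SCOPE_CSR),
               ("excluded", EXCLUDED_CSR)]
    for label, csr in samples:
        accepted, reasons = evaluate_csr(csr, PAYMENTS_CA)
        print(label, "->", "signed" if accepted else "rejected", reasons)
```

The point the post makes about trust follows from this structure: because the intermediate can only ever sign names inside `payments.internal.example` and `10.20.0.0/16`, a relying party that trusts it is trusting a narrow slice of the estate, not every service the root could vouch for.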
» Deploy Vault in HSM-compliant FIPS environments
To comply with FIPS and FedRAMP, Vault AppRole data must be secured by Hardware Security Modules (HSMs) — physical devices used to generate, store, and manage cryptographic keys in a secure environment.
To meet these requirements, Vault's seal-wrap functionality now secures AppRole data with HSM-level protection. As a result, customers can deploy Vault in environments with FIPS compliance requirements.
» Safeguard data with post-quantum-ready encryption
To help companies start preparing for quantum attacks, NIST published three recommended cryptographic standards for post-quantum cryptography (PQC). Like NIST, we believe Vault customers must start safeguarding their applications and services against post-quantum threats today.
In Vault Enterprise 1.19, the transit secret engine introduces experimental support for PQC ML-DSA sign and verify functionality. This allows customers to:
- Evaluate the impact of PQC on their systems and plan for necessary changes
- Protect data from “harvest now, decrypt later” attacks
- Defend against the broader PQC threat
The new PQC support helps organizations test mitigating measures to prevent future threats when quantum computing matures.
» Simplified service discovery for external services with Consul 1.21
HashiCorp Consul is a global service networking platform, and one of Consul's core capabilities is to provide global service discovery across multiple runtimes, platforms, and clouds. In this latest release, Consul simplifies the architecture of Consul External Service Monitor (ESM), which provides service discovery for external services like Amazon RDS or Azure Database.
Prior to the Consul 1.21 release, some customers faced challenges configuring Consul ESM due to specific network requirements. For example, bi-directional communication between Consul servers and Consul ESM was required, which can be challenging for organizations with restrictive network security policies. In addition, Consul ESM required Consul agents, increasing management overhead.
In the latest Consul version, these constraints have been significantly reduced. Consul ESM now only requires outbound network connectivity, simplifying deployment in highly restrictive networks. In addition, Consul administrators no longer need to install and manage Consul agents with Consul ESM, significantly reducing operational complexity. As a result, this simplified architecture enables organizations to deploy, manage, and maintain Consul ESM more efficiently for discovery of external services.
» Get started with Security Lifecycle Management
With breaches increasing each year, harming revenue, and disrupting consumer experiences, C-suites and investors are pressuring organizations to eliminate as many threats as possible while also reducing costs. HashiCorp’s Security Lifecycle Management portfolio helps organizations by identifying vulnerable unmanaged secrets with Vault Radar and using Vault for centralized encryption and secrets management. By making remote access easy with Boundary, organizations expedite wide user adoption and reduce the risk of shadow IT. And with Consul’s unified service discovery platform, it’s simpler to manage external services across all runtime environments, optimizing operations and reducing management costs.
To see these products in action or to learn more, sign up for a free trial of the HashiCorp Cloud Platform and visit our HashiCorp Developer site.