--- title: "CAL 3.15.4 Release Notes | ThreatConnect" slug: "cal-3-15-4-release-notes" description: "This article provides the CAL 3.15.4 release notes." updated: 2026-05-28T19:42:30Z published: 2026-05-28T19:42:30Z --- > ## Documentation Index > Fetch the complete documentation index at: https://knowledge.threatconnect.com/llms.txt > Use this file to discover all available pages before exploring further. # CAL 3.15.4 Release Notes ## MITRE ATT&CK Enterprise v19 MITRE ATT&CK® Enterprise is the industry-standard taxonomy of adversarial tactics, techniques, and procedures (TTPs) used by real-world threat actors. Through deep integration with this framework, CAL enriches and classifies threat intelligence at scale, providing analysts a structured, consistent foundation for identifying attack patterns, mapping adversary behavior, and prioritizing investigations across their intelligence workflows. CAL has been updated to MITRE ATT&CK Enterprise v19, reflecting [MITRE’s April 2025 release](https://center-for-threat-informed-defense.github.io/attack-sync/v18.0-v19.0/enterprise-attack/): - **ATT&CK AI Techniques**: ATT&CK v19 introduces 9 new parent techniques ([T1682](https://attack.mitre.org/techniques/T1682/)–[T1690](https://attack.mitre.org/techniques/T1690/)) and 14 sub-techniques covering AI-specific attack vectors. These additions are reflected across ThreatConnect’s [ATT&CK Tags](https://knowledge.threatconnect.com/docs/attack-tags), Attack Pattern Group objects, and the [ATT&CK Visualizer](https://knowledge.threatconnect.com/docs/attack-visualizer). The [CAL integration with Polarity](https://threatconnect.com/resource/threatconnect-cal-integration-with-polarity/) also reflects these additions. - [**ATT&CK Visualizer**](https://knowledge.threatconnect.com/docs/attack-visualizer):****The ThreatConnect ATT&CK Visualizer has been updated to reflect the v19 technique structure, including the reorganization of T1562 (Impair Defenses) sub-techniques, now split and redistributed across updated tactic categories. Analysts can use the ATT&CK Visualizer to review existing TTP mappings within the new structure, compare threat group behaviors, and assess defensive coverage. Existing technique mappings remain valid, though analysts responsible for T1562 sub-technique coverage should verify their alignment. - [**MITRE ATT&CK AI Classification**](https://knowledge.threatconnect.com/docs/mitre-attack-ai-classification-in-threatconnect): CAL’s AI classification model has been updated for MITRE ATT&CK Enterprise v19, now recognizing **632 techniques and sub-techniques** for implicit classification. The model identifies techniques from sentence-level context clues in intelligence documents in addition to T-code mentions, enabling automatic technique tagging on Report Groups in **the CAL Automated Threat Library** (ATL) Source. - ![Figure 1_CAL 3.15.4 Release Notes](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%201_CAL%203.15.4%20Release%20Notes.png) *The ATT&CK Visualizer includes redistributed T1562 techniques and sub-techniques* ## NSRL Q1 2026 Refresh When triaging file hashes during an incident, analysts face a constant challenge: separating malicious or unknown files from the massive volume of legitimate operating system and software files. CAL’s integration with the [NIST National Software Reference Library (NSRL)](https://www.nist.gov/itl/ssd/software-quality-group/national-software-reference-library-nsrl) addresses this issue by matching file hashes against the NSRL known-good dataset. This capability filters noise out of file hash investigations, reducing the time analysts spend chasing benign system files and allowing them to focus their attention on genuinely suspicious activity. All four NSRL feeds have been refreshed: - NSRL Database – Android - NSRL Database – iOS - NSRL Database – Legacy (pre-2015) - NSRL Database – Modern (2015+) This update adds approximately 17.5 million new file hash records to CAL’s known-good reference, growing the total from 602 million to over 620 million records across four feeds. Analysts benefit from a more current baseline when identifying benign files during investigation. File hashes that match records in the NSRL are surfaced in the [**CAL™ File Hash Information** card](https://knowledge.threatconnect.com/docs/cal-indicator-enrichments#file-and-file-hash-information) on the **Details** screen for File Indicators in ThreatConnect and in the [CAL integration with Polarity](https://threatconnect.com/resource/threatconnect-cal-integration-with-polarity/). For additional context on how CAL handles known-good file hashes, see [*CAL Safelist and Known Good Indicators*](https://knowledge.threatconnect.com/docs/cal-safelist-and-known-good-indicators) and [*Managing File Hashes and Known File Occurrences*](https://knowledge.threatconnect.com/docs/managing-file-hashes-and-known-file-occurrences). ![Figure 2_CAL 3.15.4 Release Notes](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%202_CAL%203.15.4%20Release%20Notes.png) *A file hash matched against the NSRL known-good dataset in the CAL integration with Polarity* ## MITRE ATLAS v5.5.0 and Document Analysis CAL has been updated to MITRE ATLAS™ v5.5.0 (from v4.9.1), incorporating 12 new techniques. With this update, CAL’s ATLAS coverage spans **16 tactics, 97 techniques, and 58 sub-techniques**. When analysts upload intelligence reports via [Document Parsing Import](https://knowledge.threatconnect.com/docs/document-parsing-import), when using the [**ThreatConnect Doc Analysis**](https://threatconnect.readme.io/docs/threatconnect-doc-analysis-playbook) playbook app, or with the [ThreatConnect Intelligence Anywhere](https://knowledge.threatconnect.com/docs/threatconnect-intelligence-anywhere) browser extension, CAL automatically identifies and associates the AI/ML ATT&CK techniques described in the content, giving analysts a machine-readable record of AI/ML threat behaviors without manual tagging. In the **CAL Automated Threat Library** Source, MITRE ATLAS technique associations are also applied automatically as the ATL ingests intelligence from CAL’s supported sources, extending AI/ML threat coverage across the intelligence library without any user action required. ## URL Shortener Classifier Expansion CAL’s `URLShortener` classifier has been expanded with a significantly larger domain reference list, now covering 2,579 URL shortening services, including both active services and domains associated with shorteners that are no longer operational, but whose shortened links remain in circulation. This expansion increases the number of URL Indicators covered by the classifier from approximately 1.2 million to nearly 3 million. When a URL or Host Indicator matches a known shortening service, CAL automatically applies the `URLShortener` classifier label. This label is available on the [ThreatConnect Indicator **Details** screen and drawer](https://knowledge.threatconnect.com/docs/cal-classifiers#viewing-cal-classifiers) and in the [CAL integration with Polarity](https://threatconnect.com/resource/threatconnect-cal-integration-with-polarity/), helping analysts quickly identify shortened links that may obscure malicious destinations and speeding up triage workflows. For a full list of classifier types available in CAL, see [*CAL Classifiers*](https://knowledge.threatconnect.com/docs/cal-classifiers). ![Figure 3_CAL 3.15.4 Release Notes](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%203_CAL%203.15.4%20Release%20Notes.png) *The `URLShortener` CAL Classifier label applied to a URL Indicator in the CAL integration with Polarity* --- *ThreatConnect® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc. MITRE ATT&CK® and ATT&CK® are registered trademarks, and MITRE ATLAS™ is a trademark, of The MITRE Corporation.*