First Published: November 18, 2025

Introduction to Cisco Secure Workload, SaaS Release 4.0.1.1

The Cisco Secure Workload platform is designed to secure your applications by creating micro perimeters at the workload level across your entire infrastructure consistently, whether these are deployed on bare-metal servers, virtual machines, or containers. The micro perimeter is available across your on-premises and multicloud environments using firewall and segmentation, compliance and vulnerability tracking, behavior-based anomaly detection, and workload isolation. The platform uses advanced analytics and algorithmic approaches to offer these capabilities.

This document describes the features, bug fixes, and behavior changes, if any, for the Cisco Secure Workload software Release 4.0.1.1.

Note

Agents upgrade to this version will fail, unless cluster and agents are running at least 3.10.6.3 version.

Release Information

Release Version: 4.0.1.1

Published Date: November 26, 2025

New Software Features in Cisco Secure Workload, SaaS Release 4.0.1.1


Feature Name	Description
Operational Simplicity
Cisco Application Centric Infrastructure (ACI) and Cisco Secure Workload Integration	The Application Centric Infrastructure (ACI) and Secure Workload integration is a data center security and automation solution that does the following: Combines ACI’s network fabric provisioning with Secure Workload’s policy-driven segmentation. Provides AI-driven visibility and centralized policy management. Supports both agent-based and agentless enforcement for consistent and scalable workload provisioning. This integration streamlines application workload provisioning with simplified segmentation and centralized monitoring, extending the value of the existing ACI infrastructure and linking with Cisco’s broader security ecosystem. For more information, see ACI Integration with Secure Workload.
Enhancing User Experience
Enhanced UI for Secure Workload Landing page	The application landing page has been redesigned to make it easier to locate and manage applications, especially in environments with a large number of applications. The new page highlights key features, such as Policy Statistics and Policy Conditions while offering a cleaner and more intuitive interface. Key updates: List View: Displays workspaces, scopes, last (ADM) run timestamps, and application status (draft, analyzed, or enforced). It also features the top two AI-suggested tasks per workspace for faster insights. Tree View: Provides a modern look with a horizontal layout and improved spacing of the scope tree. Additional Options: Users can easily switch between the new and earlier landing pages using the toggle button, allowing a seamless transition experience.
Dark Mode option	With the new Dark Mode option, users can toggle between the Dark and Light modes by using the User Preferences page that is available on the user login menu.
Platform Enhancements
Agents-only patch upgrade	You can now apply agents-only patches to clusters. These patches support updated agent package versions without affecting other cluster components or causing downtime to cluster services. Key benefits: Apply agent update independent of complete cluster upgrades. No service interruption or cluster downtime. Simplified and faster patching process for agent updates.
Revoke Agent Packages	The ability to revoke agent packages in Cisco Secure Workload allows administrators to block the installation or upgrade of specific agent versions or packages having critical issues for certain operating systems. This revocation is precise to the affected package and reversible, enabling administrators to temporarily prevent deployment or automatic upgrades to problematic agent versions, as needed. This feature helps maintain system stability and security by controlling agent versions in the environment. Key points: Administrators can revoke specific agent packages to prevent their installation or upgrade. The revocation is reversible, allowing flexibility to block or unblock agent versions. This capability is useful for managing critical issues related to particular agent versions or OS platforms. This concise control over agent package deployment enhances operational security and stability in Secure Workload environments. For more information, see Revoke Agent Packages.
Service Protection for AIX and Linux Agents	The service protection feature is now supported in Secure Workload agents running on AIX and Linux. When enabled in the Agent Configuration Profile, this feature prevents system administrators from disabling or stopping the `csw-agent` service or uninstalling the `tet-sensor` package using standard methods. If necessary, the protection can be temporarily lifted from a workload by using a Time-based One Time Password (TOTP) provided by the Secure Workload administrator, allowing controlled management of agent services while maintaining security. For more information, see Agent Config Profile.
Cluster Certificate	The Secure Workload SaaS platform uses a new set of Cisco-provided certificates for its agent-facing services. This update enhances security by ensuring trusted TLS negotiations between agents and the SaaS cluster. The certificates are publicly trustable, which means all TLS connections initiated by agents to the Secure Workload SaaS cluster will be secured with certificates trusted by public certificate authorities. The new certificates will only validate Fully Qualified Domain Name (FQDN) endpoints under the root domain `secureworkload.cisco.com`. As a result of this change, the downloaded agent installer scripts will no longer function after the publicly trustable certificates feature is enabled, which requires updated scripts compatible with the new certificate infrastructure. This update enhances security by ensuring trusted TLS negotiations between agents and the SaaS cluster. For more information, see Configure the Cisco SSL Services API Key.
Binary and User-based Enforcement on Linux	Linux agents running on Version EL7.1+ and equivalent distributions now support binary and user-based policy enforcement. This enhancement allows policies to match and enforce rules based on the specific binary oruser-initiated outgoing flows, in addition to existing network-based parameters. Key benefits Granular control over outbound traffic by user or process. Enhanced security and visibility for Linux workloads. Seamless integration with existing policy models.

Enhancements in Cisco Secure Workload, Release 4.0.1.1

All AIX, Linux, and Solaris agent packages are now GPG‑signed by a centralized Cisco signing authority. As a result, the GPG tool (or an equivalent) is required for installing Version 4.0.1.1 agents, and to upgrade existing agents to 4.0.1.1. This requirement applies to agents running on Debian, Ubuntu, AIX, and Solaris.
Linux agents will now apply segmentation policies directly using nftables on hosts with nftables package Version 1.0.0 or later.
Secure Workload agents support Fedora versions 32 through 37.

Changes in Behavior in Cisco Secure Workload Release, 4.0.1.1

After the agent is installed on the workload, unzip is no longer necessary for subsequent agent upgrades.

Resolved and Open Issues

The resolved and open issues for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about issues and vulnerabilities in this product and other Cisco hardware and software products.

Note: You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, register for an account.

For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.

Resolved Issues


Identifier	Headline
CSCvf63373	Sensor: signed with public trusted CA to meet STIG requirement
CSCwo89435	Agent Enforcement Health shows 'Policy out of Sync'
CSCwp19084	Firewall rules not programmed on hosts post On-Prem to SaaS migration
CSCwq10185	FMC connector creation failing when using FMC HA
CSCwq83014	CSW : Access policy is lost on FTD failover
CSCwr46882	AIX CSW Agent does not add existing users of config file when creating /etc/security/audit/config.tet
CSCwr57676	Agent reports flow export stopped anomaly when using proxy
CSCwr61435	TetSen.exe Crash on CSW Windows Agent Related to dns_cache Feature
CSCwr78143	Agent fails to save/delete offline flows after upgrade to 3.10.4.8

Open Issues


Identifier	Headline
CSCwh45794	ADM port and pid mapping is missing for some ports.
CSCwm40398	Multiple packages have been flagged with CVE 2022-1471 in RHEL8.9 system
CSCwm80745	Cisco Vulnerabilities Workloads Multiple selections across pages does not work in the UI
CSCwn61888	RHEL OS CVEs Inconsistencies report.
CSCwn75424	Azure agentless enforcement out-of-band change not being detected
CSCwn86124	Windows Agent - Missed Packets graph not being populated
CSCwn90706	Vulnerabilities page shows a backend service error
CSCwn99675	Installation of threat intelligence datasets rpms is failing
CSCwo11089	Customers would see temporary spikes in escaped flows when running policy analysis.
CSCwp15933	AI Policy Discovery feature under certain workspace the process fails to complete throws an exception
CSCwp28822	Incorrect workload license usage
CSCwp36145	Quick Policy Analysis for Analysed flows provides incorrect policy mapping
CSCwp46016	Global Visulaization dashboard does not display results on using filters
CSCwp67461	ENH: Add Minimum Supported TLS Version (1.2) in CSW SaaS User Guide and Implement OpenSSL Version Pre-Check in Agent Installation Script
CSCwp95305	Windows Enforcement Agent Does Not Support Multiple Executables Per ANY Policy Rule
CSCwp97029	CSW 3.9.1.x : False positive scenario of flow rejection for permitted policies
CSCwq00489	Enforcement not pushed to FMC access control policies
CSCwq02029	Ingest or virtual appliance remaining in pending registration state
CSCwq19946	At times, Quick Policy Analysis fails to provide outcome
CSCwq20873	Intermittent incomplete results using Quick Hypothetical Flow Analysis
CSCwr97565	ACI In line documentation points to the wrong location
CSCws02884	PDF Download and PDF send in Reporting page is slow
CSCwr89903	Memory limiting on Windows TetSen.exe process may not work
CSCwr89957	TetSen.exe consumes too much memory
CSCws07592	Excessive Lag in Flow Analyitcs Pipeline can cause HDFS to enter SafeMode
CSCws12498	Agent installer script fails on Debian/Ubuntu in 4.0.1.1
CSCws12561	CSW: Delayed Policy Push for Short-Lived Pods

Resources	Description
Secure Workload Documentation	Provides information about Cisco Secure Workload, its features, functionalities, installation, configuration, and usage.
Compatibility Information	Provides information about supported operating systems, external systems, and connectors for Secure Workload agents.
SaaS Scalability Limits	Provides information about the SaaS scalability limits.
Cisco Secure Workload Platform Datasheet	Describes technical specifications, operating conditions, licensing terms, and other product details.
Latest Threat Data Sources	Contains information about the data sets for the Secure Workload pipeline that identifies and quarantines threats that are automatically updated when your cluster connects with Threat Intelligence update servers. If the cluster is not connected, download the updates and upload them to your Secure Workload appliance.

Contact Cisco Technical Assistance Center

If you cannot resolve an issue using the online resources listed above, contact Cisco TAC:

Email Cisco TAC: tac@cisco.com
Call Cisco TAC (North America): 1.408.526.7209 or 1.800.553.2447
Call Cisco TAC (worldwide): Cisco Worldwide Support Contacts

Cisco Secure Workload Release Notes, SaaS Release 4.0.1.1

Available Languages

Download Options

Bias-Free Language