Public roadmap

What shipped recently, what's in beta, and what's next. We update this page every time a feature flips state. For procurement: this list is also the basis of our quarterly customer briefing.

Last updated: 2026-05-19

Shipped In production today

Everything below is live on javascriptobfuscator.com and reachable from the dashboard or REST API.

Maximum mode — polymorphic per-build protection

Identifier renaming, encrypted string array, control-flow flattening, member renaming, deep obfuscation, code transposition. Every build is byte-different even when the input is identical.

2024-Q4 · All paid tiers

Runtime Defense suite

Debug protection, console suppression, self-defending integrity heartbeat, devtools-key blocking, headless-browser detection, session-token lock, fingerprint lock, challenge lock, signed envelopes (RSA), beacon callback.

2026-Q1 · Corporate+

`jso-protector` npm CLI

Run JSO from package scripts, Vite/Webpack/Rollup/esbuild/Bun/Next.js/Metro/Parcel integrations, presets, dynamic config, identifier-map persistence.

2026-Q1 · npm guide ›

Compatibility analyzer

Static-analysis pass that flags identifiers escaping the bundle (DOM hooks, framework lifecycle names, public APIs) before protection runs. Reduces "it broke after obfuscation" support volume.

2026-Q1 · Docs ›

VS Code extension

Right-click obfuscate file or selection from any JS/TS editor. Three preset levels. Credentials read from env vars first, settings second.

2026-Q2 · Marketplace listing

GitHub Action

Composite action that tags every build with the commit SHA, surfaces build-id and polymorphism-fingerprint as step outputs, and writes the API report for later symbolication.

2026-Q2 · Marketplace listing

Stack-trace symbolication (`jso-symbolicate`)

Local demangler with first-class integrations for eight error reporters: Sentry, Bugsnag, Rollbar, Datadog, Honeybadger, Raygun, Airbrake, AppSignal. Stacks never leave the customer machine. Docs › · Interactive demo ›

2026-Q2 · npm package

JetBrains IDE plugin

Right-click Obfuscate File or Obfuscate Selection from WebStorm, IDEA Ultimate, PhpStorm, PyCharm Professional, RubyMine, GoLand, or Rider. Same three presets and wire format as the VS Code extension and the npm CLI.

2026-Q2 · Plugin marketplace

CI templates for twelve systems

Ready-to-drop templates for GitHub Actions, GitLab CI, CircleCI, Jenkins, Azure Pipelines, Bitbucket Pipelines, Drone CI, Buildkite, Woodpecker, Tekton, TeamCity, and GoCD. Each tags the run with the commit SHA via --label and archives the API report for later symbolication. Smoke-validated by a verify:ci npm script that enforces the same convention across all twelve.

2026-Q2 · npm package ci/ folder

Six non-Node language clients

Same protect() shape in Python (PyPI, stdlib urllib), Go (net/http), .NET (NuGet, HttpClient-injectable, .NET Standard 2.0), Ruby (RubyGems, net/http), PHP (Composer, ext-curl/stream fallback), and Rust (Cargo, ureq). Identical preset table, identical Result shape, identical env-var-first credential pattern. Reference doc ›

2026-Q2 · PyPI / Maven / NuGet / RubyGems / Packagist / crates.io

pre-commit hooks

jso-release-check and jso-dry-run catch config drift in git commit before it reaches CI. Deliberately don't POST source on every commit — that's CI's job.

2026-Q2 · .pre-commit-hooks.yaml

Eight error-reporter integrations

One-line jso-symbolicate wire-up for Sentry, Bugsnag, Rollbar, Datadog, Honeybadger, Raygun, Airbrake, AppSignal. Each integration is covered by an offline unit test that asserts field rewrites and verifies that a broken lookup never blocks the crash report.

2026-Q2 · jso-symbolicate subpath exports

Migration guides for Jscrambler and the OSS package

Opinionated, one-page-each migration paths: feature mapping tables, honest gap lists (PCI v4 third-party tags, hosted threat-monitoring dashboard for Jscrambler; what JSO adds on top for the OSS), and step-by-step checklists.

2026-Q2 · Jscrambler · OSS

Build-integrations hub + interactive symbolicate demo

build-integrations.aspx surfaces every integration in one grid; symbolicate-demo.aspx runs the demangler entirely client-side — pasted stack and map never leave the browser.

2026-Q2 · Public site

BuildId + PolymorphismFingerprint in API response

Auditor evidence that builds genuinely diverge between requests. Two consecutive obfuscations of identical input MUST produce different fingerprints when polymorphism is engaged.

2026-Q2 · All paid tiers

Beta Opt-in for Corporate+

Beta features are gated by an Account.BetaFeatures flag. Email support if you want early access.

VM bytecode protection

True virtualization — source compiles to a custom bytecode and ships alongside a per-build polymorphic VM interpreter. Substantively different protection class from the static transforms. Real overhead, real anti-LLM gain. Docs ›

2026-Q2 beta · Corporate+ with UseVMProtection beta flag

Signed release envelopes

RSA-signed envelopes binding a release to a buildId, workspace, and environment. Runtime refuses to execute if the envelope signature doesn't verify. Pairs with the integrity heartbeat.

2026-Q2 beta · Corporate+

Next In flight for the upcoming release

Active development. Dates target end of 2026-Q3; we move them on this page whenever scope or priority shifts.

JSO AI Phase 1 — UX foundations

Separate add-on subscription. Preset assistant (natural language → jso.config.json), compatibility checker (flags risky patterns before protection), config-help chat (paste an error, get the transform that caused it). Three tiers: AI Basic $19, AI Corporate $79, AI Enterprise $299 — preview pricing. Strategic plan ›

2026-Q3 · AI add-on, all obfuscation tiers

JSO AI Phase 2 — Resistance Score + Selective Obfuscation

CASCADE-style adversarial probe runs against every protected build and reports a recovery score. AI scans the input and recommends which functions get Maximum mode vs VM virtualization vs left alone, so customers don't pay the Maximum-mode cost on code that doesn't need it. Honest "we think this is the license-validation function" UI; user confirms before any setting changes.

2026-Q4 · AI Corporate+

JSO AI Phase 3 — Deobfuscation Benchmark + Anti-LLM Evolution

AI Enterprise gets a "run the published deobfuscators against my protected build" report — honest customer-specific numbers showing how much CASCADE / JSIMPLIFIER / GPT-class models recovered. Internal continuous-evolution harness gates transforms against multiple LLMs on every release. Full AI variant generation under safety constraints.

2027-Q1 · AI Enterprise

Threat-monitoring dashboard

Persistent UI for the beacon events that Runtime Defense already emits. Filterable by buildId, fingerprint hit, or session lock failure. Closes the "we can't see attacks" objection that comes up in every enterprise eval.

2026-Q3 · Corporate+

Source Map v3 with positions

Capture line/column for every renamed identifier so Sentry / Datadog / Bugsnag can auto-symbolicate without the in-band event processor. Replaces the current "name-only" map shape.

2026-Q3 · All paid tiers

Asynchronous-function support in VM mode

The current VM beta runs synchronous functions only. Async/await transformation is in design.

2026-Q3 design · VM beta participants

Interactive playground per transform

Move transforms-side-by-side from static examples to live API calls so visitors can paste their own snippet and see polymorphism in action.

2026-Q3 · Public site

Threat-monitoring dashboard polish

UX iteration on the beacon dashboard: filter chains, saved views, webhook escalation rules, anomaly alerts when a buildId's beacon volume spikes.

2026-Q4 · Corporate+

Research Investigating, no commit yet

We're researching these but haven't committed scope. Customer voice on this page weights priority; tell us if one of these would unblock a deal.

Prelude-interleaving transform (CASCADE counter)

Google's CASCADE paper showed LLM+IR deobfuscators can identify and invert clean prelude functions (string-array decoder, flat-control-flow dispatcher). Researching a transform that interleaves prelude work with surrounding business logic so the prelude-vs-body boundary is fuzzy and the LLM-identification step has nothing clean to label. Threat-model write-up ›

Non-extractable decoder pattern (CASCADE counter)

Decoders that read from a runtime-fingerprint or server-issued nonce can't be symbolically executed offline. Existing Runtime Defense building blocks (RuntimeFingerprint, RuntimeChallengeSecret, RuntimeSessionToken) already enable this; researching a one-flag option that wires them into the string-array decoder automatically.

Symbolic-execution detection at runtime

Adjacent to DetectHeadlessBrowser: detect when the protected code is being run inside an offline symbolic-evaluator context (incomplete DOM, deterministic timing, no real network) and refuse to decode. Defeats CASCADE-style offline analysis even when the decoder itself is extractable.

Native-binary obfuscation for Electron mains

Several customers ship Electron with the main process unprotected. Investigating a path that delegates the main-process JS through the same pipeline.

Server-side persistence of identifier maps

Optional hosted map storage keyed by buildId, so customers can retrieve the demangling dictionary by buildId without keeping their own artifact store. Privacy trade-off — we'd be holding identifier maps; some customers will explicitly not want this.

Browser-side WASM runtime for the VM

Compile the VM interpreter to WASM at protect-time. Smaller runtime footprint, harder to attach a debugger to. Cost: WASM toolchain in the obfuscator pipeline.

Tiered "Startup" plan at $19/month

Most JShaman and obfuscator.io Pro defectors come in below the current $29 Basic tier. Investigating a usage-capped Startup plan that captures the price-shopper segment without cannibalizing Basic.

Things we deliberately won't do

Worth being explicit about. If procurement asks for one of these, the honest answer is "no, by design."

Send protected output back through a third-party CDN

Some competitors host the obfuscated output behind a per-customer subdomain. We don't — you keep the output, we keep neither the input nor the output beyond the API request lifetime.

Single-vendor lock-in via proprietary runtime

Protected JS runs in a vanilla browser or Node runtime. No required SDK, no required CDN script, no required server-side proxy. If you leave JSO, your shipped builds keep running.

Send your code to a third-party LLM for analysis

The Compatibility Analyzer and other static-analysis paths are deterministic. We don't ship your source to a third-party LLM for "AI-powered" suggestions.

Got a feature ask not on this page? Tell us ›