diff --git a/docs/release-notes.asciidoc b/docs/release-notes.asciidoc index 524176ad52..c2ae391241 100644 --- a/docs/release-notes.asciidoc +++ b/docs/release-notes.asciidoc @@ -8,7 +8,7 @@ This section summarizes the changes in each release. :issue: https://github.com/elastic/kibana/issues/ :pull: https://github.com/elastic/kibana/pull/ - +include::release-notes/7.16.asciidoc[] include::release-notes/7.15.asciidoc[] include::release-notes/7.14.asciidoc[] include::release-notes/7.13.asciidoc[] diff --git a/docs/release-notes/7.16.asciidoc b/docs/release-notes/7.16.asciidoc new file mode 100644 index 0000000000..e9ab819425 --- /dev/null +++ b/docs/release-notes/7.16.asciidoc 
@@ -0,0 +1,70 @@ +[discrete] +[[release-notes-7.16.0]] +== 7.16.0 + +[discrete] +[[features-7.16.0]] +==== Features +* Adds the ability to configure trusted applications on a per-policy basis, allowing security administrators to target a set of hosts with specific configurations and settings. For example, trusted applications can be tailored to certain functions within an organization or for testing and troubleshooting purposes ({pull}112182[#112182], {pull}111051[#111051], {pull}110966[#110966]). +* Adds memory threat protection for macOS and Linux systems ({pull}114799[#114799]). +* Provides certified applications for {sn} Security Operations (SecOps) and {sn} IT Service Management (ITSM), and introduces a new {sn} IT Operations Management (ITOM) connector ({pull}105440[#105440], {pull}114125[#114125]). +* Updates logic for deciding whether a host's isolation or release status appears as `Pending` for endpoints added to {elastic-sec} in {stack} version 7.16.0 or later ({pull}115441[#115441]). +* Adds {Fleet} actions and responses to the endpoint activity log; enriches the log by showing successful or failed action responses that were completed when the endpoint finished executing the action request ({pull}114905[#114905]). +* Updates the resolution logic for ID-based links to cases ({pull}111984[#111984]). +* Allows users to create host isolation exceptions ({pull}111253[#111253]). +* Allows cases to be imported and exported as saved objects ({pull}110148[#110148]). +* Highlights the top riskiest hosts in a user's environment, based on a normalized host risk score scale of 0 to 100. ({pull}109553[#109553]). +* Adds host risk metadata to alert details ({pull}113274[#113274]). +* Switches the order of the *Count* table and the *Trend* histogram on the Alerts page ({pull}117878[#117878]). +* Removes assigned policies from trusted applications when removing the {endpoint-sec} integration ({pull}108347[#108347]). 
+ +[discrete] +[[bug-fixes-7.16.0]] +==== Bug fixes and enhancements +* Moves the *Analyze event* option from the overflow menu to the *Actions* column within the Alerts and Events tables. It now only displays events that can be opened in the visual event analyzer ({pull}115478[#115478]). +* Halts indicator match rule execution after the allotted time interval has passed ({pull}115288[#115288]). +* Allows detection rule actions to be migrated to a centralized Kibana alerting framework. Users may receive notifications sooner after alerts have been generated, depending on rule configuration and actions frequency ({pull}115243[#115243], {pull}115101[#115101]). +* Changes the prebuilt indicator match rule's interval and lookback time to one hour ({pull}115185[#115185]). +* Allows exceptions to be exported with rules ({pull}115144[#115144]). +* Improves the formatting of array values and JSON in the *Table* and *JSON* tabs ({pull}115141[#115141]). +* Provides users with a new, simpler way to add data to their environments through the {agent} ({pull}115016[#115016], {pull}112142[#112142]). +* Enables the Index connector and action for the Detection engine ({pull}111813[#111813]). +* Hides building block rules on the Overview page ({pull}105611[#105611]). +* Corrects the distorted view of the "Status" badge in the Alert details flyout ({pull}116237[#116237]). +* Improves the display of rule status errors caused by user permissions to the source index ({pull}115114[#115114]). +* Fixes the exceptions export route ({pull}114920[#114920]). +* Restores local storage persistence for the Alerts table and the Remove Column action ({pull}114742[#114742]). +* Fixes issues that occurred when adding the {endpoint-sec} integration to an {agent} policy in {fleet} ({pull}114467[#114467]). +* Updates the Indexing Time and Query Time columns in the Rule Monitoring table to be SUM, instead of MAX ({pull}114023[#114023]). 
+* Fixes a bug that prevented dialogs on the Overview page from opening when users clicked on the *Inspect* button ({pull}113161[#113161]). +* Sets a new default indicator index query that checks indicator index patterns for matched indicators that have occurred in the past 30 days ({pull}112300[#112300]). +* Decodes file names on uploaded value lists and fixes a bug that stopped value lists from being deleted ({pull}111838[#111838]). +* Fixes a bug that allowed users to create a trusted application with an empty `name` field ({pull}111508[#111508]). +* Removes duplicate exception lists on rule export when multiple rules reference the same list ({pull}116698[#116698]). +* Disables scrolling when activity data isn't present in the endpoint activity log ({pull}118406[#118406]). +* Updates the description in the import rules dialog ({pull}118216[#118216]). +* Fixes a faulty status API call if the user selects the same status that's already selected ({pull}118115[#118115]). +* Prevents autofocus from jumping to the wrong field ({pull}117950[#117950]). +* Removes validation that required the action ID to be a UUID ({pull}116524[#116524]). +* Changes the detections log level from info to debug within the detection engine ({pull}116518[#116518]). +* Fixes truncated values in columns within the Rules table ({pull}115825[#115825]). + +[discrete] +[[upcoming-breaking-changes-7.16.0]] +==== Upcoming breaking changes +*Changes to detection rule preview functionality:* + +To improve the detection engine's rule preview functionality in 8.0.0, preview alerts will be written to a new index called the signals preview index (`.siem-signals-preview*`). In order to view this index and use the updated rule preview functionality, roles must have `read` privileges to the new signals preview index. Also note that, other than their index lifecycle management policies, signal preview indices are nearly identical to existing signal indices ({pull}116374[#116374]). 
+ +To give a role `read` privileges to the new signals preview index: + +. Open the main menu, then go to *Management -> Stack Management -> Security -> Roles*. +. Select the custom role you want to update. +. Modify the role's index privileges as follows: +.. *Indices*: Enter the signals preview indices that correspond with the signals indices. For example, the `.siem-signals-preview*` index pattern corresponds with the `.siem-signals*` index pattern. Similarly, the `.siem-signals-preview-*` index pattern corresponds with the `.siem-signals-*` index pattern. +.. *Privileges*: Enter `read`. +. Click *Update role* to save your changes. + +*Upcoming changes to case feature privileges* + +In 8.0.0, case feature privileges will no longer be a sub-feature under {elastic-sec} ({pull}113172[#113172]).
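Review bot: the `-` line in the `docs/release-notes.asciidoc` hunk drops the blank line that separated the `:pull:` attribute entry from the `include::` list, so `include::release-notes/7.16.asciidoc[]` now sits directly under `:pull: https://github.com/elastic/kibana/pull/`. Suggest keeping that blank line and placing the new include immediately above `include::release-notes/7.15.asciidoc[]`, so the attribute block and the include list stay visually separated as before; the ordering itself (7.16 ahead of 7.15) is correct.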
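Review bot: in the new `docs/release-notes/7.16.asciidoc` the Fleet attribute is spelled two ways, `{Fleet}` in the activity-log bullet for `{pull}114905` and `{fleet}` in the bug-fix bullet for `{pull}114467`; AsciiDoc attribute names are case-sensitive, so whichever spelling is not defined will render as literal text. Suggest `{fleet}` in both. Smaller points in the same hunk: `scale of 0 to 100. ({pull}109553[#109553]).` has a stray period before the parenthetical; `*Upcoming changes to case feature privileges*` lacks the trailing colon used by `*Changes to detection rule preview functionality:*`; the `{pull}115243` bullet writes `Kibana` literally while neighbouring bullets use product attributes such as `{elastic-sec}` and `{agent}`; `Removes validation that required the action ID to be a UUID ({pull}116524[#116524])` does not say which action ID it refers to, so readers cannot tell what changed; and the `{pull}116518` bullet, which moves detection-engine logging from info to debug, would help operators if it mentioned that anyone relying on those info-level lines for monitoring now needs debug logging enabled for that logger.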