Safeguard.sh Documentation Center

Runtime Protection (CWPP & CNAPP)

ATT&CK-mapped runtime threat detection and cloud-native risk correlation — surfacing findings that are running, reachable, exposed, and over-privileged all at once.

Runtime Protection (CWPP & CNAPP)

Runtime protection watches workloads as they execute and correlates runtime signals with the rest of your posture, so risk that is actually live rises above theoretical risk.

Runtime threat detection (CWPP)

Safeguard ships a Falco-style runtime rule engine that detects suspicious workload behavior — shells spawned in containers, sensitive file access, unexpected network activity, privilege changes — and maps each rule to the relevant MITRE ATT&CK technique so alerts arrive with adversary context.

Rollout note. Runtime protection is available, with the eBPF runtime collector rolling out. The collector is a Linux follow-on and sits behind an EventSource interface, so the rule engine consumes events independently of the collector's rollout. eBPF-based collection is not claimed as generally available yet.

Detection rule packs

Managed rule packs ship as data over the shipped engine, each mapped to an ATT&CK technique:

Rule packTriggers onATT&CK
Reverse shellA shell with stdin/stdout wired to a connected socketT1059
Crypto-minerConnection to a known stratum pool, or sustained high CPU with miner-class argumentsT1496
Container escapensenter, /proc/1/root access, privileged mount, release_agent writeT1611
Fileless / in-memorymemfd_create followed by execution of the memfdT1620
Privilege escalationSetuid-to-root transitions, anomalous sudo / pkexecT1548
LOLBin chaincurl/wget piped into a shell; cron/scheduled-task writes from a workloadT1105

Per-workload allow-lists suppress benign shells (for example in interactive dev containers), and tenants can add custom rules in the same schema, tenant-scoped and audited on load.

Runtime SCA / reachability

From library-load events, the engine records which packages actually load and which functions execute per workload, and feeds this to AutoTriage: a statically-reachable CVE gets upgraded to runtime-confirmed (priority up), and a never-loaded package is demoted (priority down). Reachability only re-ranks CVE/SCA findings — it never suppresses a malware finding.

Gated runtime response

Beyond detection, runtime protection can respond — always policy-gated and safe-fail:

ActionMechanismGate
AlertEmit event/finding onlyDefault, always allowed
BlockDrop the offending connectionPolicy
KillTerminate the offending process (by PID + start-time)Policy + approval
QuarantineCordon the pod and apply a deny-all network policyPolicy + approval
IsolateFull network isolation of the workloadPolicy + approval

The default policy is detect-and-alert only until a tenant explicitly opts in. Destructive actions require human approval unless a specific high-confidence rule is opted into auto-response. Responses are safe-fail — a failed action is recorded and never crashes the protected workload — rate-capped (a storm degrades to alert-only), and reversible where applicable. kill only ever targets the offending process, verified by PID and start-time.

Cloud-native risk correlation (CNAPP)

The CNAPP layer correlates findings across dimensions to identify the risks that matter most — a workload that is simultaneously:

  • Running — actually executing, not just defined,
  • Reachable — exposed on a network path,
  • Exposed — accessible from an untrusted boundary, and
  • Over-privileged — holding more permission than it needs.

A finding that lights up all four is prioritized far above one that lights up only one. This correlation flows into the unified findings model and shares correlation keys with SAST, DAST, and Red Team so a confirmed, reachable, exploitable issue is treated as such.

Findings

Runtime findings land in the unified findings view discriminated as runtime, tenant/org-scoped end to end, with the ATT&CK mapping and the correlation dimensions that fired.

Configuration

Runtime protection is admin-toggleable via a feature flag, enforced server-side. The rule engine is available today; deploy the runtime collector (rolling out for Linux) to feed it live events.

On this page