Runtime Protection (CWPP & CNAPP)
ATT&CK-mapped runtime threat detection and cloud-native risk correlation — surfacing findings that are running, reachable, exposed, and over-privileged all at once.
Runtime Protection (CWPP & CNAPP)
Runtime protection watches workloads as they execute and correlates runtime signals with the rest of your posture, so risk that is actually live rises above theoretical risk.
Runtime threat detection (CWPP)
Safeguard ships a Falco-style runtime rule engine that detects suspicious workload behavior — shells spawned in containers, sensitive file access, unexpected network activity, privilege changes — and maps each rule to the relevant MITRE ATT&CK technique so alerts arrive with adversary context.
Rollout note. Runtime protection is available, with the eBPF runtime collector rolling out. The collector is a Linux follow-on and sits behind an
EventSourceinterface, so the rule engine consumes events independently of the collector's rollout. eBPF-based collection is not claimed as generally available yet.
Detection rule packs
Managed rule packs ship as data over the shipped engine, each mapped to an ATT&CK technique:
| Rule pack | Triggers on | ATT&CK |
|---|---|---|
| Reverse shell | A shell with stdin/stdout wired to a connected socket | T1059 |
| Crypto-miner | Connection to a known stratum pool, or sustained high CPU with miner-class arguments | T1496 |
| Container escape | nsenter, /proc/1/root access, privileged mount, release_agent write | T1611 |
| Fileless / in-memory | memfd_create followed by execution of the memfd | T1620 |
| Privilege escalation | Setuid-to-root transitions, anomalous sudo / pkexec | T1548 |
| LOLBin chain | curl/wget piped into a shell; cron/scheduled-task writes from a workload | T1105 |
Per-workload allow-lists suppress benign shells (for example in interactive dev containers), and tenants can add custom rules in the same schema, tenant-scoped and audited on load.
Runtime SCA / reachability
From library-load events, the engine records which packages actually load and which functions execute per workload, and feeds this to AutoTriage: a statically-reachable CVE gets upgraded to runtime-confirmed (priority up), and a never-loaded package is demoted (priority down). Reachability only re-ranks CVE/SCA findings — it never suppresses a malware finding.
Gated runtime response
Beyond detection, runtime protection can respond — always policy-gated and safe-fail:
| Action | Mechanism | Gate |
|---|---|---|
| Alert | Emit event/finding only | Default, always allowed |
| Block | Drop the offending connection | Policy |
| Kill | Terminate the offending process (by PID + start-time) | Policy + approval |
| Quarantine | Cordon the pod and apply a deny-all network policy | Policy + approval |
| Isolate | Full network isolation of the workload | Policy + approval |
The default policy is detect-and-alert only until a tenant explicitly opts in. Destructive actions require human approval unless a specific high-confidence rule is opted into auto-response. Responses are safe-fail — a failed action is recorded and never crashes the protected workload — rate-capped (a storm degrades to alert-only), and reversible where applicable. kill only ever targets the offending process, verified by PID and start-time.
Cloud-native risk correlation (CNAPP)
The CNAPP layer correlates findings across dimensions to identify the risks that matter most — a workload that is simultaneously:
- Running — actually executing, not just defined,
- Reachable — exposed on a network path,
- Exposed — accessible from an untrusted boundary, and
- Over-privileged — holding more permission than it needs.
A finding that lights up all four is prioritized far above one that lights up only one. This correlation flows into the unified findings model and shares correlation keys with SAST, DAST, and Red Team so a confirmed, reachable, exploitable issue is treated as such.
Findings
Runtime findings land in the unified findings view discriminated as runtime, tenant/org-scoped end to end, with the ATT&CK mapping and the correlation dimensions that fired.
Configuration
Runtime protection is admin-toggleable via a feature flag, enforced server-side. The rule engine is available today; deploy the runtime collector (rolling out for Linux) to feed it live events.
Related
- Unified Findings & Feature Flags — where runtime findings land and how the engine is toggled.
- Reachability Analysis — the reachability dimension of the correlation.
- Red Team — emulation that validates whether runtime detections fire.
- SecOps (SIEM) — runtime events feed the SIEM event store.
- AutoTriage — consumes runtime reachability to re-rank findings.
Data Security Posture Management (DSPM)
Discover and classify sensitive data — PII, PHI, Luhn-validated payment data, and high-entropy secrets — with an enforced redaction mandate so raw sensitive data is never stored.
SecOps (SIEM)
OCSF-normalized security event ingestion, continuous detection with Sigma rules and IOC matching, and deduplicated alerts — the SIEM substrate, with SOAR, XDR, and an agentic SOC analyst on the roadmap.