APP RUNTIME

Detect, block and explain attacks inside your running app

App Runtime is application detection and response that lives inside your app, not at the perimeter. It sees attacks the way they actually happen, with full execution context, across web services, mobile apps, APIs and AI endpoints, and it blocks them in real time.

Start free trial
Book a demo

Trial available. Connect your app and see real incidents in minutes.

ByteHide App Runtime dashboard showing live incidents, last incidences feed, sessions over 30 days and a world map of attack origins
  • 20,000+ developers protect their applications with ByteHide every month
  • Built for web, mobile, desktop, API and AI workloads
  • Behavior-based detection, no signatures to write
  • Detects and blocks at the point of execution

The runtime blind spot

You go blind exactly where it matters

Code scanners check your app before it ships. Perimeter firewalls watch the traffic around it. Neither one is inside the app when the attack actually runs, which is exactly where injection, tampering, jailbreaking and prompt injection do their damage, often through code no scanner ever flagged. The moment your app is live, you lose visibility right where the attack lands.

Pre-ship

Code scanner

Watching static code

Network edge

Perimeter WAF

Inspecting HTTP traffic

runtime.tsBlind
  • 01SELECT * FROM users WHERE id ='42'' OR 1=1 --SQL injection
  • 02$ exec --file=report.pdf; rm -rf /Command injection
  • 03prompt = "Summarise…"Ignore prior instructionsPrompt injection

In-app firewall

It sees the attack the way your code does

Unlike a traditional WAF that inspects traffic from the outside, App Runtime is an in-app firewall embedded in your application. It sees the full execution context: the actual SQL query being built, the command about to run, the file path being resolved, the prompt about to reach your model. When a request carries a real threat, it blocks it before it hits your database or executes on your server. It detects and stops, in real time:

Injection and web attacks

SQL and NoSQL injection, XSS, command injection, LDAP injection, path traversal, SSRF and XXE.

AI and LLM attacks

Prompt injection, with the matched pattern, model and provider.

App and device tampering

Debugger, emulator and VM detection, jailbreak and root, code tampering, memory dump and process injection.

See it in a demo

The next generation of RASP

RASP proved the idea. App Runtime is the platform it pointed to.

Protecting an application from the inside is the right instinct, and RASP established it. App Runtime takes that principle to another level: a complete detection-and-response platform that lives inside your app and understands, in real time, what is actually happening:

  • Behavior analysis, not signatures

    It flags patterns that fall outside normal, so new attacks are caught without waiting for a signature to exist.

  • Anomaly detection

    It catches what isn't generic: the issues tied to authentication, access and business logic, where signature-based tools see nothing.

  • Real-time monitoring and configuration

    Watch what is happening live and change protections on the fly, with no redeploy.

  • Custom response actions

    Decide exactly what happens on each threat, and write your own responses right inside the app.

  • Full context on every event

    Each detection carries the user, device, session, browser and IP behind it, not just "something happened."

No signatures to write, no rules to tune, no regex to maintain. Protection starts the moment it is installed.

Code-to-Runtime correlation

It tells you which vulnerabilities are actually being exploited

A scanner can tell you a vulnerability exists. App Runtime tells you it is being exploited, in production, right now. Sync it with ByteHide Code and the two correlate: the issues Code finds get confirmed by what App Runtime sees executing, so you fix what attackers actually reach and ignore the noise. Runtime intelligence flowing back into your scanning makes both sharper.

Scanner findings12,847 open findings
  • CVE-2024-23897HIGH

    Use of broken cryptographic algorithm

    src/auth/session.ts
  • CVE-2024-41110CRITICAL

    SQL injection in users query

    api/users/query.ts
  • CVE-2024-50050HIGH

    Path traversal via untrusted input

    lib/files/read.ts
  • CVE-2023-44487HIGH

    HTTP/2 rapid reset denial of service

    package.json
  • CVE-2024-29154CRITICAL

    Hardcoded credentials in source

    .env.example
  • CVE-2024-39884HIGH

    Server-side request forgery in image proxy

    api/proxy/image.ts
Confirmed in prod3 actively exploited
  • CVE-2024-41110Actively exploited

    SQL injection in users query

    api/users/query.ts47 hits/hr · 91.108.x.x · 14:32
  • CVE-2024-39884Actively exploited

    Server-side request forgery in image proxy

    api/proxy/image.ts12 hits/hr · 203.0.x.x · 14:29
See it in a demo

One engine, two surfaces

Web threats and mobile threats are not the same, so neither is the defense

The attacks facing a web service are not the attacks facing a mobile app, so App Runtime changes both what it looks for and how it responds based on where it runs.

HTTP Request
Mobile App
Internal Service
3rd-party Library
App boundary
SQL Query
Command Exec
File Access
Network Call
Auth Check
Deserialization
Prompt Input
LLM Call
Model Response
Database
Filesystem
Internal APIs
Secrets
User Data
LLM

Web attack surface · 16+ threats covered

  • SQL Injection
  • XSS · Cross-site scripting
  • RCE · Remote code execution
  • Command Injection
  • SSRF · Server-side request forgery
  • XXE · XML external entity
  • Path Traversal
  • LDAP Injection
  • NoSQL Injection
  • Prompt Injection
  • Insecure Deserialization
  • CSRF · Cross-site request forgery
  • Zero-day vulnerabilities
  • App logic vulnerabilities
  • Auth & access flaws
  • + OWASP Top 10 covered

What it catches

SQL and NoSQL injection, XSS, command and LDAP injection, SSRF, XXE, path traversal, prompt injection.

How it responds

Block the request, the session or the IP, plus bot, country and threat-actor blocking.

Same engine, same dashboard, a defense that fits each app.

Virtual patching at runtime

Protected in production while you fix it properly

A CVE just dropped on a library your team ships across nine apps in production. Without runtime protection your options collapse to two impossible ones: patch nine apps in sixty seconds, or pull production and stop the business. Neither is real risk management. It is a fire drill.

App Runtime gives you the third option. It detects and blocks the live exploit on every one of those nine apps the moment the CVE is public, so your apps stay online and protected in production while your team fixes the root cause on its normal schedule and ships a proper patch, not a rushed one. You are not eating the exposure. You are absorbing it for exactly as long as a real fix takes. That is virtual patching, at runtime.

And it buys you time with context. Not "you have a vulnerability," but: this endpoint was hit with this payload, this many times, from this IP, by this actor, who also tried these other things. Enough to reproduce the attack and fix the real cause, fast.

Threat intelligence

Block the traffic that should never have reached you

App Runtime ships with threat intelligence and traffic control built in, with no separate product to buy:

Bot blocking

390+ known bot signatures across 21 categories, from scrapers to credential stuffers.

390+ signatures

IP threat intelligence

7 continuously updated threat lists covering 600M+ malicious IPs, so known threat actors are blocked before they reach your application logic.

Geo-blocking

Restrict access by country to meet compliance requirements or shrink your attack surface.

Route monitoring

Every API endpoint tracked, with request patterns and traffic anomalies surfaced in real time.

Response

Detection is half of it. Response is the other half.

Set automated rules: if this attack is detected, then log it, block the request, block the session or IP, or on a compromised device close the app or wipe its data. Route alerts to Slack, Teams, a webhook or email. And act manually any time from the dashboard, with no redeploy: block a device, wipe stored credentials, force-close an app, revoke sessions, or push new detection rules, all in real time.

AI Security Analysis

Context to act, not just a row in a log

An alert is only useful if you understand it. Every incident comes with an AI security analysis: what happened, why it matters, the attack vector, whether you are actually protected or only detecting, and a prioritized set of next steps. Your team gets the reasoning to act, immediately.

Why do I have this vulnerability?

Click the arrow to ask the AI — demo prompt

Forensics and analytics

Every blocked attack, captured with full context

App Runtime keeps the whole picture: each incident with its stacktrace, the payload, line-of-code attribution, a confidence score and device metadata, plus the API routes under pressure, every device and session on a world map, and per-session timelines. Filter, search and trace exactly what happened, where and how. It all flows into Audit for long-term forensics and compliance.

Standard log4 fields
incident.log
{
  "request": "POST /api/users/12",
  "payload": "' OR 1=1 --",
  "time": "14:32:08",
  "status": "blocked"
}

Knowing this is fine.

Incident detailApp Runtime

SQL Injection Attempt

High severityBlocked

Endpoint

POST /api/users/:id

Attack type

SQL Injection · CWE-89

Payload

' OR 1=1 --

Intercepted at

getUser(id) {
SELECT * WHERE id='1' OR 1=1 --
}

services/users.ts:15

Source IP

91.108.x.xRU

Attacker fingerprint

u_7f93x · Anonymous
Hits last hour47Confidence98%Stacktrace

But this is much better.

Explore Audit

Install

Two ways in, no rewrite either way

App Runtime installs in seconds and protects from the inside, two ways:

  1. 01

    SDK

    Add it to your app with no code changes. When you want more control, write custom response functions right inside your application.

  2. 02

    Agent, at the host level

    Drop it into Docker, your Linux server or your VM with no SDK in the app at all. It attaches automatically to the running process and protects from within.

It is polyglot and runs across server, mobile, desktop, API and AI workloads:

Server and web

  • .NET
  • Java
  • Node.js
  • Python

Mobile and desktop

  • Kotlin (Android)
  • Swift (iOS)
  • React Native
  • Flutter
  • .NET desktop (WPF, WinForms, MAUI)
  • IoT

vs Traditional WAF

Why in-app protection beats a traditional WAF

Traditional WAFs sit outside your app and guess what is dangerous from traffic patterns. App Runtime runs inside your code and knows.

ByteHide App Runtime

In-App Runtime Protection

Detection
ByteHide App RuntimeFull code context: the actual query, command and path
Traditional WAFPattern matching on HTTP traffic
False positives
ByteHide App RuntimeMinimal, only blocks real threats at execution
Traditional WAFHigh, blocks legitimate traffic
Performance
ByteHide App RuntimeNegligible, runs in-process
Traditional WAF+50 to 200 ms per request (external proxy)
Installation
ByteHide App Runtimenpm installInstalled in seconds
Traditional WAFDNS changes, SSL certs, complex setup
Maintenance
ByteHide App RuntimeBehavior-based, no rule configuration
Traditional WAFConstant rule updates
Privacy
ByteHide App RuntimeNo key sharing, inspects after decryption inside your app
Traditional WAFNeeds access to your private SSL keys
Rate limiting
ByteHide App RuntimeUser and route-aware
Traditional WAFIP-based only
Mobile and desktop
ByteHide App RuntimeCloud, mobile, desktop and IoT
Traditional WAFWeb traffic only
LLM protection
ByteHide App RuntimePrompt injection detection
Traditional WAFNot designed for it
Threat intelligence
ByteHide App RuntimeBuilt in: 600M+ IPs, 390+ bots
Traditional WAFSeparate product, extra cost

WAFs handle DDoS and network filtering. App Runtime protects everything they can't see. Use both, or start where attacks actually execute.

Use cases

One SDK, every type of application

One SDK adapts to your runtime environment, from cloud APIs handling millions of requests to mobile apps on devices you don't control.

SQL injection blockedpayload: 1' OR 1=1

CLOUD & API

Cloud APIs and web apps

Stop injection attacks inside your code, not at the network edge. App Runtime intercepts SQL injection, XSS, command injection, SSRF and more at the exact point of execution, and combines it with bot blocking, IP threat intelligence and route monitoring.

Best for: SaaS platforms, REST and GraphQL APIs, microservices, server-rendered web apps.

!
Frida hook blockeddevice.tampered = true
Device verifiedNo root, no hook

MOBILE & FINTECH

Mobile banking and fintech

Secure transactions on devices you don't control. Detect rooted and jailbroken devices before they touch sensitive flows, block hooking frameworks that extract credentials at runtime, and identify emulators, debuggers and tampered binaries used for payment forgery and account takeover. On a confirmed threat, wipe stored tokens and block the device remotely.

Best for: Banking apps, payment platforms, crypto wallets, trading apps.

DESKTOP & IOT

Desktop and IoT

Runtime protection without a server dependency. .NET desktop apps (WPF, WinForms, MAUI), console apps and IoT devices get the same detection as cloud workloads: debugging, reverse engineering, memory dumps and process injection on the device itself, with responses configurable remotely, no redeploy.

Best for: Enterprise desktop software, kiosk apps, IoT firmware, industrial control.

OWASP LLM Top 10#1 — Prompt injection

AI & LLM

AI and LLM applications

Protect your models from prompt injection — OWASP LLM Top 10's #1 risk. App Runtime detects and blocks attempts to override system prompts, bypass guardrails or exfiltrate training data, with the protection running inside your application process. Covers any LLM provider: OpenAI, Anthropic, Cohere, Gemini, or self-hosted models.

Best for: AI assistants, RAG pipelines, AI-powered SaaS, LLM API gateways.

Audiences

One platform, three jobs

The same engine pays off differently for each person who touches it.

Developers

security that doesn't land on your backlog.

Security shouldn't turn your team into the security team. App Runtime keeps it off your plate: no complex setup in development, nothing to instrument by hand. When there is a real vulnerability to fix, it arrives served ready, with the exact payload, endpoint and request that triggered it, so you reproduce it and fix it fast. And if something does slip through, it is already blocked in production while you ship the patch. A mistake doesn't turn into an incident.

Security

real attacks, full context, one place to respond.

Stop guessing from traffic patterns. App Runtime shows the real attacks as they happen, with the full context behind each one, and lets you respond from a single place across every app. It deploys without a development project, through the SDK or a host-level agent, and its runtime intelligence confirms which scanner findings are actually being exploited, so the team works on what matters.

Leadership

continuous protection, audits covered.

Every application defended at runtime, continuously, across the whole portfolio. A newly disclosed vulnerability is contained in production while teams fix it properly, so it never becomes a fire drill. Forensics and evidence are ready for audits and compliance, and it is one platform across your apps and your agents, instead of a stack of tools that don't talk to each other.

One engine. Apps and agents.

App Runtime is the runtime core of the ByteHide platform. Code finds the issues, App Runtime confirms and blocks the ones that are real in production, Vault keeps secrets out of reach, and Audit keeps the record. The same engine protects your AI agents through Agentic Runtime. One engine across your apps and your agents.

Code

Find and fix

SAST, SCA, DAST, secret scanning and AI application security. Findings come into App Runtime for confirmation and prioritization.

App Runtime

Detect and respond

You are here

The runtime engine that detects and blocks attacks in production. The module on this page.

ByteHide application security platform

Code

SCA · SAST

Secrets

Vault

Shield

Code shielding

Active

ADR

Runtime

Agentic

AI agents

Logs

Audit

Shared dashboard

One platform, one account

Code, App Runtime, Shield, Vault and Audit share the same account, the same console, and the same engine.

Start with App Runtime. Grow into the platform.

Explore the ByteHide platform
Trial available, used by 20,000+ developers every month

See what's really
hitting your app

Start protecting your app at runtime. One SDK or one agent, every type of application, real attacks blocked and explained from the first hit.

Start free trial
Book a demo
ByteHide App Runtime dashboard showing live incidents and a world map of attack origins