ESC
Type to search guides, tutorials, and reference documentation.
Verified by Garnet Grid

Runtime Application Self-Protection

Protect applications at runtime by detecting and blocking attacks inside the application itself. Covers RASP architecture, real-time threat detection, virtual patching, behavioral analysis, and the trade-offs between WAF and RASP approaches.

Traditional security operates at the perimeter — firewalls, WAFs, and network security. Runtime Application Self-Protection (RASP) operates inside the application, with access to the full request context, application state, and data flow. This positions RASP to detect attacks that perimeter defenses miss, like SQL injection through JSON payloads, deserialization attacks, and logic-level vulnerabilities.

RASP vs WAF

FeatureWAF (Perimeter)RASP (In-App)
PositionNetwork edge, before applicationInside application runtime
ContextHTTP request/response onlyFull application context
False positivesHigh (no application context)Low (sees actual behavior)
SQL injection detectionPattern matching on requestMonitors actual SQL queries
Zero-day protectionLimited (signature-based)Better (behavioral analysis)
Performance impactMinimal (offloaded)Small (in-process)
Attack visibilityRequest-levelRequest + code path + data flow

Use both: WAF for volumetric attacks and known patterns. RASP for application-level protection and context-aware detection.

RASP Architecture

Incoming Request

WAF (perimeter defense)

Application Framework

RASP Agent (instrumented)
  ├── Monitor: SQL queries → Detect SQL injection
  ├── Monitor: File operations → Detect path traversal
  ├── Monitor: Command execution → Detect OS injection
  ├── Monitor: Deserialization → Detect RCE attempts
  └── Monitor: Outbound connections → Detect SSRF

Application Logic

Response

Detection Examples

SQL Injection

# Without RASP: WAF sees request parameter "1 OR 1=1"
# With false positive risk for legitimate data containing "OR"

# With RASP: Agent sees actual SQL query being constructed
# Application receives: user_input = "1 OR 1=1"
# RASP observes: query = "SELECT * FROM users WHERE id = 1 OR 1=1"
# RASP detects: Query structure changed by user input → BLOCK

Path Traversal

# Application receives: filename = "../../../etc/passwd"
# RASP observes: os.path.open("/var/app/uploads/../../../etc/passwd")
# RASP detects: File access outside application directory → BLOCK

Command Injection

# Application receives: hostname = "example.com; rm -rf /"
# RASP observes: os.system("ping example.com; rm -rf /")
# RASP detects: Shell metacharacters in command → BLOCK

Virtual Patching

When a vulnerability is disclosed but a code fix is not yet ready:

virtual_patch:
  name: "CVE-2026-XXXX Log4j variant"
  condition:
    - request_contains: "${jndi:"
    - header_contains: "${jndi:"
  action: block
  response: 403
  log: true
  alert: critical
  
  # Applied immediately, no code deployment needed
  # Buys time while engineering develops a proper fix

Behavioral Analysis

# Anomaly detection based on application behavior

behavioral_rules:
  # Normal: Application reads 10-50 rows per query
  # Anomaly: Query returns 10,000+ rows (data exfiltration?)
  data_exfiltration:
    condition: query_result_rows > 1000
    action: alert
    
  # Normal: Application makes 2-3 outbound HTTP calls per request
  # Anomaly: Application makes 50+ outbound calls (SSRF scanning)
  ssrf_scanning:
    condition: outbound_requests_per_request > 10
    action: block
    
  # Normal: Login attempt takes 100-500ms
  # Anomaly: Rapid sequential login attempts (credential stuffing)
  credential_stuffing:
    condition: login_attempts_per_ip_per_minute > 10
    action: rate_limit

Anti-Patterns

Anti-PatternConsequenceFix
RASP without WAFVolumetric attacks reach applicationLayer defenses, WAF + RASP
Block mode from day oneLegitimate requests blockedStart in monitor mode, tune, then block
No alert triage processAlert fatigue, real attacks missedSeverity levels, automated triage
RASP for compliance checkboxNot configured or monitoredActive monitoring with incident response
Ignoring performance impactApplication latency increasesProfile, optimize, use sampling

RASP provides the deepest level of application-level protection. It sees what the application sees, understands context that perimeter defenses cannot, and blocks attacks at the point of exploitation.

Jakub Dimitri Rezayev
Jakub Dimitri Rezayev
Founder & Chief Architect • Garnet Grid Consulting

Jakub holds an M.S. in Customer Intelligence & Analytics and a B.S. in Finance & Computer Science from Pace University. With deep expertise spanning D365 F&O, Azure, Power BI, and AI/ML systems, he architects enterprise solutions that bridge legacy systems and modern technology — and has led multi-million dollar ERP implementations for Fortune 500 supply chains.

View Full Profile →

More in Security & Compliance

API Key Management

Secure the lifecycle of API keys from generation to revocation. Covers key generation best practices, rotation policies, scope limiting, usage monitoring, and the patterns that prevent API key compromise from becoming a security incident.

Read guide →

Authentication Architecture Patterns

Design enterprise authentication. Covers OAuth 2.0, OIDC, JWTs, session management, passwordless auth, SSO, and choosing between authentication patterns for different application types.

Read guide →

API Security Hardening: OWASP Top 10 Implementation

Secure your APIs against the OWASP API Security Top 10. Covers authentication, authorization, rate limiting, input validation, and security testing with practical code examples.

Read guide →