Runtime Application Self-Protection (RASP)
Runtime Application Self-Protection (RASP) is a security technology that runs inside a production application, monitoring its own execution in real time and automatically detecting and blocking attacks — such as injection attempts or…
Definition
Runtime Application Self-Protection (RASP) is a security technology that runs inside a production application, monitoring its own execution in real time and automatically detecting and blocking attacks — such as injection attempts or malicious payloads — as they occur, without relying solely on external network-layer defenses.
Overview
RASP takes the instrumentation approach pioneered by IAST and applies it to production, shifting from observe-and-report during testing to detect-and-block during live operation. A RASP agent is embedded within the application runtime (via language-specific hooks, similar to how an IAST agent instruments code, or via runtime library interception), giving it visibility into the application's actual internal state — the code executing, the data flowing through it, and the context of each operation — that external, network-layer defenses like a traditional Web Application Firewall (WAF) simply don't have access to. Because a WAF inspects only the raw HTTP request and response traffic from outside the application, it must rely on pattern matching against known attack signatures, which can be evaded by novel encodings or produce false positives on legitimate traffic that happens to resemble an attack pattern. RASP, by contrast, can make blocking decisions based on what's actually happening inside the application: for example, rather than trying to guess from an HTTP request whether a string might be a SQL injection attempt, a RASP agent can observe that tainted, request-derived data is about to reach a raw SQL execution call within the application's own code and block that specific database call in real time, regardless of how the malicious payload was encoded or obfuscated in transit. This contextual awareness generally gives RASP lower false-positive rates than perimeter-based defenses for the attack classes it covers, and it protects the application even when deployed behind infrastructure a WAF might not cover, or against attacks that originate from within the network rather than over the public internet. RASP is not a replacement for earlier-stage practices like SAST, DAST, and secure coding — it is a last line of defense that mitigates the impact of vulnerabilities that made it into production despite those earlier controls, rather than eliminating the vulnerabilities themselves. It also introduces runtime performance overhead and, like any automated protection, can occasionally interfere with legitimate application behavior if not carefully tuned. RASP is commonly deployed alongside a WAF and other runtime monitoring as part of a defense-in-depth strategy, with commercial offerings from vendors like Contrast Security, Signal Sciences (now part of Fastly), and Imperva.
Key Concepts
- Runs embedded within the production application runtime, not at the network perimeter
- Monitors and blocks attacks in real time based on internal application context
- Can detect malicious data flow (e.g., tainted data reaching a raw SQL call) directly
- Generally lower false-positive rate than perimeter defenses like a WAF for covered attack classes
- Protects against attacks a WAF might miss due to encoding, obfuscation, or internal origin
- Acts as a last line of defense, not a substitute for fixing root-cause vulnerabilities
- Introduces some runtime performance overhead from instrumentation
- Typically deployed alongside a WAF as part of defense-in-depth
Use Cases
Frequently Asked Questions
From the Blog
What Is Computer Vision? Real-World Examples
Computer vision lets machines interpret images — from medical scans to self-driving cars, explained simply.
Read More Success StoriesFrom Cricket Fan to Python Developer: An Illustrative Learning Journey
This is a composite illustrative journey — based on the real paths taken by many self- taught developers — showing how a passionate cricket fan used IPL data to learn Python, pandas, and data visualisation, and landed a data analyst role in 8 months.
Read More Success StoriesFrom Finance to Full-Stack Developer: An Illustrative 10-Month Journey
This composite illustrative story follows how a chartered accountant used financial modelling skills and systematic self-study to transition into full-stack development, landing a junior developer role in 10 months without a coding bootcamp.
Read More