Runtime Agents

Protect running workloads, APIs, and production applications.

Runtime Agents protect running workloads, containers, APIs, Kubernetes, services, and production applications. They monitor runtime behavior, anomalous execution, dependency risk, privilege misuse, workload drift, and active exploitation.

Request early access →

The Ollandi defense loop

Every agent follows the same cycle, producing auditable, coordinated response.

01

Observe

Ingest domain-specific signals in real time with full telemetry fidelity.

02

Reason

Correlate local evidence with the shared threat model and adjacent agents.

03

Validate

Check policy boundaries, blast radius, and consensus before acting.

04

Act

Execute bounded, reversible actions through approved control interfaces.

05

Evidence

Record every observation, decision, and action in an auditable bundle.

What it protects

  • Kubernetes clusters and pods
  • Containerized microservices
  • APIs and service meshes
  • Serverless functions
  • Production databases and data paths

What it monitors

  • Container and pod lifecycle events
  • API request and response patterns
  • Runtime process and syscall behavior
  • Workload configuration and image drift
  • Dependency and supply-chain events

What it detects

  • Container escape and privilege misuse
  • API abuse and unauthorized data access
  • Runtime exploitation and RCE
  • Workload drift from approved image
  • Supply-chain and dependency attacks

What it can do

  • Restart or isolate compromised workloads
  • Block malicious API calls at the gateway
  • Enforce approved image and policy baseline
  • Correlate with Cloud and Endpoint agents
  • Capture runtime trace and evidence bundle

What evidence it generates

  • Container and pod state timeline
  • API call trace with request context
  • Runtime behavior baseline deviation
  • Image drift and policy violation record
  • Cross-agent incident narrative

One working agent experience

See how an runtime agent moves through the defense loop on a real incident.

1

Observe

Pod auth-service-7c9a4 spawned a shell and attempted to access the secrets store.

2

Reason

No legitimate reason for runtime shell; secrets access outside service role.

3

Validate

Cloud Agent confirms no deployment event; Identity Agent flags service account misuse.

4

Act

Terminate pod, rotate affected secrets, alert team.

5

Evidence

Pod event timeline, secrets access log, and remediation steps recorded.

Part of a coordinated defense

Runtime Agents close the loop between cloud control planes and endpoint behavior, protecting the layer where applications actually execute.

Identity
Cloud
Endpoint
Network
Runtime