Application Security

  • Latest Dynatrace
  • How-to guide

Dynatrace Application Security delivers real-time protection and deep visibility into your application landscape. By combining automated vulnerability detection, runtime application protection, and security posture management, it empowers teams to secure modern cloud-native environments with precision and scale. Explore the feature overviews, configuration steps, operational modes, and usage guidance.

Get started

Dynatrace provides the following integrated Application Security capabilities to help secure your applications. Select any to get started.

If you're using the Dynatrace classic licensing, contact a Dynatrace product expert via live chat to activate Application Security before you proceed.

  • Dynatrace Runtime Vulnerability Analytics (RVA): Identify critical vulnerabilities instantly with automated risk and impact assessments, thanks to in-depth analysis of data access paths and production execution.

  • Dynatrace Runtime Application Protection (RAP): Defend your applications in real time by detecting and blocking attacks through advanced code-level insights and transaction analysis.

  • Dynatrace Security Posture Management (SPM): Maintain robust security by assessing, prioritizing, and addressing misconfigurations and compliance violations efficiently.

Monitoring modes coverage

The effectiveness and depth of Application Security insights depend on the deployed monitoring mode. This section explains how each mode impacts data collection and analysis.

Dynatrace Security Posture Management (SPM) works independently of monitoring modes. For details, see FAQ.

Support overview

| Capability | Full-Stack | Infrastructure | Discovery |
|---|---|---|---|
| Third-party vulnerability detection | Yes | limited | limited |
| Code-level vulnerability detection | Yes | limited | limited |
| Runtime Application Protection | Yes | Yes | Yes |

Public internet exposure

On Linux hosts, if no exposure information is available (which can happen in different monitoring modes or because something went wrong), public internet exposure is detected via eBPF. Potential states are Public network and Not detected. Dynatrace Security Score isn't influenced by either of these states.

Full-Stack Monitoring mode

Recommended

Full-Stack Monitoring mode provides complete application performance monitoring, code-level visibility, deep process monitoring, and Infrastructure Monitoring (including PaaS platforms).

Infrastructure Monitoring mode

Infrastructure Monitoring mode, where OneAgent is configured to provide physical and virtual infrastructure-centric monitoring, provides less complete monitoring than the Full-Stack Monitoring mode. The following functionalities are provided:

  • System metrics (CPU usage, memory usage, disk usage)
  • Third-party vulnerability detection
  • Code-level vulnerability detection
  • Runtime Application Protection

Characteristics

  • In an Infrastructure Monitoring deployment, Dynatrace Intelligence cannot adapt the Dynatrace Security Score. In this case, the vulnerability's risk value can't be reevaluated, as this can only happen based on the topology information extracted from your environment, and the DSS will be the same as the CVSS base score.

  • Infrastructure Monitoring mode lacks environmental information, such as reachable data assets or public internet exposure, and limits information on related entities, such as databases and services. A full assessment can be performed only on vulnerabilities that have all related hosts under Full-Stack Monitoring.

    • If related hosts are running in Infrastructure Monitoring mode, not enough data is sent by OneAgents to examine whether there's exposure or sensitive data affected, so the values for public internet exposure and reachable data assets are set to Not available.
    • If all related hosts are running in Full-Stack Monitoring mode except one, which runs in Infrastructure Monitoring mode, and the vulnerability isn't exposed or affected (based on the hosts in Full-Stack mode), the values for public internet exposure and reachable data assets are set to Not available. However, if at least one related host is running in Full-Stack Monitoring mode and the vulnerability is exposed or affected, the public internet exposure and reachable data assets features are displayed.
  • In Infrastructure Monitoring mode, vulnerable function information is supported.

Same capabilities as Full-Stack Monitoring mode.

Consumption

  • If you're using the Dynatrace Platform Subscription (DPS) licensing model, see Host monitoring (DPS): Infrastructure Monitoring.

  • If you're using the Dynatrace classic licensing, see Application and Infrastructure Monitoring (Host Units).

Discovery mode

Discovery mode is a lightweight monitoring mode that provides basic monitoring. The following functionalities are provided:

  • System metrics (CPU usage, memory usage, disk usage)

  • Third-party vulnerability detection

  • Code-level vulnerability detection

  • Runtime Application Protection

For Application Security to work in Discovery mode, after enabling Discovery mode, you also need to enable code-module injection.

Characteristics

  • In a Discovery mode deployment, Dynatrace Intelligence cannot adapt the Dynatrace Security Score. In this case, the vulnerability's risk value can't be reevaluated, as this can only happen based on the topology information extracted from your environment, and the DSS will be the same as the CVSS base score.

  • Discovery mode lacks environmental information, such as reachable data assets or public internet exposure, and limits information on related entities, such as databases and services. A full assessment can be performed only on vulnerabilities that have all related hosts under Full-Stack Monitoring.

    • If related hosts are running in Discovery mode, not enough data is sent by OneAgents to examine whether there's exposure or sensitive data affected, so the values for public internet exposure and reachable data assets are set to Not available.
    • If all related hosts are running in Full-Stack Monitoring mode except one, which runs in Discovery mode, and the vulnerability isn't exposed or affected (based on the hosts in Full-Stack Monitoring mode), the values for public internet exposure and reachable data assets are set to Not available. However, if at least one related host is running in Full-Stack Monitoring mode and the vulnerability is exposed or affected, the public internet exposure and reachable data assets features are displayed.
    Exception

    Public internet exposure is detected on Linux hosts running in Discovery mode via eBPF. Potential states are Public network and Not detected. Dynatrace Security Score isn't influenced by either of these states.

  • In Discovery mode, vulnerable function information is supported.
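
The host-mode rule described in the Characteristics lists for Infrastructure Monitoring and Discovery mode, as an added example that is not Dynatrace code or a Dynatrace API: it models how a value such as public internet exposure or reachable data assets resolves for one vulnerability, and lists the hosts that prevent a full assessment. The inventory, host names, and the "Assessed, no finding" label are assumptions, and the eBPF exception for Linux hosts is not modelled.

```python
from enum import Enum

class Mode(Enum):
    FULL_STACK = "Full-Stack"
    INFRASTRUCTURE = "Infrastructure"
    DISCOVERY = "Discovery"

NOT_AVAILABLE = "Not available"             # state named on the page
DISPLAYED = "Displayed"                     # page: the feature "is displayed"
ASSESSED_NEGATIVE = "Assessed, no finding"  # assumed label, not on the page

def assess(related_hosts):
    """related_hosts: list of (name, Mode, finding) for one vulnerability.
    finding is True/False on Full-Stack hosts and None elsewhere, because
    the other modes send no exposure or data-asset information."""
    if not related_hosts:
        return NOT_AVAILABLE
    full_stack = [f for _, m, f in related_hosts if m is Mode.FULL_STACK]
    if any(full_stack):
        # One Full-Stack host with a positive finding is enough.
        return DISPLAYED
    if len(full_stack) == len(related_hosts):
        # Every related host was fully observed and none reported a finding.
        return ASSESSED_NEGATIVE
    # A negative from the observed hosts proves nothing about the rest.
    return NOT_AVAILABLE

def blocking_hosts(related_hosts):
    """Hosts that prevent a full assessment of this vulnerability."""
    return [n for n, m, _ in related_hosts if m is not Mode.FULL_STACK]

# Constructed inventory: vulnerability id -> related hosts.
INVENTORY = {
    "VULN-A": [("web-1", Mode.FULL_STACK, False), ("web-2", Mode.FULL_STACK, False)],
    "VULN-B": [("api-1", Mode.FULL_STACK, False), ("batch-1", Mode.DISCOVERY, None)],
    "VULN-C": [("api-2", Mode.FULL_STACK, True), ("db-1", Mode.INFRASTRUCTURE, None)],
    "VULN-D": [("edge-1", Mode.INFRASTRUCTURE, None)],
}

def report(inventory):
    """Map each vulnerability to (resolved value, hosts outside Full-Stack)."""
    return {vid: (assess(h), blocking_hosts(h)) for vid, h in inventory.items()}

if __name__ == "__main__":
    for vid, (value, blockers) in report(INVENTORY).items():
        print(f"{vid}: {value}; hosts outside Full-Stack: {blockers or 'none'}")
```

VULN-B is the case to watch when triaging: the Full-Stack host reports nothing, yet the value stays Not available until batch-1 is also under Full-Stack Monitoring.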

Same capabilities as Full-Stack Monitoring mode.

Consumption

Discovery mode is only available for the Dynatrace Platform Subscription (DPS) licensing model.

For monitoring consumption information, see Host monitoring (DPS): Foundation & Discovery.

Further resources

Explore additional documentation to deepen your understanding and make the most of Dynatrace Application Security.

  • What is Dynatrace and how to get started

  • Elevate security with Dynatrace Anomaly Detection - new Anomaly Detection

  • Unguard - An open source application security playground

  • Vulnerability detection and automated risk assessment with Dynatrace Application Security

  • Remediate vulnerabilities like Log4Shell with Dynatrace

  • Protect your applications against attacks

  • How to achieve cloud native hyperscale security with Dynatrace

  • Introduction to Application Security concepts

  • Dynatrace Application Security overview

  • Activate Application Security

  • Enable Runtime Vulnerability Analytics

  • Automate and simplify Application Security with Dynatrace

  • Configure security notifications

  • Runtime Application Protection

  • Manage code-level vulnerabilities

  • Application Security case study: log4j

  • Introducing the Dynatrace Vulnerability feed: Accurate, transparent, and threat-aware

  • Remediating CVE-2025-3248: How Dynatrace Application Security protects Agentic AI applications

  • Supply chain security: How to detect malicious software packages with Dynatrace

  • Kubernetes security essentials: Container misconfigurations – From theory to exploitation

  • Dynatrace 3rd-generation platform: Built for the world of Autonomous Intelligence

  • Revolutionizing cloud security with observability context: Dynatrace Cloud Security addressing CADR

  • Empowering SREs with runtime vulnerability analytics and security posture management

  • Dynatrace launches Python Vulnerability Monitoring for enhanced customer security

  • Snyk integration for Dynatrace: Bridging development and runtime with actionable security notifications

  • Threat detection in cloud native environments: Detecting suspicious Kubernetes service account behavior

  • Threat detection in cloud native environments (part 2): How to automate threat management using workflows

  • Revisiting Spring4Shell: How Cloud Application Detection and Response (CADR) offers multi-layer protection

  • Kubernetes security essentials: Kubernetes misconfiguration attack paths and mitigation strategies

  • Kubernetes security essentials: Understanding Kubernetes security misconfigurations

  • Balancing security and performance with business goals through observability

  • Announcing Java SSRF protection in Dynatrace Application Security

  • NGINX vulnerability: Quickly detect and mitigate IngressNightmare vulnerabilities with Dynatrace

  • Discover the new Dynatrace Runtime Vulnerability Analytics experience

  • New continuous compliance requirements drive the need to converge observability and security

  • What is application security monitoring

  • Security incident response with Dynatrace automations

  • DevSecOps automation improves application security in multicloud environments

  • Exposure management vs. vulnerability management: Preventing attacks with a robust cybersecurity strategy

  • Context-aware security incident response with Dynatrace Automations and Tetragon

  • Best practices for building a strong DevSecOps maturity model

  • Protect your organization from zero-day vulnerabilities

  • Find vulnerabilities in your code—don’t wait for someone to exploit them

  • Dynatrace DevSecOps Lifecycle Coverage with Snyk eliminates security coverage blind spots

  • What is application security? And why it needs a new approach

Application Security FAQ

For troubleshooting articles related to Application Security, visit Dynatrace Community.

Related topics

  • Application Security
  • Cloud Application Security eBook