Runtime Vulnerability Analytics

Latest Dynatrace
How-to guide

What you’ll find on this page

Explore Runtime Vulnerability Analytics capabilities
How RVA detects and evaluates vulnerabilities at runtime
Review prerequisites
Check supported technologies
How to enable and configure RVA
What you can do with RVA next
Understand how RVA is licensed

Dynatrace Runtime Vulnerability Analytics enables you to detect, visualize, analyze, monitor, and remediate open-source and third-party vulnerabilities, as well as the security vulnerabilities in libraries and first-party code in production and pre-production environments at runtime.

Capabilities

Automatic and continuous protection. Dynatrace continuously watches production and pre-production environments to identify any changes in application environments (such as container dynamics, elastic scaling, multi-version deployments, runtime container updates, rollbacks, A/B tests, or blue/green deployments) and provide precise answers about the source, nature, and severity of vulnerabilities as they arise in real time. Dynatrace automatically analyzes and prioritizes alerts.
Continuous analysis of attack vectors to automatically track if vulnerable libraries are called and used at runtime. Dynatrace Application Security is designed to allow you to identify the most relevant vulnerabilities and reduce false positives with Smartscape real-time topology mapping and distributed tracing with PurePath® code-level analysis.
Runtime introspection approach in combination with Snyk and NVD, for automatic vulnerability detection at runtime. Even if security checks aren't integrated into the pipelines across all teams, or if they're deliberately bypassed, Dynatrace can detect what’s running and pinpoint vulnerabilities instantly by automatically opening a vulnerability when one is detected, and close it when the root cause (for example, loading a vulnerable library) is no longer present.
Full coverage across production rollbacks and outdated releases, feature flags, and deployment patterns (canary, blue/green).
Efficient management of vulnerabilities where a fix hasn't been effective, such as if a vulnerability is accidentally reintroduced during a rollback, or if updates haven't been applied correctly.
Precise and automatic risk and impact assessment, with risks prioritized by data access path and actual production execution. From hundreds or thousands of open vulnerabilities, Dynatrace Application Security is designed to pinpoint those that need immediate investigation. It automatically analyzes data access paths and production execution to provide a more precise risk and impact assessment.

How it works

Runtime Vulnerability Analytics (RVA) detects and evaluates vulnerabilities in your environment based on what's actually running, not just what's deployed. Dynatrace OneAgent monitors loaded libraries, runtime components, and data flows in real time. Vulnerabilities are only reported when affected components are actively used, reducing noise and false positives.

For third-party vulnerabilities, Dynatrace:
- Detects libraries and runtime components as they are loaded by processes.
- Matches component names and versions against trusted vulnerability feeds.
- Issues a vulnerability only when the component is in use.
For code-level vulnerabilities, Dynatrace:
- Analyzes how user input flows through the application.
- Identifies insecure code paths that could be exploited.
- Assesses risk based on exposure to the public internet and access to sensitive data assets.

Vulnerabilities are automatically resolved when the root cause is no longer present; for example, if a vulnerable library is removed or a process is stopped. RVA continuously adapts to topology changes and dynamic environments.

For technical details, see Vulnerability evaluation. For a quick walkthrough, see Discover the new Dynatrace Runtime Vulnerability Analytics experience.

Prerequisites

Before you begin, ensure your environment meets the necessary requirements:

You're using a supported version of Dynatrace. Review the release notes for currently supported versions.
For Runtime Vulnerability Analytics to work properly, make sure deep monitoring is enabled in Settings > Process and contextualize > Process groups > Process group monitoring.

For .NET, Go, and Python technologies, for which automatic deep monitoring is disabled, you need to manually enable deep monitoring on each host. For more information, see Process deep monitoring.

Supported technologies

Dynatrace detects third-party vulnerabilities in the following technologies.

Technology	Minimum OneAgent version
Go¹	1.245
Java²	1.221
Java runtimes	1.253
Kubernetes	1.219
.NET¹	1.233
.NET runtimes	1.255
Node.js³	1.231
Node.js runtimes	1.253
PHP	1.231
Python¹'⁴	1.309
Python runtimes	1.309

For .NET, Go, and Python technologies, for which automatic deep monitoring is disabled, you need to manually enable deep monitoring on each host. For more information, see Process deep monitoring.

Java on z/OS is currently not supported.

Using Webpack or other bundlers might have an impact on automatic vulnerability detection. This is because the software components cannot be detected, as they are hidden behind the bundler configuration and not available at runtime. Only packages that are deployed as external packages can be detected and reported. For details, see Node.js: Limitations.

⁴

For Python vulnerabilities, Dynatrace currently supports only two states for reachable data assets: Within range and Not available.

Technology	Minimum OneAgent version
Java 8 or higher¹	1.259
.NET²'³	1.289
Go³	1.311

Get started

Third-party vulnerability detection helps you identify open-source and third-party vulnerabilities in production and pre-production environments at runtime. To monitor third-party vulnerabilities, enable third-party vulnerability detection.
Code-level vulnerability detection leverages code inspection at runtime to identify vulnerabilities in libraries and first-party code. To monitor code-level vulnerabilities, enable code-level vulnerability detection.

OneAgent version 1.239+

1. Enable Third-party Vulnerability Analytics

Go to Settings > Analyze and alert > Application security > General settings > Third-party Vulnerability Analytics and select Enable Third-party Vulnerability Analytics.

2. Configure the global third-party vulnerability detection control

To define the default third-party vulnerability detection control for all processes and Kubernetes nodes

Go to Settings > Analyze and alert > Application security > General settings > Third-party vulnerability Analytics and select one of the Global third-party vulnerability detection control modes:

Monitor—Third-party vulnerabilities are reported.
Do not monitor—Third-party vulnerabilities are ignored.

You can also define custom monitoring rules based on certain criteria. In this case, the default monitoring mode applies to all processes and Kubernetes nodes that are not matched by a rule.

3. Control by technology

Optional

After you enable Third-party Vulnerability Analytics, Dynatrace starts generating vulnerabilities for all supported technologies by default. To control which of these technologies should receive vulnerabilities

Go to Settings > Analyze and alert > Application security > General settings > Third-party Vulnerability Analytics and enable or disable technologies as needed.

Runtime technologies (for example, Java, Node.js, and .NET runtimes) are tied to the corresponding main technology (for example, Java and Node.js). If the main technology is disabled, the corresponding runtime technology is automatically disabled. If you enable the main technology, enabling the corresponding runtime technology is optional.
Select Save changes.

4. Enable monitoring for Python

This step is required only to monitor vulnerabilities in Python technology.

Enable Dynatrace monitoring for Python: In Settings > Collect and capture > General monitoring settings > Monitoring technologies, find Python and enable Monitor Python.
Enable OneAgent monitoring: In Settings > Collect and capture > General monitoring settings > OneAgent features, find and enable Python software component reporting, then restart your processes.

5. Enable OneAgent monitoring for Java vulnerable functions

Optional

To enable OneAgent monitoring for Java vulnerable functions

In Settings > Collect and capture > General monitoring settings > OneAgent features, find and enable Java vulnerable function reporting.
Select Save changes.
Restart your processes.

For more information about function usage, see Vulnerable functions.

What's next

After you enable third-party and code-level vulnerability detection, you can

Improve your environment's security by quickly addressing vulnerabilities and remediation actions with Vulnerabilities.
Set up monitoring rules for third-party vulnerabilities and monitoring rules for code-level vulnerabilities.
Verify monitoring scope and exposure trends with the Vulnerability coverage dashboard.

For details on how Dynatrace evaluates third-party and code-level vulnerabilities, see Vulnerability evaluation.

Consumption

Runtime Vulnerability Analytics consumption depends on your Dynatrace licensing model:

Dynatrace Platform Subscription (DPS): measured in GiB‑hours. For details, see Calculate your consumption of Runtime Vulnerability Analytics (RVA) (DPS).
Dynatrace classic licensing: measured in Application Security units (ASUs). For details, see Application Security monitoring (ASUs).

Application Security FAQ