Runtime Vulnerability Analytics

  • Latest Dynatrace
  • How-to guide

Dynatrace Runtime Vulnerability Analytics enables you to detect, visualize, analyze, monitor, and remediate open-source and third-party vulnerabilities, as well as the security vulnerabilities in libraries and first-party code in production and pre-production environments at runtime.

Capabilities

  • Automatic and continuous protection powered by Davis, the Dynatrace AI causation engine. Davis continuously watches production and pre-production environments to identify any changes in application environments (such as container dynamics, elastic scaling, multi-version deployments, runtime container updates, rollbacks, A/B tests, or blue/green deployments) and provide precise answers about the source, nature, and severity of vulnerabilities as they arise in real time. Davis automatically analyzes and prioritizes alerts.
  • Continuous analysis of attack vectors to automatically track if vulnerable libraries are called and used at runtime. Dynatrace Application Security is designed to allow you to identify the most relevant vulnerabilities and reduce false positives with Smartscape real-time topology mapping and distributed tracing with PurePath® code-level analysis.
  • Runtime introspection approach in combination with Snyk and NVD, for automatic vulnerability detection at runtime. Even if security checks aren't integrated into the pipelines across all teams, or if they're deliberately bypassed, Dynatrace can detect what’s running and pinpoint vulnerabilities instantly by automatically opening a vulnerability when one is detected, and close it when the root cause (for example, loading a vulnerable library) is no longer present.
  • Full coverage across production rollbacks and outdated releases, feature flags, and deployment patterns (canary, blue/green).
  • Efficient management of vulnerabilities where a fix hasn't been effective, such as if a vulnerability is accidentally reintroduced during a rollback, or if updates haven't been applied correctly.
  • Precise and automatic risk and impact assessment, with risks prioritized by data access path and actual production execution. From hundreds or thousands of open vulnerabilities, Dynatrace Application Security is designed to pinpoint those that need immediate investigation. It automatically analyzes data access paths and production execution to provide a more precise risk and impact assessment.

How it works

Runtime Vulnerability Analytics (RVA) detects and evaluates vulnerabilities in your environment based on what's actually running, not just what's deployed. Dynatrace OneAgent monitors loaded libraries, runtime components, and data flows in real time. Vulnerabilities are only reported when affected components are actively used, reducing noise and false positives.

  • For third-party vulnerabilities, Dynatrace:

    • Detects libraries and runtime components as they are loaded by processes.

    • Matches component names and versions against trusted vulnerability feeds.

    • Issues a vulnerability only when the component is in use.

  • For code-level vulnerabilities, Dynatrace:

    • Analyzes how user input flows through the application.

    • Identifies insecure code paths that could be exploited.

    • Assesses risk based on exposure to the public internet and access to sensitive data assets.

Vulnerabilities are automatically resolved when the root cause is no longer present; for example, if a vulnerable library is removed or a process is stopped. RVA continuously adapts to topology changes and dynamic environments.

For technical details, see Vulnerability evaluation. For a quick walkthrough, see Discover the new Dynatrace Runtime Vulnerability Analytics experience.

Prerequisites

Before you begin, ensure your environment meets the necessary requirements:

  • You're using a supported version of Dynatrace. Review the release notes for currently supported versions.

  • For Runtime Vulnerability Analytics to work properly, make sure deep monitoring is enabled in Settings > Processes and containers > Process group monitoring.

    For .NET, Go, and Python technologies, for which automatic deep monitoring is disabled, you need to manually enable deep monitoring on each host. For more information, see Process deep monitoring.

Permissions

This permissions section refers to the classic Third-Party Vulnerabilities, Code-Level Vulnerabilities, and Security Overview apps, which are deprecated. If you're using the latest Dynatrace experience, refer to the Vulnerabilities Vulnerabilities requirements instead.

For details on transitioning, see Upgrade to the latest Dynatrace.

You need to assign specific permissions and optionally fine-tune them based on your access needs.

Assign the Security admin group to users who will be allowed to view and manage vulnerabilities.

To assign Security admin permission

  1. Go to Account Management > Identity & access management > People. You have the following options.

To add an existing user to the group

  1. Under Actions, select > Edit user for the user you want to add.
  2. Select Security admin, then select Save.

For more information on user permissions, see Manage user groups and permissions.

optional

By default, once you enable the Security admin group, users can both view and manage vulnerabilities. To restrict the access level to view-only for specific users, so they can view vulnerabilities but not manage them (cannot change their status), you have two options:

To restrict the access of an existing group at the environment or management zone level

  1. Go to Account Management > Identity & access management > Group management.
  2. Filter for Security admin and then, under Actions, select > View group.
  3. For the Permissions section, select Edit. You have the following options.
  1. Select Environment permissions.
  2. Select your environment, then clear Manage security problems and select View security problems.
  3. Select Save.
  1. Select Management zone permissions.
  2. Filter for and select the management zone you want.
  3. Clear Manage security problems and select View security problems.
  4. Select Save.

Supported technologies

Dynatrace detects third-party vulnerabilities in the following technologies.

TechnologyMinimum OneAgent version
Go11.245
Java21.221
Java runtimes1.253
Kubernetes1.219
.NET11.233
.NET runtimes1.255
Node.js31.231
Node.js runtimes1.253
PHP1.231
Python1'41.309
Python runtimes1.309
1

For .NET, Go, and Python technologies, for which automatic deep monitoring is disabled, you need to manually enable deep monitoring on each host. For more information, see Process deep monitoring.

2

Java on z/OS is currently not supported.

3

Using Webpack or other bundlers might have an impact on automatic vulnerability detection. This is because the software components cannot be detected, as they are hidden behind the bundler configuration and not available at runtime. Only packages that are deployed as external packages can be detected and reported. For details, see Node.js: Limitations.

4

For Python vulnerabilities, Dynatrace currently supports only two states for reachable data assets: Within range and Not available.

Get started

  • Third-party vulnerability detection helps you identify open-source and third-party vulnerabilities in production and pre-production environments at runtime. To monitor third-party vulnerabilities, enable third-party vulnerability detection.

  • Code-level vulnerability detection leverages code inspection at runtime to identify vulnerabilities in libraries and first-party code. To monitor code-level vulnerabilities, enable code-level vulnerability detection.

OneAgent version 1.239+

  1. Go to Settings and select Application Security > Vulnerability Analytics > General settings.
  2. Under Third-party Vulnerability Analytics, select Enable Third-party Vulnerability Analytics.

To define the default third-party vulnerability detection control for all processes and Kubernetes nodes

  1. Go to Settings and select Application Security > Vulnerability Analytics > General settings.
  2. Under Third-party vulnerability Analytics, select one of the Global third-party vulnerability detection control modes:
    • Monitor—Third-party vulnerabilities are reported.
    • Do not monitor—Third-party vulnerabilities are ignored.

You can also define custom monitoring rules based on certain criteria. In this case, the default monitoring mode applies to all processes and Kubernetes nodes that are not matched by a rule.

optional

After you enable Third-party Vulnerability Analytics, Dynatrace starts generating vulnerabilities for all supported technologies by default. To control which of these technologies should receive vulnerabilities

  1. Go to Settings and select Application Security > Vulnerability Analytics > General settings.

  2. Under Third-party Vulnerability Analytics, enable or disable technologies as needed.

    Runtime technologies (for example, Java, Node.js, and .NET runtimes) are tied to the corresponding main technology (for example, Java and Node.js). If the main technology is disabled, the corresponding runtime technology is automatically disabled. If you enable the main technology, enabling the corresponding runtime technology is optional.

  3. Select Save changes.

This step is required only to monitor vulnerabilities in Python technology.

  1. Enable Dynatrace monitoring for Python: In Monitoring > Monitoring technologies, find Python and enable Monitor Python.
  2. Enable OneAgent monitoring: In Preferences > OneAgent features, find and enable Python software component reporting, then restart your processes.

optional

To enable OneAgent monitoring for Java vulnerable functions

  1. Go to Settings and select Preferences > OneAgent features.
  2. Find and enable Java vulnerable function reporting.
  3. Select Save changes.
  4. Restart your processes.

For more information about function usage, see Vulnerable functions.

What's next

After you enable third-party and code-level vulnerability detection, you can

For details on how Dynatrace evaluates third-party and code-level vulnerabilities, see Vulnerability evaluation.

Consumption

Runtime Vulnerability Analytics is licensed based on the consumption of GiB-hours if you're using the Dynatrace Platform Subscription (DPS) licensing model, or Application Security units (ASUs) if you're using the Dynatrace classic licensing.

Related tags
Application Security