Application Security
- Latest Dynatrace
- How-to guide
Dynatrace Application Security delivers real-time protection and deep visibility into your application landscape. By combining automated vulnerability detection, runtime threat prevention, and posture management, it empowers teams to secure modern cloud-native environments with precision and scale. Explore the feature overviews, configuration steps, operational modes, and usage guidance.
Get started
Dynatrace provides the following integrated Application Security capabilities to help secure your applications. Select any to get started.
If you're using the Dynatrace classic licensing, contact a Dynatrace product expert via live chat to activate Application Security before you proceed.
-
Dynatrace Runtime Vulnerability Analytics (RVA): Identify critical vulnerabilities instantly with automated risk and impact assessments, thanks to in-depth analysis of data access paths and production execution.
-
Dynatrace Runtime Application Protection (RAP): Defend your applications in real time by detecting and blocking attacks through advanced code-level insights and transaction analysis.
-
Dynatrace Security Posture Management (SPM): Maintain robust security by assessing, prioritizing, and addressing misconfigurations and compliance violations efficiently.
Monitoring modes coverage
The effectiveness and depth of Application Security insights depend on the deployed monitoring mode. This section explains how each mode impacts data collection and analysis.
Dynatrace Security Posture Management (SPM) works independently of monitoring modes. For details, see FAQ.
Support overview
| Capability | Full-Stack | Infrastructure | Discovery |
|---|---|---|---|
| Third-party vulnerability detection |  | limited | limited |
| Code-level vulnerability detection | | limited | limited |
| Runtime Application Protection | | | |
On Linux hosts, if there's no information, which can happen in different monitoring modes or because something went wrong, public internet exposure is detected via eBPF. Potential states are Public network and Not detected. Davis Security Score isn't influenced by either of these states.
Full-Stack Monitoring mode
recommended
Full-Stack Monitoring mode provides complete application performance monitoring, code-level visibility, deep process monitoring, and Infrastructure Monitoring (including PaaS platforms).
Infrastructure Monitoring mode
Infrastructure Monitoring mode, where OneAgent is configured to provide physical and virtual infrastructure-centric monitoring, provides less complete monitoring than the Full-Stack Monitoring mode. The following functionalities are provided:
- System metrics (CPU usage, memory usage, disk usage)
- Third-party vulnerability detection
- Code-level vulnerability detection
- Runtime Application Protection
Characteristics
-
In an Infrastructure Monitoring deployment, Davis® AI cannot adapt the Davis Security Score. In this case, the vulnerability's risk value can't be reevaluated, as this can only happen based on the topology information extracted from your environment, and the DSS will be the same as the CVSS base score.
-
Infrastructure Monitoring mode lacks environmental information, such as reachable data assets or public internet exposure, and limits information on related entities, such as databases and services. A full assessment can be performed only on vulnerabilities that have all related hosts under Full-Stack Monitoring.
- If related hosts are running in Infrastructure Monitoring mode, there's not enough data sent by OneAgents to examine whether there's exposure or sensitive data affected, therefore the values for public internet exposure and reachable data assets are set to
Not available. - If all related hosts are running in Full-Stack Monitoring mode except one, which runs in Infrastructure Monitoring mode, and the vulnerability isn't exposed or affected (based on the hosts in Full-Stack mode), the values for public internet exposure and reachable data assets are set to
Not available. However, if at least one related host is running in Full-Stack Monitoring mode and the vulnerability is exposed or affected, the public internet exposure and reachable data assets features are displayed.
- If related hosts are running in Infrastructure Monitoring mode, there's not enough data sent by OneAgents to examine whether there's exposure or sensitive data affected, therefore the values for public internet exposure and reachable data assets are set to
-
In Infrastructure Monitoring mode, vulnerable function information is supported.
Consumption
-
If you're using the Dynatrace Platform Subscription (DPS) licensing model, see Host monitoring (DPS): Infrastructure Monitoring.
-
If you're using the Dynatrace classic licensing, see Application and Infrastructure Monitoring (Host Units).
Discovery mode
Discovery mode is a lightweight monitoring mode that provides basic monitoring. The following functionalities are provided:
-
System metrics (CPU usage, memory usage, disk usage)
For Application Security to work in Discovery mode, after enabling Discovery mode, you also need to enable code-module injection.
Characteristics
-
In a Discovery mode deployment, Davis AI cannot adapt the Davis Security Score. In this case, the vulnerability's risk value can't be reevaluated, as this can only happen based on the topology information extracted from your environment, and the DSS will be the same as the CVSS base score.
-
Discovery mode lacks environmental information, such as reachable data assets or public internet exposure, and limits information on related entities, such as databases and services. A full assessment can be performed only on vulnerabilities that have all related hosts under Full-Stack Monitoring.
- If related hosts are running in Discovery mode, not enough data is sent by OneAgents to examine whether there's exposure or sensitive data affected, so the values for public internet exposure and reachable data assets are set to
Not available. - If all related hosts are running in Full-Stack Monitoring mode except one, which runs in Discovery mode, and the vulnerability isn't exposed or affected (based on the hosts in Full-Stack Monitoring mode), the values for public internet exposure and reachable data assets are set to
Not available. However, if at least one related host is running in Full-Stack Monitoring mode and the vulnerability is exposed or affected, the public internet exposure and reachable data assets features are displayed.
ExceptionPublic internet exposure is detected on Linux hosts running in Discovery mode via eBPF. Potential states are
Public networkandNot detected. Davis Security Score isn't influenced by either of these states. - If related hosts are running in Discovery mode, not enough data is sent by OneAgents to examine whether there's exposure or sensitive data affected, so the values for public internet exposure and reachable data assets are set to
-
In Discovery mode, vulnerable function information is supported.
Consumption
Discovery mode is only available for the Dynatrace Platform Subscription (DPS) licensing model.
For monitoring consumption information, see Host monitoring (DPS): Foundation & Discovery.
Further resources
Explore additional documentation to deepen your understanding and make the most of Dynatrace Application Security.
-
What is Dynatrace and how to get started:
What is Dynatrace and how to get started -
Elevate security with Dynatrace Davis Anomaly Detection:
Elevating Security with Dynatrace Davis Anomaly Detection -
Unguard - An open source application security playground:
Unguard: An open source application security playground -
Vulnerability detection and automated risk assessment with Dynatrace Application Security:
Vulnerability Detection and Automated Risk Assessment with Dynatrace AppSec -
Remediate vulnerabilities like Log4Shell with Dynatrace:
Remediate Vulnerabilities like Log4Shell with Dynatrace -
Protect your applications against attacks:
Protecting your applications against attacks -
How to achieve cloud native hyperscale security with Dynatrace:
How to achieve cloud native hyperscale security with Dynatrace