Skip to content


Contrast Protect your RASP solution

Detecting zero days and protecting applications in production


The application protection problem


Untrustworthy software hurts business...

lost revenue, reputation, potential legal liability

  • New zero-day attacks are wreaking havoc (log4shell, spring4shell)
  • US Executive order and OMB-22-18 requires AppSec “attestation statement”
  • Custom code and libraries are full of vulnerabilities (avg: 30+ serious vulns)

Traditional remediation is untrustworthy

Too much trust in...


You trust your people... but they can’t afford the time to conduct exhaustive security testing and remediate all the problems


Web Application Firewalls (WAFs) and API Gateways don’t have enough context to accurately defend 100% of attacks and prevent exploitation

How can we put the right defenses in the right places?

What would ideal defenses look like?

  • Very fast

  • Simple and verifiable

  • Highly accurate

  • Automatic without tailoring or tuning

  • Safe to use

  • Not intrusive to your teams

What should defenses do?

  • Prevent exploits

  • Detect attacks and snapshot context

  • Enable incident response


The application protection agent

A zero friction agent

For production applications:

  • Automatically hardens the runtime, libraries, open source software, the appserver
  • Integrates with your SIEM and SOC

  • Mitigates top vulnerability classes & zero-days

  • Supports attestation reporting & compliance

Not fixing your code, fixing security at the underlying language environment

  • Make exploits not possible

Logos for Application Protection Agent



Runtime protection

Uses instrumentation to inject automated trust boundaries into software as it loads

Eliminate time-consuming and ineffective manual effort

  • Eliminate impact on developers

  • No code changes

  • No configuration needed

  • Fixing security at the root



Your App/API Stack

Your AppAPI Stack


Untrusted data boundary

Deserialization attacks exploit a fundamental process within many applications. Applications often serialize data – converting objects into a format suitable for storage or transmission. Later, this data is deserialized back into objects for use by the application. Attackers can craft malicious payloads that, when deserialized, trigger unexpected or harmful actions within the application.

Simply prevents untrusted data from reaching a potentially dangerous module

  • Completely prevented Log4Shell attacks

  • Impossible to do accurately at the perimeter



Untrusted Data Boundary


Surrounding dangerous functions with trust boundaries

Surrounding Dangerous Functions with Trust Boundaries


The digital vaccine for vulnerabilities

Contrast Protect

The digital vaccine for vulnerabilities

  • Zero Trust for the application layer

  • Extremely high performance, no bottlenecks

  • Broad vulnerability remediation for libraries AND custom code

  • One time install. No change to how you build, test, deploy apps

  • You’ll never know it’s there unless you’re an attacker


Contrast Protect helps organizations comply with mainstream industry standards such as the National Institute of Standards and Technology (NIST) and the Payment Card Industry Software Security Standard (PCI-SSS). NIST standards are used for things such as measuring equipment and procedures and quality control. PCI-SSS are new requirements for the secure design and development of modern payment software.

RASP technology is already a requirement in NIST 800-53—which covers recommended security-control selection—and already a requirement in PCI-SSS 9.1, 10.2a, and 10.2b which defines security requirements to ensure payment software protection.


Contrast Protect – enterprise deployment

Deploy automatically via:

  • Kubernetes operator
  • Gold server
  • Container build
  • Ansible
  • CI/CD pipeline
  • Platform engineering and more

Contrast Protect – Enterprise Deployment


Reduce App/ API risk
  • Legacy applications might not have a test harness maintained – IAST won't be enough.
  • SAST will still have visibility gaps
  • Protect implements a "defense-in-depth" strategy  that  boundaries protect against exploits in production where a standard application security testing falls short. 
Unlock Dev productivity
  • Developers are required to get value to production - but are on the hook for remediating vulnerabilities as well. 
  • Enterprises require resolution or mitigation of vulnerabilities backlog before apps go to production.
  • Protect enables the mitigation - allowing developers to go to production and buy time before remediating the vulnerability.
  • Protect enhances security posture without trading off developer time to value. 
Strengthen the SOC
  • Enhanced Logging
  • Port useful exploit metadata and IP information in to the SIEM for SOC analysis.
  • Augment WAF use cases with attack metadata
  • Defend the perimeter more effectively


Zero days blocked before discovery hall of fame

Contrast detects & prevents exploitation against entire classes of vulnerabilities via embedded detection rules

Examples of zero days that Contrast mitigated before they were discovered (before CVEs were issued):

Contrast studies new exploits and CVEs to enhance/harden the Protect rules for real-time protection (e.g., improved JDNI rules and added ClassLoader Manipulation detection).


Large insurance company
  • Implemented Contrast Protect across all externally facing Apps/APIs
  • Used Assess (IAST) to identify 1,600 high/critical vulnerabilities in production
  • Eliminated ~95% of high/critical vulnerabilities from being exploited
  • Apps enabled with Contrast Protect, provided a longer SLA to remediate vulnerabilities and easily fit into normal sprint cycles
Affinity membership group
  • Explored 5 RASP vendors, chose Contrast Protect (and replacing Imperva)
  • Integrated Contrast Platform was key selling point
  • Same agent for IAST and SCA was very compelling
  • Strong engineering/technical partnership with other companies was essential for this deal
$120B global medical devise company
  • Choose Contrast Protect to solve their open-source challenges (log4shell & spring4shell), with Open-Source Security/Runtime Protection
  • 148,810 Vulnerabilities remediated since Q3, 2017
  • 100% Protection against Log4j before being disclosed as a CVE
  • +1,000 Servers with Contrast Agents



Secure your apps and APIs from within

Schedule a one-to-one demo to see what Contrast Runtime Security can do for you