Contrast Security and Google Cloud have announced the availability of a new integration between Contrast Application Detection and Response (ADR) and Google Security Operations (Google SecOps). This collaboration provides Security Operations Centers (SOCs) with high-fidelity runtime application intelligence and purpose-built detection rules to accelerate detection and response to sophisticated application-layer threats.
As organizations modernize, the application layer has become the primary source of initial compromise. According to the Mandiant M-Trends 2026 report, exploitation of vulnerabilities is the leading initial infection vector for the sixth consecutive year, accounting for 32% of observed intrusions. Global median dwell time has risen to 14 days, meaning attackers are spending more time inside environments than they were a year ago, expanding their foothold before defenders even know they are there. Defending this surface requires a shift in perspective. Defenders must move from observing traffic at the perimeter to observing execution within the runtime.
To understand the necessity of runtime visibility within Google SecOps, it is helpful to examine logic attacks. These exploits abuse the legitimate functionality of an application rather than sending a known malicious signature. A prime example is unsafe deserialization.
Serialization is a standard process in which an application converts data objects into a stream of bytes for storage or transmission over a network. Deserialization is the reverse, rebuilding the object from the byte stream. In an unsafe deserialization attack, a threat actor manipulates the serialized data. When the application rebuilds this data innocently, it inadvertently instantiates a malicious object or executes an unauthorized command.
For traditional security tools, detecting this activity is exceptionally difficult. The malicious payload is often encoded, binary and unique to the application's internal logic. To an external observer, the traffic appears valid. There is no standard signature to match because the danger lies not in the data itself, but in how the application processes it. A WAF sees a request. Contrast sees what the application does with it.
The Contrast ADR integration is now generally available for all Google Security Operations customers. To activate the feed, users navigate to the Integrations page of their Organization Settings in the Contrast console. Configuration is completed by providing the following Google SecOps credentials:
Within the Contrast console, customers can further filter the data sent based on environments, specific applications or attack outcome. This granular control allows teams to calibrate the depth of telemetry that best suits their operational needs.
Because Contrast operates from within the application, it monitors code execution directly. For deserialization, the platform observes the application attempting to instantiate an unauthorized class or trigger a command shell from a serialized stream.
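The class-instantiation point described above can be seen in a small Python sketch. This is an added example, not Contrast's implementation or code from the announcement: it hooks the deserializer at the point where a byte stream names a class, records each request, and blocks anything off an allowlist. The allowlist, the helper names and the sample streams are assumptions constructed for illustration.

```python
import io
import pickle
from collections import OrderedDict
from fractions import Fraction

# Assumption: the only non-builtin type this hypothetical application expects.
ALLOWED_CLASSES = {("collections", "OrderedDict")}


class ObservingUnpickler(pickle.Unpickler):
    """Unpickler that records every class a stream asks for and blocks the rest."""

    def __init__(self, stream):
        super().__init__(stream)
        self.events = []  # runtime evidence: (module, name, outcome)

    def find_class(self, module, name):
        # pickle calls this hook each time the byte stream names a class or
        # function to import: the moment where data turns into behaviour.
        if (module, name) in ALLOWED_CLASSES:
            self.events.append((module, name, "ALLOWED"))
            return super().find_class(module, name)
        self.events.append((module, name, "BLOCKED"))
        raise pickle.UnpicklingError(f"class {module}.{name} is not allowlisted")


def safe_loads(data):
    """Return (object or None, events) for a serialized byte string."""
    unpickler = ObservingUnpickler(io.BytesIO(data))
    try:
        return unpickler.load(), unpickler.events
    except pickle.UnpicklingError:
        return None, unpickler.events


# Constructed sample streams: both are well-formed pickles of harmless objects,
# so nothing in the bytes alone marks the second one as unwanted.
expected_stream = pickle.dumps(OrderedDict(user="alice", role="viewer"))
unexpected_stream = pickle.dumps(Fraction(1, 3))  # a class the app never expects

if __name__ == "__main__":
    for label, blob in (("expected", expected_stream), ("unexpected", unexpected_stream)):
        obj, events = safe_loads(blob)
        print(label, obj, events)
```

Both streams are valid binary on the wire; only the recorded `find_class` events show that the second one tried to build a type the application never expects.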
The integration maps this runtime telemetry directly to Google's Unified Data Model (UDM), transforming abstract application events into structured security evidence. No custom parsers or regex maintenance are required — runtime events are pre-mapped to UDM entities, ensuring events are populated with verified context the moment the integration is enabled.
Beyond operational ease, this normalization maps critical runtime context deterministically to structured security fields:
Event categorization: The exact vulnerability type — for example, Deserialization of Untrusted Data — is mapped to security_result fields. This allows analysts to distinguish between a generic probe and a specific logic exploit without writing custom logic.
Target identification: The specific application and asset under attack are clearly identified within target UDM entities, reducing the time analysts spend correlating IP addresses to business services.
Outcome verification: Runtime instrumentation determines whether an attack was successful or blocked. This status feeds directly into Google SecOps, so the SOC is not distracted by attacks that never reached a vulnerable line of code.
As shown in the screenshot below, Contrast confirms whether the exploit reached vulnerable code and whether abnormal behavior was observed in the runtime. This verified status eliminates the need to investigate every exploit attempt — analysts can ignore thousands of harmless probes and focus exclusively on confirmed threats.

Because Contrast telemetry arrives pre-structured in UDM, it is immediately available to Google SecOps' Gemini-powered AI features, providing the verified, high-fidelity data that AI-driven investigation and triage require. The quality of an AI-assisted investigation is only as good as the signal it works from. Runtime-verified context sets a higher floor.
Streaming verified runtime telemetry into Google SecOps is the foundation. What it enables on top of that foundation is where the integration becomes operationally significant.
The Contrast and Google SecOps integration ships with a library of purpose-built YARA-L detection rules designed to translate application runtime events into high-fidelity SecOps alerts and cases — without requiring security teams to write detection logic from scratch.
Two categories of rules are included at launch.
Incident-to-case rules take confirmed Contrast ADR incidents and evidence and automatically create structured cases in Google SecOps. When Contrast confirms that a payload reached and executed against vulnerable code, a case surfaces in the SOC immediately - grounded in runtime-verified evidence, not probabilistic scoring.
Cross-source correlation rules extend that detection capability to the broader security stack. These rules correlate Contrast application-layer findings with signals from Web Application Firewalls (WAFs), Endpoint Detection and Response (EDR) tools and database and Data Loss Prevention (DB/DLP) sensors. This matters because application-layer attacks rarely exist in isolation. An injection attack against an application often leaves a simultaneous trace in an EDR alert or a WAF log.
By correlating Contrast's inside-out view with those perimeter and endpoint signals, security teams can build a complete picture of an attack chain. Furthermore, Contrast’s privileged viewpoint from within the application runtime acts as a high-fidelity filter for perimeter tools that are typically too noisy to use for standalone alerts. By anchoring these existing signals to Contrast's confirmed exploits, organizations extract significantly more value from their current security stack, effectively neutralizing the shortcomings of a WAF by transforming its noisy logs into highly useful forensic evidence.
This is the practical realization of the detect-to-respond story. Analysts receive fewer, higher-confidence alerts. The cases that do surface come pre-loaded with application context, exploit outcome, affected asset and correlated signals from the rest of the stack.
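The anchoring idea behind the cross-source correlation rules can be sketched in Python. This is an added example, not one of the shipped YARA-L rules: only runtime events with a confirmed exploit open a case, and WAF hits from the same source within a time window are attached as evidence instead of alerting on their own. The events, the field names (loosely modelled on UDM), the outcome values and the five-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events. Field names loosely follow UDM (principal, target,
# security_result); the "outcome" values are assumptions for this sketch.
RUNTIME_EVENTS = [
    {"ts": "2026-01-10T12:00:05", "principal_ip": "203.0.113.7",
     "target_application": "billing-api", "outcome": "EXPLOITED",
     "category_details": "Deserialization of Untrusted Data"},
    {"ts": "2026-01-10T12:03:00", "principal_ip": "198.51.100.9",
     "target_application": "billing-api", "outcome": "BLOCKED",
     "category_details": "SQL Injection"},
]
WAF_EVENTS = [
    {"ts": "2026-01-10T11:40:00", "principal_ip": "203.0.113.7", "rule": "anomaly-score"},
    {"ts": "2026-01-10T12:00:03", "principal_ip": "203.0.113.7", "rule": "anomaly-score"},
    {"ts": "2026-01-10T12:00:04", "principal_ip": "203.0.113.7", "rule": "binary-body"},
    {"ts": "2026-01-10T12:02:58", "principal_ip": "198.51.100.9", "rule": "sqli-pattern"},
]


def correlate(runtime_events, waf_events, window=timedelta(minutes=5)):
    """Open one case per confirmed exploit and attach nearby WAF hits as evidence."""
    cases = []
    for event in runtime_events:
        if event["outcome"] != "EXPLOITED":
            continue  # blocked or ineffective attempts never open a case
        confirmed_at = datetime.fromisoformat(event["ts"])
        evidence = [
            waf for waf in waf_events
            if waf["principal_ip"] == event["principal_ip"]
            and abs(datetime.fromisoformat(waf["ts"]) - confirmed_at) <= window
        ]
        cases.append({
            "application": event["target_application"],
            "category": event["category_details"],
            "source_ip": event["principal_ip"],
            "waf_evidence": [waf["rule"] for waf in evidence],
        })
    return cases


if __name__ == "__main__":
    for case in correlate(RUNTIME_EVENTS, WAF_EVENTS):
        print(case)
```

Four WAF hits and two runtime events collapse into a single case: the blocked probe and the WAF hit from twenty minutes earlier never reach an analyst.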

Detection inside Google SecOps is the front half of the story. The back half runs in parallel inside the Contrast platform itself.
When Contrast ADR confirms an attack, the same runtime event that streams into Google SecOps also feeds the Contrast Graph — the intelligence engine that connects live attack telemetry to the specific vulnerability in code. The Graph elevates that vulnerability's priority automatically based on an attacker reaching it in production. From that point, security and engineering teams have the precise, verified context required to act — including AI-assisted remediation through the broader Contrast platform. The SOC knows what happened. Engineering knows exactly where to fix it.
By integrating Contrast's runtime intelligence with Google Security Operations, organizations can unify application-layer defense across the SOC and the development workflow. The combination of verified runtime telemetry, pre-built detection rules and cross-source correlation gives security teams the evidence they need to act.
Application-layer attacks are not slowing down. Attackers are inside environments for longer. The tools to detect and respond to them must operate from inside the application. This integration makes that possible, at the speed and scale the modern SOC requires.
Maarten Buis serves as Sr. Product Marketing Manager at Contrast Security. He translates complex application security capabilities into clear advantages for SecOps professionals, helping them fortify their defenses and honor their commitment to upholding that trust.