Cloud-native application protection platforms (CNAPPs) have evolved to consolidate multiple security capabilities across cloud infrastructure and application environments. While CNAPPs provide broad coverage across the cloud's lifecycle, many implementations continue to rely on fragmented visibility models, particularly in the context of application security. This limitation reflects the heritage of traditional application security testing approaches, including static, composition, and dynamic analysis.
An emerging trend is the introduction of runtime-driven observability within CNAPP architectures. This capability goes beyond visibility by enabling continuous, contextual insight into application behavior and system interactions during execution.
Limitations of Visibility-Centric Approaches
Traditional application security tools incorporated into CNAPP platforms — such as static application security testing (SAST), software composition analysis (SCA), and dynamic application security testing (DAST), as well as web application and API protection (WAAP) — provide domain-specific visibility:
- SAST and SCA analyze source code and third-party components prior to execution
- DAST evaluates externally observable application behavior through black-box testing
- WAAP/WAF technologies monitor and filter application-layer traffic
These approaches deliver useful insights. However, they do not provide an understanding of how applications behave at runtime.
Visibility Defined
- Visibility is defined as: “quality or fact or degree of being visible; perceptible by the eye or obvious to the eye”.
- By definition, visibility is superficial—it focuses only on what is immediately apparent. It observes the surface of events, processes, and entities, without providing any real insight into their underlying nature or workings.
- Therefore, traditional, non-runtime CNAPP approaches are limited in their perspective. SAST and SCA can only analyze the code and components of applications that are not yet running. DAST, as a “black-box” technology, probes only the external surface of a web application and cannot observe its internal workings. Similarly, WAAP/WAF solutions monitor traffic to and from applications, but do not provide deeper operational insight. As a result, these tools collectively miss the context and behaviors that occur during actual runtime.
Observability Defined
- A practical definition of observability: while visibility offers only a surface-level perspective on objects and events, observability delivers deep, actionable insight into the underlying processes that drive and animate those objects and events. Observability focuses on understanding the inner workings, not just the exterior.
Emergence of Runtime Observability in CNAPP
A new generation of CNAPP capabilities is incorporating runtime observability, leveraging technologies such as kernel-level instrumentation and system telemetry (e.g., eBPF-based approaches). These capabilities provide inside-out visibility into the execution of workloads and application processes. Key characteristics include:
- Inside-Out Perspective
Runtime observability provides insight not from the surface, but from the source. The observability technology is internal: it is located within the environment that hosts applications and APIs, enabling an inside-out view of the processes.
- Process-Level Insight
Observability allows detailed analysis of runtime entities, including processes, threads, system calls, and network interactions. This allows security teams to understand how applications behave under normal and anomalous conditions.
- Runtime Detection and Response
Observability enhances the ability to detect and respond to threats during both testing and production phases. In pre-production environments, it can help identify logic and security flaws. In production, it enables the detection of active exploits and anomalous behavior, with the potential for automated response actions.
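To make the process-level and detection points above concrete, the following Python example is added here; it is not from the original article or from any CNAPP product. It learns per-process behavior from pre-production telemetry and reports production behavior that was never seen. The event fields (proc, kind, detail), the severity ranking, and all events are constructed assumptions.

```python
from collections import defaultdict

# Constructed telemetry; the field names (proc, kind, detail) are assumptions.
BASELINE_EVENTS = [  # observed during pre-production testing
    {"proc": "api-server", "kind": "exec", "detail": "/usr/bin/python3"},
    {"proc": "api-server", "kind": "connect", "detail": "10.0.2.15:5432"},
    {"proc": "api-server", "kind": "open", "detail": "/app/config.yaml"},
    {"proc": "worker", "kind": "connect", "detail": "10.0.2.20:6379"},
]
PRODUCTION_EVENTS = [  # observed in production
    {"proc": "api-server", "kind": "connect", "detail": "10.0.2.15:5432"},
    {"proc": "api-server", "kind": "exec", "detail": "/bin/sh"},
    {"proc": "api-server", "kind": "connect", "detail": "203.0.113.7:4444"},
    {"proc": "worker", "kind": "connect", "detail": "10.0.2.20:6379"},
    {"proc": "cron-job", "kind": "open", "detail": "/etc/shadow"},
    {"proc": "api-server", "kind": "exec", "detail": "/bin/sh"},  # repeat
]
# Assumed triage order: process execution > network connection > file open.
SEVERITY = {"exec": 3, "connect": 2, "open": 1}

def build_baseline(events):
    """Map each process name to the set of (kind, detail) behaviours seen."""
    baseline = defaultdict(set)
    for ev in events:
        baseline[ev["proc"]].add((ev["kind"], ev["detail"]))
    return dict(baseline)

def detect_deviations(baseline, events):
    """Return one finding per behaviour absent from the baseline, worst first."""
    findings, seen = [], set()
    for ev in events:
        key = (ev["proc"], ev["kind"], ev["detail"])
        if key in seen:
            continue  # report each distinct behaviour once
        seen.add(key)
        known = baseline.get(ev["proc"])
        if known is None:
            reason = "unknown-process"
        elif key[1:] in known:
            continue  # matches behaviour learned before production
        else:
            reason = "new-behaviour"
        findings.append({**ev, "reason": reason})
    return sorted(findings, key=lambda f: -SEVERITY.get(f["kind"], 0))

if __name__ == "__main__":
    for f in detect_deviations(build_baseline(BASELINE_EVENTS), PRODUCTION_EVENTS):
        print(f["reason"], f["proc"], f["kind"], f["detail"])
```

An exact-match baseline like this is noisy for workloads with ephemeral ports or rotating addresses, so a production rule set would normalize the detail field before comparison.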
Implications for Security and Risk Management Leaders
Security leaders evaluating CNAPP solutions should consider the following:
- Assess depth of runtime capabilities: Not all CNAPP offerings provide equivalent levels of runtime insight or observability.
- Prioritize context over volume: High volumes of findings without runtime context may reduce prioritization effectiveness.
- Evaluate integration across lifecycle stages: Effective CNAPP implementations should correlate insights from development, deployment, and runtime environments.
- Consider operational impact: Observability-driven approaches may improve detection accuracy and reduce mean time to remediation (MTTR).
- Runtime CNAPP, equipped with runtime observability, enables the next generation of detection and protection.
Conclusion
CNAPP platforms continue to evolve from visibility-centric architectures toward observability-driven models. This transition reflects the growing complexity of cloud-native applications and the need for deeper, context-aware security insights. Runtime observability does not replace existing application security techniques; rather, it augments them, enabling organizations to move from isolated findings toward a more integrated understanding of application risk and behavior.