
Understand how Monitor protections work

Monitor protection modules are runtime detectors that identify threats, attacks, and security violations as they happen inside your application.


Each module operates independently and can be enabled, disabled, and configured with its own response action. Modules are organized into two categories based on how they operate:

  • Passive Detectors (Desktop and Mobile): Run at configurable intervals to monitor the runtime environment for threats like debuggers, virtual machines, jailbreaks, and tampering.
  • Active Interceptors (Web and Cloud): Hook into operations at the execution layer and validate them in real time before they complete. SQL queries, file access, HTTP requests, XML parsing, and process execution are all intercepted and analyzed.

Desktop & Mobile Protections

Passive detectors that run at configurable intervals (intervalMs) to monitor the runtime environment. These modules detect reverse engineering, device compromise, and integrity violations on devices where your application runs.

Debugger Detection

Detects attached debuggers (Visual Studio, GDB, WinDbg, LLDB)

Virtual Machine Detection

Detects VM environments (VMware, VirtualBox, Hyper-V, KVM)

Emulator Detection

Detects emulators (Wine, Android emulators, iOS Simulator)

Jailbreak Detection

Detects rooted Android or jailbroken iOS devices

Clock Tampering

Detects system time manipulation to bypass time-based restrictions

Memory Dump Detection

Detects memory dumping attempts (Cheat Engine, Process Hacker)

Tampering Detection

Detects code or resource modifications to assemblies

Process Injection

Detects DLL injection, code injection, and API hooking

Network Tampering

Detects proxies, MITM tools, and certificate issues

License Binding

Detects hardware fingerprint changes for license enforcement

Container Detection

Detects Docker, Kubernetes, and LXC containers

Remote Desktop

Detects RDP, VNC, TeamViewer, and remote access sessions

Cloud Metadata

Detects cloud environments (AWS, Azure, GCP)


Web & Cloud Protections

Active interceptors that hook into operations at the execution layer and validate them before they complete. These modules protect APIs and web applications against injection attacks, request forgery, and other OWASP Top 10 threats.

SQL Injection

Intercepts SQL queries (.NET database libraries)

NoSQL Injection

Intercepts NoSQL queries (MongoDB, Redis, CosmosDB)

Cross-Site Scripting

Validates user input and output encoding to prevent XSS

Path Traversal

Intercepts file I/O operations to prevent directory traversal

Command Injection

Validates process execution calls to prevent OS command injection

SSRF

Validates outgoing HTTP requests to prevent server-side request forgery

LDAP Injection

Intercepts LDAP queries to prevent directory injection

XXE

Intercepts XML parsing to prevent external entity attacks

LLM Prompt Injection

Validates AI/LLM API calls (OpenAI, Azure OpenAI)


Anomaly Detection

Active by default in every project. Anomaly Detection learns your application's normal behavior patterns and flags deviations without requiring predefined rules. It operates across all application types (desktop, mobile, web).

Anomaly Detection

Automatic detection of authentication anomalies, abnormal request rates, unexpected payloads, and suspicious session activity


Configuring Protections

Each module can be enabled individually with its own response action. You can configure protections from the Cloud Dashboard, a JSON configuration file, or the Configuration API.

Use presets to enable a group of protections at once, or configure each module individually:

JSON
{
  "preset": "cloud",
  "protections": {
    "SqlInjection": { "enabled": true, "action": "block" },
    "LlmPromptInjection": { "enabled": true, "action": "log" }
  }
}

See JSON Configuration for the full list of presets and configuration options.
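
An added example, not part of the product's documentation or tooling: a small Python check that could run in CI against a configuration file in the shape shown above, flagging modules that are enabled but not set to block. It uses only the keys shown on this page; the `REQUIRED_BLOCKING` policy and the treatment of modules omitted from "protections" as preset-dependent are assumptions.

```python
import json

# Assumption: a team policy naming modules that must be pinned to "block".
REQUIRED_BLOCKING = {"SqlInjection"}

# Constructed sample: the configuration shown on this page.
SAMPLE_CONFIG = """
{
  "preset": "cloud",
  "protections": {
    "SqlInjection": { "enabled": true, "action": "block" },
    "LlmPromptInjection": { "enabled": true, "action": "log" }
  }
}
"""


def audit(config_text, required=frozenset(REQUIRED_BLOCKING)):
    """Return sorted (module, finding) pairs for one configuration document."""
    config = json.loads(config_text)
    if not isinstance(config, dict):
        return [("config", "not a JSON object")]
    protections = config.get("protections", {})
    if not isinstance(protections, dict):
        return [("protections", "not a JSON object")]
    findings = []
    for name, entry in protections.items():
        if not isinstance(entry, dict):
            findings.append((name, "entry is not a JSON object"))
            continue
        enabled, action = entry.get("enabled"), entry.get("action")
        if not isinstance(enabled, bool):
            findings.append((name, "'enabled' is missing or not a boolean"))
        elif not enabled:
            if name in required:
                findings.append((name, "required module is disabled"))
        elif action != "block":
            findings.append((name, f"enabled with action {action!r}, not 'block'"))
    # Assumption: a module left out of "protections" follows the preset,
    # which this check cannot see, so it is reported rather than trusted.
    for name in set(required) - set(protections):
        findings.append((name, "not pinned in 'protections'; depends on preset"))
    return sorted(findings)


if __name__ == "__main__":
    for module, finding in audit(SAMPLE_CONFIG):
        print(f"{module}: {finding}")
```

A non-empty result can fail the pipeline, so a change from "block" to "log" on a required module is caught in review rather than in production.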


Next Steps

Actions

All response action types and when to use each one

Cloud Configuration

Configure protections from the web dashboard

JSON Configuration

Full schema reference with presets and per-module configuration

Custom Actions

Create custom response handlers for specific threat types
