Runtime Correlation

Radar correlates static analysis findings with real-time exploit data from ByteHide Monitor (RASP) to eliminate false positives, discover zero-day vulnerabilities, and reprioritize findings based on actual exploitability, not just theoretical severity.

The Problem with Static Analysis Alone

Static analysis scans source code and identifies potential vulnerabilities. A typical scan produces dozens or hundreds of findings, all ranked by severity score. But severity alone does not tell your team what to fix first.

Problem	What Happens
False positives	A finding flagged as High severity turns out to be unreachable in practice. Your team wastes hours triaging code that is not actually vulnerable in context
Severity is not exploitability	A Critical SSRF on an internal endpoint that external traffic never reaches is less urgent than a Medium SQL injection that attackers are targeting right now
No zero-day coverage	Static analysis only detects known vulnerability patterns. New attack techniques that have no published CWE or signature are invisible to SAST
Flat priority	Without runtime context, all High findings look equally important. Teams fix in arbitrary order instead of focusing on active threats

Runtime correlation solves all four problems by connecting what Radar sees in your code with what Monitor sees in production.

How Runtime Correlation Works

When both Radar (SAST/SCA/Secrets) and Monitor (RASP) are active on the same project, they share data bidirectionally through the ByteHide platform. No additional configuration is needed.

SAST: Code Vulnerabilities Meet Real Attacks

Escalation: theoretical to actively exploited.

Radar flags a SQL injection in /api/users and assigns it Medium severity based on static analysis
Monitor detects 47 SQL injection attempts targeting that exact endpoint this week in production
Radar receives the runtime signal and automatically escalates the finding to Critical
The finding shows a "Runtime Confirmed" indicator with a link to the Monitor incidents

The vulnerability is no longer theoretical. Your team knows it is actively under attack.

De-escalation: flagged but unreachable.

Radar flags an SSRF vulnerability with Critical severity (CVSS 9.1)
Monitor has runtime visibility into how that endpoint is accessed
Monitor confirms the endpoint is internal-only, behind authentication, and unreachable from external traffic
Radar adjusts the priority downward to Medium

Your team stops spending time on vulnerabilities that cannot be exploited in the current deployment.

Zero-day discovery: unknown patterns detected at runtime.

Monitor detects a new attack pattern that exploits a code path no static rule covers
Monitor classifies it as a potential zero-day and reports the incident with full context: payload, source, method, and the code path executed
Radar receives the signal and creates a new finding for that code location, without needing a new code scan
The finding is automatically assigned Critical severity because it represents an actively exploited, previously unknown vulnerability

Static analysis alone would never have found it. The runtime detected the attack, and Radar now tracks the remediation.

SCA: Vulnerable Dependencies in Real Environments

Static SCA analysis tells you which repositories contain a vulnerable library. Runtime correlation tells you which applications in production are actively loading and executing that library right now.

Real-time impact mapping.

A new CVE is published for a library (e.g., a critical prototype pollution in minimist)
Radar's SCA scan identifies 12 repositories that include the vulnerable version in their dependencies
Monitor reports that only 3 of those 12 applications are actually loading minimist in production at this moment
Radar reprioritizes: those 3 applications are Critical, the remaining 9 are Medium (the dependency exists but is not actively in use)

Your team fixes the 3 active applications first, instead of treating all 12 equally.

Runtime protection while you patch.

When a vulnerable library is detected in a running application, Monitor can block exploit attempts targeting that specific vulnerability in real time. This gives your team a protection window:

Monitor detects and blocks attacks targeting the vulnerable library
Your application stays protected while you prepare the fix
You use AutoFix to generate the dependency upgrade PR
You review, test, and merge on your schedule, not under emergency pressure

The combination of runtime blocking and automated remediation turns a zero-day emergency into a managed process.

Impact on Prioritization

Without runtime correlation, priority is based on severity score alone:

Finding	CVSS	Priority
SQL Injection in `/api/users`	8.6	High
XSS in `/admin/reports`	6.1	Medium
Path Traversal in `/api/files`	7.5	High
SSRF in `/internal/webhook`	9.1	Critical

With runtime correlation from Monitor:

Finding	CVSS	Runtime Signal	Adjusted Priority
SQL Injection in `/api/users`	8.6	47 exploit attempts this week	Critical (actively exploited)
XSS in `/admin/reports`	6.1	No attempts observed	Medium (unchanged)
Path Traversal in `/api/files`	7.5	Endpoint is internal only	Low (unreachable)
SSRF in `/internal/webhook`	9.1	Endpoint is internal only	Medium (deprioritized)

The SSRF had the highest CVSS score, but runtime data shows it is on an internal endpoint that external traffic never reaches. The SQL injection had a lower score, but it is actively under attack. Without runtime correlation, your team fixes the SSRF first. With it, they fix the SQL injection first.

False Positive Reduction

Runtime correlation reduces false positives by up to 90% through three mechanisms:

Mechanism	How It Works
Reachability confirmation	Monitor observes actual traffic patterns and confirms which code paths are reachable from external requests. Findings in unreachable code are deprioritized or reclassified
Exploit validation	When Monitor detects a real attack matching a Radar finding, the finding is confirmed as a true positive with high confidence
Context enrichment	Monitor provides deployment context (internal vs. external endpoints, authentication requirements, network segmentation) that eliminates findings that are valid in code but not exploitable in context

Instead of triaging 200 findings manually, your team focuses on the findings that runtime data confirms are real, reachable, and actively targeted.

AutoFix on What Matters

Runtime correlation directly improves AutoFix effectiveness:

Fix actively exploited vulnerabilities first. AutoFix generates PRs for runtime-confirmed findings, so your first merges address real attacks
Skip false positives. Findings deprioritized by runtime data move to the bottom of the queue, so AutoFix is not wasted on unreachable code
Prioritize SCA upgrades by runtime impact. When a CVE affects multiple repositories, AutoFix targets the applications that are actually running the vulnerable code in production

The result is a remediation workflow driven by real-world risk, not theoretical severity scores.

What You See in the Dashboard

Findings enriched with runtime data display additional context in Radar:

Indicator	Description
Runtime Status	Whether Monitor has observed exploit attempts against this vulnerability
Last Exploit Attempt	Timestamp of the most recent attack targeting this finding
Attack Frequency	How often this vulnerability is being targeted in production
Reachability	Whether Monitor confirms the vulnerable code path is reachable from external traffic
Runtime Protection	Whether Monitor is actively blocking attacks targeting this vulnerability while you prepare a fix

Setup

Runtime correlation activates automatically when both products are connected:

Create a Radar project and connect your repository
Set up Monitor on the same application
Both products share data through the ByteHide platform automatically

No additional configuration is needed. When Monitor detects an attack that matches a Radar finding, the correlation appears in both dashboards within seconds.