RuntimeGuard is a focused Linux runtime security platform that detects ransomware behaviour in real time. It combines lightweight kernel-level telemetry with behavioural detection and practical containment — built for modern server environments.
Every process execution on your Linux hosts is observed at kernel level via eBPF tracepoints. No agent per process. No performance overhead. Everything from exec calls to short-lived scripts.
File write and rename activity is continuously monitored. When a process starts writing or renaming files at abnormal rates — a hallmark of ransomware encryption — RuntimeGuard catches it immediately.
Behavioural detection rules run against a sliding time window. File write bursts, rename storms, and process execution anomalies all trigger incidents — catching ransomware before it completes.
Every incident is recorded with a full timeline: which process triggered it, which files were affected, when it started. Your team has everything needed to investigate and respond.
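The three paragraphs above describe one mechanism: count file writes and renames per process inside a trailing time window, and open an incident with a timeline once the count crosses a threshold. The following Python is an added illustration of that mechanism, not RuntimeGuard's own code; the window length, the thresholds, the `FileEvent` shape and the sample process names are assumptions, and the event stream is constructed inline rather than read from eBPF.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    ts: float      # seconds since epoch, as a kernel tracepoint would stamp it (assumed shape)
    pid: int
    comm: str      # process name
    op: str        # "write" or "rename"
    path: str


@dataclass
class Incident:
    rule: str
    pid: int
    comm: str
    started_at: float    # oldest event still inside the window when the threshold was crossed
    detected_at: float   # the event that crossed it
    files: list          # affected paths, i.e. the incident timeline


class SlidingWindowDetector:
    """Per-process, per-operation count of file events inside a trailing window."""

    def __init__(self, window_s=10.0, thresholds=None):
        self.window_s = window_s
        # Assumed thresholds: 50 writes or 30 renames within the window.
        self.thresholds = thresholds or {"write": 50, "rename": 30}
        self._windows = defaultdict(deque)   # (pid, op) -> events still inside the window
        self._reported = set()               # (pid, op) pairs already escalated once

    def observe(self, ev):
        key = (ev.pid, ev.op)
        q = self._windows[key]
        q.append(ev)
        cutoff = ev.ts - self.window_s
        while q and q[0].ts < cutoff:       # evict events that fell out of the window
            q.popleft()
        if len(q) >= self.thresholds[ev.op] and key not in self._reported:
            self._reported.add(key)
            return Incident(rule=f"{ev.op}_burst", pid=ev.pid, comm=ev.comm,
                            started_at=q[0].ts, detected_at=ev.ts,
                            files=sorted({e.path for e in q}))
        return None


def sample_events():
    """Constructed event stream: one benign editor and one process with a rename storm."""
    events = []
    # Benign: an editor saving five documents over a minute never fills the window.
    for i in range(5):
        events.append(FileEvent(ts=15.0 * i, pid=1201, comm="vim",
                                op="write", path=f"/home/dev/notes{i}.txt"))
    # Suspicious (constructed): one process writes and then renames 40 files in two seconds.
    for i in range(40):
        t = 100.0 + 0.05 * i
        src = f"/srv/share/report{i:02d}.docx"
        events.append(FileEvent(ts=t, pid=4410, comm="suspect", op="write", path=src))
        events.append(FileEvent(ts=t + 0.01, pid=4410, comm="suspect", op="rename", path=src))
    return sorted(events, key=lambda e: e.ts)


def run_sample():
    """Feed the constructed stream through the detector and return the incidents raised."""
    det = SlidingWindowDetector()
    return [inc for inc in map(det.observe, sample_events()) if inc]


if __name__ == "__main__":
    for inc in run_sample():
        print(f"{inc.rule}: pid={inc.pid} comm={inc.comm} "
              f"{inc.started_at:.2f}->{inc.detected_at:.2f} files={len(inc.files)}")
```

The write burst of 40 files stays under the assumed write threshold, so only the rename storm is escalated; because each (pid, op) pair is reported once, a long-running storm yields a single incident rather than one per event.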
When detection confidence is high, RuntimeGuard can automatically terminate the offending process — stopping encryption mid-flight. Available in Growth and Business tiers.
Built for MSPs and multi-environment teams. Manage multiple customers or environments from a single control plane with full data isolation between tenants.
Every outbound connection and executed binary is checked against a cascade of threat intelligence sources: Feodo Tracker, Emerging Threats, MalwareBazaar, VirusTotal and AlienVault OTX. Matches generate critical incidents automatically.
Raw DNS traffic is captured via AF_PACKET and analysed using Shannon entropy. High-entropy subdomains and abnormal query rates indicate DNS tunnelling — the covert channel most security tools miss entirely.
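The two signals named above, subdomain entropy and per-source query rate, can be computed from a stream of parsed queries. The Python below is an added example of that analysis rather than RuntimeGuard's code: it consumes constructed log lines (timestamp, source address, query name) instead of AF_PACKET frames, and the entropy threshold, minimum label length, rate window and the two-label zone assumption are choices made for the example.

```python
import math
from collections import Counter, defaultdict, deque

ENTROPY_BITS = 3.5      # assumed: hex/base32 payload labels sit near 4-5 bits per character
MIN_LABEL_LEN = 16      # assumed: short labels such as "mail" cannot carry a payload
RATE_WINDOW_S = 60.0    # assumed trailing window for the per-source query rate
RATE_THRESHOLD = 50     # assumed: more than this many queries per source per window

# Constructed payload: every hex digit appears exactly twice, so its entropy is 4.0 bits.
PAYLOAD = "0123456789abcdefedcba9876543210f"


def shannon_entropy(text):
    """Shannon entropy in bits per character: H = -sum(p_i * log2(p_i))."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def subdomain_labels(qname, zone_labels=2):
    """Labels below the registered zone, joined. Assumes a two-label zone such as
    example.com; a public-suffix list would be needed for zones like example.co.uk."""
    labels = qname.rstrip(".").lower().split(".")
    return "".join(labels[:-zone_labels]) if len(labels) > zone_labels else ""


def is_high_entropy(qname):
    sub = subdomain_labels(qname)
    return len(sub) >= MIN_LABEL_LEN and shannon_entropy(sub) >= ENTROPY_BITS


class DnsAnomalyDetector:
    def __init__(self):
        self._per_src = defaultdict(deque)   # src -> query timestamps inside the window
        self._rate_alerted = set()           # sources already reported for rate

    def observe(self, ts, src, qname):
        findings = []
        if is_high_entropy(qname):
            findings.append(("high_entropy_subdomain", src, qname))
        q = self._per_src[src]
        q.append(ts)
        while q and q[0] < ts - RATE_WINDOW_S:
            q.popleft()
        if len(q) > RATE_THRESHOLD and src not in self._rate_alerted:
            self._rate_alerted.add(src)
            findings.append(("query_rate_anomaly", src,
                             f"{len(q)} queries in {RATE_WINDOW_S:.0f}s"))
        return findings


def parse_line(line):
    """Constructed log format: '<ts> <src> <qname>'."""
    ts, src, qname = line.split()
    return float(ts), src, qname


def sample_log():
    lines = [
        "0.0 10.0.0.5 www.example.com",
        "1.5 10.0.0.5 mail.example.com",
        "3.0 10.0.0.5 cdn1.static.example.com",
        "4.2 10.0.0.5 api-v2-west.example.com",
    ]
    # Constructed tunnel-like client: 64 queries in ~6 s, each label a rotation of PAYLOAD
    # (rotation keeps the character multiset, hence the 4.0-bit entropy).
    for i in range(64):
        p = PAYLOAD[i % 32:] + PAYLOAD[:i % 32]
        lines.append(f"{100.0 + 0.1 * i:.1f} 10.0.0.23 {p[:16]}.{p[16:]}.example-zone.net")
    return lines


def run_sample():
    det = DnsAnomalyDetector()
    summary = {"entropy_hits": 0, "rate_alerts": [], "flagged_sources": set()}
    for line in sample_log():
        for kind, src, _detail in det.observe(*parse_line(line)):
            summary["flagged_sources"].add(src)
            if kind == "high_entropy_subdomain":
                summary["entropy_hits"] += 1
            else:
                summary["rate_alerts"].append(src)
    summary["flagged_sources"] = sorted(summary["flagged_sources"])
    return summary


if __name__ == "__main__":
    print(run_sample())
```

The benign client's labels are either short or low-entropy, so neither signal fires for it; the tunnel-like client trips the entropy check on every query and the rate check once it exceeds the window threshold. In practice the entropy threshold needs tuning against CDN and cloud hostnames, which are long but usually well under 4 bits per character.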
Write your own detection rules in Sigma YAML alongside the 26 built-in rules. Rules are validated on save, support field modifiers and compound conditions, and run against every event in real time.
Every incident links to an interactive process tree showing the full parent–child ancestry of the offending process in the ±5-minute window. Follow the chain from a suspicious shell back to root cause without touching the host.
Admin, analyst and viewer roles are enforced at the API key level. Assign the right access to every team member — operations, security analysts and read-only stakeholders — with full audit logging of every action.
Enterprise teams can log in with their existing Google Workspace or Microsoft Entra identity — no separate credentials to manage. RBAC roles apply to SSO identities and sessions are tenant-scoped.
Managed service providers get a cross-tenant SOC feed, unified admin panel and per-tenant drill-down — all from a single login. Volume pricing available for MSPs with more than five tenants.
| Capability | RuntimeGuard | Wazuh (OSS) | Falco (OSS) | CrowdStrike |
|---|---|---|---|---|
| Linux runtime monitoring | ✓ | ✓ | ✓ | ✓ |
| eBPF kernel-level telemetry | ✓ | — | ✓ | ✓ |
| Ransomware-specific detection | ✓ | partial | partial | ✓ |
| Managed SaaS (no self-hosting) | ✓ | — | — | ✓ |
| Sliding window detection | ✓ | — | — | ✓ |
| Multi-tenant (MSP-ready) | ✓ | complex | — | ✓ |
| Deploy in < 5 minutes | ✓ | — | partial | — |
| SMB-friendly pricing | ✓ | free | free | — |
| Threat intelligence (VT + OTX) | ✓ | partial | — | ✓ |
| DNS exfiltration detection | ✓ | — | — | partial |
| Custom Sigma rules | ✓ | ✓ | ✓ | partial |
| Process tree / attack graph | ✓ | — | — | ✓ |
| RBAC roles | ✓ | complex | — | ✓ |
| SSO / OIDC login | ✓ | — | — | ✓ |
Start a 14-day free trial. No credit card required. Deploy in minutes.