# Alma Overview

Alma is an Application Detection & Response (ADR) platform.

It gives you runtime visibility, detection, and response without code changes.

It monitors live application traffic, data flows, and AI interactions at runtime.

### The Alma Sensor

The Alma Sensor is a lightweight, runtime-native sensor.

It uses eBPF to observe live Layer 7 behavior.

No proxy. No sidecar. No code change.

It observes application behavior in any environment:

* Cloud and on-prem
* Virtual machines, containers, and Kubernetes
* Windows and Linux
* Serverless and managed services

The sensor captures signals from live interactions:

* APIs
* Data stores
* Third-party services
* Internal services
* Queues and messaging
* LLM endpoints, MCP servers, and agent workflows

This builds a real-time view based on observed behavior.


### AI runtime coverage

Alma monitors AI-augmented applications in production.

It inventories AI components as they appear:

* LLM endpoints and MCP servers
* Agents, tool calls, embeddings, and vector stores
* Third-party AI providers and new integrations

It detects risky AI behavior in live Layer 7 traffic:

* Prompt injection and endpoint enumeration
* MCP tool exposure and excessive agency
* Scope drift across agentic workflows

It tracks sensitive data across AI workflows:

* PII, PCI, and PHI
* Secrets and credentials
* Prompt and response flows to external providers

AI findings use the same Alma finding model:

* Vulnerabilities
* Violations
* Incidents

#### Key Capabilities

**Holistic application view**\
See live dependencies, data flows, AI components, and service interactions.

**Runtime threat detection**\
Detect abuse, misuse, and logic attacks using behavioral analysis and profiling.

**AI runtime detection**\
Detect prompt abuse, MCP risk, agent drift, and unsafe tool exposure.

**Dynamic threat modeling**\
Adapt models to changing behavior and attack patterns.

**Sensitive data tracking**\
Detect regulated data, secrets, and credentials in live traffic and AI flows.

**ADR workflows**\
Correlate findings, prioritise risk, and drive response for SOC and DevSecOps.

### How Alma detects

Alma combines six runtime engines in one detection stack.

* **Behavioral Engine** baselines Layer 7 behavior and surfaces first-seen drift.
* **Application Intelligence** inspects APIs, auth exchanges, model calls, and data access.
* **AI Threat Intelligence** correlates AI signals and reconstructs incident context.
* **Offensive Validation** confirms exploitability and validates fixes.
* **Data Security Engine** detects sensitive data in live traffic, including AI workflows.
* **Exposure Context Engine** adds reachability, posture, and component context.

#### Built for Every Environment

* Cloud & Multi-Cloud
* On-Prem & Hybrid
* Virtual Machines & Bare Metal
* Containers & Kubernetes
* **Windows & Linux**
* **Serverless & Managed Services**

#### Zero-Friction Deployment

* Auto-instrumentation with **zero code changes**
* Up and running in minutes (typical)
* Supports **95%+ of common application protocols**
* Minimal overhead (\~2% CPU, \~0.5GB RAM per cluster)


