User Guide

Alma is a runtime-native Application Detection & Response (ADR) platform.

It uses runtime signals to discover applications, APIs, and data flows.

It helps you prioritize risk based on real exposure across cloud, on-prem, and hybrid environments.

You’ll use Alma to move from visibility → prioritization → detection → investigation → response.

What you’ll do here

  • Learn the Alma object model (apps, components, flows, findings).

  • Get runtime visibility into services, endpoints, and reachability.

  • Prioritize Violations, Incidents, and CVEs using exploitability context.

  • Investigate changes over time with Activity Pulse.

Guided tour (wizard)

Follow these steps in order. Each step builds on the last.

1) Learn the Alma object model

You’ll work with:

  • Applications built from what Alma observes at runtime.

  • Components like services, APIs, databases, and third-party integrations.

  • Data flows showing real communication paths and reachability.

  • Findings:

    • Violations (before exploitation).

    • Incidents (confirmed malicious activity).

    • CVE prioritization (based on runtime exploitability).

If something looks “missing”, Alma probably hasn’t observed traffic yet.

2) Get application visibility (runtime context)

Alma builds a single view of each application from live signals.

You’ll use these four views most:

  • Holistic application view for “what is this app in production?”

  • Runtime inventory for “what services and endpoints exist?”

  • Data flow mapping for “what talks to what, and how?”

  • Component indicators for “what’s normal vs suspicious?”

[Screenshots: Application view with runtime context; Runtime inventory and components]
3) Understand the application profile

Alma aggregates runtime signals into an evolving application profile.

Use it to learn what “normal” looks like for this app.

[Screenshot: Application profile view]
4) Threat detection (what to fix first)

Alma prioritizes based on real runtime behavior.

Violations (before exploitation) highlight unsafe or unexpected behavior early.

Examples: abnormal API usage, unexpected access paths, or policy breaches in sensitive areas.

Incidents (after exploitation) are high-confidence detections of malicious activity.

They include runtime evidence and application context for fast response.

[Screenshot: Finding details and exploitability context]
5) Use CVE prioritization (runtime exploitability)

Focus on vulnerabilities that are actually exploitable in production.

Alma answers:

  • Is the vulnerable component running?

  • Is it reachable?

  • Is it exposed to untrusted input?

  • Is it in an active data flow?
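
As an added illustration (not Alma's own code or data), the following Python sketch applies those four questions to a constructed runtime inventory and flow map and ranks CVEs by runtime tier before CVSS; the component names, flows and CVE ids are placeholders.

```python
from collections import deque
# Constructed sample (not Alma data): a runtime inventory plus the flows observed
# between components. CVE ids are placeholders, not real identifiers.
COMPONENTS = {
    "edge-gateway": {"running": True, "internet_facing": True},
    "orders-api":   {"running": True, "internet_facing": False},
    "reports-job":  {"running": False, "internet_facing": False},
    "legacy-admin": {"running": True, "internet_facing": False},
}
FLOWS = [  # (source, destination, active now); False = seen before, idle this window
    ("edge-gateway", "orders-api", True),
    ("orders-api", "reports-job", False),
]
CVES = [
    {"id": "CVE-PLACEHOLDER-1", "component": "orders-api", "cvss": 7.5},
    {"id": "CVE-PLACEHOLDER-2", "component": "legacy-admin", "cvss": 9.8},
    {"id": "CVE-PLACEHOLDER-3", "component": "reports-job", "cvss": 9.1},
]

def reachable_from_untrusted(target, components, flows):
    """BFS over observed flows from running internet-facing components (untrusted input), through running components only."""
    start = [n for n, c in components.items() if c["internet_facing"] and c["running"]]
    seen, queue = set(start), deque(start)
    while queue:
        node = queue.popleft()
        for src, dst, _ in flows:
            if src == node and dst not in seen and components[dst]["running"]:
                seen.add(dst); queue.append(dst)
    return target in seen

def triage(cve, components, flows):
    """Answer the runtime questions for one CVE and map them to an action tier."""
    name = cve["component"]
    running = components[name]["running"]
    reachable = running and reachable_from_untrusted(name, components, flows)
    active = any(act and name in (src, dst) for src, dst, act in flows)
    if not running:
        tier = "ignore"      # nothing to exploit at runtime; revisit if it starts
    elif reachable and active:
        tier = "fix-now"     # reachable from untrusted input and carrying live traffic
    elif reachable:
        tier = "schedule"    # reachable, but no live flow in this window
    else:
        tier = "monitor"     # running, but no observed path from untrusted input
    return tier, {"running": running, "reachable": reachable, "active_flow": active}

def prioritize(cves, components, flows):  # runtime tier first, CVSS second
    order = {"fix-now": 0, "schedule": 1, "monitor": 2, "ignore": 3}
    rows = [(c["id"], triage(c, components, flows)[0], c["cvss"]) for c in cves]
    return sorted(rows, key=lambda r: (order[r[1]], -r[2]))
```

Note that the CVSS 9.8 finding on the unreachable component ranks below the CVSS 7.5 finding that sits in live, internet-reachable traffic, which is the reordering runtime context is meant to produce.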

[Screenshot: Triage and prioritization workflow]
6) Hunt and investigate (connect signals to behavior)

Use Activity Pulse to track how the application changes over time.

Use spikes and anomalies to connect detections to real behavior changes.

Then pivot into hunting with runtime filters and historical context.

[Screenshots: Activity Pulse overview; Application mapping for investigation pivots]
