# User Guide 68362

Alma is a runtime-native **Application Detection & Response (ADR)** platform.

It uses runtime signals to discover applications, APIs, and data flows.

It helps you prioritize risk based on real exposure across cloud, on‑prem, and hybrid environments.

You’ll use Alma to move from **visibility → prioritization → detection → investigation → response**.

### What you’ll do here

* Learn the Alma object model (apps, components, flows, findings).
* Get runtime visibility into services, endpoints, and reachability.
* Prioritize **Violations**, **Incidents**, and **CVEs** using exploitability context.
* Investigate changes over time with **Activity Pulse**.

### Product demo

{% embed url="<https://www.youtube.com/watch?v=oWXNJpSCUTA>" %}

### Guided tour (wizard)

Follow these steps in order. Each step builds on the last.

{% stepper %}
{% step %}

#### 1) Learn the Alma object model

You’ll work with:

* **Applications** built from what Alma observes at runtime.
* **Components** like services, APIs, databases, and third-party integrations.
* **Data flows** showing real communication paths and reachability.
* **Findings**:
  * **Violations** (before exploitation).
  * **Incidents** (confirmed malicious activity).
  * **CVE prioritization** (based on runtime exploitability).

{% hint style="info" %}
If something looks “missing”, Alma probably hasn’t observed traffic yet.
{% endhint %}
{% endstep %}

{% step %}

#### 2) Get application visibility (runtime context)

Alma builds a single view of each application from live signals.

You’ll use four views the most:

* **Holistic application view** for “what is this app in production?”
* **Runtime inventory** for “what services and endpoints exist?”
* **Data flow mapping** for “what talks to what, and how?”
* **Component indicators** for “what’s normal vs suspicious?”

![Application view with runtime context](/files/A7zdHavSpq6uSM1VAlRD)

![Runtime inventory and components](/files/k8qRD1Cf6CPaX8I72aV1)
{% endstep %}

{% step %}

#### 3) Understand the application profile

Alma aggregates runtime signals into an evolving application profile.

Use it to learn what “normal” looks like for this app.

![Application profile view](/files/NECU6qTKSUO8VPTFaDrh)
{% endstep %}

{% step %}

#### 4) Threat detection (what to fix first)

Alma prioritizes findings based on real runtime behavior.

**Violations (before exploitation)** highlight unsafe or unexpected behavior early.

Examples: abnormal API usage, unexpected access paths, or policy breaks in sensitive areas.

**Incidents (after exploitation)** are high-confidence detections of malicious activity.

They include runtime evidence and app context for fast response.

![Finding details and exploitability context](/files/VPJvoDvuznOSug1hHd3H)
{% endstep %}

{% step %}

#### 5) Use CVE prioritization (runtime exploitability)

Focus on vulnerabilities that are actually exploitable in production.

Alma answers:

* Is the vulnerable component running?
* Is it reachable?
* Is it exposed to untrusted input?
* Is it in an active data flow?

![Triage and prioritization workflow](/files/WkGKDtbrPvkpOj4ELqKL)
{% endstep %}

{% step %}

#### 6) Hunt and investigate (connect signals to behavior)

Use **Activity Pulse** to track how the application changes over time.

Use spikes and anomalies to connect detections to real behavior changes.

Then pivot into hunting with runtime filters and historical context.

![Activity Pulse overview](/files/pSd0HiuB1QkOOWn8FjzW)

![Application mapping for investigation pivots](/files/KR4kh703uh54F6imfnnp)
{% endstep %}
{% endstepper %}

### Next steps

* Read the fundamentals in [Alma Overview](/about-alma/quickstart.md).
* Set up a deployment in [Kubernetes](/integrations/kubernetes-aws-azure-gcp-and-on-prem.md).
* Connect workflows via [Slack](/integrations/slack.md) or [Jira](/integrations/jira.md).
