How bifrost Works
bifrost works in the background so you can work on what matters. Here's what happens under the hood.
Deploy the Agent
Install the lightweight bifrost agent into your Kubernetes clusters using Helm. No code changes. No sidecars. The agent runs as a DaemonSet, so one instance runs on every node and observes every workload scheduled there. Setup takes minutes.
Observe & Learn
Add a simple annotation to your deployments and bifrost starts learning. In pre-prod environments, every new build is observed — system calls, file access, network connections, process execution. Each build produces a precise behavioral fingerprint automatically.
Generate Runtime Profiles
For every build promoted to production, bifrost automatically generates a tailored runtime profile from what that build was observed doing in pre-prod. Each profile defines exactly what that container version is allowed to do and nothing more, so pre-prod traffic needs to exercise the code paths production will use; behavior first seen in production falls outside the profile. Profiles are human-readable and fully reviewable.
Enforce & Protect
Profiles are enforced at the kernel level. Any action outside the established behavior is blocked, whether it comes from a zero-day exploit, a supply-chain attack, ransomware or a container escape: each has to make the container do something it was never observed doing, such as executing a new binary, touching unexpected files or opening unexpected connections. When you deploy the next build, its profile replaces the previous one automatically, so your protection evolves with your application.
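The observe, profile and enforce steps above, as an added worked example. This is example code written for this page, not bifrost's agent, and the page does not show bifrost's profile format: the event representation, the build names, the sample events and the addresses in them are all constructed for the illustration. The syscall part of the profile is rendered in the seccomp JSON layout that Docker and Kubernetes load, one real kernel-level mechanism for enforcing a syscall allowlist.

```python
"""Observe -> profile -> enforce, as an added example for this page.

Example code written for this page; it is not bifrost's agent, and the
page does not show bifrost's profile format. It models the pipeline the
page describes: behavioral events recorded from a pre-prod build are
distilled into an allowlist profile, and later events are allowed only if
they fall inside it. The syscall part of the profile is rendered in the
Docker/Kubernetes seccomp JSON layout, one real kernel-level mechanism
for enforcing a syscall allowlist.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field

# Constructed sample of what an observing agent might record for one build:
# (event kind, detail). Syscall names are the ones the page lists plus the
# few any dynamically linked process needs to start.
OBSERVED_V1 = [
    ("syscall", "execve"), ("syscall", "openat"), ("syscall", "read"),
    ("syscall", "write"), ("syscall", "mmap"), ("syscall", "connect"),
    ("syscall", "bind"), ("syscall", "close"), ("syscall", "exit_group"),
    ("exec", "/usr/local/bin/python3"),
    ("file", "/app/config.yaml"),
    ("file", "/etc/ssl/certs/ca-certificates.crt"),
    ("connect", "10.0.5.12:5432"),          # constructed database address
    ("bind", "0.0.0.0:8080"),
    ("library", "/usr/lib/x86_64-linux-gnu/libssl.so.3"),
]

# The next build adds a call-out to a metrics endpoint (constructed).
OBSERVED_V2 = OBSERVED_V1 + [("connect", "10.0.9.4:9090")]

KINDS = ("syscall", "exec", "file", "connect", "bind", "library")


@dataclass
class RuntimeProfile:
    """Allowlist of everything one container build was seen doing."""
    build: str
    allowed: dict = field(default_factory=lambda: {k: set() for k in KINDS})

    def check(self, kind: str, detail: str) -> tuple[bool, str]:
        """Enforcement decision: anything not observed for this build is blocked."""
        if kind not in self.allowed:
            return False, f"unknown event kind {kind!r}: blocked"
        if detail in self.allowed[kind]:
            return True, f"{kind} {detail} is in profile {self.build}"
        return False, f"{kind} {detail} not in profile {self.build}: blocked"

    def to_seccomp_json(self) -> str:
        """Syscall allowlist in the seccomp profile layout Docker/Kubernetes load."""
        doc = {
            "defaultAction": "SCMP_ACT_ERRNO",
            "architectures": ["SCMP_ARCH_X86_64"],
            "syscalls": [{
                "names": sorted(self.allowed["syscall"]),
                "action": "SCMP_ACT_ALLOW",
            }],
        }
        return json.dumps(doc, indent=2)


def build_profile(build: str, events) -> RuntimeProfile:
    """Distil the observed events of one build into its allowlist."""
    profile = RuntimeProfile(build)
    for kind, detail in events:
        if kind not in profile.allowed:
            raise ValueError(f"unexpected event kind {kind!r}")
        profile.allowed[kind].add(detail)
    return profile


def evaluate(profile: RuntimeProfile, events) -> list[tuple]:
    """Run a batch of production events through the profile: (kind, detail, allowed)."""
    return [(kind, detail, profile.check(kind, detail)[0]) for kind, detail in events]


# Constructed production events: normal traffic plus the kind of actions an
# exploit or a supply-chain implant would perform.
PRODUCTION_EVENTS = [
    ("connect", "10.0.5.12:5432"),      # normal database query
    ("exec", "/bin/sh"),                # spawned shell: not in profile
    ("file", "/etc/shadow"),            # credential file read: not in profile
    ("connect", "203.0.113.7:443"),     # unexpected egress: not in profile
    ("syscall", "ptrace"),              # not in the syscall allowlist
    ("connect", "10.0.9.4:9090"),       # legitimate only from build v2 on
]

if __name__ == "__main__":
    for build, observed in (("v1", OBSERVED_V1), ("v2", OBSERVED_V2)):
        profile = build_profile(build, observed)
        for kind, detail, ok in evaluate(profile, PRODUCTION_EVENTS):
            print(f"[{build}] {'ALLOW' if ok else 'BLOCK'} {kind} {detail}")
    print(build_profile("v1", OBSERVED_V1).to_seccomp_json())
```

The v1 and v2 profiles differ by one observed connection, which is the "profiles update with the next build" behavior: the metrics call-out is blocked under v1 and allowed under v2, while the shell spawn, the credential read, the unexpected egress and the unobserved syscall are blocked under both because nothing in either build ever did them.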
Correlate & Prioritize
bifrost ingests SBOMs for both application code and container images at each build, across environments. CVEs are correlated against actual runtime behavior: vulnerabilities in code that never runs are deprioritized, and exploit vectors the runtime profile blocks are marked as mitigated. You are left with only the exposures that genuinely need attention.
Technical Deep-Dive
What happens under the hood at each stage of the bifrost pipeline.
Runtime Data Collection
The bifrost agent collects detailed behavioral data: system calls (execve, open, connect, bind, mmap), file I/O, network activity, process creation, environment variables, loaded libraries.
What is NOT collected:
Application data, PII, request payloads, database contents, API responses. The agent observes behavioral signals only, not information flows. Data is aggregated and anonymized. Because environment variables are among the collected signals and frequently carry credentials, verify what the agent retains from them before enabling it on workloads that hold secrets.
Minimal performance impact (<1% CPU).
SBOM Integration
bifrost ingests SBOM data to understand the dependency landscape. Supported formats: CycloneDX (XML/JSON) and SPDX. Integration with SBOM generators happens automatically in CI/CD.
The SBOM provides a precise inventory of every dependency and its version; known CVEs are matched against that inventory, and bifrost correlates the matches with runtime behavior to determine reachability.
Continuous re-evaluation:
As CVE databases update, bifrost continuously re-evaluates exposure without requiring new builds.
CVE Correlation Engine
The CVE correlation engine is the heart of Exposure Intelligence. It operates in three stages:
Static Mapping
Map each CVE to the SBOM components it affects, and determine which containers include an affected version of those components.
Reachability Analysis
Cross-reference vulnerable code paths with observed runtime behavior. If the vulnerable function is never called, or the feature it lives in is never configured, the CVE is classified as unreachable for that build.
Mitigation Assessment
Determine whether the runtime profile blocks the exploit vector. If exploiting a CVE requires an action the profile does not allow, such as executing a binary the build was never observed running, the CVE is marked as mitigated.
Result: vulnerabilities categorized as:
Reachable, not mitigated — requires attention
Mitigated by runtime profile
Code path never executed
Teams focus on the actionable list (Reachable, not mitigated), which is typically up to 90% smaller than the original scanner output.
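The three stages of the correlation engine, and the Correlate & Prioritize step they implement, as an added worked example. This is example code written for this page, not bifrost's engine. Everything it consumes is constructed: a small CycloneDX 1.5 JSON SBOM with made-up components, a vulnerability list with made-up identifiers (CVE-EXAMPLE-000x, not real CVEs), the functions and features one build was observed using, and that build's runtime profile as an allowlist per event kind. The field names on the vulnerability records (fixed_in, vulnerable_symbol, requires_feature, exploit_needs) are this example's assumptions, not a real feed format.

```python
"""CVE correlation in three stages, as an added example for this page.

Example code written for this page, not bifrost's engine. It implements the
three stages the page describes (static mapping, reachability analysis,
mitigation assessment) over constructed inputs with made-up identifiers.
"""
from __future__ import annotations

import json

# The three result categories the page lists.
ACTIONABLE = "Reachable, not mitigated"
MITIGATED = "Mitigated by runtime profile"
NEVER_EXECUTED = "Code path never executed"

# Constructed CycloneDX 1.5 JSON document (real layout, made-up components).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "yamlparser", "version": "1.4.2", "purl": "pkg:pypi/yamlparser@1.4.2"},
    {"type": "library", "name": "imagecodec", "version": "0.9.0", "purl": "pkg:pypi/imagecodec@0.9.0"},
    {"type": "library", "name": "httpclient", "version": "3.2.1", "purl": "pkg:pypi/httpclient@3.2.1"},
    {"type": "library", "name": "templating", "version": "2.0.5", "purl": "pkg:pypi/templating@2.0.5"}
  ]
}
"""

# Constructed vulnerability records with made-up identifiers (not real CVEs).
# exploit_needs is the single concrete action the exploit must perform.
VULNS = [
    {"id": "CVE-EXAMPLE-0001", "component": "yamlparser", "fixed_in": "1.5.0",
     "vulnerable_symbol": "yamlparser.load_unsafe", "requires_feature": None,
     "exploit_needs": ("exec", "/bin/sh")},          # unsafe deserialisation spawns a shell
    {"id": "CVE-EXAMPLE-0002", "component": "imagecodec", "fixed_in": "1.0.0",
     "vulnerable_symbol": "imagecodec.decode_tiff", "requires_feature": None,
     "exploit_needs": ("syscall", "mprotect")},     # memory corruption, shellcode stage
    {"id": "CVE-EXAMPLE-0003", "component": "httpclient", "fixed_in": "3.3.0",
     "vulnerable_symbol": "httpclient.follow_redirect", "requires_feature": "redirects",
     "exploit_needs": ("syscall", "connect")},      # SSRF via redirect handling
    {"id": "CVE-EXAMPLE-0004", "component": "templating", "fixed_in": "2.0.4",
     "vulnerable_symbol": "templating.render", "requires_feature": None,
     "exploit_needs": ("exec", "/bin/sh")},          # shipped version is already fixed
    {"id": "CVE-EXAMPLE-0005", "component": "httpclient", "fixed_in": "3.3.0",
     "vulnerable_symbol": "httpclient.get", "requires_feature": "proxy",
     "exploit_needs": ("syscall", "connect")},      # only triggers with a proxy configured
]

# Constructed runtime observations for this build: functions the tracer saw
# called, features found configured, and the build's profile as an allowlist.
OBSERVED_SYMBOLS = {"yamlparser.load_unsafe", "imagecodec.decode_png",
                    "httpclient.get", "httpclient.follow_redirect"}
CONFIGURED_FEATURES = {"redirects"}
PROFILE = {
    "exec": {"/usr/local/bin/python3"},
    "syscall": {"execve", "openat", "read", "write", "mmap", "connect", "close"},
    "connect": {"10.0.5.12:5432"},
}


def _vtuple(version: str) -> tuple:
    """Dotted numeric version to a comparable tuple ('1.4.2' -> (1, 4, 2))."""
    return tuple(int(p) for p in version.split("."))


def static_mapping(sbom_json: str, vulns: list[dict]) -> list[dict]:
    """Stage 1: keep only CVEs whose component ships in the SBOM at an affected version."""
    components = {c["name"]: c["version"] for c in json.loads(sbom_json)["components"]}
    affected = []
    for v in vulns:
        shipped = components.get(v["component"])
        if shipped is not None and _vtuple(shipped) < _vtuple(v["fixed_in"]):
            affected.append(v)
    return affected


def is_reachable(v: dict, observed_symbols: set, configured_features: set) -> bool:
    """Stage 2: the vulnerable function was called and any feature it needs is configured."""
    if v["vulnerable_symbol"] not in observed_symbols:
        return False
    feature = v.get("requires_feature")
    return feature is None or feature in configured_features


def is_mitigated(v: dict, profile: dict) -> bool:
    """Stage 3: the exploit's required action lies outside the profile, so it would be blocked."""
    kind, detail = v["exploit_needs"]
    return detail not in profile.get(kind, set())


def correlate(sbom_json, vulns, observed_symbols, configured_features, profile) -> dict[str, str]:
    """Run all three stages. CVEs dropped by static mapping are not returned at all."""
    result = {}
    for v in static_mapping(sbom_json, vulns):
        if not is_reachable(v, observed_symbols, configured_features):
            result[v["id"]] = NEVER_EXECUTED
        elif is_mitigated(v, profile):
            result[v["id"]] = MITIGATED
        else:
            result[v["id"]] = ACTIONABLE
    return result


def actionable(result: dict[str, str]) -> list[str]:
    """The list a team actually needs to work."""
    return sorted(cve for cve, cat in result.items() if cat == ACTIONABLE)


if __name__ == "__main__":
    res = correlate(SBOM_JSON, VULNS, OBSERVED_SYMBOLS, CONFIGURED_FEATURES, PROFILE)
    for cve, cat in res.items():
        print(f"{cve}: {cat}")
    print("actionable:", actionable(res))
```

Of the five constructed records, one is dropped at static mapping because the shipped version is already fixed, two are classed as never executed (one because its function was never called, one because the feature it needs was never configured), one is mitigated because the shell it would have to spawn is not in the profile, and one remains actionable because the connect it needs is something the build does anyway. The mitigation stage here takes a single required action per CVE; real exploit chains often have alternatives, so a production engine should only mark a CVE mitigated when every known path needs something the profile blocks.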
Stop drowning in CVE noise.
Get runtime protection, intelligent CVE prioritization, and measurable security improvement. Free trial, no credit card required.