Frequently Asked Questions
Cloud and Application Detection and Response (CADR): The Essentials
Let's ChatARMO CADR is the first Cloud Application Detection and Response platform that automatically classifies runtime incidents into actionable tiers so your team responds to threats, not noise.
See ARMO in Action →
Modern cloud attacks don't happen in one place. They start in a dependency, move through a container, pivot across your network, and exfiltrate through a cloud API — all in minutes.
Your tools alert on signals. But they don't understand them. By the time you correlate them manually, the attacker is already gone.
ARMO's AI analyzes the complete attack story — not isolated alerts — and assigns every runtime incident to one of four tiers. Before anyone on your team spends a minute on it.
A real attack is in progress. Top of the queue, full attack story attached.
Someone tried — and failed. Logged with full context, no fire drill.
Suspicious but inconclusive. Flagged for an analyst's judgment.
Anomalous but benign. Recorded, searchable, out of your way.
Your attack surface doesn't stop at the container. Neither do we.
Code-to-cloud explainability
Traces every attack signal from the exploited code line to the cloud API — as a graphic and textual narrative across containers, clusters, and cloud resources.
Supply chain security
Continuously profiles applications and flags behavioral changes — new processes, DNS endpoints, data access patterns — consistent with supply chain attacks.
AI-powered incident classification NEW
Every runtime incident automatically classified with AI-generated reasoning. Four tiers: Active Threat / Attempted Attack / Review Required / Informational.
Function-level anomaly detection
Real-time call stack analysis correlated with network traffic and infrastructure events. Identifies known and novel threats without relying on static rules.
Prevention
Auto-generates seccomp profiles and network policies that limit what an attacker can do — even after they're in. Reduces blast radius by 50%.
Blast radius analysis
Visual mapping of every affected and at-risk resource. When classification says Active Threat, blast radius tells you how bad it could get — instantly.
Advanced response
Policy-driven workflows route every incident by classification tier. Active Threat pages your team in Slack or Teams with the full attack story. Ticket opens in Jira, pre-filled.
AI-generated attack story
At the end of every incident — a complete natural language narrative. What happened, where it started, how it moved, what was done, and what you should do next.
Cloud and Application Detection and Response (CADR): The Essentials
Let's ChatARMO CADR is a behavioral security solution designed to protect cloud applications. It records a baseline of applications’ expected behavior and uses automated behavioral analysis to detect and respond to known aND UNKNOWN anomalies, providing a comprehensive view of threats across cloud environments.
ARMO CADR focuses on runtime behavioral analysis, which allows it to detect and respond to zero-day and everyday threats without relying solely on known signatures or rules. This approach enables proactive security measures that can identify threats early. It provides policy-based automatic responses so that attacks can be halted even if the root cause is not immediately addressed.
Since modern cyberattacks are rarely single-dimensional, ARMO CADR is designed to provide visibility from code-to-cloud, including Kubernetes and application level APIs, to name a few, providing runtime security insights across the entire cloud stack. This integration helps secure containerized environments and supports the evolving security needs of cloud-native applications and the infrastructure they depend on.
ARMO CADR improves cloud security cost savings and ROI by streamlining key processes. Automated learning of application behavior reduces configuration and maintenance costs. Once configured, it quickly analyzes security events, minimizing the time and resources needed to address threats. Its ability to detect zero-day vulnerabilities prevents costly attacks, eliminating the need for expensive remediation and potential financial losses. CADR also enables flexible vulnerability patching, due pinpointing the threats and providing immediate remediation. Thus, allowing organizations to schedule updates efficiently and minimize disruptions to production.
As a whole ARMO provides protection for on-prem and even air-gapped environments running cloud-native architecture. In this case ARMO CADR does not require a cloud account and the attack graph and related information will not include the cloud layer. It will focus on the VMs, containers, workloads and application layers.
A: When ARMO CADR detects a runtime event, it doesn’t just alert — it reasons. The AI model analyzes the full behavioral context: the call stack, network activity, historical application profile, and known attack patterns from MITRE ATT&CK.
Based on that analysis, every incident is classified into one of four tiers:
– Active Threat: a confirmed attack in progress — automated response triggered
– Attempted Attack: an attack that was detected and blocked — investigate the vector
– Review Required: anomalous behavior that needs human judgment
– Informational: a low-risk signal worth logging, no action needed
Each classification comes with an AI-generated explanation — not just a verdict, but the reasoning behind it. So your team understands exactly why an incident was flagged and what to do next.
Most security tools see one layer of your stack. Your code scanner sees the repository. Your container runtime sees the pod. Your SIEM sees the logs. None of them see how an attack moves between layers.
Code-to-cloud means ARMO CADR traces the full attack path — from the specific line of code that was exploited, through the container runtime, across the cluster network, to the cloud API where data was accessed.
In practice, when an incident fires, you get a complete attack narrative — not a list of disconnected alerts — showing exactly how the threat moved through your environment, which resources were affected, and what the blast radius looks like.
ARMO CADR deploys in under 10 minutes. There are no agents to install, no kernel modules to configure, and no changes required to your application code. Deployment is a single Helm chart for Kubernetes environments.
Once deployed, CADR begins building behavioral baselines for your workloads immediately. Anomaly detection and incident classification are active from the first day.
Yes. ARMO CADR is designed to complement your existing security infrastructure, not replace it. Current integrations include:
– Alerting: PagerDuty, Slack, Microsoft Teams
– SIEM: Splunk, Datadog, AWS Security Hub
– Ticketing: Jira, ServiceNow
– CI/CD: GitHub Actions, GitLab CI
For teams using SIEM or SOAR platforms, CADR enriches your existing alerts with code-to-cloud context and AI classification — so you get more signal from the infrastructure you already have.
Sarrah Bang
Global Head of Security, Alter Domus
Sarrah Bang
Global Head of Security, Alter Domus
“Whatever is happening in runtime is always what matters to us the most. That’s our number one visibility gap we were trying to resolve.”
“I was able to connect the cluster and start getting real-time security insights within 20–30 minutes. The attack path visualization helped us understand potential lateral movement risks.”
“ARMO results in concise, to-the-point, actionable vulnerabilities – without having to filter through 1,500+ false alarms or irrelevant findings because the faulty component is not in your runtime.”