> For the complete documentation index, see [llms.txt](https://docs.opsmx.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.opsmx.com/code-to-cloud-security-and-scanners/runtime-security/runtime-signals.md). # Runtime Signals Runtime Signals are the real-time data inputs that power effective runtime security in Delivery Shield — representing continuously collected data from applications, containers, infrastructure, and user interactions. These signals provide visibility into how systems actually behave under operating conditions, enabling the detection of anomalies that indicate potential threats. Runtime Signals include process activity, network traffic patterns, API call volumes, system logs, access patterns, file system events, and resource consumption metrics. ## **How Runtime Signals Work in OpsMx** Delivery Shield correlates signals across multiple sources to establish a **behavioral baseline** for each workload, service, and environment. Deviations from this baseline are flagged as potential risks. | Signal Type | Examples | What It Detects | | -------------------- | ---------------------------------------------------- | ----------------------------------------- | | **Process Activity** | Unexpected process execution inside containers | Container breakout, malware execution | | **Network Traffic** | Unusual outbound connections, port scanning | Data exfiltration, C2 communication | | **API Calls** | Abnormal call volumes, unexpected endpoints accessed | API abuse, unauthorized access | | **System Logs** | Authentication failures, privilege use | Credential attacks, insider threats | | **Resource Usage** | CPU/memory spikes, storage anomalies | Cryptomining, resource abuse | | **Access Patterns** | Unusual user or service account behavior | Compromised credentials, lateral movement | ### **Key Characteristics** * **Contextual** — tied to specific workloads, services, or users for precise attribution * **Continuous** — collected in real time across all connected environments * **Correlated** — combined across multiple signal sources for deeper, more accurate insights * **Actionable** — linked directly to remediation workflows, not just alert dashboards ## **Benefits for the User** * Security teams gain real-time visibility into production behavior without requiring agents or code instrumentation changes * Signals feed directly into analytics and trend analysis — enabling proactive risk identification before incidents occur * Runtime findings are linked back to code versions and deployment records for root-cause tracing --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://docs.opsmx.com/code-to-cloud-security-and-scanners/runtime-security/runtime-signals.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.