How bifrost Works
bifrost works in the background so you can work on what matters. Here's what happens under the hood.
Deploy the Agent
Install the lightweight bifrost agent into Kubernetes clusters using Helm. No code changes. No sidecars. The agent runs as a DaemonSet, ready to observe. Setup takes minutes.
Observe & Learn
Add a simple annotation to your deployments and bifrost starts learning. In pre-prod environments, every new build is observed: system calls, file access, network connections, process execution. Each build automatically produces a precise behavioural fingerprint.
Generate Runtime Profiles
For every build sent to production, bifrost automatically generates a tailored runtime profile. Each profile defines exactly what that container version is allowed to do, and nothing more. Profiles are human-readable and fully reviewable.
Enforce & Protect
Profiles are enforced at the kernel level. Any action outside established behaviour is blocked, from zero-days and supply-chain attacks to ransomware and container escapes. When you deploy the next build, profiles update automatically. Your protection evolves with your application.
Correlate & Prioritise
bifrost ingests SBOMs for application code and container images at each build. CVEs are correlated against actual runtime behaviour. Unreachable vulnerabilities are deprioritised, and blocked vectors are marked as mitigated. You see only the exposures that genuinely need attention.
Technical Deep-Dive
A closer look at each stage of the bifrost pipeline.
Runtime Data Collection
The bifrost agent collects detailed behavioural data: system calls (execve, open, connect, bind, mmap), file I/O, network activity, process creation, environment variables, loaded libraries.
What is NOT collected:
Application data, PII, request payloads, database contents, API responses. The agent observes behavioural signals only, not information flows. Data is aggregated and anonymised.
Minimal performance impact (<1% CPU).
SBOM Integration
bifrost ingests SBOM data to understand the dependency landscape. Supported formats: CycloneDX (XML/JSON) and SPDX. Integration with SBOM generators happens automatically in CI/CD.
The SBOM provides precise information about every dependency, version, and known CVE. bifrost correlates this against runtime behaviour to determine reachability.
Continuous re-evaluation:
As CVE databases update, bifrost continuously re-evaluates exposure without requiring new builds.
CVE Correlation Engine
The CVE correlation engine is the heart of Exposure Intelligence. It operates in three stages:
Scan SBOM
Periodically scan the image and code SBOMs to surface CVEs and establish the initial exposure in each environment.
Reachability Analysis
Cross-reference vulnerable code paths with runtime behaviour. If a vulnerable library is never called or a feature is never configured, the CVE is unreachable.
Mitigation Assessment
Determine if the runtime profile blocks the exploit vector. If a CVE requires binary execution but the profile doesn't allow it, it's marked as mitigated.
Result: vulnerabilities categorised as:
Reachable and not mitigated, requires attention
Mitigated by runtime profile
Code path never executed
Teams focus on the Actionable list, typically up to 90% smaller than the original scanner output.
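The three-stage correlation above, reduced to a toy engine as an added illustration; this is not bifrost's code. It parses a constructed CycloneDX 1.4 JSON fragment, uses a constructed pre-prod observation (loaded libraries, executed syscalls) as the runtime profile, and assumes a separate map of which runtime action each CVE's exploit vector needs, since CycloneDX itself carries no such field.

```python
import json
# Constructed CycloneDX 1.4 fragment: components carry a bom-ref and each vulnerability
# lists the refs it affects (standard CycloneDX fields; the values here are made up).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "bom-ref": "pkg:generic/libimage@1.2", "name": "libimage"},
        {"type": "library", "bom-ref": "pkg:generic/libnet@3.0", "name": "libnet"},
        {"type": "library", "bom-ref": "pkg:generic/libunused@0.9", "name": "libunused"},
    ],
    "vulnerabilities": [
        {"id": "CVE-EXAMPLE-0001", "affects": [{"ref": "pkg:generic/libimage@1.2"}]},
        {"id": "CVE-EXAMPLE-0002", "affects": [{"ref": "pkg:generic/libnet@3.0"}]},
        {"id": "CVE-EXAMPLE-0003", "affects": [{"ref": "pkg:generic/libunused@0.9"}]},
    ],
})
# Constructed assumption: the runtime action each exploit vector needs. CycloneDX has
# no such field; a real engine would take it from its own vulnerability intelligence.
EXPLOIT_REQUIRES = {"CVE-EXAMPLE-0001": "execve", "CVE-EXAMPLE-0002": "connect",
                    "CVE-EXAMPLE-0003": "open"}
# Constructed pre-prod observation: libraries seen loaded, syscalls seen executed.
OBSERVED_LIBS = {"libimage", "libnet"}
OBSERVED_SYSCALLS = {"open", "read", "connect", "mmap"}

def categorise(cve_id, component, observed_libs, allowed):
    # Reachability: a library never loaded is a code path that never executed.
    if component not in observed_libs:
        return "unreachable"
    # Mitigation: the profile denies the action the exploit needs. An unknown
    # requirement stays actionable rather than being assumed mitigated.
    needs = EXPLOIT_REQUIRES.get(cve_id)
    if needs is not None and needs not in allowed:
        return "mitigated"
    return "actionable"

def correlate(sbom_json, observed_libs, observed_syscalls):
    sbom = json.loads(sbom_json)
    name_by_ref = {c["bom-ref"]: c["name"] for c in sbom["components"]}
    # The runtime profile allows exactly what was observed and nothing more.
    allowed = frozenset(observed_syscalls)
    buckets = {"actionable": [], "mitigated": [], "unreachable": []}
    for vuln in sbom["vulnerabilities"]:
        for affected in vuln["affects"]:
            bucket = categorise(vuln["id"], name_by_ref[affected["ref"]], observed_libs, allowed)
            buckets[bucket].append(vuln["id"])
    return buckets

def noise_reduction(buckets):
    """Fraction of scanner findings kept off the actionable list."""
    total = sum(len(ids) for ids in buckets.values())
    return 1 - len(buckets["actionable"]) / total if total else 0.0
```

With the constructed inputs, one of the three CVEs lands on the actionable list: the library behind the second is loaded and the connect it needs is in the profile, while the first is mitigated because the profile never allows execve and the third is unreachable because its library never loads.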
Stop drowning in CVE noise.
Get runtime protection, intelligent CVE prioritisation, and measurable security improvement. Free trial, no credit card required.