
Cloud Security
Oligo Cloud Application Detection & Response (CADR)
Runtime application security detecting exploits via eBPF library-level behavioral analysis.
Oligo Cloud Application Detection & Response (CADR) Overview
What it does
Oligo Security is a runtime application security company founded in January 2022 by three childhood friends and former Israeli Defense Forces elite cyber unit officers, CEO Nadav Czerninski, CTO Gal Elbaz, and CPO Avshalom Hilu, serving graduates from Unit 8200, Unit 81, and Matzov (Center of Encryption and Information Security) with headquarters in Tel Aviv and offices in New York and Palo Alto. The company emerged from stealth in February 2023 with $28 million in initial funding and has raised $78-86 million total including a $50 million Series B in January 2025 led by Greenfield Partners with participation from Lightspeed Venture Partners, Ballistic Ventures, and TLV Partners, serving Fortune 500 customers across financial services, healthcare, and technology sectors.
How it works
The Oligo Cloud Application Detection and Response (CADR) platform uses patent-pending eBPF technology to monitor live application behavior at the library level, profiling the legitimate behavior of each library to create a knowledge base and detecting deviations in real-time to identify zero-day exploits, malicious packages, and shadow vulnerabilities without relying on traditional signature-based detection methods. The platform provides unprecedented visibility across the entire software supply chain including third-party commercial software and open-source components, automatically correlating events and behaviors to surgically block attacks at the first exploit attempt while maintaining application performance and stability, reducing the threat exposure window from days to minutes and enabling security teams to focus on truly exploitable vulnerabilities rather than theoretical risks.
Credentials and traction
Oligo appears on the 2026 Fortune Cyber 60 list of top private cybersecurity companies, its second consecutive year, and on Fast Company's Most Innovative Companies of 2026 and the Rising in Cyber 2026 list. It was named a 2025 SINET16 Innovator, selected by more than 100 CISOs and risk executives, and recognized as both a Cloud Security Innovator and a CADR leader in the Latio 2025 Cloud Security Market Report; it also earned the SC Media Best Supply Chain Security Solution award in 2024. Customers include Salesforce, ServiceNow, Databricks, Instacart, and SoFi.
Key Capabilities
mapped to solution categoriesTriggers automated response actions (session revocation, account suspension, OAuth grant removal), in SaaS platforms in response to confirmed detections via platform APIs.
Detects misuse of OAuth access tokens granted to connected applications, including tokens being used outside expected scope, geographic anomalies, and post-compromise app persistence.
Monitors user, admin, and OAuth app activity within SaaS platforms (M365, Google Workspace, Salesforce, GitHub), for anomalies and policy violations using API-based log ingestion.
Detects attacks at the application and API layer at runtime using behavioral signals such as unexpected process behavior, suspicious API calls, unusual service-to-service communication, and exploit activity across cloud apps, containers, and Kubernetes.
Supports on-premises or air-gapped artifact and workload inspection under customer control, so regulated or sovereign data never leaves the customer boundary.
Instruments workload behavior at the kernel level via eBPF without a traditional user-space agent. Provides syscall-level visibility into process execution, network connections, and file access in running containers and VMs.
Enriches cloud misconfigurations, vulnerable workloads, and runtime detections with threat intelligence on active exploitation, prioritizing exposures attackers use over theoretical severity alone.
Analyzes container images and dependencies for CVEs, malicious or compromised packages, and SBOM generation across the build pipeline.
Monitors running pod and container behavior against policy, detecting unexpected process execution, network connections, and privilege escalation at runtime rather than at image scan time.
Delivers scan results inside developer IDEs and pipeline stages so developers receive findings before code merges, reducing the cost and cycle time of remediation.
Correlates individual misconfigurations and CVEs into chained attack scenarios showing lateral movement paths from exposed entry point to a target asset. Produces a prioritized list of attack paths rather than a flat CVE inventory.
Operate in monitor-only mode (log and alert), or active blocking mode (terminate request upon detection). Most deployments begin in monitor mode to establish a false positive baseline before enabling blocking.
Instruments runtimes to intercept database queries, command execution, and deserialization across Java, .NET, Python, Node.js, PHP, Ruby, and Go, with coverage depth varying by product.
Performs in-process interception and threat analysis with minimal latency impact, keeping the agent viable in production workloads with overhead varying by product.
Streams runtime attack evidence such as blocked exploit attempts and suspicious invocations to SIEM, SOAR, and APM platforms, commonly via OpenTelemetry.
Detects and blocks injection at the sink where untrusted input reaches dangerous operations, covering SQL and NoSQL injection, command injection, XXE, path traversal, and SSRF.
Detects exploitation of unknown vulnerabilities by analyzing runtime behavior rather than matching known attack signatures, protecting against vulnerabilities before CVE publication.
Verifies the integrity of application code, resources, and the execution environment at runtime, detecting repackaging, method hooking, and dynamic instrumentation such as Frida, and triggering a defensive response when tampering is detected.
Blocks exploitation of known vulnerabilities at runtime without source code changes, reducing exposure during the gap before a deployed fix, especially on legacy or hard-to-patch applications.
Integrations
compatible toolsImplementation & support
Info last updated on May 27, 2026
Vendors
Is this your product?
Claim your profile to connect with the teams looking for your solutions.