Security Stack Logo
Sweet Runtime CNAPP logo

Cloud SecurityApplication Security

Sweet Runtime CNAPP

Runtime CNAPP unifying cloud, workload, and Layer 7 detection and response via an eBPF sensor.

Cloud Application Detection and Response (CADR)Cloud-Native Application Protection Platform (CNAPP)

Sweet Runtime CNAPP Overview

What it does

Sweet Runtime CNAPP is a cloud-native application protection platform that secures cloud infrastructure, workloads, and the application layer from one runtime view. It deploys an eBPF-based sensor that observes live process, network, and system-call activity, building a behavioral baseline for each environment so it can surface confirmed attacks rather than theoretical posture findings. The platform spans both traditional and AI-driven applications.

How it works

The sensor profiles applications and cloud identities at runtime, then detects anomalous behavior across cloud, workload, container, Kubernetes, and Layer 7 application and API activity. A patented detection engine driven by a large language model correlates related events into a single attack storyline, scores impact and severity, and cuts alert noise to a fraction of a percent. Identity threat detection and response flags account takeover and anomalous identity behavior, and guided response playbooks can terminate malicious processes while keeping production stable.

Credentials and traction

The platform protects Fortune 1000 organizations and customers including Fireblocks, Kaltura, and ShipStation. Sweet Security reports sixfold annual recurring revenue growth and a tenfold increase in enterprise customers over the past year.

Key Capabilities

mapped to solution categories
Cloud-Native Application Protection Platform (CNAPP)

Discovers and classifies sensitive data in IaaS and PaaS stores such as object storage, databases, and data warehouses, surfacing data exposure risk alongside infrastructure findings.

Instruments workload behavior at the kernel level via eBPF without a traditional user-space agent. Provides syscall-level visibility into process execution, network connections, and file access in running containers and VMs.

Exports compliance evidence pre-mapped to framework control requirements (SOC 2, ISO 27001, PCI DSS), in formats auditors can consume directly: not raw CSV exports requiring manual assembly.

Monitors running pod and container behavior against policy, detecting unexpected process execution, network connections, and privilege escalation at runtime rather than at image scan time.

Analyzes IAM policies across AWS, Azure, and GCP to surface over-permissioned roles, unused permissions, and cross-account trust relationships that create lateral movement opportunities.

Continuously audits cloud and Kubernetes configuration across AWS, Azure, and GCP against security benchmarks, flagging misconfigurations and identity-permission gaps that create exploitable exposures.

Delivers scan results inside developer IDEs and pipeline stages so developers receive findings before code merges, reducing the cost and cycle time of remediation.

Cloud Application Detection and Response (CADR)

Detects attacks at the application and API layer at runtime using behavioral signals such as unexpected process behavior, suspicious API calls, unusual service-to-service communication, and exploit activity across cloud apps, containers, and Kubernetes.

Correlates SaaS activity with identity events (MFA changes, session token replay, impossible travel) to detect account takeover within cloud application environments.

Integrations

compatible tools
AWS Security HubChronicleCyberArkGitHubGitLabIllustriaIntezerJiraJitMicrosoft SentinelMicrosoft TeamsOpsgeniePantherServiceNowSiemplifySlackSplunkSumo LogicTorq

Implementation & support

Deployment model
CloudSaaS
Pricing structure
Custom / EnterpriseSubscription
Support channels
Customer Success TeamDocumentationSlack (Customer Channel)

Info last updated on June 30, 2026