Purpose
RunWhen maintains a lightweight but active Threat Intelligence (TI) process focused on early detection of credential exposure, software vulnerabilities, and ecosystem risks relevant to our cloud-native platform. This policy outlines how threat intelligence is collected, reviewed, and used to protect RunWhen systems and customer environments.
Ownership and Governance
The Threat Intelligence process is overseen jointly by the Head of Security and the Head of Engineering. Operational responsibilities are embedded into RunWhen’s secure software development lifecycle (SSDLC), with escalation paths defined in our Security Incident Response Procedures. The formal policy governing this process is referred to internally as the Threat Monitoring and Intelligence Response Policy and is reviewed annually or following any major incident.
Sources of Threat Intelligence
RunWhen aggregates threat intelligence through a combination of automated tools and curated sources. These include:
- Google Cloud Security Command Center, which continuously monitors our cloud security posture, threats, misconfigurations, and vulnerabilities across all of our infrastructure
- GitHub Dependabot alerts, which continuously monitor our code repositories and open-source dependencies for known vulnerabilities, with automatic PRs for critical patches
- Trivy vulnerability scans integrated into our container build pipelines, detecting issues in OS packages, language-specific dependencies, and Kubernetes configuration
- Community and vendor-driven CVE feeds, integrated into the Trivy scanning pipelines
- Security mailing lists relevant to our technology stack, including feeds for Google Cloud and Kubernetes
- Credential exposure monitoring for our principals (notably the CEO) using best-in-class dark web monitoring tools
This layered approach ensures that RunWhen is alerted promptly to newly disclosed vulnerabilities that could affect our systems or those of our users, and enables rapid triage and remediation.
Use of Threat Intelligence in Operations
Threat intelligence is operationalized in the following ways:
- CVEs impacting our stack are triaged as part of our release cadence and patched based on severity and exploitability.
- New threat patterns are communicated to developers via internal advisories, and mitigations are added to baseline project templates.
- Findings are integrated into tooling such as dependency scanners and container hardening baselines to prevent reintroduction of known issues.
Integration into Software Development
Threat intelligence is a component of our secure-by-design model. Key touchpoints include:
- Trivy scans for known vulnerabilities in container images run in every build of the RunWhen Local agent
- Trivy scans for known vulnerabilities in container images throughout our entire stack. Note: work in progress.
- Automated penetration testing of all internet-facing ingress points. Note: work in progress.
- Awareness and patch planning for vulnerabilities in our hardened ingress controllers (hardened NGINX) and service mesh (Linkerd)
Coordination with Incident Response
Relevant threat intelligence findings are shared with the response team and considered part of proactive defense. Potential incidents identified via TI channels follow the triage and escalation process defined in the Security Incident Response Procedures.
Justification for Scope
RunWhen does not maintain a formal in-house threat research team, and we do not consider one necessary given the scale and nature of our platform. Our threat intelligence program is tailored to the risks inherent in operating a secure, automated SaaS platform for infrastructure operations. Focus is placed on actionable signals over speculative ones.
Contact and Questions
For questions related to threat intelligence or to report a potential vulnerability, please visit our Security Contact page or email security@runwhen.com.