TL;DR: Static scanners and posture tools struggle to keep pace with short-lived containers, serverless, and multi-cloud environments, leaving a runtime gap that Frost & Sullivan says is now driving demand for Cloud Detection & Response and Application Detection & Response. The real issue is not coverage volume but whether controls can see what is actually executing in production.
NHIMG editorial — based on content published by Oligo Security: Bridging the Runtime Gap: Insights from Frost & Sullivan’s 2025 Cloud / Application Runtime Security Report
Questions worth separating out
Q: How should security teams reduce cloud-native risk when static scanning misses live exploitation?
A: They should add runtime detection that confirms whether a weakness is actually executing, then use that signal to prioritise response.
Q: Why do IAM missteps become more dangerous in cloud-native runtime environments?
A: Because identity abuse often becomes an execution problem once a token, role, or service credential is used inside a live workload.
Q: What should teams measure to know whether runtime security is working?
A: They should measure whether detections identify active exploitability, not just whether assets are flagged as vulnerable.
Practitioner guidance
- Prioritise runtime-confirmed exploitability Tune triage so vulnerabilities matter only when the function, container, or process is actually executing in production, then route those cases into response workflows immediately.
- Correlate IAM misuse with live workload behaviour Join identity telemetry, API access, and runtime detection so a compromised token or mis-scoped workload account is visible as an active attack path rather than a configuration issue.
- Map detection coverage across Kubernetes and serverless Verify that your monitoring can follow ephemeral pods, serverless functions, and short-lived jobs from start to finish, including the handoff into SIEM and SOAR.
What's in the full article
Oligo Security's full post covers the operational detail this post intentionally leaves for the source: the report framing, product-level positioning, and vendor-specific explanation of how its runtime approach fits into ADR.
- How the Frost & Sullivan report positions runtime detection across application, workload, and cloud infrastructure layers
- The vendor's detailed explanation of how it reduces noise by checking whether a vulnerable function actually loads and runs
- The implementation context for SIEM, SOAR, Jira, and DevOps integrations that this analysis only references at a high level
- The report-level claims about market growth and vendor positioning that practitioners may want for internal briefing material
👉 Read Oligo Security's analysis of cloud-native runtime security and ADR →
Runtime security for cloud-native workloads: what teams are missing?
Explore further
Runtime visibility is now an identity problem, not only an application security problem. The article shows that attacks in cloud-native environments often begin with IAM missteps, exposed APIs, or workload access that becomes dangerous only when it is exercised live. That means the control question is not just whether an entitlement exists, but whether the entitlement is being used in a way that reflects actual runtime behaviour. The implication is that identity governance and runtime security can no longer be separated cleanly.
A few things that frame the scale:
- Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption, according to The 2026 Infrastructure Identity Survey.
- 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, which is why runtime-aware governance is becoming a baseline requirement rather than a niche capability.
A question worth separating out:
Q: How do CDR and ADR change incident response in cloud-native environments?
A: They shorten the time between exploitation and containment by showing what is happening inside running applications and workloads. That gives SOC teams context on which process, credential, or service was involved, which is more actionable than a static alert after the fact.
👉 Read our full editorial: Runtime security gaps in cloud-native environments are widening