
Proving Compliance at Runtime

Date:
May 28, 2026
Category:
General
Author:
Noah Simon

TL;DR

  • Traditional compliance relies on "build-time theory": static scans that guess at risk, leading to 90–99% noise.
  • Oligo Security provides runtime truth through Deep Application Inspection (DAI), observing actual execution behavior to identify which critical vulnerabilities are real.
  • Proving which libraries actually execute in production allows organizations to extend FedRAMP SLAs from 72 hours to 180 days.
  • Customers like Sage and Cato Networks have used this runtime context to reduce vulnerability backlogs by up to 90% and 70%, respectively.

Leading compliance frameworks, such as FedRAMP, PCI DSS 4.0, and SOC 2, rest on the premise that organizations can see what is running in their environments. In dynamic IT setups, that premise is a build-time theory, not a runtime truth.

For most organizations, the vast majority of vulnerability findings are theoretical. They are assumptions, based on the mere presence of a library, rather than observable evidence of what is actually executing in production.

Many legacy compliance tools produce static artifacts that are often reviewed months later, by which time the information is outdated and irrelevant. From an auditing perspective, this is problematic because static compliance artifacts (e.g., software bills of materials (SBOMs), scan reports, and patch tickets) reflect build-time theory, not what is actually running.

With compliance obligations mounting, how can organizations shift from an assumption-based to an evidence-based model? The answer is runtime truth. 

Oligo Security is a runtime application security platform that uses DAI to observe application execution behavior, prioritizing vulnerabilities that pose active risk.

The Problem with Static SBOMs

Runtime security is a compliance imperative, but understanding why begins with untangling the shortfalls of static SBOMs. Static SBOMs were useful in an era where vulnerability timelines were longer. Slower exploitation cycles meant that SBOMs were a fair reflection of what might be affected. In the AI era, that model has completely eroded.

The window between disclosure and active exploitation has shrunk sharply. Adversaries use AI to analyze CVEs, generate exploits, and scan for targets faster than any human remediation cycle can respond. According to the Cloud Security Alliance, attackers can now produce working exploit code for a known vulnerability in 10–15 minutes, at roughly a dollar per run.

This velocity means even a 72-hour-old SBOM is a build-time theory unfit for critical security decision-making. From a compliance standpoint, such SBOMs are historical data: incomplete at best and irrelevant at worst. 

Static SBOMs are fossilized accounts of what was shipped. They don’t represent the current state or provide insights into exploitability. For auditors, it is extra paperwork based on guesses. 

Noise is another contributor to the compliance chasm: 90–99% of vulnerabilities flagged by static scanners involve libraries or functions that never execute at runtime. This is counterproductive to compliance. 

Point-in-time compliance is obsolete; organizations need a model centered around runtime observation.

Understanding Runtime Compliance Evidence

Unlike static SBOMs, runtime observation produces a living record of the current state and what is executed in production. It transcends “what was shipped” by replacing probabilistic assertions with runtime truth. 

Static scans might suggest a CVE applies because a library is in a dependency tree. However, runtime evidence produces auditable facts: for example, whether a function was or was not called during the last 30 days of production execution.

These are not theoretical or algorithmic approximations. They are observed behaviors recorded straight from live systems. Oligo Security leverages DAI to observe execution behavior and prioritize vulnerabilities posing material, exploitable risks. This approach answers three crucial questions:

  1. Is a vulnerable library loaded? This determines whether a CVE is in scope and relevant to regulatory adherence. 
  2. Is the vulnerable function executed? This offers insights into real-world exploitability versus build-time theory. 
  3. Is there anomalous behavior? This reveals if an attack is currently in progress or has already occurred.

The answers to these questions are defensible and auditable compliance evidence. Across compliance frameworks like FedRAMP, PCI DSS 4.0, and SOC 2, this data addresses the “reduced likelihood or impact” clause. Since runtime non-execution is explicit proof of reduced likelihood, the data that surfaces from runtime observation substantially improves auditability and compliance.
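As an added example (not Oligo's code, and not a description of how DAI or its VEX output works internally), the following Python turns constructed runtime observations into VEX-style statements for each static finding, mapping the three questions above onto the OpenVEX status and justification vocabulary. The CVE ids, library names, event log and sensor coverage date are placeholders; the coverage check exists because "never executed" is only evidence when the sensor actually observed the whole window.

```python
# Added example, not Oligo's code: runtime evidence -> VEX-style statement.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 5, 28, tzinfo=timezone.utc)  # constructed "now"

# Constructed static findings: placeholder CVE id -> (library, vulnerable function).
STATIC_FINDINGS = {
    "CVE-XXXX-0001": ("libparse", "libparse.decode"),
    "CVE-XXXX-0002": ("libimg", "libimg.resize"),
    "CVE-XXXX-0003": ("libxml", "libxml.parse_dtd"),
}

# Constructed observations from a hypothetical runtime sensor: (time, event, subject).
RUNTIME_EVENTS = [
    (NOW - timedelta(days=45), "function_called", "libparse.decode"),  # outside 30-day window
    (NOW - timedelta(days=20), "library_loaded", "libparse"),
    (NOW - timedelta(days=20), "library_loaded", "libimg"),
    (NOW - timedelta(days=3), "function_called", "libimg.resize"),
    (NOW - timedelta(days=3), "anomaly", "libimg.resize"),  # e.g. unexpected child process
]

@dataclass(frozen=True)
class VexStatement:
    cve: str
    status: str         # OpenVEX: not_affected | affected | under_investigation
    justification: str  # OpenVEX justification when not_affected, else ""
    evidence: str       # audit-facing detail backing the status

def classify(cve, events=RUNTIME_EVENTS, now=NOW, window_days=30,
             coverage_start=NOW - timedelta(days=60)):
    """Turn runtime evidence for one static finding into a VEX statement."""
    lib, func = STATIC_FINDINGS[cve]
    start = now - timedelta(days=window_days)
    # Absence of evidence only counts when the sensor observed the whole window.
    if coverage_start > start:
        return VexStatement(cve, "under_investigation", "",
                            f"sensor coverage began {coverage_start.date()}; window incomplete")
    recent = {(e, s) for t, e, s in events if start <= t <= now}
    if ("library_loaded", lib) not in recent:    # question 1: library loaded?
        return VexStatement(cve, "not_affected", "vulnerable_code_not_in_execute_path",
                            f"{lib} never loaded in the last {window_days} days")
    if ("function_called", func) not in recent:  # question 2: function executed?
        return VexStatement(cve, "not_affected", "vulnerable_code_not_in_execute_path",
                            f"{lib} loaded but {func} never executed in the last {window_days} days")
    detail = f"{func} executed in the last {window_days} days; remediate within SLA"
    if ("anomaly", func) in recent:              # question 3: anomalous behaviour?
        detail += "; anomaly observed on this function, treat as possible active exploitation"
    return VexStatement(cve, "affected", "", detail)
```

Each statement carries the observation window and the reason for its status, which is the auditable detail a "reduced likelihood" claim needs to survive review.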

How Runtime Observability Satisfies Different Compliance Frameworks

Now that we have a bird’s-eye view of the compliance implications of runtime observation, let’s examine how it addresses specific frameworks.

FedRAMP

Under FedRAMP, remediation SLAs for critical CVEs can be as short as 72 hours. For engineering teams under pressure, this is often operationally overwhelming. If a finding involves a library that never went into production, teams waste precious resources on build-time theory.

FedRAMP permits risk adjustment when compensating controls reduce exploitation likelihood. To use this option, teams require runtime non-execution evidence. With this evidence, FedRAMP can extend remediation SLAs from 72 hours to up to 180 days.

Runtime evidence also helps eliminate false positives, which FedRAMP defines as any finding that “incorrectly indicates a given condition exists when it does not.” Runtime observability reveals if libraries were never executed, allowing teams to close the finding without unnecessary escalation. 

PCI DSS 4.0

Runtime evidence directly addresses many PCI DSS 4.0 requirements. Requirement 6.3.1 calls for risk-ranked vulnerability management. While CVSS scores measure theoretical risk, they offer no insights into whether vulnerabilities have entered production. Runtime execution data provides that extra layer of context, revealing real-world exploitability rather than a theoretical assumption.

Similarly, Requirement 6.3.2 mandates an inventory of bespoke and custom software. Unlike static SBOMs and manifests, runtime observability grounds that inventory in what is observed executing. Requirement 11.3.1 requires periodic scans and resolution of critical/high findings, and runtime evidence lets teams move non-executed vulnerabilities into lower-risk categories.

Requirement 6.4.2 mandates automated technical controls like firewalls to protect public-facing web applications. Runtime anomaly detection complements this by providing continuous behavioral visibility into what is actually executing against those applications in production.

SOC 2

Similar to FedRAMP and PCI DSS 4.0, runtime compliance evidence helps teams adhere to SOC 2, specifically its Common Criteria CC6 (Logical and Physical Access) and CC7 (System Operations). These criteria require organizations to monitor production environments to detect anomalies.

Going beyond static documentation, runtime observability offers continuous, timestamped evidence of what is actually executing. This supports change management and risk assessments by enriching them with live behavioral data instead of historical snapshots.

The Business Case for Runtime Compliance and Security 

For CISOs and GRC leaders, the compliance argument for runtime security is strong, and the benefits are far-ranging.

Under most existing models that hinge on build-time theory, audits create remediation sprints that interrupt product work. Security teams waste time chasing CVEs that will never be exploited because the vulnerable code never entered production. Considering the narrow SLA windows of most frameworks and already overburdened teams, security (and, by extension, compliance) becomes reactive, expensive, and disorganized.

Oligo Security, a runtime application security platform powered by DAI, provides the runtime truth needed to streamline these efforts. By focusing only on vulnerabilities that actually execute, organizations can reduce noise by 90–99%.

The runtime model flips the script. Compliance evidence is generated continuously as a byproduct of security operations. During an audit, organizations simply retrieve fresh data rather than create it. This shifts the compliance posture from reactive and expensive to proactive and organized.

Cost savings come from the bandwidth no longer spent on low-risk vulnerabilities and from meeting narrow SLA windows. The business case holds, however, only if runtime security avoids the performance tax of traditional agents and introduces no operational risk of its own. Oligo Security addresses this with a proprietary, kernel-safe, non-intrusive sensor that runs with near-zero overhead (<0.5% CPU), so compliance evidence is gathered without impacting performance or adding new operational risk.

How Oligo Security Reinforces Runtime Compliance 

Security and compliance teams face mounting pressure to adhere to standards like FedRAMP, SOC 2, and PCI DSS 4.0. However, static tools offer no meaningful solutions for these dynamic requirements. Real-time observability across runtime environments is imperative, and for that, organizations need a runtime protection platform that transcends the limitations of CNAPPs and infrastructure tools.

Oligo redefines runtime protection. By providing runtime truth, Oligo transforms the entire compliance strategy, zeroing in on real-world exploitability and ignoring vulnerabilities that never made it to production. 

Transcending traditional SCA, SBOM, and CSPM tools, Oligo answers the only question that matters: What is actually running?

Oligo’s key runtime security and compliance features include:

  • Automated Runtime SBOM & VEX: Generates real-time inventory and exploitability data based on actual runtime risks.
  • Deep Application Inspection: Detects runtime exploits and provides the technical context needed for incident response and forensics.
  • Near-Zero Overhead: Consumes <0.5% CPU and less than 500MB of RAM, allowing organizations to revamp compliance without sacrificing performance.

By replacing build-time theory with runtime truth, Oligo helps organizations cut costs, reduce vulnerability noise by 90–99%, and meet the rigorous evidence requirements of modern regulatory frameworks.

Interested in seeing how Oligo can help your organization improve FedRAMP, PCI DSS 4.0, and other compliance frameworks? Book a demo.
