Container security has two moments: before deployment, when you scan the image, and after, when it is live. Pre-deployment scanning catches known-vulnerable packages baked into the image, but it misses what only becomes visible at runtime — the vulnerable code path that is actually exercised, the dependency loaded dynamically.

Twistlock, Ltd.'s US10915628B2, “Runtime detection of vulnerabilities in an application layer of software containers” (issued February 9, 2021; CPC G06F 21/554 — detecting malicious behavior, and G06F 21/52 — monitoring program execution), describes detecting application-layer vulnerabilities in containers at runtime. Read it at US10915628B2.

Mechanically, this means watching the running container's application behavior — what code executes, what is loaded — to surface vulnerabilities that a static image scan cannot see. It complements pre-deployment scanning rather than replacing it: shift-left scanning and runtime detection together are what “cloud-workload protection” actually means.
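To make the static-versus-runtime distinction concrete, here is a small added example (my own code, not the patent's method or any Twistlock/Prisma Cloud implementation). It assumes two inputs a defender would realistically have: the package findings of a pre-deployment image scan, and the list of files the running process has actually mapped, which on Linux can be read from /proc/&lt;pid&gt;/maps. Correlating the two splits the static findings into vulnerable packages that are actually loaded (fix first), flagged packages that never load (still fix, lower urgency), and loaded libraries the image manifest never listed, which is exactly the dynamically loaded code a static scan cannot see. All sample data and advisory ids below are constructed placeholders.

```python
"""Correlate a static image scan with what a container process actually loads at runtime."""
from __future__ import annotations

import os
import re
from dataclasses import dataclass, field

# Constructed sample: lines in the format of /proc/<pid>/maps for a container process.
# Only file-backed mappings matter here; [heap], [stack] and anonymous regions are skipped.
SAMPLE_MAPS = """\
55d3a0c00000-55d3a0c2a000 r--p 00000000 08:01 1310720 /app/server
7f1c2e400000-7f1c2e5f0000 r-xp 00000000 08:01 1049 /usr/lib/libc.so.6
7f1c2e800000-7f1c2ea00000 r-xp 00000000 08:01 2231 /usr/lib/libssl.so.3
7f1c2ec00000-7f1c2ec40000 r-xp 00000000 08:01 9911 /app/plugins/libjson-parser.so
7f1c2ee00000-7f1c2ee21000 rw-p 00000000 00:00 0 [heap]
7ffd1a000000-7ffd1a021000 rw-p 00000000 00:00 0 [stack]
"""

# Constructed sample: packages the pre-deployment scan flagged, with placeholder advisory ids.
STATIC_FINDINGS = {
    "libssl": ["ADV-PLACEHOLDER-1"],
    "libxml2": ["ADV-PLACEHOLDER-2"],
    "imagemagick": ["ADV-PLACEHOLDER-3"],
}

# Constructed sample: everything the image manifest lists, i.e. all the static scanner could see.
IMAGE_MANIFEST = {"libssl", "libxml2", "imagemagick", "libc", "server"}

# Matches "name.so", "name.so.3", "name.so.1.2" and captures the name.
_SO_RE = re.compile(r"^(.*?)\.so(?:\.\d+)*$")


def package_of(path: str) -> str:
    """Reduce a mapped file path to a package-like name (basename minus the .so suffix chain)."""
    base = os.path.basename(path)
    m = _SO_RE.match(base)
    return m.group(1) if m else base


def loaded_files(maps_text: str) -> set[str]:
    """Return the file-backed mappings from /proc/<pid>/maps text."""
    files: set[str] = set()
    for line in maps_text.splitlines():
        parts = line.split(maxsplit=5)  # address perms offset dev inode [pathname]
        if len(parts) == 6 and parts[5].startswith("/"):
            files.add(parts[5])
    return files


@dataclass
class Correlation:
    exercised: dict[str, list[str]] = field(default_factory=dict)  # flagged and loaded: fix first
    dormant: dict[str, list[str]] = field(default_factory=dict)    # flagged, never loaded: lower urgency
    unscanned: set[str] = field(default_factory=set)               # loaded but absent from the manifest


def correlate(static_findings: dict[str, list[str]],
              image_manifest: set[str],
              maps_text: str) -> Correlation:
    """Split static findings by runtime exposure and surface code the static scan never saw."""
    loaded = {package_of(p) for p in loaded_files(maps_text)}
    result = Correlation()
    for pkg, advisories in static_findings.items():
        bucket = result.exercised if pkg in loaded else result.dormant
        bucket[pkg] = list(advisories)
    result.unscanned = loaded - image_manifest
    return result


if __name__ == "__main__":
    c = correlate(STATIC_FINDINGS, IMAGE_MANIFEST, SAMPLE_MAPS)
    print("exercised (loaded and flagged):", c.exercised)
    print("dormant (flagged, not loaded):  ", sorted(c.dormant))
    print("unscanned (loaded, not in image manifest):", sorted(c.unscanned))
```

With the constructed data, libssl is both flagged and mapped, libxml2 and imagemagick are flagged but never loaded, and the plugin under /app/plugins appears at runtime without ever being in the manifest. That last bucket is the one no amount of image scanning produces, which is why the two views are complementary rather than interchangeable.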

Why this is a business story: this pairs with Twistlock's process-profiling IP as the technical foundation of Palo Alto's Prisma Cloud, acquired in the $410 million Twistlock deal. The runtime-versus-static distinction is also the competitive battleground in cloud security — agentless scanners (Wiz, Orca) sell on scan coverage, while runtime vendors sell on catching what only appears when code runs. This grant stakes the runtime side of that argument.

The grounded read: runtime container vulnerability detection catches flaws that static image scanning misses by watching the application as it executes. Twistlock's 2021 grant names that runtime-layer detection — a pillar of the cloud-workload-protection thesis Palo Alto bought into.