Runtime application self-protection monitors application behavior from inside the running application and can help detect or block suspicious activity in context.
Runtime application self-protection, or RASP, is a security approach in which an application monitors its own behavior while running and can help detect or block suspicious activity in context. In plain language, it brings some security decision-making closer to the application itself rather than relying only on external scanning or filtering layers.
RASP matters because applications have direct awareness of their own code paths, requests, and execution context. That internal perspective can help identify suspicious behavior in ways that are difficult for purely external controls to see.
It also matters because organizations often want layered protection around live applications. Runtime-aware controls can complement secure coding, testing, and network filtering.
RASP appears in some application-protection platforms, high-sensitivity web applications, API protection discussions, and defense-in-depth strategies for runtime services. Teams use it when they want more context-aware protection inside the running application in addition to Web Application Firewall, SAST, and DAST.
Security teams evaluate RASP when they want stronger runtime visibility into suspicious application behavior, but they still treat it as one layer rather than a substitute for fixing insecure code or unsafe design.
A sensitive API service uses runtime-aware protections that observe how requests interact with internal application logic. When a request pattern behaves inconsistently with expected execution paths, the service can flag or interrupt the behavior instead of relying only on a perimeter control to notice it.
RASP is not the same as a Web Application Firewall. A WAF typically inspects traffic in front of the application, while RASP operates with more direct application runtime context.
It is also not a replacement for Secure Coding. Runtime protection can help reduce exposure, but the underlying code still needs to be designed safely.