About

Why Protet exists

A CI/CD runner routinely holds registry credentials, cloud IAM roles, and signing keys — real, usable privilege, often broader than the production workloads it builds ever get. Almost none of that surface is watched.

Security tooling for the software supply chain has mostly stopped at what's declared: a lockfile, an SBOM, a lint rule against a manifest. That catches a real class of problems, but it structurally can't see a postinstall script that only turns malicious once a build actually runs it, a hijacked runner executing commands as your CI, or a dependency-confusion payload that looks identical to a legitimate package until it's installed and running.

Protet watches what a build actually executes — not what it declares — and applies a detection model trained specifically on real execve command sequences to flag the sessions that don't belong. It's built to run wherever a build already runs: fully on your own infrastructure and air-gapped if that's what your environment requires, or hosted, if it isn't.

We think the deeper problem isn't any single supply-chain attack technique — it's a whole class of infrastructure that's privileged, ephemeral, and unmonitored by default. That includes CI/CD runners today, and increasingly includes autonomous coding agents with shell access, which have exactly the same profile.

Get in touch

Questions, feedback, or just want to talk through your environment before you commit to anything: hello@protet.io.