Skip to content
RASP

5 Best RASP / ADR Tools for 2026

Independent ranking — no vendor pays to appear here. See methodology.

Compare every active RASP tool, including the ADR-evolved platforms from Contrast, Datadog, and Dynatrace. Feature matrix, language coverage, no vendor bias.

Suphi Cankurt
Suphi Cankurt
+8 Years in AppSec
Updated February 5, 2026
4 min read

At a glance

The best RASP tools in 2026: Contrast Protect, Datadog ASM, Imperva RASP, OpenRASP, and Waratek.

  • Best established commercial RASP: Contrast Protect — in-process agent, part of the Contrast platform alongside its IAST product
  • Best if you already run Datadog: Datadog ASM — built on acquired Sqreen technology, integrated with APM
  • Best free option: OpenRASP — Baidu’s open-source project, the only mature no-cost RASP
  • Best WAF and RASP pairing: Imperva RASP — true in-process protection that pairs with Imperva’s WAF
  • Best for JVM workloads: Waratek — applies virtual patches inside the JVM at runtime

I evaluated 5 runtime application self-protection tools using publicly verifiable evidence — vendor docs, runtime language coverage, and deployment model. No vendor paid to appear on this page.

What is RASP?

RASP (Runtime Application Self-Protection) is a security technology that embeds a lightweight agent directly inside an application to detect and block attacks in real time during code execution.

Unlike perimeter-based defenses such as WAFs that inspect HTTP traffic externally, a RASP agent hooks into the application runtime itself, watches how each request gets processed, and can stop an attack mid-execution before it causes damage.

Traditional WAF sits outside and only sees HTTP traffic with pattern matching and high false positives. RASP agent is embedded inside the app, sees code execution context, blocks attacks at the exact vulnerability with zero false positives.

RASP does not find vulnerabilities for you to fix later. It blocks attacks as they happen — functioning as the last line of defense in a broader application security program when static analysis, code reviews, and perimeter controls all miss something.

Note: RASP does not find vulnerabilities for you to fix. It is the last line of defense when SAST, code review, and perimeter controls have all missed something — not a replacement for them.

The category is also rebranding. Contrast Security renamed Contrast Protect to Contrast ADR — Application Detection and Response — and Datadog and Dynatrace are pushing the same framing.

RASP is the blocking engine, ADR is the broader story wrapped around it: SOC-ready telemetry, MITRE ATT&CK mapping, and incident response workflows that plug into a SIEM or XDR.

Under the hood it is still runtime instrumentation — the ADR pitch just aligns the category with how modern security operations teams actually work.

The market is estimated at $2.59 billion in 2026 and is projected to reach $8.88 billion by 2031 at a 27.96% CAGR, according to Mordor Intelligence.

Mordor Intelligence RASP market report page showing the Runtime Application Self Protection Market Size and Share chart with projected growth, confirming the market forecast data

That growth reflects increasing adoption as organizations realize that external-only defenses leave gaps that attackers routinely exploit.

If you’re evaluating RASP, start in monitor mode and only flip to blocking once you trust the tool’s decisions. Java and .NET have the broadest agent coverage across vendors.

Pro tip: Start every RASP rollout in monitor mode. Only flip to blocking once the tool's decisions have been validated for your workload — blocking a legitimate request in production is worse than missing an attack.

Go has limited but growing support from Contrast, Datadog, and Dynatrace. Rust has almost no RASP options, because compiled languages make the runtime instrumentation that RASP depends on significantly harder to implement.

Pick your next step

I want RASP vs WAF

Side-by-side breakdown — perimeter pattern matching versus in-process code execution context. When each one wins and when you need both.

I'm picking between the leaders

Contrast Protect (now ADR) versus Imperva RASP. Language coverage, ATT&CK mapping, deployment model, and SOC fit.

I want runtime testing too

IAST runs in pre-production with the same agent technology. Pair it with RASP to catch bugs in test and block them in prod.

Quick Comparison of RASP Tools

ToolUSPLicense
Free / Open Source
ModSecurityOpen-source WAF engine for Apache, IIS, and NginxApache License 2.0
Commercial
Contrast ProtectNow Contrast ADR; 6-language coverageCommercial
Datadog ASMRASP engine from Sqreen, APM integrationCommercial
Dynatrace Application SecurityRASP module in Dynatrace platformCommercial
Imperva RASPCombines well with Imperva WAF; now under Thales (acquired Dec 2023)Commercial
WaratekJVM-embedded, virtual patchingCommercial
Discontinued / Acquired (4)
Hdiv Protection AcquiredAcquired by Datadog (2022); integrated into Datadog ASMCommercial
K2 Cyber Security AcquiredAcquired by New Relic (2022)Commercial
OpenRASP UnmaintainedOpen-source RASP by Baidu; inactive since Jan 2022Open Source
Signal Sciences AcquiredAcquired by Fastly → Next-Gen WAFCommercial

Here is what each active RASP tool looks like in production:

Contrast Security platform dashboard showing 8,825 tracked vulnerabilities, 16 attacks detected, a Vulnerability Trend chart, and an Attacks Seen graph across 100 applications
Datadog Application Security Management dashboard showing Security Posture with open vulnerabilities filtered by risk, exposed-to-attacks count, and vulnerabilities grouped by service
Dynatrace Application Security vulnerability prioritization view showing 374 vulnerabilities detected with Davis Security Score, risk level, and open/muted status per CVE
Imperva Attack Analytics dashboard showing 3.2M events, 3.2K incidents over 30 days, top violations by Bad Bots and SQL Injection, and attack origins map
Waratek API Security dashboard showing HTTP Events count and Top 5 HTTP Events by Endpoint over a 24-hour window from official Waratek documentation

How Do You Choose the Right RASP Tool?

The most important factor when choosing a RASP tool is language support — if the agent does not support your application’s runtime, nothing else matters.

RASP market 2026: still active tools include Contrast Protect (ADR leader), Datadog ASM, Dynatrace Application Security, Imperva RASP, and Waratek; acquired or sunset: Signal Sciences by Fastly 2020, Sqreen by Datadog 2021, K2 Cyber by New Relic 2022, Hdiv by Datadog 2022

After the acquisition wave that reshaped this market (Sqreen, K2, Hdiv, and Signal Sciences all got bought between 2020 and 2022), you’re left with roughly six active tools.

That makes the decision simpler, but the tradeoffs around performance overhead, stack integration, and deployment mode still matter.

1

Language Support

This is the first filter. Java and .NET have broad coverage from most vendors. Node.js and Python are supported by Contrast Protect and Datadog ASM. Go has a few options (Contrast, Datadog, Dynatrace) but they're less mature. Rust? Basically nothing.

2

Performance Overhead

Run benchmarks in your own environment. The range is wide: some tools add 2% latency, others hit 10%. If you're running latency-sensitive services, that gap matters a lot. Waratek claims minimal overhead thanks to its virtualization-based approach.

3

Existing Security Stack

Already using Contrast for SAST/IAST? Contrast Protect is the obvious pick. Running Imperva WAF? Their RASP plugs right in. On Datadog for APM? The RASP module is already baked into their agent.

4

Open-source vs Commercial

OpenRASP is free and Baidu ran it at scale, but the project has been dead since January 2022. If you need active maintenance, vendor support, and a proper dashboard, you're looking at a commercial tool.

5

Block vs Monitor Mode

I cannot stress this enough: start in monitor mode. Watch what the tool flags for a few weeks. Only flip to blocking once you're confident it won't kill legitimate requests. Every major RASP tool supports this two-stage rollout.

Frequently Asked Questions

What is RASP?
RASP (Runtime Application Self-Protection) is a security technology that runs inside an application to detect and block attacks in real time. The category is evolving into Application Detection and Response (ADR) — vendors like Contrast, Datadog, and Dynatrace now layer SOC-grade telemetry, MITRE ATT&CK mapping, and incident response workflows on top of the classic RASP blocking engine. Unlike WAFs that inspect traffic externally, RASP and ADR agents see how the application processes each request and can make more accurate blocking decisions.
What is Application Detection and Response (ADR)?
ADR is the newer framing for runtime application security. It uses the same in-process instrumentation as RASP to block attacks, but extends the story with SOC-friendly features: attack timelines, MITRE ATT&CK mapping, incident response workflows, and integration with SIEM/XDR platforms. Contrast rebranded Contrast Protect as Contrast ADR in 2024, and Datadog and Dynatrace have pushed similar positioning. Under the hood it is still runtime instrumentation — ADR is the SOC-friendly pitch for the same technology.
How is RASP different from a WAF?
WAFs sit in front of the application and inspect HTTP traffic patterns. RASP runs inside the application and sees actual code execution. This means RASP has far fewer false positives because it knows whether a suspicious input will actually trigger a vulnerability.
Does RASP cause performance overhead?
Yes, RASP agents add some latency since they intercept function calls within the application. Typical overhead ranges from 2-10% depending on the tool and configuration. Most production deployments accept this tradeoff for the improved protection accuracy.
Which languages do RASP tools support?
RASP support varies by tool. Java and .NET have the broadest coverage. Node.js and Python support is common but less mature. Go and Rust have limited RASP options due to their compiled nature. Check each tool’s documentation for current language support.
What is the best RASP tool?
Contrast Protect is the most established commercial RASP, part of the Contrast Security platform alongside their IAST product. Datadog ASM (built on acquired Sqreen technology) is a strong option if you already use Datadog for APM. For open-source, OpenRASP by Baidu is the only mature free option. Imperva RASP (now under Thales) pairs well with Imperva WAF.
Is there a free RASP tool?
Yes. OpenRASP is an open-source RASP tool maintained by Baidu. It supports Java and PHP, and has been used in production at scale. It is the only mature free option currently available.

Explore Other Categories

RASP covers one aspect of application security tools. Browse other categories below.

AI Security API Security ASPM Container Security DAST IaC Security IAST Mobile Security SAST SCA Secrets
Suphi Cankurt

Written & maintained by

Suphi Cankurt

Eight years on the vendor side of application-security sales — thousands of evaluations and demos. I started AppSec Santa in 2022 to put that insider view to work for buyers. Independent of any vendor, paid by none, and honest about what fits whom.

Methodology Contact LinkedIn