Next-generation runtime supply chain understanding, alerting, and zero-trust protection. Close entire classes of vulnerabilities automatically without patching. Rapidly understand your deployed suppy chain risk. Almost zero overhead and complete compatibility.
Track the complete list of 3rd-party libraries at runtime. Current SBOM tools can miss libraries, Lucien sees everything. Also, Lucien knows the sensitive operations of each library.
Lucien provides the list of reachable and loaded vulnerabilities in your running instances, so you can reason about your exposure and prioritize vulnerability remediation.
Lucien employs advanced AI to learn and enforce zero trust privileges on your 3rd-party libraries. Then Lucien enforces privileges to close known and zero day vulnerabilities.
Lucien alerts for library behavior indicative of an attack or embedded malice in your context. Advanced AI and runtime instrumentation prioritize these alerts, reducing alert fatigue.
Fine-tuned LLMs with custom reasoning provide intuitive reasoning for how an alert was prioritized. You want to know when a parsing library is trying to execute shell commands!
Developed with research funding from DARPA and commercialization funding from In-Q-Tel, Lucien fundamentally changes the power balance between defender and attacker. Lucien defines a novel and powerful in-application, zero-trust privilege model to protect your application against threats in 3rd-party libraries. Think of it as compartmentalization for the libraries within your application. Lucien learns and controls what each library should be doing with respect to your application.
In the past, RASP tools have suffered from issues with incomplete protection, high overhead, and lack of compatibility. Lucien eschews these issues through the enforcement of zero trust privileges at a granularity that enables near-zero overhead with complete compatibility, leveraging programming language features available in any language.
Lucien was developed for organizations with high-security requirements that rely on 3rd party applications and libraries. Developers sick of constantly patching vulnerabilities in their dependencies will find Lucien reduces the time spent on patching through intelligent vulnerability prioritization and protections.
Lucien was built for scalable cloud architectures. It is easy to deploy and includes a scalable, industrial-strength dashboard. Also, its data can be incorporated into your existing DevSecOps pipeline. Currently, Lucien supports Java, Python and Javascript, but can be extended to support your environment.
Lucien's core architecture is open-source and we are working on a detailed research paper for publication. We are strong proponents of complete transparency. Lucien's core was developed by Aarno Labs, with commercialization development handed off to our spin-off, Require Security, Inc.
Please email us if you are interested in Lucien:
We all love zero-trust, and for the first time, automatically implement a zero-trust model between components of a single application to catch and block malice.
Lucien improves upon standard, static SBOM tools by capturing ground-truth runtime data with essential details on the sensitive behaviors of dependencies, not just versions.
Gain actionable insights into your application’s supply chain vulnerabilities, prioritizing risks based your environment and Lucien's protections.
Reduce the endless dependency patching cycle by automatically mitigating vulnerabilities at runtime with Lucien's protections.
Limit the scope of potential exploits by enforcing strict privilege boundaries, isolating compromised components, and receiving compromise alerts.
Lucien's proactive privilege enforcement does not require knowing a vulnerability exists in order to mitigate it. Enforce authorized behaviors and report or block violations; zero-trust!
Leverage fine-tuned AI models to automatically learn precise privileges for your application, streamlining deployment and reducing false positive and false negatives.
Utilize AI-driven prioritization to highlight critical security alerts, minimizing noise and ensuring rapid response.
Monitor and analyze privilege usage across your software supply chain to detect anomalies and identify potential threats in real time.
Lucien’s privilege model provides precise, context-sensitive control over library behavior. Unlike traditional per-program privileges, Lucien defines privileges at the library level, on components of a single application, and how the components interact with sensitive resources (e.g., databases, disk, and network). So Lucien can allow your trusted in-house code to access your database, but any third-party library included in your application cannot access your database. This is a unique, game-changing capability.
At runtime, Lucien learns and validates the authorized privileges of each library. The model distinguishes the context in which a library performs a sensitive action to differentiate normal library behavior from an attacker’s hijacked control. So then, when enforcing privileges it can block attacks directly, for example, block an exploited library from executing shell commands. It can also block embedded malice, i.e., a library’s source or build has been hijacked. The protections are not limited to known vulnerabilities; that is the power of zero trust privileges within an application.
Static Software Bill of Materials (SBOM) collection is the absolute least you should be doing to understand the risk of your software supply chain. However, current SBOMs suffer from significant limitations. First, they are often incomplete, providing only a static list of dependencies. We found that using a popular SBOM tool for Javascript, on a popular blogging platform, misses over 2% of packages loaded at runtime (and captured by Lucien). Furthermore, current SBOMs do not attempt to capture each library's sensitive actions. Does a library access your database or the underlying file system? If so, it should be scrutizinzed more than a library that does not interact with those resources. Finally, current SBOM tools cannot enforce constraints at runtime, so a running application can load whatever dependences it wants without limit. SBOMs have no teeth.
Lucien transforms the concept of SBOMs by capturing all dependencies loaded at runtime with behavioral component that captures ground-truth runtime data, detailing exactly how libraries interact with sensitive system calls and resources. With Lucien, you can run your application in test or a production environment, and export an SBOM (in popular formats) and then deeply understand its risks, while using this SBOM to limit other instances of the application to exactly the behaviors you have approved. Our behavioral SBOMs enables precise visibility into what each library is doing, helping prioritize risks based on actual usage rather than only known vulnerabilities. Lucien enables enforceable SBOMs, restricting the loaded libraries to those specified in the SBOM and limiting each library to only the privileges that are declared, ensuring both operational safety and security. This paradigm shift makes SBOMs not only a tool for documentation but also a cornerstone of active application protection.
Lucien includes advanced reasoning about the formal properties of its protections that can save your organization time when mitigating and prioritizing vulnerabilities. Lucien will tell you if a known vulnerability in a library is mitigated by the privileges enforced on the library. If so, you are fully protected, and you can delay patching the library until convenient. For example, if a library has a new command injection vulnerability reported, Lucien will let you know if the library has a privilege for running commands, if not, you are done, and the newly disclosed vulnerability is completely blocked. If so, we can tell you the type of commands the privilege allows. And yes, we even learn patterns of arguments for shell commands, file operations, and other actions, which are incorporated into a privilege.
Using this information, you can decide the priority of each reachable known vulnerability, delaying patching of protected vulnerabilities, knowing you are safe.
Lucien’s effectiveness was tested using the SecBench.js JavaScript security benchmark suite, targeting real-world vulnerabilities. It achieved 100% mitigation for 166 path traversal, 97 command injection, and 35 code injection exploits that successfully ran uninstrumented. By enforcing precise, context-sensitive privileges, Lucien demonstrated complete protection against these attack vectors, significantly enhancing application security without false positives. You show us another RASP tool that demonstrates its effectiveness on an accepted, third-party test suite.
Lucien’s instrumentation seamlessly integrates into applications, intercepting system-affecting operations to enforce or learn privileges with minimal overhead. By automatically embedding lightweight hooks within supported languages, such as JavaScript, Python, and Java, Lucien efficiently tracks privileges and their context. The instrumentation operates within the application process to ensure compatibility and accuracy while maintaining near-zero performance impact. This approach enables precise privilege enforcement without disrupting existing workflows or application stability. Importantly, deployments of the Lucien protections are seamless, either use a new argument for the interpreter or use our aliased interpreter executable. Either way, a one-line change to your deployment.
Lucien delivers robust security with near-zero real-world performance impact. Unlike other RASP systems, we are upfront with our potential overhead. In tests across 28 Node.js server configurations, when not under full load, there was no measurable performance impact. Under high request loads (saturated), Lucien showed an average throughput overhead of just 6%, with many cases incurring no noticeable latency. Its memory footprint remains minimal, adding at most 35 MB. Lucien ensures strong protections without compromising application performance.
Lucien achieves near-universal compatibility with existing applications. For example, for Node.js, we tested it across the top 1,000 npm libraries with built-in test suites, achieving a 99.7% pass rate. Failures were limited to cases involving hardcoded stack trace expectations. Additionally, Lucien passed 97.8% of the Node.js core test suite, demonstrating exceptional compatibility with edge cases and intricate runtime behaviors, with failures limited to cases where tests introspect platform-dependent behavior. This demonstrates that Lucien integrates seamlessly into virtually any environment.
Lucien includes comprehensive captured library metadata, including detailed information about versions, ancestors, and descendants. All intuitively and beautifully presented. Understand how a library is included, and what it depends on, all with ground truth runtime data.
Understand summary and detailed information about privileges and privilege events. What libraries have privileges? What are the categories of sensitive operations for a library or the entire application? What is the throughput and history of privilege events?
Lucien’s alerting and protection behaviors have sensible defaults but also allow you to have control. You can block (and report) violations or just allow (and report) them. You can control and understand the privilege learning process. And control the sensitivity of surfaced alerts based on action or the AI assessment.