/

Getting started with Monitor in .NET

An autonomous security agent that lives inside your .NET application, with full visibility into code execution, memory, and system state. Real-time threat detection and response across Desktop, Mobile, Web, and IoT.

An autonomous security agent that lives inside your .NET application, detecting and responding to threats in real-time with full visibility into code execution, memory, and system state.

What is ByteHide Monitor?

Static analysis tools find vulnerabilities before deployment. Perimeter WAFs block suspicious HTTP traffic in production. Both are valuable. But between them is a gap: the runtime, where vulnerabilities become real exploits and where theoretical risk becomes actual damage.

ByteHide Monitor closes that gap. It is an autonomous security agent that runs inside your application as a parallel process, sharing its memory, permissions, and system access. From inside, it has full visibility into code execution, database interactions, network calls, operating system state, and user sessions.

Because Monitor operates inside the application, it does not rely on pattern matching against HTTP traffic. It intercepts operations at the execution layer. When your code builds a SQL query, Monitor sees the query. When your code resolves a file path, Monitor validates the path. When a process is about to start, Monitor checks the command. This means it can detect zero-day attacks that no signature database has seen yet, because it understands your application's behavior, not just its traffic patterns.

How It Works

Monitor adapts to the environment where your application runs:

Cloud and Web Applications (In-App WAF): For APIs and web applications, the attack surface is the network. Monitor intercepts malicious operations before they execute: SQL queries, file system access, HTTP requests, XML parsing, and more. It operates at the execution layer, not the perimeter, which means encoding tricks and obfuscation techniques that bypass traditional WAFs are ineffective.

Desktop, Mobile, and IoT (RASP Agent): For distributed applications running on devices, the attack surface is the device itself. Attackers decompile, debug, hook, and manipulate your application directly. Monitor detects reverse engineering attempts, compromised devices, memory dumping, process injection, network tampering, and integrity violations.

Same agent. Same dashboard. Same configuration. Different focus.

Choose Your Application Type

Desktop Applications

Console, WPF, WinForms applications with standalone configuration API

Mobile Applications

MAUI and Xamarin applications with mobile-specific protections

Web Applications

ASP.NET Core and ASP.NET Framework with middleware integration

IoT / On-Premise

IoT devices and on-premise applications with offline-first architecture

Quick Start

Get started in minutes:

C#
using Bytehide.Monitor.Core.Actions;
using Bytehide.Monitor.Core.Protection;

// Standalone applications (Console, Desktop, Mobile, IoT)
await Bytehide.Monitor.Payload.ConfigureAsync(config =>
{
    config.UseToken("your-api-token");
    config.EnableAllProtections(ActionType.Close, intervalMs: 60000);
});
C#
// ASP.NET Core applications
builder.Services.AddByteHideMonitor(options =>
{
    options.ApiToken = "your-api-token";
    options.EnableSqlInjectionProtection();
    options.EnableXssProtection();
});

app.UseByteHideMonitor();

Protection Capabilities

Desktop and Mobile Protections

Detection modules that run at configurable intervals, monitoring the runtime environment:

ModuleWhat It Detects
Debugger DetectionAttached debuggers, profilers, instrumentation tools
Virtual Machine DetectionVMware, VirtualBox, Hyper-V, Parallels, QEMU
Emulator DetectionEmulators and sandboxes (Wine, Android Emulator)
Jailbreak DetectionRooted/jailbroken devices (Magisk, Cydia, checkra1n)
Tampering DetectionModified assemblies, broken signatures, code injection
Memory Dump DetectionMemory scanning tools, credential extraction
Process InjectionDLL injection, hooking frameworks (Frida, Xposed)
Network TamperingMITM proxies (Charles, Burp Suite), SSL pinning bypass
Clock TamperingSystem time manipulation to bypass trial/license logic
Remote DesktopRemote control sessions and screen sharing
License BindingDevice-bound license circumvention
Container DetectionDocker, Kubernetes, containerized execution
Cloud MetadataCloud infrastructure execution (AWS, Azure, GCP)

Web and Cloud Protections

Active interceptors that validate operations at the execution layer in real-time:

ModuleWhat It Intercepts
SQL InjectionSQL queries before execution against the database
NoSQL InjectionNoSQL operations (MongoDB, Cosmos DB)
Cross-Site ScriptingUser input and output before rendering
Path TraversalFile I/O operations and directory access
Command InjectionOS command execution and process spawning
SSRFOutbound HTTP requests targeting internal services
LDAP InjectionLDAP queries and directory operations
XXEXML parsing with external entity references
LLM Prompt InjectionLLM API calls for prompt manipulation

Anomaly Detection (Built-in)

Active by default in every project. Learns your application's normal behavior and flags deviations: authentication anomalies, abnormal request rates, unexpected payload structures, and suspicious session activity. Learn more.

Response System

Monitor does not just detect threats. Because it runs inside your application, it can respond at the point of execution.

ActionDescriptionUse Case
CloseTerminates the applicationCritical threats (debuggers, VM detection)
LogRecords the incident with full contextMonitoring and analytics
BlockBlocks the specific operationWeb interceptors (SQL injection, XSS)
EraseWipes sensitive data before closingData protection on compromised devices
CustomExecutes your own handlerSIEM integration, Slack alerts, custom workflows
NoneDetects but takes no actionTesting and development

Every action is configurable per protection module and per confidence threshold. Low confidence logs. Medium confidence blocks. High confidence terminates and notifies.

C#
config.RegisterCustomAction("secure-shutdown", async (threat) =>
{
    await LogIncidentAsync(threat);
    await NotifySecurityTeamAsync(threat);
    await SecureShutdownAsync();
});

config.AddProtection(
    ProtectionModuleType.DebuggerDetection,
    ActionType.Custom,
    intervalMs: 30000,
    customActionName: "secure-shutdown"
);

Configuration

Monitor provides three configuration paths:

Cloud Dashboard

Configure protections from the web panel. Changes sync instantly, no redeployment needed.

JSON Configuration

Load configuration from bytehide.monitor.json files for version-controlled setup.

Configuration API

Code-based configuration with the fluent API for full programmatic control.

Custom Actions

Create custom response handlers for enterprise security workflows.

Deployment Options

SDK Integration

Install the NuGet package in your project. The agent lives inside your application binary. Wherever the application goes (a new server, a container, a different cloud region), the agent goes with it. You install once, and every deployment is protected automatically.

Bash
dotnet add package ByteHide.Monitor

No code changes beyond adding the package. The agent initializes at startup, reads its configuration from the cloud dashboard, and begins protection.

Server-Side Deployment

Coming Soon

Server-side deployment documentation is being written. This deployment option allows security teams to attach Monitor to running applications without modifying the codebase or build pipeline.

Platform Support

Target Frameworks

  • .NET Framework: 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8, 4.8.1
  • .NET Core/5+: 3.1, 5.0, 6.0, 7.0, 8.0, 9.0
  • .NET Standard: 2.0, 2.1 (for library projects)

Supported Platforms

  • Desktop: Windows (x64, x86, ARM64), macOS (x64, ARM64), Linux (x64, ARM64)
  • Mobile: Android (MAUI/Xamarin), iOS (MAUI/Xamarin)
  • Web: ASP.NET Core, ASP.NET Framework, Blazor Server, Blazor WASM
  • IoT: Raspberry Pi, embedded devices, edge computing

ByteHide Platform Integration

Monitor does not work in isolation. It feeds and improves every other layer of the ByteHide platform.

Monitor and Radar

Radar flags 200 vulnerabilities in your codebase. Monitor detects that one of them is being actively exploited in production. Radar automatically reprioritizes it from medium to critical, because it is no longer theoretical. Conversely, Monitor confirms that an endpoint Radar flagged is internal and unreachable from the outside. Radar downgrades the priority. Your team fixes what matters first.

Monitor and Shield

Shield protects your code statically through obfuscation and virtualization. Monitor defends at runtime. When an attacker attempts to hook a method that Shield has virtualized, Monitor detects the hooking attempt, blocks it, and reports the full incident. Static fortification and runtime defense, working together.

Monitor and Logs

Every incident Monitor detects is recorded in Logs with full context: timestamp, detection type, payload, affected code, device fingerprint, confidence score, and response action taken. Cryptographically secured, immutable forensic evidence for compliance and audit.

ByteHide Radar

Static analysis that reprioritizes vulnerabilities based on real runtime exploit data from Monitor

ByteHide Shield

Code obfuscation and virtualization that makes reverse engineering exponentially harder

ByteHide Logs

Immutable forensic logging for every security incident Monitor detects

Next Steps

Quick Start

Get Monitor running in under 5 minutes

Create a Project

Set up your Monitor project in the ByteHide Cloud

Protection Modules

Complete reference of all available protection modules

Cloud Panel

Real-time dashboard for incidents, devices, and configuration

Next
Quick Start