Toward a Unified Application Data Model for Agentic AppSec
As security researchers and engineers, we’ve long understood that the behavior of modern applications cannot be fully understood through static code alone. Yet nearly every security system we’ve built over the last two decades has been predicated on that static assumption.
We scan source code, run containers through signature checks, and layer runtime agents to observe production behavior, but none of these systems talk to each other in a way that gives us a coherent understanding of the application itself. What’s missing is a unified application data model: a foundational representation that spans the full lifecycle of the app, across development, testing, and production, and across the different layers in which that app is expressed, code, container, and operating system.
Such a model is not only foundational for reasoning about real-world security posture, but essential for building the next generation of autonomous security agents: systems that don’t just scan for bugs, but reason about behavior, prioritize based on impact, and take intelligent action. These agents need more than logs. They need understanding. And understanding requires context.
The Case for a Unified Context Model
Imagine trying to secure a system based only on its source code, with no knowledge of how it behaves under load, what data flows through it, or what third-party dependencies it dynamically pulls in. Or conversely, trying to triage a production vulnerability with no access to the underlying function or logic responsible.
Both of these are the norm today.
What we lack is a data model that binds:
- Lifecycle stage — insights from development, testing, staging, and production
- System layers — observability and traceability across code, container, and OS layers
- Execution semantics — real-world runtime context that distinguishes theoretical vulnerabilities from exploit paths
Without a model that ties these dimensions together, any security insight is necessarily partial. But if we build one, we unlock the ability to ask and answer a fundamentally richer set of questions:
- Is this vulnerability reachable from an external input path in production?
- Does this exploit path require environment-specific conditions to succeed?
- What memory behavior accompanies this API usage pattern under real-world load?
These are the questions that matter for both security triage and autonomous decision-making.
Design Goals of the Model
To be useful, a unified application data model must satisfy three key properties:
- Precision
The model must capture fine-grained detail at each layer—code-level ASTs, container metadata, syscall behavior, heap and memory access patterns—without losing fidelity across stages. - Correlation
It must correlate behaviors across layers and lifecycle stages. For example, it should relate a log line in staging to a function in a specific microservice that allocates memory in a container with known capabilities. - Temporal Binding
It should support time-based joins, making it possible to track how behaviors emerge or change over time, and how those shifts map to code changes or deployment events.
The Architecture
Here's how we at Kodem are thinking about architecting such a model to power intelligent security agents:
1. Sensor Fabric
We begin by deploying sensors at multiple points:
- Static analyzers during CI for ASTs, dependency graphs, and taint flows
- eBPF-based runtime sensors in Kubernetes for syscall and memory introspection
- Sidecar proxies and tracing hooks for API paths and data flows
- Container introspectors for file system and process behavior
Each sensor emits structured telemetry that is tagged with:
- Code identity (repo, commit hash, function name)
- Deployment identity (container ID, pod UID, node info)
- Event context (timestamp, origin, trace ID)
2. Telemetry Ingestion + Normalization
Sensor outputs are ingested into a stream processing system that applies:
- Type normalization (AST nodes, memory ops, syscall categories)
- Entity linking (functions ↔ containers ↔ runtime events)
- Privacy filtering (PII tagging and scrubbing)
3. Application Graph Construction
The normalized events are used to build a graph model of the application:
- Nodes represent functions, files, containers, processes, endpoints
- Edges represent observed execution paths, data flows, control flow transitions
- Weights encode runtime frequency, timing, or risk
This graph is versioned and updated incrementally across lifecycle stages.
4. Agent Interface
Security agents (autonomous or human-in-the-loop) query this graph to:
- Trace attack paths
- Simulate reachability
- Confirm exploitability
- Recommend remediations
- Run counterfactuals (e.g., “What if this component were removed?”)
The model allows reasoning about “what’s happening” in the app—at every layer, in every stage—at once.
Why This Matters for Agents
The most powerful AI agents in security won’t be the ones trained on generic code snippets or curated CVE datasets. They’ll be the ones trained on representations of how real applications behave under real workloads, in real environments.
These agents will learn that a buffer overflow in a library that’s never loaded into memory isn’t a priority. That an unpatched CVE that’s dynamically blocked by configuration is low risk. And that a low-severity bug, when chained with a permission escalation vector and an exposed endpoint, is actually a critical exploit path.
That kind of judgment only comes from context. And context only comes from a model that sees the whole picture.
Related blogs
Prompt Injection was Never the Real Problem
A review of “The Promptware Kill Chain”Over the last two years, “prompt injection” has become the SQL injection of the LLM era: widely referenced, poorly defined, and often blamed for failures that have little to do with prompts themselves.A recent arXiv paper, “The Promptware Kill Chain: How Prompt Injections Gradually Evolved Into a Multi-Step Malware,” tries to correct that by reframing prompt injection as just the initial access phase of a broader, multi-stage attack chain.As a security researcher working on real production AppSec and AI systems, I think this paper is directionally right and operationally incomplete.This post is a technical critique: what the paper gets right, where the analogy breaks down, and how defenders should actually think about agentic system compromise.
A Guide to Securing AI Code Editors: Cursor, Claude Code, Gemini CLI, and OpenAI Codex
AI-powered code editors such as Cursor, Claude Code, Gemini CLI, and OpenAI Codex are rapidly becoming part of enterprise development environments.
From Discovery to Resolution: A Single Source of Truth for Vulnerability Statuses
Continuous visibility from first discovery to final resolution across code repositories and container images, showing who fixed each vulnerability, when it was resolved and how long closure took. Kodem turns issue statuses into ownership for engineers, progress tracking for leadership and defensible risk reduction for application security.
A Primer on Runtime Intelligence
See how Kodem's cutting-edge sensor technology revolutionizes application monitoring at the kernel level.
Platform Overview Video
Watch our short platform overview video to see how Kodem discovers real security risks in your code at runtime.
The State of the Application Security Workflow
This report aims to equip readers with actionable insights that can help future-proof their security programs. Kodem, the publisher of this report, purpose built a platform that bridges these gaps by unifying shift-left strategies with runtime monitoring and protection.
.avif)
Get real-time insights across the full stack…code, containers, OS, and memory
Watch how Kodem’s runtime security platform detects and blocks attacks before they cause damage. No guesswork. Just precise, automated protection.
