AppSec rules detect security threats using predefined criteria based on standard compliance frameworks and best practices. Custom rules are supported.
Cortex Cloud Application Security rules detect security threats within your application security environment, which includes the various components, configurations, and interactions within your application that can potentially introduce vulnerabilities or pose risks to its security. Cortex Cloud Application Security rules identify and flag issues based on predefined criteria, ensuring that potential threats are proactively detected and addressed to enhance the overall security posture of your application.
Cortex Cloud Application Security rules cover a wide range of security best practices, inspired by compliance frameworks such as PCI, GDPR, ISO 27001:2013, and NIST, as well as additional best practices beyond regulatory requirements.
In addition to managing rules manually through the tenant, you can use the Cortex Cloud public API for Application Security (AppSec) rules to programmatically manage your detection logic. The AppSec rules API automates rule inventory audits, custom rule creation, label-based organization, and rule lifecycle management, enabling security teams to govern detection logic at scale.
Note
The AppSec rules API manages rule definitions and metadata. It does not execute scans, create issues, or enforce policies.
Two categories of rules exist in the Cortex Cloud Application Security platform:
Out-of-the-box (OOTB) rules are pre-built detection rules maintained by Cortex Cloud. OOTB rules cover IaC misconfigurations, secrets exposure, SAST weaknesses, CI/CD risks, and SCA vulnerabilities. OOTB rules cannot be deleted; only their labels can be modified.
Custom rules are user-created detection rules for the IaC and Secrets scanners. Custom rules support full lifecycle management: create, modify, validate, and delete. Custom rule identifiers follow the pattern APPSEC_CUSTOM_{number}.
Core achievements
Detection governance at scale: Listing and filtering rules programmatically enables systematic audits of detection coverage by scanner, severity, category, compliance standard, and label, replacing manual console reviews
Organization-specific detection: Creating custom IaC and Secrets rules extends detection coverage to address security requirements unique to the organization, beyond the OOTB rule library
Label-based rule organization: Applying labels to rules enables categorization by team, compliance framework, environment, or business unit, supporting scoped policy conditions and filtered rule views
Rule customization through cloning: Cloning OOTB rules into custom rules enables modification of detection logic while preserving traceability to the original rule definition
Validation before deployment: Validating custom rule framework definitions before creation prevents deployment of rules with syntax errors or invalid detection logic
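The audit and governance steps above (list and filter the inventory by scanner, severity, compliance standard and label; tell custom rules apart from OOTB rules by the APPSEC_CUSTOM_{number} identifier pattern; and refuse edits the platform does not allow on OOTB rules) can be scripted against the rule list the API returns. The following Python is an added example, not code from Cortex Cloud or its API documentation: the inventory is a constructed sample, and the field names (id, scanner, severity, category, compliance, labels) and the OOTB identifiers are assumptions made for the example rather than the API's documented schema.

```python
import re
from collections import Counter

# Custom rule identifiers follow APPSEC_CUSTOM_{number}; anything else is treated as OOTB.
CUSTOM_RULE_ID = re.compile(r"^APPSEC_CUSTOM_(\d+)$")

# Constructed sample inventory. Field names and the OOTB_* identifiers are
# placeholders chosen for this example, not the real API schema or real rule IDs.
SAMPLE_RULES = [
    {"id": "OOTB_IAC_0001", "scanner": "IaC", "severity": "HIGH",
     "category": "Storage", "compliance": ["PCI", "ISO 27001:2013"], "labels": ["team:platform"]},
    {"id": "OOTB_SECRETS_0002", "scanner": "Secrets", "severity": "CRITICAL",
     "category": "Credentials", "compliance": ["PCI", "NIST"], "labels": []},
    {"id": "OOTB_SAST_0003", "scanner": "SAST", "severity": "MEDIUM",
     "category": "Injection", "compliance": ["NIST"], "labels": ["team:app"]},
    {"id": "APPSEC_CUSTOM_7", "scanner": "IaC", "severity": "LOW",
     "category": "Tagging", "compliance": [], "labels": ["team:platform", "env:prod"]},
    {"id": "APPSEC_CUSTOM_12", "scanner": "Secrets", "severity": "HIGH",
     "category": "Credentials", "compliance": ["GDPR"], "labels": ["env:prod"]},
]

# Only labels may be changed on OOTB rules; every other field is off limits.
OOTB_EDITABLE_FIELDS = {"labels"}


def is_custom(rule_id):
    """True when the identifier matches the custom-rule pattern."""
    return CUSTOM_RULE_ID.match(rule_id) is not None


def coverage_by(rules, field):
    """Count rules per value of `field`; list-valued fields count once per value."""
    counts = Counter()
    for rule in rules:
        value = rule.get(field, [])
        for v in (value if isinstance(value, list) else [value]):
            counts[v] += 1
    return dict(counts)


def filter_rules(rules, scanner=None, severity=None, label=None, compliance=None):
    """Return rules matching every filter that is set (AND semantics)."""
    def keep(rule):
        if scanner and rule["scanner"] != scanner:
            return False
        if severity and rule["severity"] != severity:
            return False
        if label and label not in rule["labels"]:
            return False
        if compliance and compliance not in rule["compliance"]:
            return False
        return True
    return [r for r in rules if keep(r)]


def check_change(rule, changes, delete=False):
    """Client-side guard run before any API call: returns (ok, reason).
    OOTB rules cannot be deleted and only their labels can be modified."""
    custom = is_custom(rule["id"])
    if delete and not custom:
        return False, f"{rule['id']} is an OOTB rule and cannot be deleted"
    disallowed = set(changes) - OOTB_EDITABLE_FIELDS
    if not custom and disallowed:
        return False, f"only labels can be modified on OOTB rule {rule['id']}: {sorted(disallowed)}"
    return True, "ok"


def audit_report(rules):
    """Inventory summary: custom vs OOTB counts, unlabeled rules, and coverage per dimension."""
    return {
        "total": len(rules),
        "custom": sum(1 for r in rules if is_custom(r["id"])),
        "ootb": sum(1 for r in rules if not is_custom(r["id"])),
        "unlabeled": [r["id"] for r in rules if not r["labels"]],
        "by_scanner": coverage_by(rules, "scanner"),
        "by_severity": coverage_by(rules, "severity"),
        "by_compliance": coverage_by(rules, "compliance"),
        "by_label": coverage_by(rules, "labels"),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit_report(SAMPLE_RULES), indent=2))
    print(check_change(SAMPLE_RULES[0], {"severity": "LOW"}))
```

In a real pipeline the `SAMPLE_RULES` list would be replaced by the rule objects fetched from the AppSec rules API, and `check_change` would gate each modify or delete request so that a sync job never sends a change the platform will reject; the `unlabeled` list is the quickest way to find rules that have not yet been placed under a team or compliance label.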
Functional responsibilities
AppSec managers (Governance): Audit the rule inventory to verify detection coverage across compliance frameworks. Organize rules with labels to align detection logic with organizational policies. Review custom rule definitions to ensure consistency with security standards
AppSec practitioners (Operations): Create custom IaC and Secrets detection rules to address organization-specific security requirements not covered by OOTB rules. Clone OOTB rules to customize detection logic for specific environments. Manage the custom rule lifecycle (create, modify, delete) through CI/CD pipelines
Platform engineers (Automation): Integrate rule management into infrastructure-as-code provisioning workflows. Build automated pipelines that synchronize custom rule definitions across tenants. Export rule inventories for compliance reporting and audit evidence
Creation and management workflows
Choose the workflow that best fits your operational scale.
| Capability | UI (Tenant Console) | Public API | Terraform (IaC) |
|---|---|---|---|
| Use case | Ad-hoc creation and testing | Bulk audits and sync | Scalable multi-tenant governance |
| Cloning | Visual duplication | | Via resource declaration |
| Validation | | Validation endpoint | terraform plan / HCL |
| Rule format | Visual or YAML | JSON payload | HCL frameworks block |