How it Works

Monarx Architecture

The Magic Inside Monarx

The Monarx approach uses the application stack and operating system to protect webservers. Our runtime application protection lives in the server-side scripting engine, so it sees everything that is executed from where and by who. Our hunting engine looks deep into the server to find malicious scripts and compromised source binaries using a combination of methods. We harden servers and applications reducing the attack surface, by providing actionable information about web security posture. Monarx has overcome the challenges that Antivirus, IDS, and WAF’s have detecting and preventing backdoors/web shells, by combining application prevention, hardening and proactive hunting.

Monarx Protected Web Servers

Linux Agent

The Monarx server-size agent has 3 modules:

  • Hunter: to find web shells no matter how and where they hide.
  • Lock: to detect and prevent shell execution in real-time without signature reliance.
  • Audit: analyzes key elements of the system to inventory applications, identify misconfiguration and vulnerabilities


Monarx cloud is the command center that collects and analyzes data from Monarx protected servers. That data is processed and then used to develop a better understanding of web shells/backdoors; what they are capable of, how they got in and how to find them:

  • View alerts and manage protected servers
  • Attack information (source IP and entry point)
  • Whitelist repository: to reduce false positives
  • Web shell repository: where we store and analyze web shells and identify compromised source binaries


Hunter Module

The hunting engine searches across the server's filesystem looking for suspicious backdoor files. It uses a combination of methods including rules, signatures, analytics, dynamic analysis, and whitelisting. Results from the scan are securely sent to the Monarx cloud where they are reviewed and used to help clean up backdoors across your environment. The Hunter also has an automatic incremental scan feature that monitors the filesystem as new backdoors are delivered, after the initial scan, and will update the console on a regular basis. To identify compromised source binaries, the Hunter compares the known good hashes of the binaries, from our cloud, to the specific ones from a version perspective on the server. It also provides basic host information and version information about installed applications.

Protect Module

Monarx PROTECT shields servers from malicious backdoors by preventing backdoors from executing. It evaluates the unknown script before it is executed based off specific criteria. Depending on your settings (detect or prevent) it will either alert you that a backdoor has been executed or prevent it from executing. Since Monarx PROTECT lives inside the scripting engine it identifies the entry URL, source IP, any activation attempts, where the activation attempts came from and what vulnerabilities were exploited in the delivery process.

Audit Module

Our Audit Module analyzes multiple elements of Linux web servers, across your environment, from the operating system, application and database perspective. It gives you easy to understand visibility into configuration flaws, based off best practices, exposed services and sites, application inventory and outdated software.