Spyderbat continuously records ALL runtime context in an environment (from Kernel to Cloud) while providing causal linkage (recording both good & bad events alike). Alerts can then be traced along the resultant causal chain that's created. Normal behaviors can then be safely ignored, allowing practitioners to focus on more toxic combinations ONLY (i.e., Alerts-to-Traces).
Practitioners can then group behaviors for another order of magnitude reduction in alerts.
To do this, Spyderbat has developed the following algorithms:

1. Guardian - Records context to determine and visualize aggregate event significance in the environment. Guardian is the backbone that surfaces risk while addressing drift by comparing running applications against prior versions
2. Flashback - Replays the sequence of activities within/across containers at the earliest warning signs of trouble
3. Scout - Maps to Mitre Attack Matrix and Kubernetes Threat Matrix and identifies attacks based on suspicious behaviors.
4. Interceptor - Acts as automatic guardrails to protect known-good processes, extracts attackers, and rolls back misconfigurations.

Collectively this delivers on the value chain from causality through enforcement.