
spoofzu/jvmxray


JVMXRay: AI-Enhanced Java Security Monitoring




JVMXRay is an AI-enhanced security monitoring platform that watches Java applications in real time, detecting vulnerabilities and suspicious activity without requiring code changes. Intelligence analysis enriches security events with AI-powered metadata and context for risk prioritization and compliance reporting. With simple setup and minimal performance impact, JVMXRay provides comprehensive security visibility into applications and their third-party dependencies, enhanced by machine learning that improves detection accuracy over time.

NEWS
Oct 7, 2024 - Minor Fixes: Sensor metadata improvements; AI service under development (work in progress); OWASP Dependency Check integration (NVD metadata, CVSS scoring, etc.) for third-party libraries (not operational at the moment).
Sep 18, 2024 - Major Update: Significant milestone release featuring AI-powered vulnerability analysis, online/offline integration support with AI MCP clients like Claude Desktop, 15+ sensor types and growing, an enhanced documentation suite, multi-database support (SQLite/MySQL/Cassandra), and a complete CI/CD pipeline. Suitable for testing and evaluation.
Apr 23, 2024 - Platform Rearchitected: Architecture improved to remove the deprecated SecurityManager and move to a bytecode injection approach.
Feb 20, 2024 - Improved Architecture: Improved documentation for the new architecture. Site docs forthcoming.

📰 View News Archive - Complete history of project announcements and milestones

⚠️ Development Status & Security Notice

🚨 ALPHA SOFTWARE - NOT FOR PRODUCTION USE 🚨

JVMXRay is currently in alpha development status and should NOT be deployed in production environments. This software is intended for testing, evaluation, and development purposes only.

📖 Learn more about alpha limitations and security considerations →


Why JVMXRay?

Java applications are under constant attack, but traditional security tools require code changes, create performance overhead, or generate too many false positives. JVMXRay improves on the current state of practice by:

  • Zero Code Changes: Monitor any Java application without modifications
  • Intelligence Analysis: AI enriches security events with contextual metadata for risk prioritization and compliance reporting
  • Complete Visibility: See exactly what applications and dependencies are doing
  • Minimal Impact: Low performance overhead using well-proven technologies like bytecode injection and Logback enterprise logging
  • Enterprise Ready: Works with existing logging infrastructure and scales to any size

Logging Philosophy: Beyond Traditional Approaches

The Problem with Unstructured Logging

Traditional application logging relies on developers manually adding log statements throughout code. This creates several challenges:

  • Developer-Dependent: Log quality varies based on individual experience and foresight
  • Needle in Haystack: Complex parsing tools required to extract meaningful insights from unstructured text
  • Inconsistent Format: Different developers use different logging patterns and message formats
  • Reactive Coverage: Only logs what developers anticipated needing, missing unexpected security events

JVMXRay's Structured Security Events

JVMXRay automatically generates structured security events without developer intervention:

  • System-Generated: Consistent, comprehensive coverage regardless of developer experience
  • Machine-Readable: Structured formats enable instant analysis and correlation without complex parsing
  • Predictive Coverage: Monitors security-relevant operations automatically, capturing events developers might not anticipate
  • AI-Ready: Structured data enables intelligent analysis, pattern recognition, and automated threat detection

Who Benefits and How

🏢 Operations & IT Teams

  • Datacenter Intelligence: Keep sensitive security data on-premises while leveraging AI analysis capabilities
  • Zero-Downtime Deployment: Monitor applications without restarts or maintenance windows
  • Alert Reduction: Intelligent filtering significantly reduces security alert noise
  • Infrastructure Integration: Works with existing Splunk, ELK, DataDog, and logging systems

πŸ‘¨β€πŸ’» Developers & Engineers

  • Beyond Traditional Logging: Eliminates dependency on manual log statements. JVMXRay automatically captures security-relevant operations in structured formats, so no complex parsing tools are needed to find security needles in log haystacks
  • AI Security Intelligence: JVMXRay MCP Server provides event-based security intelligence to AI clients instantly, making them security experts on your datacenter. Compatible with Claude Desktop or internal MCP clients.
  • Improved Diagnostics: Point-in-time system state capture with monitor sensor and uncaught exception handler to diagnose cloud server failures. Eliminates the need to recreate complex test environments for debugging production issues.
  • Real-time Insights: See file access, network connections, and system calls as they happen

🔒 Security Practitioners

  • Advanced Threat Detection: Machine learning enhances vulnerability identification accuracy
  • MITRE ATT&CK Mapping: Automatic attack technique identification and timeline analysis
  • Incident Response: Complete attack context with file, network, and process details
  • Low False Positives: Context-aware detection based on actual application security events

📈 Engineering Leaders & CISOs

  • Risk Reduction: Proactive vulnerability detection prevents costly data breaches
  • Strategic Investment: Comprehensive security monitoring that scales with business growth
  • Open Source Foundation: No vendor lock-in with enterprise support options available
  • Supply Chain Security: Monitor third-party libraries and detect malicious behavior
  • Compliance Automation: AI-enriched security event data supporting compliance automation for SOC 2, PCI DSS, and regulatory reporting

Video Tutorial

Watch a video showing how to build JVMXRay and integrate it with Claude Desktop AI, followed by a quick demo, or jump directly to the demo at 3:30.

Quick Start

Get up and running in under 5 minutes:

  1. Change to GitHub Repository Folder

    cd {your-github-folder}/
  2. Clone JVMXRay Repository

    git clone https://github.com/spoofzu/jvmxray.git
  3. Build JVMXRay Project

    mvn clean package
  4. Generate Test Data

    ./script/data/generate-test-data

    Note: This script executes various activities to stimulate the JVMXRay Agent's sensors. When it finishes, a SQLite database contains sensor data for experimentation.

    Explore the test data:

    sqlite3 .jvmxray/common/data/jvmxray-test.db "SELECT EVENT_ID, TIMESTAMP, NAMESPACE, KEYPAIRS FROM STAGE0_EVENT LIMIT 10;"

Congratulations! You've built JVMXRay successfully!

The project compiles, tests pass, and includes:

  • Complete sensor framework with 15+ monitoring capabilities
  • Multi-database support (SQLite/MySQL/Cassandra)
  • AI-enhanced security event analysis
  • Enterprise logging integration

Continue Optional Setup

Ready for advanced features? Continue with:

📖 Continue Setup → - Security event enrichment, AI integration, and vulnerability analysis

Optional features include:

  • Step 5: Migrate data to enriched format for AI analysis
  • Step 6: MCP integration for Claude Desktop AI-powered queries
  • Step 7: AI Service for vulnerability analysis and library tracking

Key Capabilities

🤖 AI-Enhanced Analysis

  • Structured Security Events: Unlike traditional unstructured logs that require complex parsing, JVMXRay generates machine-readable security events automatically
  • AI Data Enrichment: Structured data enables intelligent vulnerability classification with CWE assignment and dynamic CVSS scoring based on attack characteristics
  • Pattern Recognition: Advanced detection for SQL injection, command injection, path traversal using consistent event formats
  • Intelligence Pipeline: Rule-based analysis with configurable pattern matching and threat classification on structured data

🔧 Extensible Sensor Capabilities

  • File I/O Sensor: Monitors file system access, reads, writes, and deletions
    C:AP | 2025.09.18 at 11:23:34 CDT | main |  INFO | org.jvmxray.events.io.fileio |  | caller=java.io.File:1075, file=/tmp/sensitive.data, operation=DELETE, status=deleted, AID=7KLZZAC0DM9RA1ISVXQY63NTK, CID=unit-test
    
  • Network Sensor: Tracks socket connections, binds, and data transfers
    C:AP | 2025.09.18 at 11:23:34 CDT | main |  INFO | org.jvmxray.events.net.connect |  | caller=java.net.Socket:189, destination=malicious-site.com:443, status=connected, AID=7KLZZAC0DM9RA1ISVXQY63NTK, CID=production
    
  • Process Sensor: Detects system command execution and privilege escalation
    C:AP | 2025.09.18 at 11:23:34 CDT | main |  INFO | org.jvmxray.events.system.exec |  | caller=java.lang.ProcessBuilder:1029, command=/bin/sh -c rm -rf /, status=blocked, AID=7KLZZAC0DM9RA1ISVXQY63NTK, CID=production
    
  • Monitor Sensor: System performance and health monitoring with point-in-time snapshots
    C:AP | 2025.09.18 at 11:23:34 CDT | main |  INFO | org.jvmxray.events.monitor |  | caller=org.jvmxray.agent.sensor.monitor.MonitorSensor:45, GCCount=1, ThreadRunnable=2, MemoryFree=566.3MB, ProcessCpuLoad=0%, OpenFiles=163, AID=7KLZZAC0DM9RA1ISVXQY63NTK, CID=production
    
  • Library Sensor: Dynamic and static JAR loading detection
    C:AP | 2025.09.18 at 11:23:34 CDT | main |  INFO | org.jvmxray.events.system.lib |  | caller=ClassLoader:123, method=dynamic, jarPath=/path/to/library.jar, AID=7KLZZAC0DM9RA1ISVXQY63NTK, CID=production
    
  • Serialization Sensor: Object serialization monitoring for deserialization attacks
    C:AP | 2025.09.18 at 11:23:34 CDT | main |  INFO | org.jvmxray.events.serialization |  | caller=ObjectInputStream:123, target=UserData.class, status=deserialized, AID=7KLZZAC0DM9RA1ISVXQY63NTK, CID=production
    
  • SQL Sensor: Database query monitoring and injection attempt detection
    C:AP | 2025.09.18 at 11:23:34 CDT | main |  INFO | org.jvmxray.events.sql.query |  | caller=java.sql.Statement:142, query=SELECT * FROM users WHERE id = '1 OR 1=1', status=potential_injection, AID=7KLZZAC0DM9RA1ISVXQY63NTK, CID=production
    
  • Uncaught Exception Sensor: Application error and crash monitoring with comprehensive diagnostics
    C:AP | 2025.09.18 at 11:23:34 CDT | payment-processor-1 |  INFO | org.jvmxray.events.system.uncaughtexception |  | caller=com.example.PaymentProcessor:145, thread_name=payment-processor-1, thread_id=42, thread_group=main, exception_type=java.lang.NullPointerException, exception_location=com.example.PaymentProcessor:145, exception_method=processPayment, exception_message=Cannot process null payment, stack_depth=28, memory_pressure=HIGH, heap_used_mb=756.2, command_line=java -jar payment-service.jar --port=8080, jvm_uptime_minutes=47, incident_id=f3d4e5a6-b7c8-4d9e-a1b2-3c4d5e6f7a8b, AID=7KLZZAC0DM9RA1ISVXQY63NTK, CID=production
    
  • API Sensor: REST and web service call monitoring
  • Configuration Sensor: Application configuration access and modification tracking
  • Data Transfer Sensor: Large data movement and export detection
  • Thread Sensor: Thread lifecycle and synchronization monitoring
  • Authentication Sensor: Login attempts and credential usage tracking
  • Cryptographic Sensor: Encryption/decryption operations and key usage
  • Reflection Sensor: Dynamic code loading and class manipulation detection
  • HTTP Sensor: Web request and response pattern analysis
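
Every sensor line above shares one layout: a prefix, timestamp, thread, level and event namespace separated by " | ", then comma-separated key=value pairs ending in the AID and CID. The following added Python example (not JVMXRay project code) parses that layout and runs a small triage pass over the README's own sample lines; the allowlist, the severities and the assumption that values contain no ", " are mine, since the README does not document the format's escaping rules.

```python
"""Parse JVMXRay sensor event lines and run a defender-side triage pass.
Added example, not JVMXRay code; assumes the README's layout: seven ' | '
fields with a comma-separated key=value tail whose values hold no ', '."""
from collections import namedtuple
from typing import List, Optional, Tuple

TRUSTED_HOSTS = {"localhost", "127.0.0.1"}  # constructed allowlist
SAMPLE_LINES = [  # sample events quoted from the README
    "C:AP | 2025.09.18 at 11:23:34 CDT | main |  INFO | org.jvmxray.events.io.fileio |  | caller=java.io.File:1075, file=/tmp/sensitive.data, operation=DELETE, status=deleted, AID=7KLZZAC0DM9RA1ISVXQY63NTK, CID=unit-test",
    "C:AP | 2025.09.18 at 11:23:34 CDT | main |  INFO | org.jvmxray.events.net.connect |  | caller=java.net.Socket:189, destination=malicious-site.com:443, status=connected, AID=7KLZZAC0DM9RA1ISVXQY63NTK, CID=production",
    "C:AP | 2025.09.18 at 11:23:34 CDT | main |  INFO | org.jvmxray.events.system.exec |  | caller=java.lang.ProcessBuilder:1029, command=/bin/sh -c rm -rf /, status=blocked, AID=7KLZZAC0DM9RA1ISVXQY63NTK, CID=production",
    "C:AP | 2025.09.18 at 11:23:34 CDT | main |  INFO | org.jvmxray.events.sql.query |  | caller=java.sql.Statement:142, query=SELECT * FROM users WHERE id = '1 OR 1=1', status=potential_injection, AID=7KLZZAC0DM9RA1ISVXQY63NTK, CID=production",
]
XrayEvent = namedtuple("XrayEvent", "prefix timestamp thread level namespace fields")

def parse_event(line: str) -> XrayEvent:
    # maxsplit=6 keeps any ' | ' inside the key=value tail intact
    parts = [p.strip() for p in line.strip().split(" | ", 6)]
    if len(parts) != 7:
        raise ValueError(f"expected 7 fields, got {len(parts)}: {line!r}")
    prefix, ts, thread, level, namespace, _empty, tail = parts
    fields = {}
    for pair in tail.split(", "):
        key, _, value = pair.partition("=")  # first '=' only; values may contain '='
        fields[key.strip()] = value.strip()
    return XrayEvent(prefix, ts, thread, level, namespace, fields)

def triage(ev: XrayEvent) -> Optional[Tuple[str, str]]:
    """(severity, reason) for events an analyst should look at, else None."""
    ns, f = ev.namespace[len("org.jvmxray.events."):], ev.fields
    if ns == "system.exec":
        return "HIGH", f"command execution via {f.get('caller')}: {f.get('command')}"
    if ns == "sql.query" and f.get("status") == "potential_injection":
        return "HIGH", f"possible SQL injection: {f.get('query')}"
    if ns == "net.connect" and f.get("destination", "").rsplit(":", 1)[0] not in TRUSTED_HOSTS:
        return "MEDIUM", f"outbound connection to {f.get('destination')}"
    if ns == "io.fileio" and f.get("operation") == "DELETE":
        return "LOW", f"file deleted: {f.get('file')}"
    return None

def triage_lines(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (severity, CID, reason) for every flagged event, in input order."""
    hits = []
    for ev in map(parse_event, lines):
        hit = triage(ev)
        if hit:
            hits.append((hit[0], ev.fields.get("CID", "?"), hit[1]))
    return hits
```

Because the sensors emit through Logback, the same parser works on lines forwarded to Splunk, ELK or any other sink listed above; only the rule table would change per deployment.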

πŸ—οΈ Enterprise Architecture

  • Database Support: SQLite (testing), MySQL, Cassandra (production)
  • Logging Integration: Logback framework supports any destination (Kafka, JMS, SMTP, etc.)
  • High Performance: Bytecode injection with minimal overhead
  • Scalable Design: From single applications to enterprise-wide deployments

How JVMXRay Works

  1. Deploy Agent: Add JVMXRay as a Java agent: java -javaagent:xray.jar -jar yourapp.jar - That's it! Your application won't know it's monitored.
  2. Sensor Installation: Bytecode injection installs monitoring sensors automatically
  3. Event Capture: Sensors monitor file access, network connections, system calls
  4. AI Analysis: Intelligence pipeline analyzes patterns and assigns vulnerability classifications
  5. Structured Event Generation: Unlike traditional unstructured logs that require complex analysis tools, JVMXRay automatically generates machine-readable security events that enable instant analysis and AI enhancement
  6. Query & Analyze: Generate reports with standard BI tools, visualize with Grafana dashboards, or answer ad-hoc queries using AI MCP clients connected to JVMXRay's MCP server

Enhanced MCP Query Capabilities ✨ NEW

JVMXRay's MCP server enables AI clients like Claude Desktop to become instant security experts on your datacenter. The system provides sophisticated querying capabilities with advanced filtering, pagination, and real-time analysis.

See it in action: JVMXRay AI Integration Demo - A video is worth a thousand words!

Documentation

Component Documentation

Quick Links

Project Contributor(s)

Milton Smith - Project creator, leader

Disclosure(s): The JVMXRay project is not approved, endorsed by, or affiliated with Oracle Corporation. Oracle is a long-time supporter of secure open source software and the Open Web Application Security Project (OWASP). Milton Smith is an active industry open source contributor, OWASP member, and an employee of Oracle.

About

Externalize Java application access to protected resources as log messages.
