Skip to content

Managed On-Chain Operations

In short

Managed on-chain operations is the standing 24/7 watch for a live on-chain product: monitoring, incident response, and key and upgrade operations, run on top of your detection tools. It is the team that answers the alert a detection tool can only raise.

24/7
monitoring and incident response
99.95%
uptime operated, Filecoin infrastructure
$2B+
in assets secured through Safe across 120+ networks
250+
projects shipped since 2016
Trusted by teams building on-chain

When an institution puts a product on a public chain, it becomes live money, and live money runs 24/7: oracles deviate, dependencies get exploited, keys need rotating, and upgrades can go wrong at any hour. Detection tools will send the alert. The question they cannot answer is who acts on it, with what authority, in what order.

Managed on-chain operations is the service that answers it: 24/7 monitoring, incident response, and key and upgrade operations for live on-chain financial products, run by senior web3 engineers with AI-scaled triage, so the product is never unattended. On-chain monitoring alone is a timestamp for the post-mortem, the operation is the part that acts.

Protofire runs that operation. We are an engineering-led firm with 250+ projects shipped since 2016, and we already operate production on-chain infrastructure under uptime SLAs: nodes, validators, RPC endpoints, and block explorers we run for chains and protocols. This is the MSSP model applied to on-chain finance, the same managed-operations line item institutions already buy for their cloud and their security, for a new asset class, and we run on top of detection tools rather than replacing them.

The managed on-chain operations stack

We run on top of your detection tools and turn signal into a rehearsed response, so a live product is watched, defended, and maintained around the clock.

01

Detection integration

We operate on top of detection incumbents such as Hypernative and Hexagate, the way a managed security provider runs on top of a SIEM, turning their alerts into action.
02

Monitoring

A 24/7 watch of contracts, oracles, dependencies, treasury, keys, and liquidation and collateral health, the specific ways a live on-chain product fails.
03

Incident response

Triage in minutes, containment, and multisig execution, along a pre-agreed authority matrix, rehearsed rather than improvised by whoever is awake.
04

Lifecycle operations

Key ceremonies, upgrade execution, dependency tracking, and parameter changes, rehearsed and documented between incidents.
05

Authority matrix

Defined containment actions we may take autonomously and defined escalations that are always the client's call; nothing irreversible without authority granted in advance.
06

AI-scaled triage

AI handles alert volume so signal is not lost in noise, and a senior engineer owns every irreversible action.
07

Custody & keys

Treasury and keys stay with the client behind Safe multisig; we act within the authority matrix, we do not hold funds.
01

What we watch and operate

Live on-chain products fail in specific, chain-native ways, and each one needs a watch and a runbook. We monitor smart contracts for anomalous state, pauses, and unexpected calls; oracles and price feeds for deviation and staleness, the single most common trigger behind a cascade; dependencies and integrations, because an exploit two protocols away can drain a product that is itself sound; treasury and key operations; and liquidity, collateral, and liquidation health for lending and stablecoin systems, where a slow drift ends in a fast failure.

We run this on top of your detection tools, not instead of them. Benefits: 24/7 watch across contracts, oracles, dependencies, keys, and liquidation health · runs on top of your existing detection tools · chain-native coverage a generalist NOC does not have.

02

What is managed on-chain operations?

Managed on-chain operations is a service that keeps a live on-chain financial product safe and running in production, so the institution does not have to build and staff a 24/7 web3 operations team itself. It has three parts. Monitoring watches the product's contracts, oracles, treasury, dependencies, and keys around the clock, on top of detection tools rather than instead of them.

Incident response is the operation that acts when something is wrong: triage in minutes, containment, multisig execution, and escalation along a pre-agreed authority matrix, not improvised by whoever happens to be awake. Lifecycle operations cover the routine that keeps a product healthy between incidents: key ceremonies, upgrade operations, dependency tracking, and parameter changes, each rehearsed and documented.

It is the difference between having a tool that raises an alert and having an operation that answers it, which is what counterparties and regulators actually ask about.

03

Managed operations versus reactive incident response

There are two different things a live protocol needs, and we offer both as distinct services. Protocol rescue is the emergency call: a protocol is already under active exploit, and a team scrambles to contain it, execute a multisig fix, and coordinate recovery. Managed on-chain operations is the standing watch that comes before and after: continuous monitoring so an issue is caught early, a rehearsed response so containment is not improvised, and the lifecycle operations that keep the product healthy between incidents.

Rescue is reactive and one-off, priced to a crisis. Managed operations is ongoing and preventative, and it is why protocols with active monitoring and response demonstrably lose less per incident than audit-only setups. Many institutions start with a rescue and keep us on as the standing operation, because the honest lesson of every post-mortem is that the incident was infrequent but existential, and the watch is cheaper than the loss.

04

What Protofire does and does not do

We monitor, respond, and maintain. The client owns the product, the funds, and the regulatory perimeter. Every engagement runs on a pre-agreed authority matrix: a defined set of actions we may take autonomously to contain an incident, and a defined set of escalations that are always the client's call.

Nothing irreversible happens without the authority the client granted in advance. We are not a custodian, not an auditor, and not an insurer: we do not hold client or customer funds, key custody stays with the client behind Safe multisig, and our job is response, not a point-in-time review or a payout.

AI handles triage volume so signal is not lost, and a senior human owns every irreversible action. We do not claim incidents become impossible, that is not a promise anyone can keep. We claim they get answered, in minutes, by a team that has the runbook and the authority to act.

05

How an engagement works

1

Assess

We map the product's attack surface, dependencies, oracles, keys, and existing tooling, and agree the authority matrix with the client. Deliverable: a monitoring and response plan.
2

Onboard

We wire monitoring on top of your detection tools, write the runbooks, set up the Safe authority matrix, and rehearse the response paths. Deliverable: a live watch with tested runbooks.
3

Operate

24/7 monitoring, incident triage and response, and lifecycle operations, with AI-scaled triage and senior humans on every irreversible action. Deliverable: a product that is never unattended.
4

Evolve

Every incident and near-miss feeds the runbook library, and coverage grows as the product does. Deliverable: a response operation that gets better with every event. We confirm scope and coverage after a short discovery call, and we are explicit about what stays the client's call versus ours.
06

What we cover

24/7 monitoring on top of your detection tools
Incident triage and response in minutes
Multisig execution under an authority matrix
Key ceremonies and rotation
Upgrade execution and parameter changes
Oracle, dependency, and liquidation-health monitoring
Rehearsed runbooks and on-call rotation
Post-incident hardening and runbook growth
07

An engineering-led team that operates live on-chain infrastructure

Protofire is an engineering-led blockchain development firm with 250+ projects shipped since 2016, across 60+ networks and 95+ protocols, and we do not just build on-chain systems, we operate them. We run production node and validator infrastructure under uptime SLAs, including Filecoin infrastructure at 99.95% uptime, plus RPC endpoints and Blockscout explorers we keep live for chains and protocols.

We are a Safe Guardian with deployments across 120+ EVM networks securing $2B+ in assets, the custody-governance layer incident response runs through, and a core contributor to Chainlink, the oracle layer whose deviation is the most common incident trigger. We maintain Solhint, the Solidity linter used by 1M+ developers, so we know what breaks in production because we harden against it. Operating live on-chain infrastructure 24/7 is work we already do, not a new line of business.

Detection tools send the alert; we are the operation that acts on it, in minutes, with the runbook and the authority to respond, so live money is never unattended at 3am.

Live infrastructure we operate under SLA
99.95%average uptime operated on production Filecoin infrastructure

We build and operate production node and RPC infrastructure for Filecoin under uptime SLAs, the same monitoring, response, and lifecycle-operations discipline managed on-chain operations applies to a live financial product.

A 24/7 in-house web3 rotation vs managed operations with Protofire

In-house 24/7 rotationManaged operations with Protofire
CoverageBusiness hours plus best effort24/7/365 watch
Alert handlingLands in a Slack channelTriaged in minutes, acted on per runbook
Incident responseImprovised by whoever is awakeRehearsed: playbooks, authority matrix, senior escalation
Key and upgrade opsAd-hoc, single-person riskCeremonied, witnessed, documented
Team required6+ senior web3 hires for a real rotationA retainer, insource later if scale justifies it
Readiness"We have a tool""We have an operation," what counterparties ask

FAQ

What is on-chain monitoring?
On-chain monitoring is the continuous watching of a live blockchain product, its smart contracts, oracles, treasury, dependencies, and keys, for anomalies that signal an incident: an oracle deviation, an unexpected contract call, a dependency exploit, a compromised key, or a drift in collateral and liquidation health. Monitoring on its own raises an alert. Managed on-chain operations adds the part that acts on it: triage in minutes, containment, and response along a pre-agreed authority matrix, run 24/7 by senior web3 engineers on top of detection tools rather than instead of them. The value is not detecting the problem, it is answering it before it becomes a loss.
Who acts when something goes wrong at 3am?
That is exactly the gap managed on-chain operations closes. A public-chain product is live around the clock, but most teams are 9-to-5 and not web3-native, and the specialist hires to cover a 24/7 rotation cannot be found at market speed. We hold the watch: senior web3 engineers on call 24/7, with the runbooks, the rehearsed response paths, and a pre-agreed authority matrix that says exactly which actions we may take to contain an incident and which escalate to the client. AI handles triage volume so nothing is lost in noise, and a senior human owns every irreversible action.
Do you replace detection tools like Hypernative or Hexagate?
No, we operate on top of them. Detection tools are the sensor layer, and a live product should run one. What they cannot do is act on the alert, with authority, a runbook, and chain-specific judgment, in minutes. We turn their signal into a rehearsed response, the way a managed security provider runs on top of a SIEM. Keep your detection tool, we are the operation that responds to it.
Do you hold client funds or keys?
No. We are not a custodian, an auditor, or an insurer. The client owns the product, the funds, and the regulatory perimeter, and key custody stays with the client behind Safe multisig. We act only within a pre-agreed authority matrix: defined containment actions we may take autonomously, and defined escalations that are always the client's decision. Nothing irreversible happens without authority granted in advance.
Should we build a 24/7 on-chain operations team in-house or use a managed service?
It depends on scale. A real 24/7 rotation is six or more senior web3 engineers before vacation coverage, drawn from the scarcest talent pool in the industry, standing up runbooks and response paths from scratch before the first incident. A managed service is the same operation as a retainer, at a fraction of the cost of that rotation, with runbooks that already exist. The honest path for most institutions is to start with a managed operation and insource later if scale justifies it, because the runbooks transfer. We scope both openly.
What does managed on-chain operations cover?
Monitoring of contracts, oracles, treasury, dependencies, keys, and liquidation and collateral health; incident response with triage, containment, multisig execution, and escalation along an authority matrix; and lifecycle operations including key ceremonies, upgrade execution, and parameter changes. It runs 24/7, on top of your detection tools, with AI-scaled triage and a senior engineer owning every irreversible action. We do not claim incidents become impossible, we make sure they get answered.

Reviewed by Luis Medeiros, Field CTO at Protofire. Last reviewed: July 2026.

Book a call with Alejandro Losa

Schedule a call with our Web3 Solution Architect to receive practical recommendations and a prompt proposal for upgrading your solution.

Protofire 2026. All rights reserved

Message us on Telegram