Managed On-Chain Operations
Managed on-chain operations is the standing 24/7 watch for a live on-chain product: monitoring, incident response, and key and upgrade operations, run on top of your detection tools. It is the team that answers the alert a detection tool can only raise.
When an institution puts a product on a public chain, it becomes live money, and live money runs 24/7: oracles deviate, dependencies get exploited, keys need rotating, and upgrades can go wrong at any hour. Detection tools will send the alert. The question they cannot answer is who acts on it, with what authority, in what order.
Managed on-chain operations is the service that answers it: 24/7 monitoring, incident response, and key and upgrade operations for live on-chain financial products, run by senior web3 engineers with AI-scaled triage, so the product is never unattended. On-chain monitoring alone is a timestamp for the post-mortem, the operation is the part that acts.
Protofire runs that operation. We are an engineering-led firm with 250+ projects shipped since 2016, and we already operate production on-chain infrastructure under uptime SLAs: nodes, validators, RPC endpoints, and block explorers we run for chains and protocols. This is the MSSP model applied to on-chain finance, the same managed-operations line item institutions already buy for their cloud and their security, for a new asset class, and we run on top of detection tools rather than replacing them.
The managed on-chain operations stack
We run on top of your detection tools and turn signal into a rehearsed response, so a live product is watched, defended, and maintained around the clock.
Detection integration
Monitoring
Incident response
Lifecycle operations
Authority matrix
AI-scaled triage
Custody & keys
What we watch and operate
Live on-chain products fail in specific, chain-native ways, and each one needs a watch and a runbook. We monitor smart contracts for anomalous state, pauses, and unexpected calls; oracles and price feeds for deviation and staleness, the single most common trigger behind a cascade; dependencies and integrations, because an exploit two protocols away can drain a product that is itself sound; treasury and key operations; and liquidity, collateral, and liquidation health for lending and stablecoin systems, where a slow drift ends in a fast failure.
We run this on top of your detection tools, not instead of them. Benefits: 24/7 watch across contracts, oracles, dependencies, keys, and liquidation health · runs on top of your existing detection tools · chain-native coverage a generalist NOC does not have.
Detection raises the alert; response acts on it. When something is wrong, we triage in minutes, contain it, execute the multisig fix, and escalate along a pre-agreed authority matrix, rehearsed rather than improvised. The failure mode is not missing the alert, it is the alert landing in a channel nobody owns at three in the morning, and that is the seam we fill, with the runbook, the authority, and the chain-specific judgment already in place before the incident. Benefits: triaged in minutes, acted on per runbook · rehearsed playbooks and a clear authority matrix · senior escalation, not improvisation.
Between incidents, a live product needs the routine that keeps it healthy: key ceremonies, upgrade execution, dependency tracking, and parameter changes, each rehearsed and documented rather than done ad hoc by a single person. This is the standing maintenance that stops a routine change from becoming the next incident, run as a managed service so it does not compete with your product roadmap. Benefits: ceremonied, witnessed key and upgrade operations · no single-person operational risk · maintenance that does not compete with your roadmap.
There is a healthy market of on-chain detection and risk tools, and a live product should use them. Hypernative and Hexagate detect threats; Gauntlet and Chaos Labs model risk parameters; OpenZeppelin Defender automates admin actions. What none of them do is act on the alert, with authority, a runbook, and chain-specific judgment, in minutes, at any hour.
We operate on top of those tools the way an MSSP runs on top of a SIEM, and a generalist cloud MSSP covers servers, not oracle deviations or liquidation cascades. Concretely, AI-scaled triage means we layer alert-classification over your detection tools' output, auto-suppressing noise and grouping related signals, so a senior engineer reviews a ranked incident rather than a flood of alerts, and owns any irreversible action within a defined SLA.
Detection is software you buy; response is an operation you staff, and staffing a 24/7 web3 rotation from the scarcest talent pool in the industry is what institutions ask us to run instead. Benefits: keep your detection tool, we operate on top of it · web3-native, not a generalist MSSP · the response operation you would otherwise have to staff.
What is managed on-chain operations?
Managed on-chain operations is a service that keeps a live on-chain financial product safe and running in production, so the institution does not have to build and staff a 24/7 web3 operations team itself. It has three parts. Monitoring watches the product's contracts, oracles, treasury, dependencies, and keys around the clock, on top of detection tools rather than instead of them.
Incident response is the operation that acts when something is wrong: triage in minutes, containment, multisig execution, and escalation along a pre-agreed authority matrix, not improvised by whoever happens to be awake. Lifecycle operations cover the routine that keeps a product healthy between incidents: key ceremonies, upgrade operations, dependency tracking, and parameter changes, each rehearsed and documented.
It is the difference between having a tool that raises an alert and having an operation that answers it, which is what counterparties and regulators actually ask about.
Managed operations versus reactive incident response
There are two different things a live protocol needs, and we offer both as distinct services. Protocol rescue is the emergency call: a protocol is already under active exploit, and a team scrambles to contain it, execute a multisig fix, and coordinate recovery. Managed on-chain operations is the standing watch that comes before and after: continuous monitoring so an issue is caught early, a rehearsed response so containment is not improvised, and the lifecycle operations that keep the product healthy between incidents.
Rescue is reactive and one-off, priced to a crisis. Managed operations is ongoing and preventative, and it is why protocols with active monitoring and response demonstrably lose less per incident than audit-only setups. Many institutions start with a rescue and keep us on as the standing operation, because the honest lesson of every post-mortem is that the incident was infrequent but existential, and the watch is cheaper than the loss.
What Protofire does and does not do
We monitor, respond, and maintain. The client owns the product, the funds, and the regulatory perimeter. Every engagement runs on a pre-agreed authority matrix: a defined set of actions we may take autonomously to contain an incident, and a defined set of escalations that are always the client's call.
Nothing irreversible happens without the authority the client granted in advance. We are not a custodian, not an auditor, and not an insurer: we do not hold client or customer funds, key custody stays with the client behind Safe multisig, and our job is response, not a point-in-time review or a payout.
AI handles triage volume so signal is not lost, and a senior human owns every irreversible action. We do not claim incidents become impossible, that is not a promise anyone can keep. We claim they get answered, in minutes, by a team that has the runbook and the authority to act.
How an engagement works
Assess
Onboard
Operate
Evolve
What we cover
An engineering-led team that operates live on-chain infrastructure
Protofire is an engineering-led blockchain development firm with 250+ projects shipped since 2016, across 60+ networks and 95+ protocols, and we do not just build on-chain systems, we operate them. We run production node and validator infrastructure under uptime SLAs, including Filecoin infrastructure at 99.95% uptime, plus RPC endpoints and Blockscout explorers we keep live for chains and protocols.
We are a Safe Guardian with deployments across 120+ EVM networks securing $2B+ in assets, the custody-governance layer incident response runs through, and a core contributor to Chainlink, the oracle layer whose deviation is the most common incident trigger. We maintain Solhint, the Solidity linter used by 1M+ developers, so we know what breaks in production because we harden against it. Operating live on-chain infrastructure 24/7 is work we already do, not a new line of business.
“Detection tools send the alert; we are the operation that acts on it, in minutes, with the runbook and the authority to respond, so live money is never unattended at 3am.”
We build and operate production node and RPC infrastructure for Filecoin under uptime SLAs, the same monitoring, response, and lifecycle-operations discipline managed on-chain operations applies to a live financial product.
A 24/7 in-house web3 rotation vs managed operations with Protofire
| In-house 24/7 rotation | Managed operations with Protofire | |
|---|---|---|
| Coverage | Business hours plus best effort | 24/7/365 watch |
| Alert handling | Lands in a Slack channel | Triaged in minutes, acted on per runbook |
| Incident response | Improvised by whoever is awake | Rehearsed: playbooks, authority matrix, senior escalation |
| Key and upgrade ops | Ad-hoc, single-person risk | Ceremonied, witnessed, documented |
| Team required | 6+ senior web3 hires for a real rotation | A retainer, insource later if scale justifies it |
| Readiness | "We have a tool" | "We have an operation," what counterparties ask |
FAQ
What is on-chain monitoring?
Who acts when something goes wrong at 3am?
Do you replace detection tools like Hypernative or Hexagate?
Do you hold client funds or keys?
Should we build a 24/7 on-chain operations team in-house or use a managed service?
What does managed on-chain operations cover?
Reviewed by Luis Medeiros, Field CTO at Protofire. Last reviewed: July 2026.


