RASP is mostly built by instrumenting the application code. The premise is that application should do it’s own protection at run-time instead of relying on any other enforcement layer. RASP mostly addresses OWASP Top-10 vulnerabilities. It’s efficacy is not much different compared to WAF and due to resistance  of organizations to modify the code, RASP adoption is pretty limited.