
For over a decade, the application security team has faced a brutal irony: the more sophisticated the detection tools became, the less useful their results were. With the surge in alerts from static analysis tools, scanners and CVE databases, the promise of better security has receded further. Instead, a new reality has taken hold, one defined by alert fatigue and overwhelmed teams.
According to OX Security's 2025 Application Security Benchmark Report, 95-98% of AppSec alerts require no action. In fact, they can harm an organization more than they support it.

Our research, spanning over 101 million security alerts across 178 organizations, highlights the fundamental inefficiencies in modern AppSec operations. Of the nearly 570,000 alerts per organization on average, only 202 represent genuine, critical issues.
That is a striking conclusion that is hard to ignore. Security teams are chasing shadows, wasting time, burning budgets, and straining relationships with developers over vulnerabilities that pose no real threat. The worst part is that security ends up hindering real innovation. As Chris Hughes puts it on Resilient Cyber, "We do this all while posing as a business enabler and actively struggling with our peers, slowing down development speeds, and ultimately hindering business outcomes."
How we got here: mountains of problems, zero context
In 2015, the application security challenge was simpler. That year, only 6,494 CVEs were published. Detection was king. Tools were measured by the number of problems they found, not by whether those problems mattered.
Fast forward to 2025. Applications have become cloud-native, development cycles have accelerated, and the attack surface has ballooned. Over 40,000 new CVEs were published in the past year alone, bringing the global total to over 200,000. Yet despite these major changes, many AppSec tools have not evolved. They doubled down on detection and flooded dashboards with unfiltered alerts that carry no context.

OX's benchmark confirms what practitioners have long suspected.
25% of reported issues have no known public exploit, 25% stem from unused or development-only dependencies, and 32% of cases are unlikely to be exploited.
This flood of irrelevant findings not only slows security down, but actively undermines it.
Most alerts can be ignored, but it is essential to accurately identify the 2-5% that need immediate attention. The report states that these rare alerts typically involve known exploited vulnerabilities (KEV), secrets management issues, and in some cases posture management issues.
The need for a holistic prioritization approach
To break this vicious spiral, organizations need to adopt a more sophisticated approach to application security based on evidence-driven prioritization. This means shifting from generic alert processing to a comprehensive model that follows code from the design stage through to runtime and weighs several factors:
Reachability: Is the vulnerable code actually used? Is it reachable?
Exploitability: Do the preconditions for exploitation exist in this environment?
Business impact: Would a breach here cause real damage?
Cloud-to-code mapping: Where in the SDLC does this issue originate?
Implementing such a framework allows organizations to effectively eliminate noise and focus their efforts on the small fraction of alerts that pose a real threat. This increases security effectiveness, frees up valuable resources, and enables more confident development practices.
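To make the four factors concrete, here is an added example of an evidence-driven triage rule set applied to a handful of constructed findings; it is illustrative code written for this article, not OX Security's product logic, and the Finding fields, thresholds and sample data are assumptions.

```python
# Added example: evidence-driven triage over the four factors the article
# lists (reachability, exploitability, business impact, cloud-to-code mapping).
# Sample findings are constructed; this is not OX Security's code.
from dataclasses import dataclass

@dataclass
class Finding:
    id: str
    kind: str               # "cve", "secret" or "posture"
    scope: str              # "prod", "dev-only" or "unused" dependency
    reachable: bool         # is the vulnerable code actually called?
    in_kev: bool            # on a known-exploited-vulnerabilities list?
    exploitable_here: bool  # do exploitation preconditions exist in this env?
    impact: str             # "high", "medium" or "low" business impact
    stage: str              # SDLC stage it maps back to: "build", "runtime", ...

def triage(f: Finding) -> tuple[bool, str]:
    """Decide whether one finding needs action and record the evidence used."""
    if f.kind in ("secret", "posture"):  # rare actionable classes the report names
        return True, f"{f.kind} issue"
    if f.in_kev:
        return True, "known exploited vulnerability"
    if f.scope != "prod":                # the dev-only / unused dependency bucket
        return False, f"{f.scope} dependency"
    if not f.reachable:
        return False, "vulnerable code not reachable"
    if not f.exploitable_here:           # the "unlikely to be exploited" bucket
        return False, "exploitation preconditions absent"
    if f.impact == "low":
        return False, "low business impact"
    return True, f"reachable, exploitable, {f.impact} impact at {f.stage}"

def prioritize(findings):
    """Split findings into (actionable, noise) lists of (id, reason) tuples."""
    actionable, noise = [], []
    for f in findings:
        act, why = triage(f)
        (actionable if act else noise).append((f.id, why))
    return actionable, noise

def noise_fraction(findings) -> float:
    """Share of findings the evidence says can be safely deprioritized."""
    _, noise = prioritize(findings)
    return len(noise) / len(findings) if findings else 0.0

SAMPLE = [  # constructed sample data
    Finding("F1", "cve", "dev-only", True, False, True, "high", "build"),
    Finding("F2", "cve", "prod", False, False, True, "high", "runtime"),
    Finding("F3", "cve", "prod", True, True, True, "medium", "runtime"),
    Finding("F4", "secret", "prod", True, False, True, "high", "build"),
    Finding("F5", "cve", "prod", True, False, False, "high", "runtime"),
    Finding("F6", "cve", "prod", True, False, True, "low", "runtime"),
    Finding("F7", "cve", "unused", True, False, True, "high", "build"),
]
```

Running prioritize(SAMPLE) leaves only the KEV hit and the exposed secret as actionable; every other finding carries a recorded reason for suppression, which is what makes the decision auditable.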
OX Security addresses this challenge with Code Projection, an evidence-based security technology that maps cloud and runtime elements back to their code origins, enabling contextual understanding and dynamic risk prioritization.
Real-world impact
The data tells a powerful story. With evidence-based prioritization, the staggering average of 569,354 alerts per organization can be reduced to 11,836, of which only 202 require immediate action.
Industry benchmarks reveal some important insights:
Consistent noise threshold: Baseline noise levels remain very similar across environments, whether enterprise or commercial, and regardless of industry.
Enterprise security complexity: Enterprise environments face a far greater challenge due to a wider tool ecosystem, a larger application footprint, a higher volume of security events, more frequent incidents, and increased overall risk exposure.
Financial sector vulnerabilities: Financial institutions experience a markedly higher volume of alerts. Handling financial transactions and sensitive data makes them a valuable target. As the Verizon Data Breach Investigations Report shows, 95% of attackers are motivated by financial gain rather than espionage or other reasons. The proximity of financial institutions to financial assets creates direct profit opportunities for attackers.

The findings have broad implications. If more than 95% of application security findings do not matter to an organization, then every organization is wasting huge amounts of triage, engineering, and security time. This waste includes the cost of bug bounty payouts to white-hat hackers who find vulnerabilities to fix, and of complex remediation for vulnerabilities that were detected early yet still reached production. The most important cost, though, is the tension created within the organization between development and security teams when fixes are demanded for irrelevant vulnerabilities.
Detection is failing; prioritization is the path forward
With organizations facing a projected 50,000 new vulnerabilities in 2025 alone, the stakes for effective security triage are higher than ever. The old "detect everything and fix it later" model is not just outdated but dangerous.
OX Security's report makes a compelling case. The future of application security is not about addressing every possible vulnerability, but about intelligently identifying and focusing on the issues that pose real risk.