For over a decade, application security teams have faced a brutal irony: the more sophisticated the detection tools became, the less useful their results were. With the surge in alerts from static analysis tools, scanners and CVE databases, the promise of better security has receded even further. Instead, a new reality has taken hold, defined by alert fatigue and overwhelmed teams.
OX Security’s 2025 Application Security Benchmark Report shows that an astonishing 95-98% of AppSec alerts require no action, and that the flood of alerts may in fact be hurting organizations more than helping them.

Our research, spanning over 101 million security findings across 178 organizations, highlights fundamental inefficiencies in modern AppSec operations. Of the nearly 570,000 alerts an average organization receives, only 202 represent true, important issues.
That is a striking conclusion that is hard to ignore. Security teams are chasing shadows, wasting time, burning budgets, and straining relationships with developers over vulnerabilities that pose no real threat. The worst part is that security ends up hindering real innovation. As Chris Hughes puts it in Resilient Cyber: “We do all this while spoofing business enablers and actively struggling with our peers, slowing down development and ultimately hindering business outcomes.”
How we got here: mountains of problems, zero context
In 2015, the application security challenge was simpler. That year, only 6,494 CVEs were published. Detection was king, and tools were measured by the number of issues they found, not by whether those issues mattered.
Fast forward to 2025. Applications have become cloud-native, development cycles have accelerated, and the attack surface has ballooned. Over 40,000 new CVEs were published in the past year alone, bringing the global total to over 200,000. Yet despite these major changes, many AppSec tools have not evolved. They doubled down on detection and flooded dashboards with unfiltered alerts that carry no context.

OX’s benchmark confirms what practitioners have long suspected:
- 32% of reported issues are unlikely ever to be exploited
- 25% are not publicly accessible
- 25% stem from unused or development-only dependencies
This flood of irrelevant findings not only slows security down, but actively undermines it.
Most alerts can be ignored, but it is essential to accurately identify the 2-5% that need immediate attention. The report finds that these rare alerts typically involve KEV (Known Exploited Vulnerabilities) issues, secret-management issues, and in some cases posture-management issues.
The need for a holistic prioritization approach
To break this downward spiral, organizations need a more sophisticated approach to application security grounded in evidence-driven prioritization. This means moving from indiscriminate alert processing to a comprehensive model that follows code from the design stage through to runtime and weighs multiple factors:
- Reachability: Is the vulnerable code actually used? Is it reachable?
- Exploitability: Do the conditions for exploitation exist in this environment?
- Business impact: Would a breach here cause real damage?
- Cloud-to-code mapping: Where in the SDLC did this issue originate?
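As an added illustration (not OX Security's code or the Code Projection product), the following Python applies the four factors above, plus the KEV and secret-management escalation the report describes, to a constructed set of findings; all field names and sample data are assumptions.

```python
# Added example, not OX Security's code or the Code Projection product:
# applies the prioritization factors above to constructed findings and
# separates the noise from the few alerts that need action. Field names
# and sample data are assumptions for illustration.
from dataclasses import dataclass

@dataclass
class Finding:
    id: str
    kind: str                      # "cve", "secret", "posture", ...
    in_kev: bool = False           # in CISA's Known Exploited Vulnerabilities catalog
    reachable: bool = True         # is the vulnerable code actually invoked?
    exploitable_here: bool = True  # do the exploitation preconditions hold here?
    publicly_exposed: bool = True  # is the affected asset reachable from the internet?
    dev_only_dependency: bool = False  # unused or development-only dependency
    business_impact: int = 1       # 0 (none) .. 3 (critical), via cloud-to-code mapping

def triage(f: Finding) -> str:
    """Classify one finding as 'immediate', 'prioritized' or 'noise'."""
    # KEV and secret-management issues are the rare alerts that almost
    # always need action, so they are escalated before any noise filter.
    if f.in_kev or f.kind == "secret":
        return "immediate"
    # The noise categories the benchmark quantifies, plus reachability.
    if (f.dev_only_dependency or not f.publicly_exposed
            or not f.exploitable_here or not f.reachable):
        return "noise"
    # Reachable, exploitable and exposed: rank by business impact.
    return "prioritized" if f.business_impact >= 2 else "noise"

def summarize(findings):
    counts = {"immediate": 0, "prioritized": 0, "noise": 0}
    for f in findings:
        counts[triage(f)] += 1
    return counts

SAMPLE = [  # constructed inventory
    Finding("F1", "cve", in_kev=True),
    Finding("F2", "secret", publicly_exposed=False),  # leaked credential still matters
    Finding("F3", "cve", dev_only_dependency=True),
    Finding("F4", "cve", publicly_exposed=False),
    Finding("F5", "cve", exploitable_here=False),
    Finding("F6", "cve", reachable=False),
    Finding("F7", "cve", business_impact=3),
    Finding("F8", "cve", business_impact=0),
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On the sample inventory, six of eight findings drop out as noise and only the KEV issue, the leaked secret and the high-impact reachable CVE remain, mirroring the report's point that the actionable set is a small fraction of the total.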
Implementing such a framework lets organizations cut through the noise and focus their efforts on the small fraction of alerts that pose a real threat. This increases security effectiveness, frees up valuable resources, and enables more confident development practices.
OX Security addresses this challenge with Code Projection, an evidence-based security technology that maps cloud and runtime findings back to their code origins, enabling contextual understanding and dynamic risk prioritization.
https://www.youtube.com/watch?v=e2xrjqifdhs
Real-world impact
The data tells a powerful story: with evidence-based prioritization, an average of 569,354 total alerts per organization can be reduced to 11,836, of which only 202 require immediate action.
The industry benchmarks reveal several important insights:
- Consistent noise threshold: Baseline noise levels remain remarkably similar across environments, whether enterprise or commercial.
- The complexity of enterprise security: Enterprise environments face a far greater challenge due to a wider tool ecosystem, a larger application footprint, a higher number of security events, more frequent incidents, and greater overall risk exposure.
- Financial sector vulnerability: Financial institutions experience very high alert volumes. Handling financial transactions and sensitive data makes them a valuable target. As the Verizon Data Breach Investigations Report shows, 95% of attackers are motivated by financial gain rather than espionage or other reasons, and the proximity of financial institutions to financial assets creates direct profit opportunities for attackers.

The findings have broad implications. If more than 95% of application security findings are irrelevant to an organization, then every organization is wasting enormous resources in triage, engineering, and security time. This waste extends to payouts for bug bounty programs in which white-hat hackers find vulnerabilities to fix, and to costly remediation of vulnerabilities that were discovered early but still reached production. The final, critical cost is the friction created within the organization between development and security teams when fixes are demanded for vulnerabilities that do not matter.
Detection is failing; prioritization is the path forward
With 50,000 new vulnerabilities projected for 2025 alone, the stakes for effective security triage are higher than ever. The old model of “detect everything and fix it later” is not just outdated but dangerous.
The OX Security report makes a compelling case: the future of application security is not about addressing every possible vulnerability, but about intelligently identifying and focusing on the issues that pose real risk.