For over a decade, application security teams have faced a brutal irony: the more advanced the detection tools became, the less useful their results proved to be. As alerts from static analysis tools, scanners, and CVE databases surged, the promise of better security grew more distant. In its place, a new reality took hold—one defined by alert fatigue and overwhelmed teams.
According to OX Security’s 2025 Application Security Benchmark Report, a staggering 95–98% of AppSec alerts do not require action – and may, in fact, be harming organizations more than helping.
Our research, spanning over 101 million security findings across 178 organizations, shines a spotlight on a fundamental inefficiency in modern AppSec operations. Of nearly 570,000 average alerts per organization, just 202 represented true, critical issues.
It’s a startling conclusion that’s hard to ignore: security teams are chasing shadows, wasting time, burning through budgets, and straining relations with developers over vulnerabilities that pose no real threat. The worst part of it – is that security gets in the way of actual innovation. As Chris Hughes puts it in Resilient Cyber: “We do all this while masquerading as business enablers, actively burying our peers in toil, delaying development velocity, and ultimately impeding business outcomes.
How We Got Here: Mountains of Issues, Zero Context
Back in 2015, the application security challenge was simpler. That year, just 6,494 CVEs were publicly disclosed. Detection was king. Tools were measured by how many issues they found – not whether they mattered.
Fast forward to 2025: Applications went cloud-native, development cycles accelerated, and attack surfaces ballooned. In just the past year, over 40,000 new CVEs were published, bringing the global total to over 200,000. Yet, despite these major changes, many AppSec tools have failed to evolve: they’ve doubled down on detection, flooding dashboards with unfiltered, context-free alerts.
OX’s benchmark confirms what practitioners have long suspected:
32% of reported issues have a low probability of exploitation
25% have no known public exploit
25% stem from unused or development-only dependencies
This flood of irrelevant findings doesn’t just slow security down – it actively impairs it.
While most alerts can be disregarded, it is essential to accurately identify the 2-5% that require immediate attention. The report shows these rare alerts usually involve KEV issues, secrets management problems, and in some cases, posture management issues.
The Need for A Holistic Prioritization Approach
To combat this doom-spiral, organizations must adopt a more sophisticated approach to application security, based on evidence-driven prioritization. This requires a shift from generic alert handling to a comprehensive model that covers code from design stages to runtime, and includes multiple elements:
Reachability: Is the vulnerable code used, and is it reachable?
Exploitability: Are the conditions for exploitation present in this environment?
Business Impact: Would a breach here cause real damage?
Cloud-to-Code Mapping: Where in the SDLC did this issue originate?
By implementing such a framework, organizations can effectively filter out the noise and focus their efforts on the small percentage of alerts that pose a genuine threat. This improves security effectiveness, frees up valuable resources, and enables more confident development practices.
OX Security is addressing this challenge with Code Projection, an evidence-based security technology that maps cloud and runtime elements back to code origin, enabling contextual understanding and dynamic risk prioritization.
Real-World Impact
The data tells a powerful story: By using evidence-based prioritization, the alarming average of 569,354 total alerts per organization can be reduced to 11,836, of which only 202 require immediate action.
Industry benchmarks reveal several key insights:
Consistent Noise Thresholds: Baseline noise levels remain remarkably similar across different environments, whether enterprise or commercial, regardless of industry.
Enterprise Security Complexity: Enterprise environments face significantly greater challenges due to their broader tool ecosystem, larger application footprint, higher volume of security events, more frequent incidents, and elevated overall risk exposure.
Financial Sector Vulnerability: Financial institutions experience distinctively higher alert volumes. Their processing of financial transactions and sensitive data makes them high-value targets. As the Verizon Data Breach Investigations Report indicates, 95% of attackers are motivated primarily by financial gain rather than espionage or other reasons. Financial institutions’ proximity to monetary assets creates direct profit opportunities for attackers.
The findings have far-reaching implications. If less than 95% of application security fixes are critical to the organization, then all organizations invest enormous resources in triage, programming, and cybersecurity hours in vain. This waste extends to payments for bug-bounty programs, where white-hat hackers find vulnerabilities to fix, as well as the costs of complicated fixes for vulnerabilities that were not discovered early and reached production. The final significant cost is the tension created within organizations between development teams and security teams, who demand fixes for vulnerabilities that aren’t relevant.
Detection failed, Prioritization is the Way Forward
As organizations face a projected 50,000 new vulnerabilities in 2025 alone, the stakes for effective security triage have never been higher. The old model of “detect everything, fix later” is not just outdated – it’s dangerous.
OX Security’s Report makes a compelling case: The future of application security lies not in addressing every possible vulnerability but in intelligently identifying and focusing on the issues that pose real risk.
