Azul Introduces 100 – 1000x More Accurate In-Production Java Vulnerability Detection i3e6k
India, June 11, 2025: Azul, the only company 100% focused on Java, today announced an enhancement to Azul Intelligence Cloud, a breakthrough capability in Azul Vulnerability Detection that brings unprecedented precision to detection of Java application security vulnerabilities. Unlike traditional AppSec or APM tools that flag vulnerabilities by matching component file names or SBOM information — often leading to an overwhelming number of security false positives — Azul Vulnerability Detection uses class-level production runtime data to detect vulnerabilities. This enables organizations to focus only on the code paths that are actually used, delivering 100x to 1,000x reduction in false positives compared to other tools, empowering DevOps teams to prioritize and remediate real risks faster, improve security posture and dramatically boost developer productivity. 2o6l4o
DevOps Teams Need Precision, Not Noise, in Java Vulnerability Detection
Enterprises are drowning in Java security noise. According to Azul’s 2025 State of Java Survey & Report, 33% of organizations say that more than half of their DevOps teams’ time is wasted chasing false positives from Java-related Common Vulnerabilities and Exposures (CVEs) alerts. Traditional AppSec tools flag CVEs in third-party Java components bundled in an application — regardless of whether the vulnerable component is used in production or simply present. This broad-brush approach overwhelms teams with irrelevant alerts, cripples prioritization and drains productivity. Java components like Log4j comprise JAR (Java ARchive) files, and each JAR file typically contains many classes. This means it’s entirely possible for a flagged component to be present or even used by the application but the code from a vulnerable class is never invoked — meaning the application isn’t truly at risk. To recover DevOps capacity and increase productivity, Java teams need a solution that can accurately detect vulnerable code used in production, down to the class level, to prioritize components for security patching based on real risk and eliminate the time chasing false positives.
Azul Intelligence Cloud Pinpoints Only the Java Code That’s Actually at Risk, Eliminating up to 99% of False Positives
Azul Intelligence Cloud is a cloud analytics solution that provides actionable intelligence from production Java runtime data to dramatically boost developer productivity. Its Vulnerability Detection capability identifies and prioritizes known security vulnerabilities in Java applications in production with 100-1000x greater accuracy than traditional AppSec or APM tools. It uses a curated knowledge base mapping CVEs to classes used at runtime to pinpoint vulnerable components for prioritization and remediation, eliminating up to 99% of false positives and dramatically boosting DevOps productivity. As an example, a recent ‘Critical’ severity vulnerability, CVE-2024-1597, in specific 42.x versions of the pgjdbc PostgreSQL Java Database Connectivity (JDBC) driver allows attackers to perform a SQL injection attack. This CVE scores 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS) and applies in the relatively uncommon case when the driver is used in a specific non-default mode. Traditional AppSec tools issue a security alert when the component is present even if it’s unused or used in the (safe) default mode, resulting in false positive alerts and precious developer hours being spent remediating code unnecessarily. Vulnerability Detection is orders of magnitude more accurate because it detects at runtime if one or more of the 11 vulnerable classes associated with the CVE out of the 470 total classes in the component are actually used in production.
“The improved Vulnerability Detection features strengthen the proposition of Azul’s Intelligence Cloud analytics SaaS offering as a way to increase DevOps productivity and recover developer capacity by reducing the need for full-time employee time spent wasted on security false positives and inefficient triage,” said William Fellows, research director at 451 Research, part of S&P Global Market Intelligence.
Azul Vulnerability Detection delivers additional key benefits across an enterprise’s entire Java estate:
· Efficiently triages new vulnerabilities – delivers continuous, real-time detection of Java vulnerabilities in production, enabling DevOps teams to quickly triage and prioritize critical issues, especially during high-impact events like Log4j. This reduces time spent on false positives and minimizes disruption, allowing teams to stay focused on higher-value work.
· Real-time and historical analysis, accelerated by AI – retains component and code-use history, focusing forensic efforts to determine if vulnerable code was actually exploited prior to it being known as vulnerable. It continuously detects known vulnerabilities and precisely catalogs code in production to focus scarce human effort. Azul’s vulnerability team uses AI to quickly identify Java-specific CVEs from the NVD (National Vulnerabilities Database) and other sources and updates the Azul Vulnerability Detection Knowledge Base with newly published vulnerabilities.
· Production monitoring for Oracle JDK and any OpenJDK-based JVM – takes advantage of production runtime data from Oracle JDK and any OpenJDK-based JVM, independent of vendor or distribution – including Azul, Amazon, Temurin, Microsoft, Red Hat and more – to improve overall DevOps productivity.
· No performance impact in production – leverages Java runtime data that exists within a JVM when running the application, resulting in no performance impact, something not possible using any other tool.
“Our mission is to help enterprises focus their security efforts on what matters — real risk, not noise,” said Scott Sellers, co-founder and CEO of Azul. “By eliminating up to 99% of false positives and pinpointing vulnerabilities in Java applications with 100x – 1000x greater accuracy than traditional tools, Azul Intelligence Cloud enables capacity recovery across DevOps and security teams. As a result, teams can dramatically reduce noise, prioritize real risk and accelerate remediation — all with zero impact to performance and without slowing innovation.”
Be the first to comment 6f1x34