Safeguard
Application Security

What is Noise Reduction in AppSec Tooling

Most AppSec scans return thousands of findings, but under 5% are ever reachable in production. Here's how noise reduction actually works.

James
Principal Security Architect
7 min read

A mid-size fintech security team running a standard SCA scan across 40 repositories will typically see 3,000-8,000 open findings on day one. Fewer than 5% of those findings sit in code paths that ever execute. The rest are dependencies that ship in a container image, get imported by a build tool, or sit in a test harness that never touches production traffic. Engineers still have to triage all of them, because a CVSS score of 9.8 looks the same whether the vulnerable function is called on every request or never called at all. This is alert noise: the gap between the volume of findings a scanner produces and the volume that represents actual exploitable risk. Noise reduction is the discipline — and increasingly the product category — built to close that gap, using techniques like reachability analysis, exploit-maturity data, and business-context weighting instead of raw severity scores alone.

What Counts as "Noise" in an AppSec Alert Feed?

Noise is any finding that is technically true but not actionable — a real CVE match with no practical path to exploitation in the deployed system. The National Vulnerability Database logged more than 40,000 new CVEs in 2024, a record year, and the average enterprise application now pulls in somewhere between 150 and 180 open-source dependencies according to Sonatype's annual State of the Software Supply Chain research. Each dependency upgrade or scan re-triggers matching against that growing CVE corpus. A finding is noise when at least one of three things is true: the vulnerable function is never called by the application, the vulnerable code path is unreachable behind a feature flag or dead branch, or the component only ships in a build-time or test dependency that never reaches a running service. None of that shows up in a CVSS base score, which describes the vulnerability in the abstract, not its context inside your specific codebase.

How Much Noise Are Security Teams Actually Dealing With?

Most teams are triaging thousands of alerts to find dozens of real ones. A 2022 Enterprise Strategy Group survey found that 55% of organizations receive more than 500,000 security alerts per day across their tooling stack, and separate Ponemon Institute research on SOC operations put the average security analyst's daily alert volume north of 10,000, with teams reporting they can manually investigate only a fraction of that number before burnout sets in. In AppSec specifically, a single Software Composition Analysis scan on a monorepo with 500+ transitive dependencies can return over 10,000 CVE matches after one dependency tree refresh. When Log4Shell (CVE-2021-44228) broke in December 2021, security teams everywhere had to individually verify whether their instance of the vulnerable JndiLookup class was ever invoked with attacker-controlled input — because the CVE matched practically every Java shop running Log4j 2.x, but only a fraction were actually exploitable in a given deployment.

Why Doesn't CVSS Severity Alone Solve This?

CVSS describes worst-case theoretical impact, not whether the vulnerability is reachable in your running code, so a 9.8-rated CVE and a 9.8-rated CVE can carry wildly different real-world urgency. CVSS was designed in 2005 (and revised through version 4.0 in 2023) to standardize how vulnerabilities are scored on paper — attack vector, complexity, privileges required, impact. It was never designed to answer "does my application call this function." That's why the Equifax breach in 2017 is still a canonical case study: the vulnerable Apache Struts component (CVE-2017-5638) had a patch available roughly two months before attackers exploited it, and the vulnerability was known and scored, but it sat in a queue of other "critical" findings competing for the same triage attention. Severity alone gave security teams no way to distinguish the one exploitable, internet-facing instance from everything else rated similarly. This is the core limitation noise-reduction tooling is built to address — severity tells you how bad a vulnerability could be, not how likely it is to matter in your specific deployment.

What Is Reachability Analysis, and Why Does It Matter for Noise Reduction?

Reachability analysis determines whether a vulnerable function inside a dependency is actually called by your application's code, and it is the single highest-leverage technique for cutting AppSec noise. It works by building a call graph from your application's entry points down through its dependency tree, then checking whether execution can ever reach the specific vulnerable function identified in a CVE advisory — not just whether the vulnerable package is present. Sonatype and Endor Labs have both published research suggesting that roughly 60-70% of vulnerable dependencies in a typical scan are not reachable from any code path the application actually executes. Applied consistently, reachability analysis is why teams using it report cutting SCA-driven ticket volume by more than half without changing what they consider a "critical" vulnerability — they're just correctly excluding the CVEs that were never exploitable in that codebase to begin with.

Does Reducing Alert Volume Increase the Risk of Missing a Real Threat?

No, done correctly noise reduction should decrease missed threats, because it redirects finite triage hours away from unreachable findings and toward the smaller set that's actually exploitable. The risk isn't in filtering — it's in filtering with incomplete data. A reachability engine that only analyzes first-party code and ignores transitive dependency chains, or one that doesn't account for dynamic dispatch and reflection (a known blind spot for Java and C# call-graph analysis), can produce false negatives by marking something "unreachable" when it's actually invoked through an indirect path. That's why credible noise-reduction approaches pair reachability with exploit-intelligence feeds — CISA's Known Exploited Vulnerabilities (KEV) catalog, EPSS exploit-prediction scores — so a finding that's technically unreachable today but has active exploitation in the wild still surfaces for review rather than getting silently suppressed.

What Does Good Noise Reduction Actually Look Like Day to Day?

In practice, good noise reduction means an engineer's ticket queue shows 20-40 findings instead of 4,000, each one tied to a specific reachable call path and a suggested fix, rather than a flat list sorted by CVSS score. It shows up as pull request comments scoped to the lines actually changed rather than a whole-repo re-scan dump, alert deduplication across SCA, container, and IaC scanners so the same underlying issue doesn't generate three separate tickets, and auto-closing findings when a dependency is upgraded past the fixed version rather than requiring manual verification. Teams that implement this well typically measure it by mean-time-to-triage dropping from days to under an hour for new criticals, and by the ratio of tickets closed as "won't fix — not reachable" dropping close to zero, because those findings never generate a ticket in the first place.

How Safeguard Helps

Safeguard's platform applies reachability analysis directly against your dependency graph and call paths, so findings are scoped to what's actually exploitable in your running code rather than every CVE match in a manifest file. Griffin, Safeguard's AI analysis engine, correlates that reachability data with exploit intelligence and your specific application context to prioritize the handful of findings that need human attention and to draft explanations engineers can act on immediately. Safeguard generates and ingests SBOMs automatically as part of every scan, giving reachability analysis an accurate, continuously updated map of what's actually shipping in your software rather than a stale snapshot. For the findings that do need remediation, Safeguard opens auto-fix pull requests with the minimum version bump required to resolve the vulnerability, so the fix path is as low-noise as the alert itself. The result is a triage queue sized for what your team can actually act on, not for every theoretical match a scanner can generate.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.