How Azul Identifies Java Security Vulnerabilities with 1,000 Times Greater Accuracy
Traditional vulnerability scanners generate large numbers of false positives because they cannot tell whether a vulnerable class is ever used. Azul monitors class activity in the production environment in real time, detecting only the vulnerabilities whose code actually runs, cutting false positives by up to 99% and saving remediation time. 2025-6-10 13:2:0 Author: securityboulevard.com (view original)

Many vulnerability detection scanning tools flag an entire component – a JAR, for instance – as vulnerable if it contains a single vulnerable class file, even if that vulnerable class is never used. These scanners typically have visibility only at the component JAR level, and this lack of precision causes them to produce a high level of false positives. Azul Vulnerability Detection identifies and prioritizes known Java security vulnerabilities in Java applications with up to 1,000 times greater accuracy.

“One bad apple spoils the bunch.” Many vulnerability detection scanning tools still seem to follow this 13th-century idiom. When a scanner sees one vulnerable class file among hundreds of class files that aren’t vulnerable in a JAR file, it may generate an alert that the entire JAR is vulnerable even if that one vulnerable class is never used in production. This blanket approach causes scanners to produce a high volume of false positives, which overwhelm DevOps teams and impact productivity.  

In Azul’s State of Java 2025 Survey & Report, 33% of participants say more than half their DevOps teams’ time is wasted addressing false positives from Java-related CVEs (Common Vulnerabilities and Exposures).


CHART: 33% of survey participants say more than half of their DevOps teams’ time is wasted addressing false positives from Java-related CVEs.

Traditional scanning tools typically have visibility only at the JAR level in CI/CD and test environments, or they get run against a production snapshot. By comparison, Azul Vulnerability Detection, a feature of Azul Intelligence Cloud, operates at the class level in production, identifying and prioritizing known security vulnerabilities in Java applications with 100-1,000 times greater accuracy. 

Let’s explore how Azul Vulnerability Detection works differently from other tools. 

Eliminate up to 99% of vulnerability false positives 

A JAR file that contains hundreds of classes may have only three or four classes that contain vulnerable code. Traditional scanners identify the entire JAR as vulnerable, even if the three or four vulnerable classes never actually run in production, leading to a false positive that repeats every time an application with the vulnerable JAR file runs. Is it better to have repeated false positives than to eat a bad apple? Without a doubt. But with Azul Intelligence Cloud, this is a false dilemma. 

DIAGRAM: Traditional scanners produce false positives even when Java security vulnerabilities don’t pose a real threat. Azul Platform Prime alerts only when vulnerable code runs in production.


Azul Vulnerability Detection identifies the vulnerability if and only if at least one vulnerable class is being run in production. In a recent study of several large enterprises, only 47% of the vulnerabilities their scanner identified were actually being loaded by the JVM. Azul Vulnerability Detection saved them 57% of their remediation time and effort. When you give engineers that much time back, they can more easily prevent that bad apple from getting into your customers’ lunch. 

CHART: In a recent study of several large enterprises, only 47% of the Java security vulnerabilities their scanner identified were actually being loaded by the JVM; Azul Vulnerability Detection saved them 57% of their remediation time and effort.

Use real-time and historical analysis, accelerated by AI 

Azul Intelligence Cloud retains a usage history for both components and code. Your DevOps teams can use this information to determine whether vulnerable code was running, and therefore exposed, before it was identified as vulnerable. Azul continuously detects known vulnerabilities and precisely catalogs code in production so your DevOps teams can focus their scarce resources. Azul uses AI to quickly identify Java-specific CVEs from the NVD (National Vulnerability Database) and update the Azul Vulnerability Detection Knowledge Base with newly published vulnerabilities.
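The two ideas in the sections above, alerting only when a vulnerable class is actually loaded rather than when its JAR is merely present, and keeping a load history so you can tell whether the class ran before the advisory was published, can be illustrated with the JVM's own class-loading log. The script below is an added example and is not Azul's code or a description of how Azul Vulnerability Detection is implemented: it parses `-Xlog:class+load` output (JDK 9 and later, written with the `time,uptime,level,tags` decorators) and compares it against a list of advisories. The log lines, the JAR and class names, and the `CVE-EXAMPLE-*` identifiers are all constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample of `-Xlog:class+load` output (decorators: time,uptime,level,tags).
# Not a real JVM run; names and paths are made up for this example.
SAMPLE_LOG = """\
[2025-05-01T08:00:00.034+0000][0.034s][info][class,load] java.lang.Object source: jrt:/java.base
[2025-05-01T08:00:01.210+0000][1.210s][info][class,load] com.example.lib.Parser source: file:/app/lib/example-lib-1.2.3.jar
[2025-05-01T08:00:01.215+0000][1.215s][info][class,load] com.example.lib.Formatter source: file:/app/lib/example-lib-1.2.3.jar
[2025-05-01T08:00:02.000+0000][2.000s][info][class,load] org.sample.net.Client source: file:/app/lib/sample-net-0.9.jar
[2025-05-01T08:00:02.005+0000][2.005s][info][class,load] org.sample.net.LegacyDecoder source: file:/app/lib/sample-net-0.9.jar
"""

# Constructed advisories: the affected JAR, the classes that actually carry the flaw,
# and the publication date. The CVE ids are placeholders, not real entries.
ADVISORIES = [
    {"id": "CVE-EXAMPLE-0001", "jar": "example-lib-1.2.3.jar",
     "classes": {"com.example.lib.UnsafeDeserializer"},
     "published": datetime(2025, 5, 15, tzinfo=timezone.utc)},
    {"id": "CVE-EXAMPLE-0002", "jar": "sample-net-0.9.jar",
     "classes": {"org.sample.net.LegacyDecoder"},
     "published": datetime(2025, 5, 20, tzinfo=timezone.utc)},
    {"id": "CVE-EXAMPLE-0003", "jar": "other-util-2.0.jar",
     "classes": {"org.other.util.Loader"},
     "published": datetime(2025, 5, 25, tzinfo=timezone.utc)},
]

LINE_RE = re.compile(
    r"^\[(?P<time>[^\]]+)\]\[[^\]]+\]\[info\]\[class,load\] "
    r"(?P<cls>\S+) source: (?P<src>\S+)$"
)


@dataclass(frozen=True)
class LoadEvent:
    when: datetime
    cls: str
    jar: Optional[str]  # None for JDK modules (jrt:/) or directory classpaths


def parse_class_load_log(text: str) -> list:
    """Turn unified-logging class+load lines into LoadEvent records."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other log tags or truncated lines are skipped
        src = m.group("src")
        jar = src.rsplit("/", 1)[-1] if src.endswith(".jar") else None
        when = datetime.strptime(m.group("time"), "%Y-%m-%dT%H:%M:%S.%f%z")
        events.append(LoadEvent(when, m.group("cls"), jar))
    return events


def triage(events, advisories) -> dict:
    """Class-level verdict per advisory.

    A JAR-level scanner would alert on every advisory whose JAR is on the
    classpath. Here the verdict is 'jar-loaded-class-unused' when classes from
    the JAR ran but none of the vulnerable ones did (the false-positive case),
    'vulnerable-class-loaded' when a vulnerable class actually ran, and
    'jar-not-loaded' when nothing from that JAR was ever loaded.
    """
    results = {}
    for adv in advisories:
        from_jar = [e for e in events if e.jar == adv["jar"]]
        hits = [e for e in from_jar if e.cls in adv["classes"]]
        if not from_jar:
            verdict = "jar-not-loaded"
        elif not hits:
            verdict = "jar-loaded-class-unused"
        else:
            verdict = "vulnerable-class-loaded"
        results[adv["id"]] = verdict
    return results


def exposure_window(events, adv):
    """Historical check: when did a vulnerable class first load, and was that
    before the advisory was published? Returns None if it never loaded."""
    hits = sorted(e.when for e in events if e.cls in adv["classes"])
    if not hits:
        return None
    return hits[0], hits[0] < adv["published"]


if __name__ == "__main__":
    evs = parse_class_load_log(SAMPLE_LOG)
    for adv_id, verdict in triage(evs, ADVISORIES).items():
        print(f"{adv_id}: {verdict}")
    for adv in ADVISORIES:
        win = exposure_window(evs, adv)
        if win:
            first, before = win
            print(f"{adv['id']}: first load {first.isoformat()}, "
                  f"ran before disclosure: {before}")
```

Run against a real application's log, only the `vulnerable-class-loaded` verdicts need urgent attention; the `jar-loaded-class-unused` ones are exactly the alerts a JAR-level scanner would raise and a class-level view suppresses. The `exposure_window` result is what turns a load history into an answer to "were we exposed before the CVE was published", which is the question the historical analysis above is meant to support.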

Intelligence Cloud provides continuous detection so DevOps teams can efficiently triage critical vulnerabilities in production when five-alarm fires like Log4Shell happen. Azul minimizes disruption and saves DevOps teams time so they can focus on other productive tasks. More focused DevOps teams, fewer bad apples, more accurate vulnerability detection. 

Conclusion 

False positives not only detract from DevOps productivity; they also contribute to cybersecurity burnout. When teams are plagued by security fatigue, they inevitably start ignoring alerts, which can lead to shipping compromised applications to customers or deploying exploitable code to production. 

The benefits of Azul Vulnerability Detection are real, both in terms of minimizing cybersecurity burnout and maximizing DevOps productivity. In a 2025 Censuswide survey, application developers said they spend 41% of their time maintaining and retiring code, scanning or remediating vulnerabilities, and attending meetings. All this extraneous activity leaves just 27% of their time for writing or improving code. 

In a recent study of several large enterprises, Azul Code Inventory showed that developers spend more than 50% of their time maintaining existing code. By de-prioritizing CVEs from unused components, staff reduced urgent remediation efforts by about 57%, saving engineering time equal to six full-time employees. Contact us today to see how your organization can start saving with Azul Vulnerability Detection.


The post How Azul Identifies Java Security Vulnerabilities with 1,000 Times Greater Accuracy appeared first on Azul | Better Java Performance, Superior Java Support.

*** This is a Security Bloggers Network syndicated blog from Security Blog Posts - Azul authored by Azul. Read the original post at: https://www.azul.com/blog/how-azul-identifies-java-security-vulnerabilities-with-1000-times-greater-accuracy/


Source: https://securityboulevard.com/2025/06/how-azul-identifies-java-security-vulnerabilities-with-1000-times-greater-accuracy/?utm_source=rss&utm_medium=rss&utm_campaign=how-azul-identifies-java-security-vulnerabilities-with-1000-times-greater-accuracy