by William Fellows

INTRODUCTION

Azul Systems now provides class-level detection, exposing vulnerabilities for Java code classes running in production rather than at the file level. Part of Azul Vulnerability Detection, this new enhancement is designed to enable customers to recover more of their engineering capacity by identifying whether vulnerable code (identified at a class level) is used at runtime.

THE TAKE

Azul’s addition of vulnerability detection at a class level to its Intelligence Cloud Vulnerability
Detection feature should increase customers’ DevOps productivity and ultimately impact their
bottom lines by recovering time that would otherwise be spent remediating common vulnerabilities
and exposures (CVEs) that are not exposed in production. This ultimately translates into fewer false
positives. Such a degree of forensic understanding is probably the last commercially pragmatic
development in this particular hierarchy — Azul has other opportunities to address in its Intelligence
Cloud suite as the universe of Java code continues to expand.

Portfolio

Lowering the Oracle Java licensing cost remains the foundation of Azul’s business. It says the OSS Azul
Platform Core offering is typically 70% less expensive than Oracle Java SE and remains the core revenue-generating component of its business.
Azul Platform Prime is a high-performance Java platform designed for optimizing cloud costs (reducing/
containing public, on-premises and hybrid cloud spending by over 20%) and improving application efficiency, resiliency and performance (improving throughput by up to 2x and code speed by 20%-50%), which it claims outperforms other OpenJDK distributions by an average of 37%.
The newest portfolio addition is the SaaS Azul Intelligence Cloud analytics offering, which is designed to save time and increase the productivity of DevOps teams — on any Java Virtual Machine — by surfacing actionable intelligence from production Java runtime data. It pinpoints what code is actually in use during production to detect high-priority vulnerabilities and identify unused code within Java Archive files. Its Code Inventory module helps identify unused and dead code by detailing which custom and third-party code is actually run. It provides continuous detection of known security vulnerabilities for Java applications in production, enabling DevOps teams to triage new vulnerabilities.

Class-level support in Azul Vulnerability Detection

Intelligence Cloud includes Azul Vulnerability Detection to eliminate false positives by identifying and
prioritizing known security vulnerabilities. Azul’s recent 2025 State of Java Report found that 33% of survey respondents said more than half of their DevOps teams’ time is spent on false positives from Java-related security vulnerabilities.
The company notes that when customers use OSS or Maven Java build automation tools, additional code and dependencies are dragged in for classes that are not used in production, making maintenance more difficult and increasing the risk of unexpected behavior or exposure to vulnerabilities. Traditional “shift left” tools scan all third-party Java components in an application for CVEs, which tends to flood DevOps teams with alerts, regardless of whether the vulnerable code is used in production. This makes prioritization intractable and reduces productivity. Azul Vulnerability Detection, by contrast, continuously detects CVEs, triages CVEs based on code that actually runs versus that which is only present, and runs in production with no performance penalty. It says that customers can expect that, while the number of vulnerabilities (and total component count generally) may remain the same before and after Azul Vulnerability Detection is deployed, the number of those CVEs actually used versus those only present will be dramatically reduced (and the amount of time wasted along with it). As a result, it says its Vulnerability Detection enables customers to recover engineering capacity and avoid 50% of the work spent on remediating vulnerability alerts.
Azul now provides class-level detection as an additional new feature in its Vulnerability Detection, which it says enables customers to recover orders of magnitude more of their engineering capacity by identifying not only whether a component is vulnerable and whether it is used in any capacity, but more specifically whether the actual vulnerable code down to the class level is used. Class levels identify the severity or impact of a vulnerability and are determined by a numerical 1 to 10 Common Vulnerability Scoring System. The data is surfaced as a new column in Azul Vulnerability Detection reports.
Azul says its knowledge base of security data and CVEs is more extensive than tools that look only at public data sources such as NIST for components with associated CVEs. Azul pulls down the data and hashes the classes to determine before-and-after deltas to identify vulnerable classes. This enables Azul Vulnerability Detection to remove more than just false positives based on component-level matching, and to ignore things that don’t matter. It now also uses AI to improve the real-time and historical analysis of CVEs.

IC Integrations, next developments

Azul also has a new integration partnership with automated code refactoring and analysis company Moderne, which it says will enable Java development teams to identify, remove and refactor unused and dead code. Specifically, it integrates Azul’s runtime visibility and Java expertise with Moderne’s automated, multi-repository rules-based code refactoring (it can automatically mark deprecated code in repositories).
While Java is somewhat behind the game when it comes to use for AI programming — where Python leads among languages — Azul expects Java will continue to be a leading language of choice for enterprise applications. It claims Java’s advantages include scalability, platform independence, security and performance. Ultimately, the use of AI co-pilots for code assist is taking away toil and helping developers create more Java code faster and retain the benefits of the JVM. Java is improving as a tool for building AI integrations with libraries such as lanchain4J, although this is less impactful to the future of Java than the benefits of AI co-pilots and code assist.

Business Model

Azul claims new customer bookings grew 63% year over year through March 2025, which it says reflects
increasing enterprise demand for high-performance Java platforms and more economic, commercially
supported Java as organizations seek to rein in cloud expenses and migrate away from Oracle Corp.’s pricing and licensing structures (Oracle takeouts are 50% of Azul’s business). It also points to continued product advancements, global expansion and channel expansion as growth drivers, although it does not provide revenue guidance. Azul, which landed a $340 million private equity infusion in 2020, believes about 25% of the Java market is “paid for” — its challenge is to capture a larger share of this spending.

Competition

In the vulnerability-detection space, Azul says it is not seeking to replace the likes of Snyk, Black Duck or
JFrog Ltd., and expects to work alongside them, providing greater depth to the breadth that these kinds of tools have. Azul both competes and cooperates with Oracle — some of its large cloud- and software-provider customers feel more comfortable dealing with an independent company than directly with Oracle. Many other distributions of OpenJDK are available, including versions from Alibaba Group Holding Ltd., Amazon.com Inc., BellSoft, IBM Corp., Red Hat, Microsoft Corp., SAP SE and Tencent Holdings Inc., many of them at no extra cost for users of the vendors’ programs/platforms.

SWOT Analysis

______________________________________________________________________________________________

Copyright © 2025 by S&P Global Market Intelligence, a division of S&P Global Inc. All rights reserved.