Many vulnerability detection scanning tools flag an entire component – a JAR, for instance – as vulnerable if it contains a single vulnerable class file, even if that vulnerable class is never used. These scanners typically have visibility only at the component JAR level, and this lack of precision causes them to produce a high level of false positives. Azul Vulnerability Detection identifies and prioritizes known Java security vulnerabilities in Java applications with up to 1,000 times greater accuracy.
“One bad apple spoils the bunch.” Many vulnerability detection scanning tools still seem to follow this 13th-century idiom. When a scanner sees one vulnerable class file among hundreds of class files that aren’t vulnerable in a JAR file, it may generate an alert that the entire JAR is vulnerable even if that one vulnerable class is never used in production. This blanket approach causes scanners to produce a high volume of false positives, which overwhelm DevOps teams and impact productivity.
In Azul’s State of Java 2025 Survey & Report, 33% of participants say more than half their DevOps teams’ time is wasted addressing false positives from Java-related CVEs (Common Vulnerabilities and Exposures).
Traditional scanning tools typically have visibility only at the JAR level in CI/CD and test environments, or they get run against a production snapshot. By comparison, Azul Vulnerability Detection, a feature of Azul Intelligence Cloud, operates at the class level in production, identifying and prioritizing known security vulnerabilities in Java applications with 100-1,000 times greater accuracy.
Let’s explore how Azul Vulnerability Detection works differently from other tools.
Eliminate up to 99% of false positives using class-level runtime data
A JAR file that contains hundreds of classes may have only three or four classes that contain vulnerable code. Traditional scanners identify the entire JAR as vulnerable, even if the three or four vulnerable classes never actually run in production, leading to a false positive that repeats every time an application with the vulnerable JAR file runs. Is it better to have repeated false positives than to eat a bad apple? Without a doubt. But with Azul Intelligence Cloud, this is a false dilemma.
Azul Vulnerability Detection identifies the vulnerability if and only if at least one vulnerable class is being run in production. In a recent study of several large enterprises, Vulnerability Detection saved them 57% of their remediation time and effort. When you give engineers that much time back, they can more easily prevent that bad apple from getting into your customers’ lunch.
Use real-time and historical analysis, accelerated by AI
Azul Intelligence Cloud retains a usage history for both components and code. Your DevOps teams can use this information to determine if vulnerable code was exploited prior to being identified as vulnerable. Azul continuously detects known vulnerabilities and precisely catalogs code in production so your DevOps teams can focus their scarce resources. Azul uses AI to quickly identify Java-specific CVEs from the NVD (National Vulnerabilities Database) and update the Azul Vulnerability Detection Knowledge Base with newly published vulnerabilities.
Intelligence Cloud provides continuous detection so DevOps teams can efficiently triage critical vulnerabilities in production when five-alarm fires like Log4Shell happen. Azul minimizes disruption and saves DevOps teams time so they can focus on other productive tasks. More focused DevOps teams, fewer bad apples, more accurate vulnerability detection.
Conclusion
False positives not only detract from DevOps productivity; they also contribute to cybersecurity burnout. When teams are plagued by security fatigue, they inevitably start ignoring alerts, which can lead to shipping compromised applications to customers or deploying exploitable code to production.
The benefits of Azul Vulnerability Detection are real, both in terms of minimizing cybersecurity burnout and maximizing DevOps productivity. In a 2025 Censuswide survey, application developers said they spend 41% of their time maintaining and retiring code, scanning or remediating vulnerabilities, and attending meetings. All this extraneous activity leaves just 27% of their time for writing or improving code.
In a recent study of several large enterprises, Azul Code Inventory showed that developers spend more than 50% of their time maintaining existing code. By de-prioritizing CVEs from unused components, staff reduced urgent remediation efforts by about 57%, saving engineering time equal to six full-time employees. Contact us today to see how your organization can start saving with Azul Vulnerability Detection.
