Only 2-5% of application security alerts require immediate action

The large volume of security alerts, many created by automated tools, is overwhelming security and development teams, according to the 2025 Application Security Benchmark report by Ox Security.

The report is based on an analysis of over 101 million application security findings collected from 178 organizations over 90 days (Q4 2024), indicating that only 2-5% of security alerts require immediate action, yet organizations continue to waste valuable resources on the remaining 95% of non-critical issues.

On average, organizations deal with 569,354 security alerts, but this number can be reduced to 11,836 through context-based prioritization. Critical issues are a mere 202.

Application security vulnerabilities have skyrocketed in recent years

The number of application security vulnerabilities reported has gone way up in recent years. The public Database CVE detail identified 6,494 vulnerabilities in 2015, as opposed to 40,291 in 2024 — bringing the total number of known vulnerabilities to around 200,000. This trend shows no sign of slowing. The Forum of Incident Response and Security Teams (FIRST) predicts that 41,000 to 50,000 new weaknesses will appear in 2025.

The volume of security findings and the inability to prioritize issues have created a concerning pattern in AppSec: vulnerabilities go unaddressed in the early stages of development — when fixes are simpler and less costly.

This growth of vulnerabilities, combined with the pressure to deploy software quickly, has strained security teams. While many commercial security tools excel at detecting issues, they often produce an over whelming number of alerts, resulting in alert fatigue.

Security and development teams get worn down by chasing after issues that aren’t really that important and sifting through tons of alerts. This can mean that they’re more likely to miss actual threats, which puts the organization at a higher risk. So, organizations need smart ways to filter out the noise and focus their limited security resources on the small number of issues that are real, exploitable risks to important business assets.

Also, security scanners often have a hard time telling the difference between actual security vulnerabilities and just plain old poor coding practices.

Financial institutions face higher security alert volumes

The 95% problem highlight the importance of contextual analysis and evidence-based prioritization. By considering factors beyond the initial vulnerability assessment, organizations can effectively filter out non-critical alerts and focus on those that pose a genuine threat.

While it’s true that most alerts can be deprioritized, it’s crucial to be able to pinpoint the 2-5% that need immediate attention. About 1.71% of all issues (around 36,000) were identified as Known & Exploited Vulnerabilities (KEV). The KEV catalog, which is maintained by CISA, lists vulnerabilities that we know have been exploited and are currently being used in attacks.

These are no longer theoretical vulnerabilities; they have already been exploited and can be exploited again, making them a high risk. Therefore, we would expect that critical vulnerabilities listed in the catalog would be treated with higher priority than those not identified in the KEV.

Financial institutions experience distinctively higher alert volumes – up to 55% more. Their proximity to monetary transactions and sensitive data makes them high-value targets.

If less than 95% of application security fixes are critical, organizations end up wasting huge amounts of time and resources on triage, programming, and cybersecurity efforts.This waste also includes payments for bug bounty programs, where white hat hackers get paid to find vulnerabilities, and the costs of fixing vulnerabilities that weren’t caught early and made it into production.

The bottom line is that the future of application security isn’t about trying to fix every single possible vulnerability. It’s about being smart and focusing on the issues that pose actual risks.