SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Azul unveils Java tool to cut false positives by up to 99%

Wed, 11th Jun 2025

Azul has unveiled a new class-level Java vulnerability detection capability within its Intelligence Cloud platform intended to improve the accuracy of identifying security threats in Java applications in production environments.

The latest enhancement utilises runtime data to identify only those code paths that are actually executed in production, rather than simply identifying the presence of potentially vulnerable components based on file names or software bill of materials (SBOM) information.

Traditional application security (AppSec) and application performance monitoring (APM) tools often generate a significant number of false positives, as they typically flag vulnerabilities if a component is present within an application regardless of whether the vulnerable portion of code is used. According to Azul, its new approach enables organisations to focus only on executable code paths, delivering a reported 100x to 1,000x reduction in false positives compared to other tools.

Reducing false positives

Azul referenced data from its own "2025 State of Java Survey & Report," which found that 33% of organisations say more than half of their DevOps teams' time is spent dealing with false positives from Java-related Common Vulnerabilities and Exposures (CVEs). This, the company states, not only overwhelms teams but also makes it difficult to prioritise genuine security issues and disrupts developer productivity.

Java components, such as Log4j, often comprise Java ARchive (JAR) files, each containing multiple classes. It is therefore possible for applications to include components where the vulnerable class exists but is never invoked, meaning the associated vulnerability is not an actual risk. Azul argues that prioritising detection down to the class level can help Java teams correctly identify components that need patching, thereby eliminating unnecessary remediation efforts.

Class-level analysis

The new Vulnerability Detection capability in Azul Intelligence Cloud reportedly maps CVEs to Java classes observed at runtime, allowing organisations to pinpoint which components are in use and which are vulnerable. By relying on production runtime data, Azul claims this feature eliminates up to 99% of false positives.

A cited example involves the 'Critical' severity vulnerability CVE-2024-1597, affecting certain versions of the pgjdbc PostgreSQL Java Database Connectivity (JDBC) driver. The vulnerability, which carries a CVSS score of 9.8 out of 10, only applies in specific non-default configurations. Traditional tools tend to flag the presence of the vulnerable component regardless of usage, potentially resulting in unnecessary security work. Azul states that its platform determines at runtime if any of the 11 vulnerable classes (among a total of 470 in the component) are actually used in production, enabling more precise prioritisation for remediation.
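The class-level triage idea described above, as an added sketch that is not Azul's implementation: it intersects the classes a JVM reports loading (via the standard `-Xlog:class+load` unified-logging output) with the classes an advisory marks as vulnerable. The log lines, component names, class names and advisory IDs are all constructed placeholders, and a loaded class is a coarser signal than an executed code path.

```python
import re

# Constructed sample of JVM class-load logging (java -Xlog:class+load=info).
SAMPLE_LOG = """\
[0.412s][info][class,load] com.example.dbdriver.Driver source: file:/app/lib/dbdriver-1.0.jar
[0.415s][info][class,load] com.example.dbdriver.core.QueryExecutor source: file:/app/lib/dbdriver-1.0.jar
[0.530s][info][class,load] com.example.logging.Logger source: file:/app/lib/logging-2.1.jar
[0.533s][info][class,load] com.example.logging.Logger$$Lambda/0x0000000800c01000 source: com.example.logging.Logger
"""

# Hypothetical knowledge base: advisory -> (component, classes carrying the flaw).
ADVISORIES = {
    "EXAMPLE-ADVISORY-1": ("dbdriver", {
        "com.example.dbdriver.core.QueryExecutor",
        "com.example.dbdriver.core.LegacyParser",
    }),
    "EXAMPLE-ADVISORY-2": ("logging", {
        "com.example.logging.net.RemoteLookup",
    }),
}

# Tolerates padded tag decorations such as "[class,load  ]".
LOAD_RE = re.compile(r"\[class,load\s*\]\s+(\S+)\s+source:\s+(.+)$")

def loaded_classes(log_text):
    """Return {class_name: source} for every class the JVM logged as loaded."""
    loaded = {}
    for line in log_text.splitlines():
        m = LOAD_RE.search(line)
        if m:
            # Hidden/lambda classes carry a "/0x..." suffix; drop it.
            loaded[m.group(1).split("/")[0]] = m.group(2).strip()
    return loaded

def triage(log_text, advisories):
    """Split advisories into 'loaded' (prioritise) and 'present-only'."""
    loaded = loaded_classes(log_text)
    report = {}
    for advisory, (component, vulnerable) in advisories.items():
        hits = sorted(loaded.keys() & vulnerable)
        report[advisory] = {
            "component": component,
            "status": "loaded" if hits else "present-only",
            "classes": hits,
        }
    return report

if __name__ == "__main__":
    for advisory, result in triage(SAMPLE_LOG, ADVISORIES).items():
        print(advisory, result)
```

Both components would be flagged by a presence-based scan; only the first has a vulnerable class that was actually loaded in the sampled run.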

"The improved Vulnerability Detection features strengthen the proposition of Azul's Intelligence Cloud analytics SaaS offering as a way to increase DevOps productivity and recover developer capacity by reducing the need for full-time employee time spent wasted on security false positives and inefficient triage," said William Fellows, Research Director at 451 Research, part of S&P Global Market Intelligence.

Additional capabilities

Azul states that its Intelligence Cloud platform provides several key benefits for enterprise Java security management. These include the ability to efficiently triage new vulnerabilities in real time, enabling DevOps teams to focus on the most pressing issues during high-impact events. The platform offers both real-time and historical vulnerability analysis, with forensic capabilities to determine whether vulnerable code was executed before the associated threat was identified.

The underlying knowledge base that supports Azul Vulnerability Detection is updated with newly published vulnerabilities using AI-based processes, and it operates across all OpenJDK-based Java Virtual Machines (JVMs), including those provided by vendors such as Oracle, Amazon, Microsoft, Red Hat, and others. Azul notes that its approach has no measurable impact on application performance as it leverages runtime data already generated by the JVM.

Azul also highlights that the system is designed to help teams recover capacity lost to unnecessary security triage, by illuminating only those vulnerabilities present in live production environments.

"Our mission is to help enterprises focus their security efforts on what matters, real risk, not noise," said Scott Sellers, Co-Founder and Chief Executive Officer of Azul.
"By eliminating up to 99% of false positives and pinpointing vulnerabilities in Java applications with 100x – 1000x greater accuracy than traditional tools, Azul Intelligence Cloud enables capacity recovery across DevOps and security teams. As a result, teams can dramatically reduce noise, prioritise real risk and accelerate remediation, all with zero impact to performance and without slowing innovation."