Azul Introduces 100–1000x More Accurate In-Production Java Vulnerability Detection
Azul Intelligence Cloud Detects Known Vulnerabilities Down to the Class-Level, Eliminating Up to 99% of False Positives and Boosting DevOps Capacity and Productivity
Azul, the only company 100% focused on Java, has announced an enhancement to Azul Intelligence Cloud, a breakthrough capability in Azul Vulnerability Detection that brings unprecedented precision to detection of Java application security vulnerabilities.
Unlike traditional AppSec or APM tools that flag vulnerabilities by matching component file names or SBOM information—often leading to an overwhelming number of security false positives—Azul Vulnerability Detection uses class-level production runtime data to detect vulnerabilities. This enables organisations to focus only on the code paths that are actually used, delivering 100x to 1,000x reduction in false positives compared to other tools, empowering DevOps teams to prioritise and remediate real risks faster, improve security posture and dramatically boost developer productivity.
DevOps Teams Need Precision, Not Noise, in Java Vulnerability Detection
Enterprises are drowning in Java security noise. According to Azul’s 2025 State of Java Survey & Report, 33% of organisations say that more than half of their DevOps teams’ time is wasted chasing false positives from Java-related Common Vulnerabilities and Exposures (CVEs) alerts. Traditional AppSec tools flag CVEs in third-party Java components bundled in an application—regardless of whether the vulnerable component is used in production or simply present. This broad-brush approach overwhelms teams with irrelevant alerts, cripples prioritisation and drains productivity.
Java components like Log4j comprise JAR (Java ARchive) files, and each JAR file typically contains many classes. This means it is entirely possible for a flagged component to be present or even used by the application but the code from a vulnerable class is never invoked—meaning the application is not truly at risk. To recover DevOps capacity and increase productivity, Java teams need a solution that can accurately detect vulnerable code used in production, down to the class level, to prioritise components for security patching based on real risk and eliminate the time chasing false positives.
Azul Intelligence Cloud Pinpoints Only the Java Code That Is Actually at Risk
Azul Intelligence Cloud is a cloud analytics solution that provides actionable intelligence from production Java runtime data to dramatically boost developer productivity. Its Vulnerability Detection capability identifies and prioritises known security vulnerabilities in Java applications in production with 100-1000x greater accuracy than traditional AppSec or APM tools. It uses a curated knowledge base mapping CVEs to classes used at runtime to pinpoint vulnerable components for prioritisation and remediation, eliminating up to 99% of false positives and dramatically boosting DevOps productivity.
As an example, a recent ‘Critical’ severity vulnerability, CVE-2024-1597, in specific 42.x versions of the pgjdbc PostgreSQL Java Database Connectivity (JDBC) driver allows attackers to perform a SQL injection attack. This CVE scores 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS) and applies in the relatively uncommon case when the driver is used in a specific non-default mode.
Traditional AppSec tools issue a security alert when the component is present even if it’s unused or used in the (safe) default mode, resulting in false positive alerts and precious developer hours being spent remediating code unnecessarily. Vulnerability Detection is orders of magnitude more accurate because it detects at runtime if one or more of the 11 vulnerable classes associated with the CVE out of the 470 total classes in the component are actually used in production.
“The improved Vulnerability Detection features strengthen the proposition of Azul’s Intelligence Cloud analytics SaaS offering as a way to increase DevOps productivity and recover developer capacity by reducing the need for full-time employee time spent wasted on security false positives and inefficient triage,” said William Fellows, research director at 451 Research, part of S&P Global Market Intelligence.
Bringing Compelling Business Benefits
Azul Vulnerability Detection delivers additional key benefits across an enterprise’s entire Java estate:
- Efficiently triages new vulnerabilities: delivers continuous, real-time detection of Java vulnerabilities in production, enabling DevOps teams to quickly triage and prioritise critical issues, especially during high-impact events like Log4j. This reduces time spent on false positives and minimises disruption, allowing teams to stay focused on higher-value work.
- Real-time and historical analysis, accelerated by AI: retains component and code-use history, focusing forensic efforts to determine if vulnerable code was actually exploited prior to it being known as vulnerable. It continuously detects known vulnerabilities and precisely catalogs code in production to focus scarce human effort. Azul’s vulnerability team uses AI to quickly identify Java-specific CVEs from the NVD (National Vulnerabilities Database) and other sources and updates the Azul Vulnerability Detection Knowledge Base with newly published vulnerabilities.
- Production monitoring for Oracle JDK and any OpenJDK-based JVM: Takes advantage of production runtime data from Oracle JDK and any OpenJDK-based JVM, independent of vendor or distribution—including Azul, Amazon, Temurin, Microsoft, Red Hat, and more—to improve overall DevOps productivity.
- No performance impact in production: Leverages Java runtime data that exists within a JVM when running the application, resulting in no performance impact, something not possible using any other tool.
“Our mission is to help enterprises focus their security efforts on what matters—real risk, not noise,” said Scott Sellers, Co-Founder and CEO of Azul. “By eliminating up to 99% of false positives and pinpointing vulnerabilities in Java applications with 100–1000x greater accuracy than traditional tools, Azul Intelligence Cloud enables capacity recovery across DevOps and security teams. As a result, teams can dramatically reduce noise, prioritise real risk and accelerate remediation—all with zero impact to performance and without slowing innovation.”
Check out these resources for more information:
