IT Brief India - Technology news for CIOs & IT decision-makers
India
Guides
#
artificial intelligence
#
digital transformation
#
disaster recovery
#
hybrid & remote work
#
internet of things
Search
Story image
#
SaaS
#
DevOps
#
Application Security

Azul enhances Java security detection, cutting false positives by 99%

Yesterday
Author image
By Catherine Knowles, Journalist

Azul has announced a new enhancement to its Azul Intelligence Cloud service, designed to increase the accuracy of Java application security vulnerability detection.

The company's latest improvement centres on the Azul Vulnerability Detection capability, which now utilises class-level production runtime data to detect vulnerabilities within Java applications. This approach contrasts with traditional Application Security (AppSec) or Application Performance Management (APM) tools, which typically flag vulnerabilities by matching component file names or Software Bill of Materials (SBOM) details. Such conventional methods have been criticised for generating high numbers of false positives, leading to inefficiencies in enterprise DevOps operations.

By focusing solely on code paths actually used in production, Azul claims its solution can reduce false positives by a factor of 100 to 1,000 compared to existing tools. This precision allows DevOps teams to prioritise genuine risks and streamline remediation processes.

Precision over volume

According to data from Azul's 2025 State of Java Survey & Report, 33% of organisations report that over half of their DevOps teams' time is currently spent addressing false positives from Java-related Common Vulnerabilities and Exposures (CVEs). Traditional tools frequently flag CVEs in third-party Java components automatically, regardless of whether the vulnerable part is active in the production environment. This approach can overburden teams with irrelevant alerts, hampering their ability to prioritise and undermining productivity.

Java applications commonly include numerous JAR (Java ARchive) files, with each file containing a range of classes. As a result, a vulnerable component may be present within an application, but the associated risky code may not be executed, meaning there is no actual security threat in practical terms. The new class-level detection feature addresses this specific challenge by identifying only those vulnerabilities that relate directly to code used in production.

Detection method and capability

Azul Intelligence Cloud's Vulnerability Detection leverages a curated knowledge base that maps CVEs to classes used at runtime. This matching capability enables a targeted approach to prioritising and remediating vulnerabilities. As an illustration, the press release referenced CVE-2024-1597: a critical vulnerability found in specific versions of the pgjdbc PostgreSQL Java Database Connectivity (JDBC) driver. The vulnerability can enable SQL injection attacks, but only in uncommon, non-default configurations. Traditional tools notify users of the presence of the component regardless of actual risk, potentially leading to unnecessary remediation work. By contrast, Azul's solution identifies precisely when one or more of the eleven vulnerable classes within the component are active in production, addressing only those instances.

"The improved Vulnerability Detection features strengthen the proposition of Azul's Intelligence Cloud analytics SaaS offering as a way to increase DevOps productivity and recover developer capacity by reducing the need for full-time employee time spent wasted on security false positives and inefficient triage," said William Fellows, Research Director at 451 Research, part of S&P Global Market Intelligence.

Additional benefits

The updated solution provides continuous, real-time detection of Java vulnerabilities as they arise in production environments. This functionality is especially relevant during high-pressure incidents such as Log4j, since it allows teams to triage and prioritise issues quickly, minimising disruption and enabling focus on higher-value tasks.

Azul states that its tool supports both real-time and historical analysis, retaining code-use history to help determine whether any vulnerable code was executed before a vulnerability became publicly known. The company's vulnerability team employs artificial intelligence to rapidly identify new Java-specific CVEs from sources such as the National Vulnerabilities Database, updating the knowledge base accordingly.

Support for production monitoring extends across Oracle JDK and any OpenJDK-based Java Virtual Machines (JVMs), including widely used distributions from Amazon, Eclipse Temurin, Microsoft, Red Hat and others. Azul notes that the approach uses existing Java runtime data within the JVM, ensuring that there is no impact on application performance.

"Our mission is to help enterprises focus their security efforts on what matters — real risk, not noise," said Scott Sellers, Co-founder and CEO of Azul. "By eliminating up to 99% of false positives and pinpointing vulnerabilities in Java applications with 100x – 1000x greater accuracy than traditional tools, Azul Intelligence Cloud enables capacity recovery across DevOps and security teams. As a result, teams can dramatically reduce noise, prioritise real risk and accelerate remediation — all with zero impact to performance and without slowing innovation."
Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X
Related stories
Azul boosts Java security with improved runtime vulnerability detection
SEON expands real-time AML suite with AI-driven risk platform
Opus 2 leads AI litigation management in major law firms survey
Liftoff unveils AppRefinery for app insights & market trends
Sun World partners with Semarchy to streamline global data management
Top stories
AU10TIX unveils AnyDoc AI tool to combat document fraud risk
Silverpush unveils AI tool for brand safety on TikTok ads
PPDS & Shure form global alliance to offer unified AV solutions
Aiden Technologies now available in Azure Marketplace via MACC
Cloudera urges telcos to invest in AI or risk falling behind
OSZAR »