The Ultimate Guide to Reachability Analysis Which reachability is good for you: Enhancing Code, Library, and Container Security with ASPM

application-security-posture-management
reachability-analysis-vulnerability-management
code-reachability-analysis-ASPM
container-security-reachability-analysis
	exploitable-vulnerabilities-ASPM

In Application Security and, recently ASPM, Reachability analysis has become crucial too and a new way to reduce the load of vulnerabilities in vulnerability management. Recent articles from James Berthoty have highlighted why this matters https://pulse.latio.tech/p/reachability-matters-13, but also the confusion around the various types of recheability analysis techniques. This article aims to explain the various types of reachability analysis and how they can interact with each other 

As organizations build complex applications that rely on open-source libraries and containerized environments, traditional security approaches often produce overwhelming amounts of alerts—many of which do not pose real risk. Reachability analysis offers a refined approach by prioritizing vulnerabilities that are actively exploitable, helping security teams focus on what truly matters.

We will also focus on how to use contextual deduplication and contextual Cyber threat intelligence to prioritize and turn off the vulnerabilities that are not meant to be. 

This guide dives deep into reachability analysis, covering its application in code reachability analysis, container reachability analysis, and how Phoenix Security is leading the way in Application Security Posture Management (ASPM). You’ll learn how this technique, combined with contextual risk formulas and deduplication, enhances vulnerability management for modern software ecosystems.

What is Reachability Analysis in the context of ASPM?

Reachability analysis is a process used to determine whether a vulnerability in code, libraries, or containers is actually exploitable in a given environment. By analyzing if vulnerable code paths are reachable during runtime or in application execution, this method helps teams focus on vulnerabilities that pose actual risk, filtering out irrelevant issues and reducing noise.

The analysis comes in various forms, each of which is crucial for comprehensive vulnerability management:

Code Reachability Analysis: Determines whether vulnerabilities in a codebase can be triggered during execution.

Library Reachability Analysis: Identifies if vulnerable components within third-party libraries are actively being used in the application runtime.

Container Reachability Analysis: Assesses whether containerized applications utilize vulnerable packages during runtime.

application security,
ASPM,
reachability analysis  
Vulnerability Management application-security-posture-management
reachability-analysis-vulnerability-management
code-reachability-analysis-ASPM
container-security-reachability-analysis
exploitable-vulnerabilities-ASPM

Are you interested in a more reachable ASPM analysis? Check out the talk :

Code Reachability Analysis: Prioritizing Critical Code Vulnerabilities and how Contextual ASPM helps

In modern software development, code reachability analysis has become essential for securing the software development lifecycle (SDLC). Traditional scanning tools such as static application security testing (SAST) may generate numerous alerts, many of which are not exploitable. This is where code reachability analysis adds value by assessing whether the vulnerable code paths are ever executed during runtime.

For example, a critical vulnerability may exist within a third-party package, but if the application never calls the vulnerable function, the risk is minimal. Code reachability analysis filters out these cases, reducing false positives and helping developers focus on the vulnerabilities that matter. This makes it easier for security teams to prioritize and address risks based on actual usage in the application, improving vulnerability management processes.

The following slide comes from one of the recent talk given at OWASP global application security in San Francisco (slides available here)

application security,
ASPM,
Vulnerability Management application-security-posture-management
reachability-analysis-vulnerability-management
code-reachability-analysis-ASPM
container-security-reachability-analysis
exploitable-vulnerabilities-ASPM
What is Reachability analysis, how ASPM works, a talk by Francesco Cipollone @ OWASP Global Application Security SF 2024

Container Reachability Analysis: Securing Containerized Environments

As organizations adopt containerized environments with platforms like Docker and Kubernetes, container reachability analysis has emerged as a key component of modern security practices. Containers bundle application code with all dependencies, including operating system components and libraries, which can introduce vulnerabilities.

Traditional scanning tools might detect these vulnerabilities, but without understanding, if the application actually uses the vulnerable component, security teams can waste time chasing irrelevant risks. Container reachability analysis helps determine whether vulnerable packages within the container are executed at runtime, refining the focus of vulnerability management.

For example, a container may include a vulnerable Linux package, but if that package is never executed, the risk is much lower. This analysis filters out vulnerabilities that do not pose a real threat, allowing teams to focus on those that are actively being utilized by the running containerized application.

Get a demo with your data, test Reachability Analysis and ASPM

Phoenix Security’s Advanced Reachability Analysis for ASPM

Phoenix Security has revolutionized Application Security Posture Management (ASPM) by introducing advanced reachability analysis capabilities. Phoenix enhances traditional vulnerability scanning by introducing static and runtime reachability analysis and powerful contextual deduplication to provide precise vulnerability prioritization.

application security,
ASPM, Runtime Recheability

Static and Runtime Reachability Analysis

Phoenix Security employs two levels of reachability analysis:

1. Static Reachability Analysis: This scans the codebase for loaded vulnerable libraries, even if they are not actively in use. It gives security teams an overview of potential risks in the code and allows them to assess whether vulnerabilities may become exploitable.

2. Runtime Reachability Analysis: This assessment of the running application environment focuses on vulnerabilities that are actively being executed. This type of reachability analysis is especially useful for container reachability analysis, as it helps determine whether containerized applications are using vulnerable components during runtime.

By combining static and runtime analysis, Phoenix Security ensures that security teams have a complete view of their threat landscape, enabling smarter, more focused remediation efforts.

Contextual Deduplication: Reducing Vulnerability Noise

One of the biggest challenges in vulnerability management is dealing with duplicate vulnerability alerts that often arise across different environments. Phoenix Security’s contextual deduplication feature removes duplicated vulnerabilities by considering the context across the entire SDLC, including codebases, containers, and cloud environments.

For instance, a vulnerability in both the codebase and container might be reported twice in traditional tools. Phoenix Security consolidates these duplicate alerts into a single, actionable vulnerability, reducing noise and enabling teams to focus on real threats.

By leveraging contextual deduplication, Phoenix Security helps reduce vulnerability noise by up to 95%, allowing security teams to focus on real-world exploitable risks that need immediate attention.

Prioritization and Risk Management with Reachability Analysis

Vulnerability Managment, Prioritization

Phoenix Security’s reachability analysis significantly enhances vulnerability management by prioritizing risks based on their potential exploitation. Traditional methods often rely on broad CVSS scores or EPSS (Exploit Prediction Scoring System) to gauge risk, but these methods do not account for whether the vulnerability is actively used in your environment.

Reachability analysis adds critical context by asking, “Is this vulnerability reachable or in use in my application?” By focusing on real-world exploitation potential, Phoenix ensures that vulnerabilities are prioritized based on actual usage rather than theoretical exposure.

Phoenix Security’s 4D Contextual Risk Formula

Phoenix utilizes a simple structure of probability of exploitation, base severity, and impact analysis

Vulnerability Managment, Prioritization

Phoenix Security’s 4D contextual risk formula goes beyond traditional vulnerability scoring by considering multiple factors:

  1. Vulnerability Severity: How critical is the vulnerability
  2. Dynamic Reachability: Is the vulnerability actively exploitable in the application environment, is the vulnerability weaponized and automatically utilized in the wild to launch large-scale attacks 
  3. Threat Intelligence: Are there active exploits for this vulnerability in the wild, is there evidence of exploitation
  4. Contextual Data: What is the context of the application’s environment, how external are the assets where the application is deployed, and how impactful are the aggregated application
Reachability Analysis, Contextual Risk Based, RBVM

Contextual Reachability AI: Phoenix adopts contextual reachability analysis to reduce the number of vulnerabilities and transfer the contextual risk when a library is used in production. 

Business Impact and Damage calculation: How much damage can an organization suffer if the vulnerabilities are exploited? 

By correlating these four dimensions, Phoenix Security offers a more nuanced risk score, allowing for smarter, more targeted vulnerability management.

Those prioritization concepts are also explained in the book: https://phoenix.security/whitepapers-resources/ebook-aspm-programs-appsec/ 

Reachability Analysis, Contextual Risk Based, RBVM

Phoenix Security Reachability and EPSS: A Powerful Combination

Phoenix Security integrates EPSS with reachability analysis to provide a comprehensive approach to risk-based prioritization. While EPSS offers a global view of the likelihood of a vulnerability being exploited, reachability analysis adds local context by determining whether the vulnerability is actually in use in your application.

This dual approach ensures that security teams can prioritize vulnerabilities based on global trends and specific environmental risks. It helps teams focus on the most critical issues, enabling more effective remediation and faster security risk reduction.

Reachability Analysis, Contextual Risk Based, RBVM , Vulnerability Managment

Conclusion: The Future of Vulnerability Management with Reachability Analysis

In an era where security teams are overwhelmed by vulnerability alerts, reachability analysis offers a smarter, more focused approach to vulnerability management. Whether you’re dealing with vulnerabilities in code, libraries, or containerized environments, reachability analysis helps to filter out the noise and prioritize the vulnerabilities that truly matter.

Phoenix Security’s advanced Application Security Posture Management (ASPM) platform, with its integrated reachability analysis, contextual deduplication, and 4D risk formula, sets a new standard for vulnerability management. By combining these innovations, Phoenix empowers security teams to manage risk more effectively, focus on exploitable vulnerabilities, and reduce overall security noise by up to 95%.

With Phoenix Security, you’re not just finding vulnerabilities—you’re finding the ones that matter.

For more information on how Phoenix Security’s reachability analysis can enhance your security posture, visit our website or contact us today.

Get on top of your code and container vulnerabilities with Phoenix Security Actionable ASPM powered by AI-based Reachability Analysis

attack graph phoenix security
ASPM

Organizations often face an overwhelming volume of security alerts, including false positives and duplicate vulnerabilities, which can distract from real threats. Traditional tools may overwhelm engineers with lengthy, misaligned lists that fail to reflect business objectives or the risk tolerance of product owners.

Phoenix Security offers a transformative solution through its Actionable Application Security Posture Management (ASPM), powered by AI-based Contextual Quantitative analysis. This innovative approach correlates runtime data with code analysis to deliver a single, prioritized list of vulnerabilities. This list is tailored to the specific needs of engineering teams and aligns with executive goals, reducing noise and focusing efforts on the most critical issues.

Why do people talk about Phoenix?

Automated Triage: Phoenix streamlines the triage process using a customizable 4D risk formula, ensuring critical vulnerabilities are addressed promptly by the right teams.

• Contextual Deduplication with reachability analysis: Utilizing canary token-based traceability for network reachability and static and dynamic runtime reachability, Phoenix accurately deduplicates and tracks vulnerabilities within application code and deployment environments, allowing teams to concentrate on genuine threats.

Actionable Threat Intelligence: Phoenix provides real-time insights into vulnerabilities’ exploitability, combining runtime threat intelligence with application security data for precise risk mitigation.

ASPm, CISA KEV, Remote Code Execution, Inforamtion Leak, Category, Impact, MITRE&ATTACK, AI Assessment, Phoenix CISA KEV, Threat intelligence

By leveraging Phoenix Security, you not only unravel the potential threats but also take a significant stride in vulnerability management, ensuring your application security remains up to date and focuses on the key vulnerabilities.

Get a demo with your data, test Reachability Analysis and ASPM

Francesco is an internationally renowned public speaker, with multiple interviews in high-profile publications (eg. Forbes), and an author of numerous books and articles, who utilises his platform to evangelize the importance of Cloud security and cutting-edge technologies on a global scale.

Discuss this blog with our community on Slack

Join our AppSec Phoenix community on Slack to discuss this blog and other news with our professional security team

From our Blog

Are never-ending critical alerts leaving you scrambling? Explore how reachability analysis identifies vulnerabilities that truly matter, saving your teams from needless patch frenzies. This session, hosted by the OWASP NYC Chapter, uncovers the latest insights in ASPM, remediation techniques, and application security best practices. Attendees learn how to streamline vulnerability management through practical examples, advanced risk scoring, and live demonstrations of container-based architectures. Expect lively discussions, real-world success stories, and expert tips on targeting only the exploitable weaknesses—rather than chasing every single alert in your backlog.
Francesco Cipollone
The cybersecurity landscape is evolving rapidly, demanding a threat-centric, risk-based approach to vulnerability management. With the U.S. favoring voluntary guidelines and Europe enforcing stricter regulations, organizations must navigate compliance while focusing on real exploitability over CVE volume. This blog delves into ASPM, cloud security, and regulatory intelligence, exploring how businesses can move beyond the traditional patch-and-pray model to address root cause vulnerabilities before they become critical risks.
Francesco Cipollone
Enhance your vulnerability management with Application Security Posture Management (ASPM) and reachability analysis. Discover how ASPM helps prioritize exploitable vulnerabilities, reduce security noise, and improve risk management. Learn about advanced techniques like code and container reachability, contextual deduplication, and Phoenix Security’s cutting-edge solutions for smarter, more effective application security.
Francesco Cipollone
The 2024 CWE Top 25 is out, and it’s no casual stroll through the vulnerability garden—especially when ransomware operators are busy planting path traversal exploits, while bug bounty hunters dig up endless injection flaws. In this blog, we examine the biggest risers, the most surprising dips, and the divergence between real-world exploit data and official CWE rankings. We’ll also reveal how AI-driven ASPM (Application Security Posture Management) and Phoenix Security’s contextual risk-based approach unite to help you focus on your most pressing threats. After all, not all flaws are created equal—some are simply more mischievous than others.
Francesco Cipollone
The 2024 CWE Top 25 list highlights the most dangerous software weaknesses. This article explores the methodology behind the list and how AI is improving threat detection. Discover how Application Security Posture Management (ASPM) and unified vulnerability management can help organizations address these critical threats.
Francesco Cipollone
Phoenix Security kicks off 2025 with recognition from Gartner Digital Markets through GetApp, solidifying its position as a leader in Application Security Posture Management (ASPM). Recognised for best customer success and support in ASPM, Phoenix Security empowers organisations with comprehensive, contextual vulnerability management and actionable cybersecurity solutions. With a user-friendly interface, robust real-time monitoring, and seamless risk prioritisation, the platform reduces alert fatigue while delivering precise remediation. As a cloud security leader, Phoenix Security continues to innovate, partnering with enterprises like LastPass and ClearBank to tackle the modern cybersecurity landscape head-on.
Francesco Cipollone
Derek

Derek Fisher

Head of product security at a global fintech

Derek Fisher – Head of product security at a global fintech. Speaker, instructor, and author in application security.

Derek is an award winning author of a children’s book series in cybersecurity as well as the author of “The Application Security Handbook.” He is a university instructor at Temple University where he teaches software development security to undergraduate and graduate students. He is a speaker on topics in the cybersecurity space and has led teams, large and small, at organizations in the healthcare and financial industries. He has built and matured information security teams as well as implemented organizational information security strategies to reduce the organizations risk.

Derek got his start in the hardware engineering space where he learned about designing circuits and building assemblies for commercial and military applications. He later pursued a computer science degree in order to advance a career in software development. This is where Derek was introduced to cybersecurity and soon caught the bug. He found a mentor to help him grow in cybersecurity and then pursued a graduate degree in the subject.

Since then Derek has worked in the product security space as an architect and leader. He has led teams to deliver more secure software in organizations from multiple industries. His focus has been to raise the security awareness of the engineering organization while maintaining a practice of secure code development, delivery, and operations.

In his role, Jeevan handles a range of tasks, from architecting security solutions to collaborating with Engineering Leadership to address security vulnerabilities at scale and embed security into the fabric of the organization.

Jeevan Singh

Jeevan Singh

Founder of Manicode Security

Jeevan Singh is the Director of Security Engineering at Rippling, with a background spanning various Engineering and Security leadership roles over the course of his career. He’s dedicated to the integration of security practices into software development, working to create a security-aware culture within organizations and imparting security best practices to the team.
In his role, Jeevan handles a range of tasks, from architecting security solutions to collaborating with Engineering Leadership to address security vulnerabilities at scale and embed security into the fabric of the organization.

James

James Berthoty

Founder of Latio Tech

James Berthoty has over ten years of experience across product and security domains. He founded Latio Tech to help companies find the right security tools for their needs without vendor bias.

christophe

Christophe Parisel

Senior Cloud Security Architect

Senior Cloud Security Architect

Chris

Chris Romeo

Co-Founder
Security Journey

Chris Romeo is a leading voice and thinker in application security, threat modeling, and security champions and the CEO of Devici and General Partner at Kerr Ventures. Chris hosts the award-winning “Application Security Podcast,” “The Security Table,” and “The Threat Modeling Podcast” and is a highly rated industry speaker and trainer, featured at the RSA Conference, the AppSec Village @ DefCon, OWASP Global AppSec, ISC2 Security Congress, InfoSec World and All Day DevOps. Chris founded Security Journey, a security education company, leading to an exit in 2022. Chris was the Chief Security Advocate at Cisco, spreading security knowledge through education and champion programs. Chris has twenty-six years of security experience, holding positions across the gamut, including application security, security engineering, incident response, and various Executive roles. Chris holds the CISSP and CSSLP certifications.

jim

Jim Manico

Founder of Manicode Security

Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. Jim is also the founder of Brakeman Security, Inc. and an investor/advisor for Signal Sciences. He is the author of Iron-Clad Java: Building Secure Web Applications (McGraw-Hill), a frequent speaker on secure software practices, and a member of the JavaOne Rockstar speaker community. Jim is also a volunteer for and former board member of the OWASP foundation.

Join our Mailing list!

Get all the latest news, exclusive deals, and feature updates.

The IKIGAI concept
x  Powerful Protection for WordPress, from Shield Security
This Site Is Protected By
ShieldPRO