
Modern application security (AppSec) suffers from a number of issues, one of the main ones being alert fatigue. Human teams do not have the time or resources to verify and investigate every security alert, especially with increasingly automated systems searching for security flaws. Many automated security solutions that trigger alerts for security teams to address lack adequate measures for contextualizing and prioritizing those alerts, leading to an overwhelming amount of noise for security teams to sift through.
OX Security recently published its 2025 Application Security Benchmark Report based on a large-scale study of over 101 million security alerts from 178 organizations. The report digs into the challenges of alert fatigue, the reasons for this difficulty, and what organizations should do to mitigate it.
The Signal-to-Noise Problem in Application Security
The OX Security analysis revealed that a mere 2-5% of all security findings reported to the company are actionable alerts. This means that the other 95-98% of AppSec alerts are essentially noise, taking up time and other resources without benefiting security teams or helping to fortify organizations’ defenses. Even when organizations are able to employ dedicated security teams, those teams are not equipped to handle the volume of alerts flagged by many security solutions.
The average organization uses 469 active applications and receives almost 570,000 alerts, only 6,000 of which are critical, actionable issues. With context-based alert prioritization, these numbers can drop by up to 98%, delivering under 12,000 alerts and 202 critical issues. This difference emphasizes the need for security tools that can use environmental and organizational context to weed out massive volumes of unnecessary alerts.
Developers Under Siege
Developers and security teams face a significant amount of strain from massive volumes of alerts. Of the security alerts analyzed in the report, around 32% have a low risk of exploitability, 25% have no public exploits available, and 25% are of low business priority. If all of these alerts are delivered without context or prioritization, developers waste time chasing theoretical or non-actionable issues rather than addressing the small number of pressing, actionable alerts.
The emotional and operational toll of constant alert fatigue can severely hinder an organization’s security strategy. AppSec burnout is a growing problem as many organizations lack the resources to effectively handle the security alerts delivered by traditional tools. Overwhelming volumes of alerts, lack of context and prioritization, and difficulties maintaining security staff contribute to this phenomenon.
The Dependency Dilemma
A total of 25% of the analyzed alerts were related to indirect dependencies, development dependencies, and dependencies that were unused or unimported. These alerts are highly unlikely to be exploited by threat actors because the affected code does not reach production environments, which often makes these vulnerabilities more complicated and less effective to target. The dependencies are also frequently outside the scope of the developers’ control, leaving developers unable to fix them even if they need to.
Increasingly interconnected systems of software and hardware, as well as the growing complexity of modern software supply chains, amplify this struggle by introducing security issues that are not necessary or possible to address. Security alerts triggered by traditional detection solutions often trace back to these aspects of the environment that cannot be properly addressed by developers or security teams.
What Actually Matters
When it comes to the small portion of alerts that are actionable and important to address, only 1.71% are Known Exploited Vulnerabilities (KEVs). These are the security flaws and gaps that have been exploited in the wild and noted by industry officials as active threats, making them an important category for security teams to focus on, in contrast with the large volumes of alerts that are not actionable.
Another 1.62% of the alerts analyzed arise from poor development practices leading to exposure of secrets, including SaaS, SCM, and user management secrets. It is often easier for developers to embed important credentials, like API keys, passwords, and tokens, directly into their code, leading to exposure of sensitive data. These are the highest-priority alerts, meriting immediate investigation and remediation from security teams and developers.
From Alert Volume to Risk Context
To mitigate the challenges of overwhelming alerts leading to fatigue and security inefficiency, it is vital for organizations to invest in smarter triage strategies like context-aware prioritization of alerts. Risk-based models of security analysis perform better than static severity scores, and integrating exploitability, asset value, and threat intelligence with security flaw detection and alert systems is an important step in ensuring that alerts are helpful and actionable.
“Teams need to start collecting and acting on additional risk metrics and component metadata to prioritize which security issues demand the most urgent response,” according to Mike McGuire, Senior Security Solutions Manager at Black Duck, a Burlington, Massachusetts-based provider of application security solutions. “For example, for addressing vulnerabilities in open source dependencies, teams should be evaluating how the impacted dependency was introduced to their project, if it is in the call stack of the application given specific deployment configurations, the vulnerability severity score (CVSS), if it’s been exploited in the wild (CISA KEV), and how likely it is to be exploited (EPSS).”
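The signals named above (how a dependency was introduced, call-stack reachability, CVSS, CISA KEV, EPSS, exposed secrets) can be combined into a triage rule. The following is an added example, not code from OX Security or Black Duck; the tier names, the EPSS cut-off, the field names and the sample findings are assumptions made for illustration.

```python
from dataclasses import dataclass

# Tier names and thresholds are assumptions for this example, not report values.
EPSS_LIKELY = 0.10   # assumed cut-off for "likely to be exploited"
CVSS_HIGH = 7.0      # CVSS v3.x "High" band starts at 7.0
TIER_ORDER = {"urgent": 0, "scheduled": 1, "backlog": 2, "noise": 3}

@dataclass(frozen=True)
class Finding:
    ident: str                  # constructed placeholder id
    kind: str = "vuln"          # "vuln" or "secret"
    cvss: float = 0.0           # severity score, 0-10
    epss: float = 0.0           # exploit probability, 0-1
    in_kev: bool = False        # listed in CISA KEV
    introduced: str = "direct"  # "direct", "indirect", "dev" or "unused"
    reachable: bool = True      # in the call stack for this deployment

def triage(f: Finding) -> tuple[str, str]:
    """Return (tier, reason) for one finding."""
    if f.kind == "secret":
        return "urgent", "exposed secret"
    if f.introduced in ("dev", "unused"):
        return "noise", f"{f.introduced} dependency, not shipped to production"
    if f.in_kev:
        if f.reachable:
            return "urgent", "known exploited and reachable"
        return "scheduled", "known exploited, not in call stack"
    if not f.reachable:
        return "noise", "vulnerable code not in call stack"
    if f.epss >= EPSS_LIKELY and f.cvss >= CVSS_HIGH:
        return "scheduled", "likely exploit, high severity"
    return "backlog", "low exploit likelihood or severity"

def prioritize(findings):
    """Sort findings by tier, then by EPSS and CVSS descending."""
    rows = [(f, *triage(f)) for f in findings]
    return sorted(rows, key=lambda r: (TIER_ORDER[r[1]], -r[0].epss, -r[0].cvss))

# Constructed sample findings (not real alerts or identifiers).
SAMPLE = [
    Finding("F-001", cvss=9.8, epss=0.02, introduced="dev"),
    Finding("F-002", cvss=7.5, epss=0.91, in_kev=True),
    Finding("F-003", kind="secret"),
    Finding("F-004", cvss=9.1, epss=0.40, introduced="indirect", reachable=False),
    Finding("F-005", cvss=8.1, epss=0.35, introduced="indirect"),
    Finding("F-006", cvss=5.3, epss=0.01),
]

if __name__ == "__main__":
    for f, tier, reason in prioritize(SAMPLE):
        print(f"{tier:<9} {f.ident}  cvss={f.cvss:<4} epss={f.epss:<5} {reason}")
```

In this sample the CVSS 9.8 finding in a development dependency lands in the noise tier while the CVSS 7.5 finding that is in KEV and reachable is urgent, which is the gap between static severity and risk context that the section describes.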
Rethinking AppSec Strategy
In order to effectively protect modern applications against an ever-shifting threat landscape, developers and security teams must move beyond checkbox compliance to outcome-driven security. It is important to align security goals with developer workflows and take steps to improve AppSec maturity, including using KEV tracking for prioritization, investing in tools that correlate findings with business impact, and fostering collaboration between security and engineering.
Relying on legacy tools and solutions will not be effective in the face of modern threats and modern environments. Security alerts are far too numerous and vague to be helpful to most teams; the important ones get lost among all of the noise, and staff experience burnout and exhaustion from attempting to sift through these large volumes of irrelevant alerts.
Conclusion
The major discrepancy between alert volume and true risk is misleading and hinders effective security operations by overwhelming teams with irrelevant and unnecessary alerts. The vast majority of the alerts that are delivered to an organization are noise in the form of flaws that are not actionable or pose negligible risk. Security teams and developers can reclaim focus and cut through the noise by employing security tools that use context-aware prioritization to provide alerts that are useful for organizations to address.