TL;DR: More than 48,000 new CVEs were published in 2025, and Orca’s analysis argues that AppSec is now bottlenecked by prioritization, not discovery, as code reachability and AI-driven triage aim to separate executable risk from noise. Security programmes built on severity scoring alone cannot keep up with findings that are real on paper but unreachable in practice.
NHIMG editorial — based on content published by Orca Security: code reachability, AppSec triage, and application risk dashboards
Questions worth separating out
Q: How should security teams prioritise AppSec findings when CVE volume keeps rising?
A: Security teams should prioritise findings that are both validated and reachable in the application’s actual execution path.
Q: Why do code reachability and false-positive triage matter in AppSec programmes?
A: They matter because AppSec teams do not fail mainly on detection; they fail on prioritisation, since severity scores alone cannot tell which findings are reachable in practice.
Q: How can organisations tell if an AppSec dashboard is actually useful?
A: A useful AppSec dashboard shows whether risk is being reduced over time, which repositories repeatedly introduce exposure, and whether remediation targets are being met.
Practitioner guidance
- Prioritize reachable vulnerabilities first: triage issues by proving whether the vulnerable function is actually invoked in the deployed application, then defer non-executable findings until higher-risk work is complete.
- Use code context to validate SAST findings: require data flow, sanitization, and control-path evidence before escalating a high-priority static analysis result into the remediation queue.
- Tie findings to named code owners: map each validated issue to the repository, service, or team that actually invokes the vulnerable path so tickets do not stall in security-owned queues.
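As an added example (not Orca's code or method), the following script combines the three guidance points above into one triage order over a constructed call graph: a vulnerable function is labelled Reachable when a fully resolved call path exists from the entry point, Inconclusive when the only path crosses an unresolved dynamic call site, and Unreachable (a third label assumed here for illustration) otherwise; findings are then ordered by reachability, by whether validation evidence exists, and by CVSS, and mapped to the owners of the code that invokes them. All function names, team names and finding ids are constructed placeholders.

```python
from collections import deque

# Constructed call graph: caller -> [(callee, resolved)]. resolved=False marks a
# dynamic call site (plugin/reflection) whose target is inferred, not proven.
CALL_GRAPH = {
    "main": [("handle_request", True)],
    "handle_request": [("parse_body", True), ("render_page", True)],
    "parse_body": [("yaml_load", True)],        # yaml_load: hypothetical vulnerable dep
    "render_page": [("image_decode", False)],   # image_decode: only via plugin dispatch
    "unused_export": [("zip_extract", True)],   # dead code: nothing calls unused_export
}
CODE_OWNERS = {"parse_body": "api-team", "render_page": "web-team", "unused_export": "legacy-team"}

def _reaches(target, entry, graph, include_unresolved):
    """Breadth-first search from entry; optionally follow unresolved edges."""
    seen, queue = {entry}, deque([entry])
    while queue:
        fn = queue.popleft()
        if fn == target:
            return True
        for callee, resolved in graph.get(fn, []):
            if (resolved or include_unresolved) and callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return False

def reachability(target, graph=CALL_GRAPH, entry="main"):
    """Label a vulnerable function Reachable, Inconclusive or Unreachable."""
    if _reaches(target, entry, graph, include_unresolved=False):
        return "Reachable"
    if _reaches(target, entry, graph, include_unresolved=True):
        return "Inconclusive"
    return "Unreachable"

def owner_of(target, graph=CALL_GRAPH, owners=CODE_OWNERS):
    """Teams owning the code that directly invokes the vulnerable function."""
    callers = [f for f, edges in graph.items() if any(c == target for c, _ in edges)]
    return sorted({owners.get(c, "unassigned") for c in callers}) or ["unassigned"]

RANK = {"Reachable": 0, "Inconclusive": 1, "Unreachable": 2}

def triage(findings):
    """Remediation order: reachable first, then evidence-backed, then highest CVSS."""
    rows = [{**f, "reachability": reachability(f["function"]), "owners": owner_of(f["function"])}
            for f in findings]
    return sorted(rows, key=lambda r: (RANK[r["reachability"]], not r["validated"], -r["cvss"]))

FINDINGS = [  # constructed SCA/SAST findings; "validated" = data-flow/sanitization evidence present
    {"id": "CVE-XXXX-0001", "function": "yaml_load", "cvss": 7.5, "validated": True},
    {"id": "SAST-7", "function": "parse_body", "cvss": 8.0, "validated": False},
    {"id": "CVE-XXXX-0002", "function": "image_decode", "cvss": 9.8, "validated": True},
    {"id": "CVE-XXXX-0003", "function": "zip_extract", "cvss": 9.8, "validated": False},
]
```

Note that the two 9.8 findings land at the bottom of the queue: one only via an unresolved plugin call, the other in dead code, which is exactly the noise severity scoring alone cannot filter.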
What's in the full article
Orca Security's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step explanation of how code reachability labels vulnerable functions as Reachable or Inconclusive
- Detailed triage-agent workflow for validating true positives and likely false positives in SAST output
- Dashboard metrics and widget ideas for tracking remediation SLAs, control violations, and risky repositories
- Platform-level workflow locations where findings surface inside IDEs, CLI output, pull requests, and policy views
Read Orca Security's analysis of code reachability, triage, and AppSec dashboards: "Code reachability and AI triage: what AppSec teams need now?"