
Drowning in Security Alerts? OX Security Says You're Focusing on the Wrong 98%


We recently sat down with Boaz Barzel, the Field CTO at OX Security, for the threatmodel.co podcast. The conversation was a frank look at why application security feels broken for so many teams and how to start fixing it. Our collaboration with OX Security is about bringing these essential, ground-level conversations to you.

The feeling is familiar for many in development and security: you’re drowning. A sea of alerts, endless vulnerability lists, and constant friction between the teams meant to build the software and those meant to protect it.

Boaz has a deep understanding of these pain points. His work at OX Security is about cutting through that noise. And their approach is clearly resonating, marked by a recent $60 million funding round. So, what are they doing differently?

Why Most Security Alerts Are Just Noise

According to research Boaz shared, the vast majority of security alerts are just noise. He laid out a startling statistic from their findings.

“In that research we’ve discovered that only 2.08% of issues are actually real issues. And out of those only 1.7% are critical issues. The number of actual critical issues on an average of 569,000 issues per organisation… is extremely low.”

The reason? Not every vulnerability is reachable, exploitable, or has any real impact in your specific environment. The core of the OX platform is to find that tiny percentage of genuine problems and let you ignore the rest. It connects to your whole setup—source control, CI/CD, cloud, ticketing systems—and filters everything down to a manageable, prioritised list of what actually needs fixing.

Following the Thread from Cloud to Code

One of the toughest jobs in security is seeing a problem in a live application and figuring out where on earth it came from. A pen test might find a weakness, but who wrote that code? Which build is it from? Who needs to fix it?

Boaz calls this “cloud-to-code traceability.” OX maps how your software is built so that when a problem is found in production, they can trace it backward.

“We can trace issues that are found in the cloud in production during runtime back to code to understand who’s the one that’s created that issue, when it was committed and then who needs to solve it.”

This turns a days-long investigation into a straightforward task, connecting the production problem directly to the source and the developer who can solve it.

Seeing How an Attacker Could Break In with Attack Path Analysis

For anyone who does threat modeling, the process of manually drawing data flow diagrams to map out potential attack routes is painstakingly familiar. We asked Boaz about a feature that directly addresses this: OX’s Attack Path Analysis.

This powerful analysis starts with a deep understanding of the environment. First, the system builds a “P-BOM” or Pipeline Bill of Materials. The P-BOM is essentially a dynamic, living inventory of your entire application ecosystem—from packages and APIs to containers, cloud assets, and connected SaaS services. Unlike a static inventory, it’s a real-time map that continuously tracks not just what assets you have, but critically, correlates each asset to the specific risks it exposes. This comprehensive view is what makes the subsequent attack path analysis possible.

“And when we have all that information,” Boaz continued, “then our technology… creates those attack path, creates those analysis automatically behind the scene… connecting all the relevant dots to be able to tell the story.”

With the P-BOM as the foundation, the Attack Path Analysis feature draws the route an attacker could take. It doesn’t just flag a vulnerability; it shows you the step-by-step path to exploit it, highlighting the specific APIs an attacker would manipulate and confirming whether the system is reachable from the internet.

This transforms the conversation with a developer. Instead of a theoretical risk on a long list, you can show them a visual, evidence-backed story of how a breach could happen. It’s hard to argue with a map that shows someone how to walk right through your digital front door.
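The two ideas in this post that carry real technique, the reachability filtering behind the "only 2.08% are real" figure and the P-BOM plus attack path analysis described here (with the cloud-to-code link of each finding back to a commit and owner), can be shown in a small script. This is an added example, not OX Security's code or algorithm: it models a P-BOM as a constructed directed graph of assets, enumerates every simple path from an internet-facing entry point to the asset a finding sits on, and ranks findings so that reachable ones come first. Every asset name, package id, commit id and author below is constructed.

```python
"""Added example: reachability-based prioritisation over a toy P-BOM.

Not OX Security's code. Asset names, package ids, commit ids and authors
below are constructed for illustration.
"""

# Constructed P-BOM: a directed graph where an edge A -> B means
# "A calls, exposes or loads B". "internet" is the attacker's entry point.
PBOM_EDGES = {
    "internet":     ["api-gateway"],
    "api-gateway":  ["orders-api", "admin-api"],
    "orders-api":   ["orders-svc"],
    "orders-svc":   ["postgres", "pkg:libparse@1.2.0"],
    "admin-api":    ["admin-svc"],
    "admin-svc":    ["pkg:logkit@2.0.3", "orders-svc"],
    "batch-worker": ["pkg:yamlkit@0.9.1"],   # internal job, no inbound route
}

# Constructed scanner findings, each tied to the asset it lives on and to the
# commit that introduced it (the cloud-to-code link from the article).
FINDINGS = [
    {"id": "F-1", "asset": "pkg:logkit@2.0.3",   "severity": "critical", "commit": "a1b2c3d", "author": "dana"},
    {"id": "F-2", "asset": "pkg:yamlkit@0.9.1",  "severity": "critical", "commit": "9f8e7d6", "author": "lee"},
    {"id": "F-3", "asset": "postgres",           "severity": "high",     "commit": "c0ffee1", "author": "sam"},
    {"id": "F-4", "asset": "pkg:libparse@1.2.0", "severity": "medium",   "commit": "d34db33", "author": "dana"},
    {"id": "F-5", "asset": "pkg:orphan@0.1.0",   "severity": "critical", "commit": "0000000", "author": "kim"},  # not in the graph at all
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def attack_paths(graph, entry, target):
    """Return every simple path from `entry` to `target` as a list of node lists.

    Depth-first search with a visited set, so cycles in the graph terminate.
    """
    paths = []

    def dfs(node, visited, path):
        if node == target:
            paths.append(list(path))
            return
        for nxt in graph.get(node, ()):
            if nxt in visited:
                continue
            visited.add(nxt)
            path.append(nxt)
            dfs(nxt, visited, path)
            path.pop()
            visited.remove(nxt)

    dfs(entry, {entry}, [entry])
    return paths


def prioritise(findings, graph, entry="internet"):
    """Annotate each finding with reachability and its shortest attack path,
    then order: reachable first, then by severity, then by id for stability."""
    ranked = []
    for f in findings:
        paths = attack_paths(graph, entry, f["asset"])
        ranked.append({
            **f,
            "reachable": bool(paths),
            "path": min(paths, key=len) if paths else None,
            "path_count": len(paths),
        })
    ranked.sort(key=lambda r: (not r["reachable"], SEVERITY_RANK[r["severity"]], r["id"]))
    return ranked


def reachable_ratio(ranked):
    """Fraction of findings that have at least one path from the entry point."""
    return sum(r["reachable"] for r in ranked) / len(ranked) if ranked else 0.0


if __name__ == "__main__":
    ranked = prioritise(FINDINGS, PBOM_EDGES)
    for r in ranked:
        route = " -> ".join(r["path"]) if r["path"] else "(no path from internet)"
        print(f"{r['id']} {r['severity']:8} reachable={r['reachable']!s:5} "
              f"fix owner={r['author']} commit={r['commit']}  {route}")
    print(f"reachable fraction: {reachable_ratio(ranked):.2f}")
```

Two of the five constructed findings are rated critical but sit on assets with no route from the entry point (one is only loaded by an internal batch job, one is not in the inventory at all), so they drop below a reachable medium. The shortest path printed for each reachable finding is the "story" a developer can be shown, and the commit and author fields travel with it so the fix lands with the right person. A real P-BOM would also encode authentication boundaries, network policy and whether the vulnerable function is actually called; this toy graph only models connectivity.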

The New Speed of Attacks (Thanks, AI)

The conversation turned to AI, and not just as a tool for defenders. Attackers are using it to move faster than ever.

Quoting OX Security’s CEO, Neatsun Ziv, the host noted: “Threat actors are executing attacks faster, weaponising software vulnerabilities in record time — often with the assistance of AI.”

Boaz noted that while attackers can now cook up an exploit for a new vulnerability on the same day it’s announced, companies are still taking a median time of 55 days to patch it, even when they know it’s being used in attacks.

OX is using the same methods as the attackers to determine if a new vulnerability could be used against your code, providing a massive head start for defenders. It’s about fighting speed with speed.

A New Game Plan for Application Security

The bottom line from our talk with Boaz is that the old way of doing things is no longer sustainable. You can’t hire your way out of the problem. The only way forward is to re-architect your approach.

Focus on the tiny fraction of risks that can cause real damage. Give developers clear, actionable information so they can fix things quickly, early, and without guesswork. Automate the simple fixes. This shift doesn’t just make you more secure; it removes the security bottlenecks that slow down your business.

As Boaz puts it, it’s about making AppSec people “the heroes” again, building trust with developers, and creating a system where security enables speed instead of hindering it.


Listen to the full conversation with Boaz Barzel on the threatmodel.co podcast to hear more.