
How do we use Dynatrace Runtime Vulnerability Analytics to prioritize remediation for vulnerabilities actually used in production?
Most security and platform teams already know they’ll never remediate every vulnerability. The real question is which vulnerabilities are actually exploitable in your production environment—and how to focus scarce engineering time there. That’s exactly what Dynatrace Runtime Vulnerability Analytics is designed to answer.
By combining runtime behavior, full‑stack topology, and causation-based AI, Dynatrace moves you from static CVE lists to a prioritized stream of vulnerabilities that are demonstrably used (or reachable) in production.
Quick Answer: The best overall choice for prioritizing remediation based on real production usage is Dynatrace Runtime Vulnerability Analytics with full Dynatrace Intelligence. If your priority is integrating runtime risk into existing DevSecOps workflows, Runtime Vulnerability Analytics + Workflows & ITSM/CI-CD integrations is often a stronger fit. For targeted teams that just need code-level and library-level insights, consider Runtime Vulnerability Analytics focused on application/service owners.
At-a-Glance Comparison
| Rank | Option | Best For | Primary Strength | Watch Out For |
|---|---|---|---|---|
| 1 | Runtime Vulnerability Analytics + Dynatrace Intelligence | Central security and platform teams | Precise, causation-based risk prioritization using runtime + topology + impact | Requires at least foundational Dynatrace deployment (OneAgent coverage) |
| 2 | Runtime Vulnerability Analytics + Workflows & Integrations | Organizations with mature DevSecOps and ITSM processes | Turns runtime risk into automated tickets, quality gates, and remediation actions | Needs clear ownership models to avoid ticket fatigue |
| 3 | Runtime Vulnerability Analytics for App/Service Owners | Individual product, app, and microservice teams | Code-level visibility into which components and libraries drive real risk | Less centralized governance if used in isolation |
Comparison Criteria
We evaluated these approaches using three practical criteria that matter when you’re scaling vulnerability management across hybrid and multi-cloud estates:
- Risk relevance in production: How accurately the approach tells you which vulnerabilities are actually used, reachable, or exposed in live traffic, rather than just present in a software bill of materials.
- Context and explainability: How well the approach explains why a vulnerability matters—affected entities, user and business impact, exploitability—and how easily teams can act on that information.
- Automation and operational fit: How readily the approach plugs into your existing workflows (ITSM, CI/CD, SOAR) to trigger remediation, change approvals, or compensating controls without creating alert storms.
Detailed Breakdown
1. Runtime Vulnerability Analytics + Dynatrace Intelligence (Best overall for production‑relevant risk)
Runtime Vulnerability Analytics with Dynatrace Intelligence ranks as the top choice because it connects vulnerabilities to real production behavior and impact, using causation-based AI instead of static scores.
Dynatrace automatically discovers your applications and services via OneAgent, maps their dependencies in real time, and then overlays vulnerability data with runtime usage, entity interdependencies, and user impact. That lets you prioritize vulnerabilities that are actually exercised or reachable in production, not just theoretically present.
What it does well:
- Causation-based risk prioritization: Dynatrace Intelligence goes beyond correlation. It understands how services, containers, processes, and libraries relate through real-time topology mapping, and it uses causation-based AI to determine which vulnerabilities are tied to entities that:
  - Are actively serving production traffic
  - Sit on critical transaction paths (e.g., checkout, login, payments)
  - Are reachable from the internet or untrusted networks
  The result is a ranked list of vulnerabilities whose exploitation would materially affect real users or business processes.
- Automatic discovery and complete coverage: OneAgent automatically discovers and instruments hosts, containers, services, and processes. That means:
  - No manual configuration to onboard new services
  - New microservices, pods, and ephemeral workloads are automatically brought under runtime analysis
  - Vulnerability detection stays accurate as Kubernetes/OpenShift and multi-cloud environments change
- Impact-aware severity assessment: Not every vulnerable library is a priority. Dynatrace factors in:
  - User impact (how many users, which journeys)
  - Service criticality
  - Infrastructure dependency risk
  This is the same business-aware lens Dynatrace already applies when rating the severity of performance problems, so vulnerability priorities and incident priorities are directly comparable.
Tradeoffs & Limitations:
- Requires broad observability adoption: To unlock full value, you need OneAgent deployed across your critical production stack. Partial coverage still provides insight, but you lose the complete “runtime + topology + impact” picture that makes prioritization precise. Note the failure mode: a process without OneAgent does not show up as “not in use”, it does not show up at all. Coverage gaps therefore have to be tracked separately (for example, by reconciling instrumented processes against your inventory or SBOM) rather than read as absence of risk.
Decision Trigger:
Choose Runtime Vulnerability Analytics + Dynatrace Intelligence if you want a single, explainable risk ranking across your estate and prioritize accurate, context-rich decisions about which vulnerabilities to remediate first.
2. Runtime Vulnerability Analytics + Workflows & Integrations (Best for DevSecOps and operationalization)
Runtime Vulnerability Analytics combined with Dynatrace Workflows and integrations is the strongest fit if your main challenge is operationalizing remediation—getting the right work to the right teams at the right time.
Here, the focus is less on discovering vulnerabilities and more on turning runtime-aware risk insights into automated actions: tickets, change requests, quality gates, and even auto-remediation.
What it does well:
- From answers to automated actions: Dynatrace already turns observability data into “actionable answers to performance problems through precise root-cause analysis.” Runtime Vulnerability Analytics extends this to security and compliance findings. With Workflows, you can:
  - Automatically create prioritized tickets in Jira, ServiceNow, or other ITSM tools when high-risk vulnerabilities are detected on critical services
  - Trigger CI/CD pipeline gates when a build introduces a vulnerability that is higher risk than the production baseline
  - Launch remediation playbooks or compensating controls based on vulnerability severity and entity impact
- Consistent prioritization across incidents and risk: Because Dynatrace uses the same topology, impact severity, and causation-based AI for performance issues and vulnerabilities, you can:
  - Normalize how you prioritize incidents and vulnerabilities across teams
  - Reduce alert fatigue by notifying only on vulnerabilities that matter (root causes and high-impact entities)
  - Combine performance, security, and business insights in one workflow
Tradeoffs & Limitations:
- Requires mature process ownership: Automated ticket creation and pipeline gating are powerful, but they depend on:
  - Clear ownership of services and vulnerabilities
  - Agreed SLAs for different risk tiers
  Without that, you risk pushing high-value insights into queues with no accountable owner, and a pipeline gate with no documented exception path simply gets bypassed.
Decision Trigger:
Choose Runtime Vulnerability Analytics + Workflows & Integrations if you want to operationalize runtime-aware vulnerability risk across DevSecOps and ITSM and prioritize automation, consistency, and reduced manual triage.
3. Runtime Vulnerability Analytics for App/Service Owners (Best for team-level remediation focus)
Using Runtime Vulnerability Analytics directly within application and service teams stands out when you want engineers to make better day-to-day decisions on what to fix, and when.
In this model, runtime insights are targeted primarily at product and service owners: they see which libraries, frameworks, and services they own are actually putting production users at risk.
What it does well:
- Code- and service-level clarity: Teams can see:
  - Which specific processes and services use vulnerable components
  - Whether those services are active in production
  - How topology and dependencies make those vulnerabilities reachable from real traffic
  This keeps engineers from spending time on libraries that are loaded only on non-critical paths, or never exercised at runtime, ahead of the ones that are.
- Support for shift-left and shift-right together: SAST/DAST/SBOM tools provide shift-left coverage but usually lack production runtime context. Bringing runtime usage into developers’ view lets you:
  - Inform backlog prioritization with “used in production” signals
  - Align refactoring work with real business risk
  - Feed learnings back into design and architecture decisions
Tradeoffs & Limitations:
- Limited central oversight if used alone: If Runtime Vulnerability Analytics is only consumed through team-level dashboards and views, you may:
  - Lose the enterprise-wide picture of cross-cutting risks (the same vulnerable library in twenty services owned by twenty teams)
  - Struggle to enforce consistent risk thresholds across teams
  It is a powerful view for engineers, but it is most effective when complemented by central governance and platform oversight.
Decision Trigger:
Choose Runtime Vulnerability Analytics for App/Service Owners if you want developers to focus on vulnerabilities that actually affect their live services and prioritize local decision-making and backlog hygiene over central command-and-control.
How Dynatrace Runtime Vulnerability Analytics prioritizes what’s actually used in production
Regardless of which consumption model you adopt, the prioritization logic follows a consistent pattern—rooted in real runtime behavior, not static lists.
1. Start with automatic discovery and instrumentation
Dynatrace OneAgent:
- Auto-discovers hosts, processes, containers, services, and dependencies
- Auto-instruments applications for observability (metrics, logs, traces, user experience) and security signals
- Auto-updates as your environment evolves
This eliminates manual configuration and ensures that whenever new workloads spin up in Kubernetes/OpenShift or across multi-cloud, they’re automatically brought under runtime vulnerability analysis.
2. Build a real-time topology of your estate
Dynatrace maintains a real-time topology map that:
- Records the dependencies between entities: which service calls which, which process runs in which container, on which host
- Connects metrics, logs, traces, user experience, and security data to those entities (services, processes, hosts, Kubernetes objects)
- Shows how requests and transactions flow through your architecture
This topology is the foundation for intelligent observability: vulnerabilities are no longer isolated flags, but attributes of entities embedded in a living map of your system.
3. Correlate vulnerabilities with runtime usage
Runtime Vulnerability Analytics then overlays vulnerability data onto this topology, focusing on:
- Which services and processes actually load and use vulnerable libraries
- Which of those entities are actively handling production traffic
- Which are reachable from external or untrusted entry points
Instead of treating every CVE as equal, Dynatrace can differentiate:
- Libraries present but never invoked in production
- Libraries used only in internal, low-risk paths
- Libraries actively exercised in high-value transactions
Treat the first two categories as down-ranked, not dismissed. Runtime usage is evidence over an observation window: a code path that is only reached by a quarterly batch job, an error handler, or an attacker’s deliberately crafted input may not appear in that window at all. “Not observed in use” should lower a finding’s rank and lengthen its SLA, not close it.
4. Assess impact severity with user and business context
Building on Dynatrace’s broader approach to severity:
- User impact: Dynatrace evaluates how many users and which journeys are tied to entities using the vulnerable component (e.g., login, checkout, payments, internal financial workflows).
- Service criticality: The platform understands whether a service is classified as critical, supports SLOs, or underpins key business processes.
- Infrastructure and dependency risk: Using topology, Dynatrace sees how a vulnerable component sits in relation to other services, data stores, and network boundaries.
This allows Runtime Vulnerability Analytics to highlight vulnerabilities that would cause meaningful harm if exploited, not just technically interesting issues.
5. Apply causation-based AI for precise answers
Traditional tools tend to swamp teams with correlated “possible issues.” Dynatrace Intelligence takes a different approach:
- Uses causation-based AI to identify the foundational root causes and the sequence of events leading to risk
- Distinguishes between vulnerabilities that:
  - Are theoretically exploitable but not exercised
  - Are actually driving risky behavior in production (e.g., exposed endpoints, dangerous calls)
- Provides explainable reasoning, so teams understand why a particular vulnerability is prioritized
This is the same engine that powers Dynatrace’s performance problem analysis—“actionable answers to performance problems through a precise root-cause analysis”—now applied to security and vulnerability risk.
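The following is an added example in Python, not Dynatrace code and not its scoring algorithm, that applies the factors from steps 3 to 5 to a few constructed findings. The record fields, the weights, and the sample data are all assumptions. It shows three things the steps describe: runtime evidence scales a static CVSS score up or down rather than replacing it; “not observed in use” lowers a finding’s rank but never removes it; and every rank carries the list of reasons a ticket can quote.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    """One vulnerable component observed on one service.

    Field names are assumptions for this example, not a Dynatrace schema.
    """
    cve: str
    component: str
    cvss: float                                 # static base score from the advisory
    service: str
    loaded_in_process: bool                     # library present in a running process
    vulnerable_function_called: Optional[bool]  # None = not observable for this runtime
    serving_traffic: bool                       # service handled requests in the window
    internet_exposed: bool                      # reachable from outside the perimeter
    on_critical_path: bool                      # e.g. login, checkout, payments
    users_affected: int                         # distinct users on those journeys in the window
    public_exploit: bool                        # working exploit publicly available


def runtime_risk(f: Finding) -> float:
    """Scale the static CVSS score by runtime evidence (illustrative weights).

    Down-ranking never reaches zero: absence of observed use inside one
    observation window is not proof that a code path is unreachable.
    """
    score = f.cvss
    if not f.loaded_in_process:
        return round(score * 0.1, 1)    # never loaded: strongest negative evidence, still non-zero
    if f.vulnerable_function_called is False:
        score *= 0.4                    # loaded, vulnerable path not seen: down-rank, keep
    elif f.vulnerable_function_called is None:
        score *= 0.8                    # unobservable: stay conservative
    if not f.serving_traffic:
        score *= 0.5
    if f.internet_exposed:
        score *= 1.3
    if f.on_critical_path:
        score *= 1.2
    if f.public_exploit:
        score *= 1.2
    return round(min(score, 10.0), 1)


def explain(f: Finding) -> List[str]:
    """Human-readable reasons behind the rank, so a ticket says why."""
    reasons = []
    if not f.loaded_in_process:
        reasons.append("component not loaded by any running process")
    elif f.vulnerable_function_called:
        reasons.append("vulnerable function executed in production")
    elif f.vulnerable_function_called is None:
        reasons.append("function-level usage not observable; treated as possibly used")
    else:
        reasons.append("loaded but vulnerable function not observed")
    reasons.append("serving traffic" if f.serving_traffic else "idle in observation window")
    if f.internet_exposed:
        reasons.append("internet-exposed")
    if f.on_critical_path:
        reasons.append(f"on critical path ({f.users_affected} users)")
    if f.public_exploit:
        reasons.append("public exploit available")
    return reasons


def rank(findings: List[Finding]) -> List[Finding]:
    """Highest runtime risk first; ties broken by user impact."""
    return sorted(findings, key=lambda f: (-runtime_risk(f), -f.users_affected))


# Constructed sample findings (placeholder CVE ids, not real scan output).
SAMPLE = [
    Finding("CVE-A", "log-lib 2.14", 9.8, "checkout", True, True, True, True, True, 12000, True),
    Finding("CVE-A", "log-lib 2.14", 9.8, "batch-reporter", True, None, False, False, False, 0, True),
    Finding("CVE-C", "xml-parser 1.2", 7.0, "inventory", False, None, True, False, False, 300, False),
    Finding("CVE-D", "http-client 4.5", 6.5, "login", True, False, True, True, True, 50000, False),
    Finding("CVE-E", "template-engine 3.0", 5.3, "admin-console", True, True, True, False, False, 12, False),
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        print(f"{runtime_risk(f):4.1f}  {f.cve:6} {f.service:15} {'; '.join(explain(f))}")
```

Run it and the checkout instance of CVE-A lands at the top (10.0) while the same CVE on the idle batch-reporter drops to 4.7; CVE-D on the internet-facing login service, loaded but with its vulnerable function never observed, ranks below a lower-CVSS finding that is actually exercised. Whatever weights you use in practice, keep the floor above zero for the reasons given in step 3.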
6. Trigger prioritized alerts and workflows
Finally, Dynatrace turns insights into action:
- Actionable alerts, not alert storms: You can configure alerts to fire on:
  - High-risk vulnerabilities on critical services
  - Vulnerabilities newly exposed to public traffic
  - Risk increases tied to specific business processes
  Because alerts are rooted in impact and root cause, you avoid noise and focus on what matters.
- APIs for auto-remediation and governance: Problem and vulnerability evolution data is available via APIs, so you can:
  - Trigger remediation sequences or compensating controls
  - Enforce policy (for example, block deployments that introduce higher runtime risk than is currently accepted in production)
  - Maintain human oversight while moving toward more preventive and autonomous security operations
This combination—runtime usage, topology, causation-based AI, and automation—allows you to prioritize remediation for vulnerabilities actually used in production, not just present in code.
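Below is an added example in Python of the deployment policy in the last bullet, not taken from Dynatrace Workflows or its APIs. It takes runtime-aware scores for what production currently runs and for a candidate build (both constructed here; the field names and the rules are assumptions) and blocks the build when it introduces a finding that production has not already accepted: one at or above a hard ceiling, one above the service’s current worst accepted score, or one that makes a previously internal service internet-exposed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ServiceRisk:
    """Runtime-aware risk of one finding on one service (field names are assumptions)."""
    cve: str
    service: str
    risk_score: float        # 0-10, already adjusted for runtime usage and exposure
    internet_exposed: bool


def accepted_baseline(prod: List[ServiceRisk]) -> Dict[str, float]:
    """Highest runtime risk currently running, and therefore implicitly accepted, per service."""
    baseline: Dict[str, float] = {}
    for r in prod:
        baseline[r.service] = max(baseline.get(r.service, 0.0), r.risk_score)
    return baseline


def evaluate_gate(prod: List[ServiceRisk], candidate: List[ServiceRisk],
                  hard_ceiling: float = 9.0) -> Tuple[bool, List[str]]:
    """Return (passed, reasons).

    A candidate fails when it introduces a finding not already running in
    production that exceeds the hard ceiling, exceeds the service's accepted
    baseline, or makes a service internet-exposed that was not before.
    """
    baseline = accepted_baseline(prod)
    already_running = {(r.cve, r.service) for r in prod}
    exposed_services = {r.service for r in prod if r.internet_exposed}
    reasons: List[str] = []
    for r in candidate:
        if (r.cve, r.service) in already_running:
            continue        # same debt as production: not a regression, owned by the backlog
        accepted = baseline.get(r.service, 0.0)   # unknown service: nothing accepted yet
        if r.risk_score >= hard_ceiling:
            reasons.append(f"{r.cve} on {r.service}: risk {r.risk_score} at or above ceiling {hard_ceiling}")
        elif r.risk_score > accepted:
            reasons.append(f"{r.cve} on {r.service}: risk {r.risk_score} exceeds accepted {accepted}")
        if r.internet_exposed and r.service not in exposed_services:
            reasons.append(f"{r.cve} on {r.service}: newly internet-exposed vulnerable component")
    return (not reasons, reasons)


# Constructed sample data: what production runs now, and what two candidate builds would add.
PROD = [
    ServiceRisk("CVE-A", "checkout", 4.7, False),
    ServiceRisk("CVE-B", "login", 3.0, True),
]
CANDIDATE_REGRESSION = [
    ServiceRisk("CVE-A", "checkout", 4.7, False),   # carried over, already accepted
    ServiceRisk("CVE-C", "checkout", 6.2, False),   # new, higher than checkout's baseline
    ServiceRisk("CVE-D", "login", 2.5, True),       # new, below baseline, login already exposed
]
CANDIDATE_CLEAN = [
    ServiceRisk("CVE-A", "checkout", 4.7, False),
    ServiceRisk("CVE-E", "checkout", 3.1, False),
]

if __name__ == "__main__":
    for name, cand in (("regression", CANDIDATE_REGRESSION), ("clean", CANDIDATE_CLEAN)):
        passed, why = evaluate_gate(PROD, cand)
        print(name, "PASS" if passed else "BLOCK", *why, sep="\n  ")
```

Findings already running in production are deliberately not gate failures; they are backlog. A service with no production baseline fails on any finding, which forces new services to start clean or to be accepted explicitly; relax that to a default ceiling if it is too strict for your estate. The scores fed in must come from the same runtime-aware ranking used for production, otherwise the comparison is between unlike numbers.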
Final Verdict
For most enterprises, the most effective way to use Dynatrace Runtime Vulnerability Analytics is to anchor it in full Dynatrace Intelligence for risk ranking, then operationalize it via Workflows and integrations, and finally surface targeted views to app and service owners.
That gives you:
- A single, trusted picture of which vulnerabilities truly matter
- Explainable root-cause and impact context, not just CVE scores
- Automated, targeted remediation actions that align with how your teams already work
Instead of reacting to endless vulnerability reports, you can act on precise, runtime-aware answers about where risk is real—and what to do next.