
We have thousands of vulnerability findings—how do we know which ones are actually exploitable in production?
Most security teams already know they have a vulnerability problem. The real question is whether they have an exploitation problem. Thousands of findings from SCA, SAST, DAST, and cloud posture tools tell you what could be vulnerable—but almost none tell you which issues are actually reachable, exploitable, and impacting real users in production.
The gap between “vulnerability present” and “vulnerability exploitable” is where risk-based application security lives. Closing it requires moving beyond CVSS scores and scanner output toward real-time, production-aware context.
This article breaks down a practical approach—and how a unified observability and security platform like Dynatrace helps you answer, with confidence: Which vulnerabilities should we fix first because they are actually exploitable in production?
Why “thousands of findings” isn’t the real problem
In modern hybrid and multi-cloud environments, it’s normal to see:
- Hundreds of microservices across Kubernetes and VMs
- Multiple programming languages and frameworks
- CI/CD pipelines wired into multiple scanners
- Third-party and open-source dependencies changing daily
Every one of these surfaces produces findings. Without context, you get:
- Alert storms: Multiple tools flagging the same underlying issue
- False urgency: Critical CVSS scores on components that are never called in real traffic
- Blind spots: Vulnerabilities running in production that don’t show up as “critical” in static reports
- War rooms: Teams spend hours correlating spreadsheets, dashboards, and logs to understand real risk
To move from noise to signal, you need to attach each vulnerability to how your software is actually behaving in production.
The key question: Is this vulnerability exploitable here and now?
A vulnerability is actually exploitable in production when three conditions converge:
- The vulnerable code is deployed and running in production
- There is a realistic attack path from the internet or untrusted sources to the vulnerable component
- Exploitation would cause meaningful impact to users or the business
Scanner output usually tells you only the first part (there’s a vulnerable library somewhere). To make sound decisions, you need to:
- Observe runtime behavior of applications and services
- Understand topology and dependencies across your environment
- Measure user, service, and business impact of each risk
This is where unified observability and security become essential.
How to prioritize exploitable vulnerabilities in production
1. Start with runtime, not static lists
Static lists (from SCA/SAST) are good for inventory, but they don’t reflect how code behaves in real traffic.
You want to know:
- Is this vulnerable library or function loaded and executed in production?
- Which services, pods, and hosts actually use it?
- Is it part of a hot path that real users are hitting?
With Dynatrace OneAgent, instrumentation is automatic: it discovers and monitors processes, services, and code modules without manual configuration. That means you get a live, runtime map of where vulnerable components are actually active—not just where they might be present in source.
Why this matters: A high-CVSS vulnerability in a dormant library may be a lower priority than a “medium” issue in a hot, user-facing service that handles authentication or payments.
2. Map vulnerabilities onto real topology and data flows
Knowing a vulnerability exists is step one. Step two is understanding its reachability in your environment.
You need real-time topology mapping that shows:
- How services depend on each other across Kubernetes, VMs, serverless, and cloud services
- Which entry points (APIs, web endpoints) are exposed to the internet
- Which downstream services and data stores a vulnerable component can access
Dynatrace builds a live dependency graph from user interactions through services, processes, and infrastructure. When a vulnerability is detected, it’s automatically overlaid on this topology:
- You see exactly which entities are affected (services, pods, hosts, clusters)
- You understand potential lateral movement and data access paths
- You can distinguish internal-only risks from internet-exposed ones
Why this matters: Two services may share the same vulnerable library, but only one is accessible from the public internet and connected to sensitive data. That’s the one you fix first.
3. Assess user, service, and business impact
Technical root cause is critical, but it’s not enough to drive decisions or automation. An advanced system also needs to quantify how bad a vulnerability is in operational terms.
There are three key lenses:
User impact
- How many real users (not synthetic projections) interact with the vulnerable service?
- Is it part of critical journeys such as login, checkout, claims processing, or trading flows?
Real user monitoring (RUM) plus session data shows you exactly how often vulnerable paths are exercised and by whom.
Service calls impacted
Not all parts of a system are directly user-facing. For machine-to-machine workloads:
- How many service calls go through the vulnerable component?
- Are they part of batch jobs, data processing, or core transaction flows?
This gives you a reliable severity estimate even when there’s no UI.
Business impact
Ultimately, you need to connect security risk to business outcomes:
- Which business processes rely on this vulnerable service?
- Does it touch regulated data, financial transactions, or revenue-critical journeys?
- What is the potential cost of downtime or compromise for this component?
Dynatrace correlates metrics, traces, and business events so you can see vulnerabilities in the context of SLOs, SLAs, and revenue.
Why this matters: Just as not every disappearing container or slow service is a problem, not every vulnerability is equally urgent. A vulnerability in an unused, internal utility service is less urgent than one in a high-traffic payment API, even if their CVSS scores are identical.
4. Use causation-based AI to cut through alert storms
Traditional tools bombard security and operations teams with:
- Thousands of discrete vulnerability alerts
- Independent performance incidents
- Isolated log and anomaly signals
Humans are left to manually correlate everything—often in late-night war rooms.
Dynatrace Intelligence, powered by Davis® AI, takes a different approach:
- It continuously ingests metrics, logs, traces, UX, and security findings
- It maintains a real-time topology map of all entity interdependencies
- It applies deterministic, causation-based analysis to identify root causes and impacted entities
For vulnerability management, this means:
- Findings are not treated as isolated flags—they’re evaluated in the context of actual traffic, behavior, and impact
- You see precise answers such as:
  - “This critical vulnerability is present but not reachable from any user-facing endpoint.”
  - “This medium vulnerability is in an internet-facing service that’s part of 35% of checkout flows and accesses cardholder data.”
- You can prioritize based on causal chains and business impact, not just severity scores
Why this matters: You don’t just know that a vulnerability exists—you know whether it’s part of an active incident, likely to cause one, or currently inert.
5. Define an exploitability score that reflects your reality
To rank thousands of findings, you need a risk model that captures your environment, not a generic one.
An effective exploitability score typically blends:
- Exposure: Is the vulnerable component reachable from the internet or untrusted networks?
- Runtime usage: Is the vulnerable code path actually executed under real workloads?
- Impact severity: How many users, service calls, and business processes rely on this component?
- Data sensitivity: Does the service handle regulated or high-value data (PII, PHI, payment data)?
- Compensating controls: Are there effective WAF rules, segmentation, or other mitigations in place?
Because Dynatrace sees everything in context—traffic patterns, dependency topology, and business events—you can compute and update this score in real time as your environment changes.
Outcome: Instead of a flat list of “critical” CVEs, you get a ranked backlog that reflects actual exploitability and impact in production.
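The two steps above that lend themselves to code are the reachability analysis from step 2 (which services a vulnerable component can be reached from and what it can reach) and the blended exploitability score from step 5. The following is an added example, not Dynatrace code and not a published Dynatrace formula: the service topology, the findings, the traffic numbers, the CVE identifiers (placeholders) and the weights are all constructed assumptions. It walks a hand-written dependency graph to decide exposure and data access, then ranks findings by a score that blends exposure, runtime usage, impact, data sensitivity and compensating controls.

```python
"""Added example (not Dynatrace code): rank vulnerability findings by a
production-aware exploitability score instead of by CVSS alone.

Everything here is constructed sample data: the service topology, the
findings, the traffic numbers and the weights. The weights are an
illustrative assumption, not a published Dynatrace formula."""
from collections import deque
from dataclasses import dataclass

# Constructed live topology: each service maps to the services it calls.
# A runtime agent would discover these edges; here they are hand-written.
CALLS = {
    "edge-gateway": ["checkout-api", "catalog-api"],
    "checkout-api": ["payment-svc", "session-svc"],
    "catalog-api":  ["search-svc"],
    "payment-svc":  ["cardholder-db"],
    "report-batch": ["warehouse-db"],   # internal batch job, no public entry point
    "session-svc": [], "search-svc": [], "cardholder-db": [], "warehouse-db": [],
}
INTERNET_FACING = {"edge-gateway"}      # entry points exposed to the internet
SENSITIVE_STORES = {"cardholder-db"}    # regulated / high-value data


@dataclass
class Finding:
    cve: str                    # placeholder identifier, constructed
    service: str                # service where the vulnerable module lives
    cvss: float
    loaded_in_runtime: bool     # module actually loaded by the running process?
    calls_per_min: int          # service calls that pass through the module
    compensating: float         # 0.0 = no mitigation .. 1.0 = fully mitigated


def reachable_from(sources, graph):
    """Breadth-first search: every service reachable from the given nodes."""
    seen, queue = set(sources), deque(sources)
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def exploitability_score(f, graph=CALLS, entry=INTERNET_FACING,
                         sensitive=SENSITIVE_STORES, peak_cpm=1):
    """Blend exposure, runtime usage, impact, data sensitivity and controls."""
    # Exposure: is the service on a path from an internet-facing entry point?
    exposure = 1.0 if f.service in reachable_from(entry, graph) else 0.2
    # Runtime usage: loaded and actually exercised by real traffic?
    runtime = 1.0 if f.loaded_in_runtime and f.calls_per_min > 0 else 0.1
    # Impact: share of the busiest component's traffic (0..1).
    impact = f.calls_per_min / peak_cpm
    # Data sensitivity: can this service reach a regulated data store?
    data = 1.0 if reachable_from({f.service}, graph) & sensitive else 0.4
    base = f.cvss / 10.0                           # scanner severity as a baseline
    blended = base * (0.35 * exposure + 0.25 * runtime + 0.25 * impact + 0.15 * data)
    # Compensating controls (WAF rules, segmentation) reduce the score.
    return round(blended * (1.0 - 0.5 * f.compensating), 3)


def rank_findings(findings):
    """Return [(cve, score), ...] sorted from most to least exploitable."""
    peak = max(f.calls_per_min for f in findings) or 1
    scored = [(f.cve, exploitability_score(f, peak_cpm=peak)) for f in findings]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed findings; CVE ids are placeholders, not real advisories.
FINDINGS = [
    Finding("CVE-0000-0001", "report-batch", 9.8, True, 5, 0.0),
    Finding("CVE-0000-0002", "checkout-api", 6.5, True, 1200, 0.0),
    Finding("CVE-0000-0003", "search-svc", 9.1, False, 0, 0.0),
    Finding("CVE-0000-0004", "payment-svc", 7.5, True, 800, 0.5),
]

if __name__ == "__main__":
    for cve, score in rank_findings(FINDINGS):
        print(f"{cve}  score={score}")
```

With these constructed inputs the two highest-CVSS findings rank last: one sits in a batch job that no internet-facing path reaches, the other is in an exposed service but its vulnerable module is never loaded. The medium-severity finding in the checkout API, which is reachable from the gateway, handles the most traffic and sits upstream of the cardholder store, ranks first. The weights are the part you would tune to your own environment; the structure (reachability from entry points, reachability to sensitive stores, observed traffic, controls) is what makes the score production-aware.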
6. Automate decisions and workflows—with guardrails
Once you trust your exploitability signal, you can safely automate more of the response while preserving human oversight.
With Dynatrace Workflows, you can:
- Enrich and route:
  - Auto-create tickets in Jira/ServiceNow with full context: affected services, topology, user/business impact, and suggested remediation
  - Route issues to the right team based on ownership and runtime stack
- Trigger preventive actions:
  - Automatically tighten WAF rules or API gateways when an exploitable vulnerability is detected on an internet-facing service
  - Adjust autoscaling or configuration to minimize blast radius in case of compromise
- Enforce CI/CD quality gates:
  - Block deployments when a change introduces a vulnerability that is known to be exploitable in production
  - “Shift left” using production signatures to test whether a new build behaves better (or worse) than what’s in production, using the same observability and security data
All of this is governed by Trusted AI principles and human-defined policies:
- Engineers configure thresholds, approval steps, and exceptions
- Security teams retain visibility and the ability to override automation
- The Trust Center ensures data protection, privacy, and explainable AI behavior
Why this matters: Determining technical root cause is necessary for auto-remediation, but you also need severity, impact, and governance to decide when to remediate automatically and when to involve humans.
7. Unify observability, security, and business data in one place
A key reason teams drown in vulnerability findings is architectural: data is scattered across tools.
When metrics, logs, traces, UX signals, and security findings live in silos:
- You can’t easily see how a vulnerability affects performance or user journeys
- You waste time stitching together evidence from multiple dashboards
- You miss patterns across apps, clouds, and business units
Dynatrace centralizes all this telemetry in Grail™, a massively scalable data lakehouse. On top of it, Dynatrace Intelligence provides:
- Fast, contextual analytics across security, operations, and business data
- Precise, explainable answers to questions like:
  - “Which exploitable vulnerabilities are impacting our top three revenue-critical journeys?”
  - “Which services combine high-risk vulnerabilities with recurrent performance anomalies?”
- Enterprise-wide visibility, including multi-cloud, Kubernetes/OpenShift, and legacy systems
This unification is what turns vulnerability data from a compliance artifact into an operational decision engine.
What “good” looks like: from findings to exploitable risk
When you move from static vulnerability lists to production-aware, causation-based risk, your operating model changes:
- You stop asking: “How many open findings do we have?”
- You start asking: “Which vulnerabilities are exploitable in production and matter most right now?”
In practice, that means:
- Security teams focus on a prioritized queue of vulnerabilities, ordered by real exploitability and impact—not by alphabetical CVE or CVSS alone
- Platform and SRE teams see vulnerabilities in the same context as performance and availability, reducing finger-pointing and war rooms
- Developers get clear, actionable tickets tied to their services, with runtime evidence, impact, and suggested fixes
- Executives and risk owners get a defensible narrative:
  - Where are we exposed?
  - What’s the potential business impact?
  - What are we doing about it, and how fast?
Final verdict: How to know which vulnerabilities are actually exploitable in production
To answer the question “Which of our thousands of vulnerability findings are actually exploitable in production?”, you need more than better scanners. You need:
- Runtime visibility into where vulnerable code is actually executing
- Real-time topology mapping to see how that code is exposed and what it can reach
- Impact analysis across users, service calls, and business processes
- Causation-based AI to cut through alert storms and surface root causes and real risk
- Automated workflows that act on trustworthy answers, with clear governance and human oversight
- Unified data across observability and security, so your teams share a single, contextual view
That’s the design center of the Dynatrace platform: deliver precise, production-aware answers about vulnerability exploitability—and then let you automate the right next action, whether that’s an alert, a ticket, a configuration change, or a full auto-remediation workflow.