Listen to this Post
Introduction:
For the past decade, application security teams have been drowning in a firehose of SAST and SCA findings—thousands of alerts, most of them not exploitable, yet consuming countless engineering hours in triage. The industry bolted AI on top of existing workflows, but the fundamental problem never changed: the signal-to-1oise ratio remained broken. Maze Code emerges as a paradigm shift, moving beyond traditional reachability analysis to confirm actual exploitability in your specific environment, delivering only verified vulnerabilities with evidence-backed fixes routed directly to the developers who own the code.
Learning Objectives:
- Understand the critical distinction between reachability (a function can be called) and exploitability (a vulnerability can actually be weaponized in your environment)
- Learn how AI agents can automate vulnerability investigation, eliminating 80-90% of false positives without human intervention
- Master practical commands and techniques for validating reachability, assessing exploitability, and implementing targeted fixes across Linux and Windows environments
You Should Know:
- Reachability Is Not Exploitability — The Difference That Changes Everything
Reachability analysis tells you that a vulnerable function can be called somewhere in your codebase. It builds call graphs, traces data flows, and identifies paths from entry points to dangerous sinks. But reachability is necessary, not sufficient. A function can be reachable yet completely harmless if it sits behind authentication, processes only trusted inputs, or is mitigated by runtime controls.
Exploitability, by contrast, asks the question that actually matters: given how this specific asset runs in your environment, is exploitation technically possible? This requires checking every prerequisite: kernel subsystems, process flags, configuration settings, network locations, and dependency versions.
Maze Code’s AI agents investigate each CVE the way your best security engineer would—researching the vulnerability, piecing together conditions from advisories, PoCs, and blog posts, then pulling live context from your cloud environment to determine whether those conditions actually exist. The result? In real customer environments, most scanner findings simply aren’t exploitable vulnerabilities.
Practical Validation: Checking Reachability in Your Environment
To validate reachability manually before trusting any tool, start with call graph analysis:
Linux — Using CodeQL for call graph construction:
Install CodeQL CLI wget https://github.com/github/codeql-cli-binaries/releases/latest/download/codeql-linux64.zip unzip codeql-linux64.zip -d /opt/codeql export PATH=$PATH:/opt/codeql Create a CodeQL database for your project codeql database create ./db --language=javascript --source-root=./src Run reachability queries codeql database analyze ./db --format=sarif-latest --output=results.sarif /path/to/ql/queries
Windows — Using PowerShell for dependency traversal:
Map dependency trees to identify vulnerable packages
Get-ChildItem -Path .\ -Recurse -Filter "package.json" | ForEach-Object {
$content = Get-Content $<em>.FullName | ConvertFrom-Json
$content.dependencies.PSObject.Properties | ForEach-Object {
Write-Host "$($</em>.Name)@$($_.Value)"
}
} | Sort-Object -Unique
These commands help you understand what’s actually in your codebase before relying on automated scanners to tell you what matters.
- The False Positive Epidemic: Why 80-90% of Vulnerabilities Don’t Matter
Industry studies indicate that false positive rates from SAST tools can range from 70% to over 90%, depending on the tool and configuration. This volume of noise creates a constant drain on AppSec teams and developers, who spend countless hours triaging alerts that lead nowhere.
Maze’s data confirms this: anywhere from 70-90% of vulnerabilities in your environment aren’t technically exploitable. Not “probably won’t be exploited”—they literally cannot be exploited in your specific environment with your specific configuration and controls.
The problem is that traditional scanners don’t know the difference between a vulnerability that looks like it might be there and one that can actually hurt you. They lack context about your infrastructure, your runtime configuration, your network topology, and your compensating controls.
Maze’s AI agents eliminate this noise by investigating each vulnerability in context. They pull data from cloud provider APIs, inspect containers and workloads through the control plane, and collect runtime context like which images run where and with which configurations. Each CVE and asset pair goes into one of two buckets: either at least one key prerequisite is missing (not exploitable), or the technical conditions line up (exploitable).
Manual Triage: Commands to Validate Scanner Findings
Before trusting any automated prioritization, verify findings manually:
Linux — Check kernel subsystems and enabled features:
Check if a specific kernel module is loaded
lsmod | grep -i <module_name>
Verify kernel configuration
zcat /proc/config.gz | grep -i <feature>
Check process capabilities
cat /proc/$(pgrep -f <process_name>)/status | grep Cap
capsh --decode=0x$(cat /proc/$(pgrep -f <process_name>)/status | grep CapEff | awk '{print $2}')
Windows — Check configuration and feature flags:
Check if a Windows feature is enabled
Get-WindowsOptionalFeature -Online -FeatureName <FeatureName>
Verify registry configuration for security settings
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -1ame <SettingName>
Check running services and their configurations
Get-Service | Where-Object {$_.Status -eq "Running"} | Select-Object Name, DisplayName, StartType
These commands help you understand your actual runtime environment, not just what your scanner thinks is there.
- Automated Remediation That Actually Works — The Context Problem
Most security vendors rush to ship a “fix it” button, but fixing vulnerabilities that don’t pose a real threat isn’t progress. Worse, auto-fixing everything introduces unnecessary risk. Every change to cloud or code comes with risk—downtime or new security issues. Even if auto-fix is 99.9% accurate, if 90% of findings are false positives, you’re introducing a ridiculous amount of unnecessary risk.
Maze’s approach is different. Their investigation agents run first, eliminating 80-90% of vulnerabilities as not exploitable. Only then does remediation begin—and it’s targeted, context-aware, and routed to the developer who owns the code.
The remediation challenge is best illustrated by a real example. A scanner flags CVE-2025-32989 in a package called gnutls. The developer didn’t install it. They’ve never touched it. It’s a dependency of wget, which was installed via the package manager in the container’s build process.
Red Hat UBI 9 (base image) └── microdnf install wget ← installed during container build └── gnutls 3.8.3 ← pulled in as a dependency (vulnerable)
The developer must now figure out: Do they upgrade Red Hat? Does a new version exist? Could it break the application? Can they pin a specific version of gnutls? Can they remove wget entirely? This research takes hours—multiplied by hundreds of vulnerabilities in the backlog.
Maze generates targeted fixes that understand the full dependency chain, not just the surface-level CVE. It doesn’t just tell you something’s wrong—it shows you why it matters and how to fix it.
Practical Remediation Commands
Linux — Dependency analysis and safe upgrades:
Map all dependencies of a package apt-cache depends <package_name> Debian/Ubuntu rpm -qR <package_name> RHEL/CentOS Check for available security updates apt-get update && apt-get upgrade --dry-run | grep -i security Debian/Ubuntu yum check-update --security RHEL/CentOS Pin a specific package version to avoid breaking changes echo "<package_name> hold" | dpkg --set-selections Debian/Ubuntu
Windows — Dependency mapping and patch management:
List all installed packages and their dependencies
Get-Package | ForEach-Object {
$pkg = $_
$deps = Get-Package -ProviderName Programs -IncludeDependencies -1ame $pkg.Name
Write-Host "$($pkg.Name) depends on: $($deps.Dependencies -join ', ')"
}
Check for available security updates
Get-WUList | Where-Object {$_.Categories -match "Security"}
Container-specific — Base image remediation:
Scan container image for vulnerabilities docker scan <image_name>:<tag> Check for base image updates docker pull <base_image>:latest Rebuild with updated base image docker build --1o-cache -t <new_image_name> .
A single package update or base image rebuild can resolve dozens of vulnerabilities at once, but most tools present every CVE as an individual problem. Maze’s approach consolidates these fixes intelligently.
- AI Agents vs. Static Rules: Why Traditional Filtering Fails
The state of the art in most vulnerability management products remains rule-based filtering: IF public facing AND critical asset AND CVSS > 8, THEN high risk. But rules capture only a tiny fraction of the context needed to truly assess risk.
The reality is that over 90% of vulnerabilities are false positives when investigated in context. And rules often fail to identify the edge cases where real breaches actually happen.
Before LLMs, encoding nuanced logic across every OS, app stack, cloud provider, version, and misconfiguration simply wasn’t feasible. Now, Maze can take every relevant signal—kernel versions, library paths, IAM roles, network configs—and reason over them dynamically.
For every finding, Maze’s agents explore a deep decision tree that looks at prerequisites, mitigating factors, additional software in context, and different layers of configuration. It’s not just about surfacing facts—it’s about interpreting them in context.
Manual Context Gathering: Commands for Deeper Investigation
Linux — Gather comprehensive system context:
Kernel version and enabled features uname -a cat /proc/version IAM and permission context (AWS example) aws sts get-caller-identity aws iam list-attached-user-policies --user-1ame <username> Network configuration and exposure ss -tulpn | grep LISTEN iptables -L -1 -v Library paths and versions ldconfig -p | grep <library_name>
Windows — Gather comprehensive system context:
System information
Get-ComputerInfo | Select-Object WindowsVersion, OsHardwareAbstractionLayer
Network configuration
Get-1etIPAddress | Where-Object {$<em>.AddressFamily -eq "IPv4"}
Get-1etFirewallRule | Where-Object {$</em>.Enabled -eq "True" -and $_.Direction -eq "Inbound"}
Permission context
whoami /all
- The Future of Vulnerability Management: From Triage to Self-Healing
Maze sits at the intersection of LLM maturity, scalable infrastructure, and a real need for signal over noise in cloud security. The industry is moving beyond traditional CNAPP approaches toward platforms that prioritize real exploitability over noise.
Teams never wanted a dashboard showing thousands of “critical” alerts—they want to know which vulnerabilities can actually be exploited in their environment and very prescriptive details on how to fix them.
The future is heading toward “self-healing” environments where remediation is completely automated. But we can’t jump all the way to the end. The first step is to radically improve our understanding of vulnerabilities. We have to be able to confidently identify vulnerabilities that cannot be exploited, removing 90% of the backlog, before we can safely automate fixes.
Maze Code represents this first step—confirming exploitability, eliminating noise, and delivering targeted fixes only where they actually matter.
What Undercode Say:
- Reachability is a trap. Just because a function can be called doesn’t mean it can be exploited. The industry has wasted years chasing vulnerabilities that don’t actually matter. Maze’s shift from reachability to exploitability is the most significant evolution in application security since SAST itself was invented.
-
Context is everything, and rules can’t capture it. Static filters like “public-facing AND CVSS > 8” are directionally helpful but miss the nuanced reality of how systems actually work. AI agents that can reason across layers—infrastructure, runtime, configuration, and metadata—are the only path forward at scale.
Analysis: The fundamental problem Maze solves isn’t technical—it’s organizational. Security teams are burning real cycles on false positives, creating friction with developers who rightfully push back on noise. By delivering only confirmed exploitable findings with evidence and targeted fixes, Maze transforms the security-engineering relationship from adversarial to collaborative. The 80-90% reduction in backlog isn’t just efficiency—it’s a complete rethinking of what vulnerability management should be. The challenge, as always, will be adoption. Teams entrenched in legacy workflows may resist the shift, but those who embrace it will gain an insurmountable competitive advantage in security posture.
Prediction:
- +1 Within 24 months, “exploitability confirmation” will become a mandatory feature for enterprise SAST/SCA procurement, rendering traditional reachability-only tools obsolete.
-
+1 The security industry will finally move beyond CVSS scores as a primary prioritization metric, with exploitability context becoming the new standard for risk assessment.
-
-1 Organizations that fail to adopt exploitability-based triage will continue wasting 70-90% of their AppSec resources on false positives, widening the gap between security and engineering teams.
-
+1 AI agents that can investigate vulnerabilities at scale will become as foundational to security operations as SIEMs are today, with Maze leading the charge.
-
-1 The transition won’t be seamless—legacy tooling and entrenched workflows will create resistance, and early adopters will need to invest in change management alongside technology.
▶️ Related Video (80% Match):
https://www.youtube.com/watch?v=b0UFt4g3_WU
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Matthewjohansen Sponsored – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
