Back to Blog

The Economics of Vulnerability Noise

Security teams are drowning in vulnerability noise because finding problems has become cheap, while checking and fixing them still burns scarce human judgment. The teams that win will stop measuring backlog size and start measuring whether the truly exploitable issues get fixed first.

Every security team knows this feeling. The scanners run all night. The bug bounty inbox keeps filling up. Each finding lands in the same funnel: triage it, assign it, fix it, verify it. Somehow the funnel is always full.

The simpler question: why is there so much noise in the first place?

Finding problems has become almost free. Checking them and fixing them is still expensive, and still (mostly) requires a human to do the work. Scanner vendors get punished when they miss a bug, but a false alarm costs them nothing. It costs you. Bounty hunters get paid per report, so they send a lot of reports. The noise is the result of the incentives.

So the scarce resource is judgment: the attention needed to decide what’s real, and the capacity to actually fix it.

Once you look at the problem like this, a few different ways of thinking about it open up. Each one starts from a different guess about what’s really going on. None of them solve the whole thing, but each one points you toward a different first move.

The Economics Angle

The guess: some of the cost of checking a finding can be pushed back onto whoever produced it.

Ask bounty hunters for working proof, not theory. Reward precision and make spam hurt reputation. Narrow scanner rules and bounty scope. If the people producing findings had to carry even part of the checking cost, the volume would probably shrink on its own.

But maybe you can’t change the market. Maybe the scanners will still over-report, and bounty hunters will still send whatever might get paid. If that’s the world you’re in, then your move is different: build your own absorption layer and get very good at cheap filtering.

The Classification Angle

The guess: the noise repeats.

The same duplicates come back. The same unreachable code paths. The same “technically true but harmless” settings. If that’s what’s happening, then filtering is a learnable problem, not a heroic human judgment problem every single time.

The fear, of course, is that you’ll filter out the one real issue and that’s a legitimate fear. But compare it to the real baseline, not to perfection. Your current human process already misses things. The question is not “filtering versus perfect triage.” The question is “filtering versus a burnt out human at 4pm on a Friday.” Measure against your actual miss rate, not against zero.

The Context Angle

The guess: most triage decisions are easy once you know enough about the environment.

Is the server exposed to the internet? Does it hold sensitive data? Is there a control in front of it? Is the vulnerable code even reachable? A lot of the time, the finding itself isn’t that mysterious. The environment around it is.

That changes the work. Instead of trying to make people judge findings better, you work on making your environment legible: what systems exist, what they touch, what data they hold, what protects them, and how code actually runs. Put that in a form machines can use, and a lot of “hard triage” becomes much simpler.

The Prioritization Angle

The guess: you will never clear the queue, and clearing it is the wrong goal anyway.

Only a small fraction of vulnerabilities ever get exploited in the real world. So success does not mean an empty backlog. It means the genuinely dangerous few don’t sit around waiting while the team burns time on trivia. That’s a ranking problem, not a throughput problem.

It also means severity scores can’t be the compass. A “critical” on paper can be harmless in your environment, and a “medium” might be the one that hurts you. Rank by real-world exploitability and by what the asset actually protects.

The Queueing/Constraint Angle

The guess: your funnel is a production line, and one station is the bottleneck.

Maybe the bottleneck is triage or engineering fix capacity or intake. Whatever it is, improving anything else mostly just gives you prettier dashboards and the same jammed system.

Teams also forget that incoming volume is not weather. You picked the scanners, the rulesets, and the bounty scope. Turning some of that down is a legitimate move. More detection is only useful if you can do something with it.

The Root-Cause Angle

The guess: findings follow a power law.

A small number of causes create a huge amount of the volume: one bad default, one missing guardrail, one old code pattern copied everywhere. If that’s true, closing tickets one by one is mostly treating symptoms.

The leverage is upstream. Kill the class, and hundreds of future findings never appear. One fixed template beats three hundred closed tickets.

The Risk-Management Angle

The guess: the real goal is acceptable risk, not an empty backlog.

That means it can be completely legitimate to say, in writing, “we deliberately do not triage this category below this threshold.” It’s a policy choice that’s much more honest than pretending everything gets looked at while a silent pile of ignored tickets grows in the background.

It’s culturally hard, because audits and compliance push everyone towards a comforting story where every finding gets attention. But judgment is a limited resource. If you spend it everywhere, you don’t really spend it anywhere.

What About “Just Patch Everything”?

There’s a tempting shortcut that avoids a lot of this: “We can’t triage at this scale. Stop judging. Fix it all.”

It sounds a bit naive, but there’s a strong argument for it. For every finding, you spend one of three currencies: judgment, work, or risk. Triage assumes judgment is cheaper than work. Patch-everything bets that, at least for some categories, work has become cheaper than judgment.

And for some categories, that bet is right. Dependency bumps, base image rebuilds, config rollouts. If a machine can safely fix the thing, then having a human sit there and decide whether the finding is “real” may be more expensive than just fixing it.

The strongest version goes even further. Don’t respond to findings one by one. Rebuild everything from patched bases, often, so patching becomes a property of the platform.

But that only works if a few things are true.

First, a fix has to exist. Scanner findings often map to “bump version X to Y.” Bounty findings often don’t. A business logic flaw is not a patch… It’s an engineering project.

Second, your fix capacity has to beat the arrival rate. If findings come in faster than you can fix them, you haven’t removed the queue. You’ve just renamed it. And if there’s no triage, the one dangerous issue may wait behind three hundred easy but trivial ones.

Third, change has to be safe. Every patch is a change, and change breaks production. Without tests, rollback, and boring deploys, you didn’t remove the judgment cost. You moved it from “is this finding real?” to “will this patch break something important?”

Fourth, someone has to absorb the work. Patch-everything often looks efficient from the security team’s chair because the cost moved to engineering. Without real automation or a real mandate, teams find ways around it: exceptions, carve-outs, quiet ticket-closing games, and dashboards that look better than reality.

And when capacity is the limit, triage does not disappear. It just happens accidentally. What gets patched first, what slips when the sprint fills up, whose tickets move and whose tickets sit, all of that is triage. You can do it deliberately, or you can let the system do it for you.

Patch-everything is right where fixing is cheap, safe, and mechanical. Everywhere else, it’s more of a forcing function than a solution. Commit to it, and every reason patching is hard gets exposed: missing tests, snowflake servers, unpinned dependencies, scary deploys, systems nobody owns. That exposure is useful. It shows you where automation can grow, and where human judgment was always going to be needed.

The goal is to make the “fix without thinking” bucket bigger. Whatever survives that pressure, the legacy system nobody dares touch, the design flaw, the dependency nobody owns, is the part that actually deserves judgment. And now that part is small enough to judge well.

The Question Underneath It All

What would you measure to know you’re winning?

If you measure backlog size, you’ve chosen a throughput strategy.
If you measure how fast you fix the things that actually get exploited, you’ve chosen a ranking strategy.

Most teams never make that choice on purpose. They inherit a metric, and the metric quietly becomes the strategy.

Pick the metric carefully, it’ll decide what the team actually does.

From research to review

Want this level of analysis on your code?

Enclave reviews real pull requests with codebase context, traces findings across files, and filters for what is exploitable in your environment.

Get a demo