Intelligent CIO North America Issue 58 | Page 28

INFOGRAPHIC

Datadog’s State of DevSecOps 2025 report finds only 18% of critical vulnerabilities are truly worth prioritising

Security engineers said to be ‘wasting a lot of time on vulnerabilities that aren’t necessarily all that severe.’

Datadog has released its new report, the State of DevSecOps 2025, which found that only a fraction of critical vulnerabilities are truly worth prioritising.

To better understand how severe a vulnerability really is, Datadog developed a prioritisation algorithm that factors runtime context into the vulnerability's Common Vulnerability Scoring System (CVSS) base score.
After runtime context was applied, only 18% of vulnerabilities with a critical CVSS base score, fewer than one in five, were still rated critical.
“The State of DevSecOps 2025 report found that security engineers are wasting a lot of time on vulnerabilities that aren’t necessarily all that severe,” said Andrew Krug, Head of Security Advocacy at Datadog.
Runtime context supplies facts about a vulnerability that the CVSS base score does not capture: for example, whether the vulnerable code is actually running in a production environment, and whether the application containing it is exposed to the internet. Weighting findings by those facts reduced noise and surfaced the issues that are genuinely most urgent.
“The massive amount of noise security teams have to deal with is a major issue because it distracts from prioritising the really critical vulnerabilities. If defenders are able to spend less time triaging issues, they can reduce their organisations’ attack surface all the faster. Focusing on easily exploitable vulnerabilities that are running in production environments for publicly exposed applications will yield the greatest real-world improvements in security posture.”
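The following is an added illustration of the kind of context-aware triage step the article describes; it is not Datadog's algorithm, whose weights and inputs are not published on this page. It starts from the standard CVSS v3.x severity bands, then demotes findings that are not running in production or not internet-exposed, and keeps findings that are in production, exposed and known to be exploited at or above "high". The demotion step sizes, the `known_exploited` flag and the `Finding` records are assumptions constructed for the example.

```python
"""Illustrative runtime-context triage layered on CVSS base severity.

Added example, not Datadog's prioritisation algorithm. The step sizes and
the sample inventory below are assumptions chosen for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    name: str               # constructed label for the finding (not a CVE id)
    cvss_base: float        # CVSS v3.x base score, 0.0 - 10.0
    in_production: bool     # runtime context: is the vulnerable code deployed to prod?
    internet_exposed: bool  # runtime context: is the hosting app reachable from the internet?
    known_exploited: bool   # assumed feed, e.g. a known-exploited-vulnerabilities catalogue


LEVELS = ["none", "low", "medium", "high", "critical"]


def cvss_band(score: float) -> str:
    """CVSS v3.x qualitative bands: Critical 9.0-10.0, High 7.0-8.9,
    Medium 4.0-6.9, Low 0.1-3.9, None 0.0."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


def contextual_severity(f: Finding) -> str:
    """Apply runtime context to the base band (assumed step sizes)."""
    level = LEVELS.index(cvss_band(f.cvss_base))
    if not f.in_production:
        # Not deployed where attackers can reach it: demote two steps.
        level -= 2
    elif not f.internet_exposed:
        # Deployed, but only reachable from inside the network: demote one step.
        level -= 1
    if f.in_production and f.internet_exposed and f.known_exploited:
        # Production, exposed and actively exploited: never below 'high'.
        level = max(level, LEVELS.index("high"))
    return LEVELS[max(level, 0)]


def triage(findings):
    """Return the findings that remain critical after context, in input order."""
    return [f for f in findings if contextual_severity(f) == "critical"]


def critical_retention(findings) -> float:
    """Fraction of base-critical findings still critical after context is applied."""
    base_critical = [f for f in findings if cvss_band(f.cvss_base) == "critical"]
    if not base_critical:
        return 0.0
    return len(triage(base_critical)) / len(base_critical)


# Constructed sample inventory: names and flags are made up for the example.
SAMPLE = [
    Finding("F1", 9.8, in_production=True,  internet_exposed=True,  known_exploited=True),
    Finding("F2", 9.1, in_production=True,  internet_exposed=False, known_exploited=False),
    Finding("F3", 9.8, in_production=False, internet_exposed=True,  known_exploited=True),
    Finding("F4", 9.0, in_production=False, internet_exposed=False, known_exploited=False),
    Finding("F5", 9.9, in_production=True,  internet_exposed=True,  known_exploited=False),
    Finding("F6", 7.5, in_production=True,  internet_exposed=True,  known_exploited=True),
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f"{f.name}: base={cvss_band(f.cvss_base):8s} contextual={contextual_severity(f)}")
    print(f"{critical_retention(SAMPLE):.0%} of base-critical findings remain critical")
```

On the constructed sample, five of six findings are critical by CVSS base score alone, but only F1 and F5 remain critical once runtime context is applied; the real signal in the report is the same shape, with 18% surviving.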