October 24, 2023

Deepfactor’s New Static + Runtime Software Composition Analysis Delivers Runtime Reachability; Organizations Can Now Prioritize Remediation Based on True Application Security Risk

New Customer Sisense Realizes Valuable AppSec Insights for Business

Now Available as SaaS and On-Premises Versions

SAN JOSE, Calif., Oct. 24, 2023 – Deepfactor™, the next-gen Application Security company, today announced new features and capabilities that align with modern application development and define the next-generation of software composition analysis (SCA). Deepfactor now combines static container scan data with runtime analysis of applications, so customers receive prioritized vulnerabilities that represent true risk to the business—based on reachability, runtime usage, and deployment context, as well as exploit maturity.

SCA tools scan code as well as build artifacts such as container images, to determine if there are vulnerabilities in third-party open-source components present in the application or container image. This is important since nearly 50% of applications have high-risk vulnerabilities due to open source and 91% include at least one open-source component that has had no development in the past two years (OSSRA Report), a likely sign that the project is no longer being maintained and, therefore, represents a security risk.

The Challenge of Traditional SCA Tools

Current SCA tools generate significant “noise,” alerting on vulnerabilities that, while severe, may not represent real risk to the business as many of the vulnerabilities are not exploitable in the deployment context. These tools typically rely solely on CVSS severity scores, and other information based on static scanning of code or container images, with no awareness of how the application is deployed or running. This is not enough information to assess enterprise risk because these results are missing critical context for prioritization—whether or not the vulnerable component is actually reachable and being used in the running application. Current tools typically have no visibility into the runtime usage and deployment context of the applications they scan, so they are unable to provide the rich runtime context needed to prioritize vulnerabilities. This contextual capability has significant impact on the business:

  • The application security team delivers a long list of vulnerable components to developers
  • Developers spend significant time fixing vulnerabilities that may not represent risk to the business
  • Leadership ends up tracking vulnerability counts instead of understanding their true business risk posture

Organizations that deployed more intensive, risk-based analysis (vs. relying on CVE scores only) experienced 18.3% lower average cost of a data breach.

Deepfactor’s Next-Generation ‘Static + Runtime’ SCA

Deepfactor’s new version 3.4 introduces a next-generation ‘static + runtime’ SCA capability, available as both SaaS and on-premises solutions. This advanced capability merges both static analysis of artifacts and container images with runtime analysis of applications and correlates them automatically to prioritize risk based on reachability and actual usage at runtime. This provides a more precise evaluation of vulnerability risk to a business.

“Deepfactor’s next-generation SCA transcends traditional AppSec boundaries. Its pioneering approach is a game changer, offering unparalleled insight into the intersection of vulnerable modules and real-time application behavior,” said Abhishek Rath, Head of Product Security at Business Intelligence software company Sisense.

“Our vision for AppSec 2.0 is to help security and engineering teams optimize their time by focusing on those vulnerabilities that have the highest potential impact on the business, while providing leadership with a clear understanding of risk to their business,” said Kiran Kamity, Deepfactor CEO and founder. “These new capabilities do just this and we’re pleased that our customers are seeing the value.”


Deepfactor version 3.4 with this new runtime reachability capability is available immediately and in different modules to meet your AppSec needs:

  • SBOM and SCA for OSS dependencies and container scans
  • Runtime SCA
  • Container runtime security
  • All the above

About Deepfactor

The Deepfactor Application Security Platform combines SBOM, software composition analysis, container scans, and container runtime security into a powerful integrated platform. With the platform’s unique runtime software composition analysis, customers can now correlate static scans with runtime analysis, and prioritize vulnerabilities based on true usage. Deepfactor was named a winner of the 2023 SINET16 Innovator Award and to Will Reed’s Top 100 Class of 2023 as an early-stage company shaping the future of workplace culture. For more information, visit www.Deepfactor.io and follow us on LinkedIn and Twitter.

Press Contact:


Additional Resources

Subscribe to our monthly eNewsletter and stay up-to-date on everything Deepfactor has to offer!