TL;DR
Traditional application security focuses on finding vulnerabilities before code ships. However, pre-production scanning identifies theoretical risks while production reveals what is actually reachable, exploitable, and under active attack. Production-first security leverages runtime intelligence to prioritize remediation, giving teams visibility into real-world attack patterns rather than hypothetical weaknesses.
Should application security focus more on production or pre-production?
Security teams have historically prioritized shift-left strategies. Static Application Security Testing (SAST) scans code during development, while Dynamic Application Security Testing (DAST) tests applications before release. These tools are designed to find vulnerabilities early in the Software Development Life Cycle (SDLC).
Yet attackers don't read your pre-production scan reports. They probe running applications, looking for what actually works. According to Contrast Security's Software Under Siege 2025 report, applications face an average of 81 viable attacks per application monthly. These aren't automated scanners or random probes. These are attacks that reach exploitable vulnerabilities.
The disconnect between pre-production findings and production reality leaves security teams drowning in backlogs while attackers exploit the small percentage of vulnerabilities that truly matter.
The shift from pre-production to production-centric security
This evolution mirrors the shift in endpoint protection. Early antivirus software relied on signature-based detection. The industry eventually moved to Endpoint Detection and Response (EDR), adding behavioral analysis to watch what programs actually do at runtime. A similar shift is occurring in application security (AppSec).
|
Dimension
|
Pre-production scanning
|
Production-first security
|
|
Data source
|
Static code analysis, test environments
|
Running applications, real traffic
|
|
Vulnerability context
|
Theoretical risk based on code patterns
|
Actual exploitability based on execution
|
|
Attack intelligence
|
Generic threat models
|
Real attacks targeting your applications
|
|
Prioritization basis
|
Severity scores, compliance requirements
|
What's reachable, exploitable and under attack
|
Pre-production tools work from theoretical models. They analyze code paths that might execute, dependencies that could be exploited, and configurations that seem risky. Production-first security starts with what's actually happening: which code runs, what attackers target and where real risk exists.
Why pre-production tools alone create blind spots
SAST and DAST tools catch coding errors early and enforce standards. However, they lack production context, leading to three major issues:
- Low exploitability rates: Research by Chainguard, analyzing Sysdig data, found that only 2-5% of vulnerabilities are exploitable in production. Pre-production tools cannot distinguish this critical 2% from the 98% of "noise."
- Lack of attack visibility: Scanners cannot predict specific attack patterns. They flag risks without knowing what adversaries are actually targeting.
- The timing gap: Attacks typically begin within 5 days of vulnerability disclosure, while pre-production scans may have occurred months prior.
What runtime intelligence reveals that scanning cannot
Runtime intelligence provides data that only exists within a running application:
-
Executed code paths: Distinguishes between active code and "dead code" that poses no risk.
-
Real-time threat intelligence: Shows exactly which techniques attackers are using against your specific stack.
-
Exploitability context: Confirms if a vulnerability, like SQL injection, is reachable and lacks compensating controls in production.
When applications face 81 viable attacks per application per month, the data to prioritize remediation is available. It's in production, not in pre-production scan reports.
Production-first doesn't mean production-only
Production-first security creates a feedback loop. By identifying which vulnerabilities attackers target in production, you can tune pre-production scans to prioritize those patterns. This aligns Application Detection and Response (ADR) with existing shift-left efforts to reduce noise and focus development resources on reducing actual risk.
The result:
- Smaller backlogs with noise filtered out
- Faster remediation of vulnerabilities that matter
- Security effort focused where it reduces actual risk
Consider how this changes prioritization. Without production data, a security team might prioritize based solely on CVSS scores. A critical-severity finding gets immediate attention regardless of whether the affected code runs in production.
With production data, that same team knows which critical findings affect code that's reachable, exploitable, and actively targeted. They fix those first. The theoretical findings that will never see an attacker can wait.
Operationalizing production-first security
Moving from pre-production-focused to production-first security requires three operational changes:
SOC integration
Traditional vulnerability management produces developer-facing reports. Production-first security generates alerts with runtime context that SOC teams can act on immediately. Instead of "vulnerability found in function X," the alert includes attack details, affected sessions, and recommended responses.
Compensating controls
Code fixes take time. Production-first security provides immediate protection through runtime controls while permanent fixes develop. When a new vulnerability disclosure hits, protection can deploy in hours rather than waiting weeks for code changes.
Detection at the precise moment of exploitation, before lateral movement or data exfiltration can occur
Pre-production scanning catches vulnerabilities. Runtime protection catches attacks. Detection at the application layer means stopping attackers at the MITRE ATT&CK early stages, before they establish persistence or move through your environment.
The production-first advantage
Security teams face a math problem. Vulnerabilities accumulate faster than teams can fix them. Pre-production scanning makes the problem worse by flooding backlogs with findings that don't translate to real risk.
Production-first security changes the equation. By starting with what's actually reachable, exploitable, and under active attack, teams can focus finite remediation resources on vulnerabilities that matter.
The data to make this shift exists. It's in the 81 viable attacks per application monthly that your production systems already see. Production-first security turns that data into actionable intelligence.
Frequently asked questions
What is production-first security?
Production-first security is an approach that uses runtime intelligence from running applications to drive security priorities. Rather than relying solely on pre-production scanning, it incorporates data about actual code execution, real attack patterns and production context to determine which vulnerabilities require immediate attention.
Does production-first security replace pre-production scanning?
No. Production-first security complements pre-production scanning by providing context that makes scan results more actionable. Pre-production tools catch coding errors early. Runtime intelligence determines which findings represent real risk based on what actually executes in production.
How does runtime intelligence improve vulnerability prioritization?
Runtime intelligence shows which code paths execute, which vulnerabilities are reachable, and which weaknesses attackers actively target. This context transforms a generic severity score into a risk assessment based on your specific production environment and threat landscape.
What's the difference between theoretical vulnerabilities and production-exploitable ones?
Theoretical vulnerabilities exist in code that may never be executed or reachable by attackers. Production-exploitable vulnerabilities exist in code paths that run, process untrusted input and are realistically targetable. Research indicates that only 2-5% of vulnerabilities fall into the production-exploitable category.
How quickly do attackers target vulnerabilities after disclosure?
According to research from Contrast Security, attacks begin an average of 5 days after vulnerability disclosure. This rapid timeline underscores why production visibility matters: By the time a newly disclosed vulnerability is being actively exploited, pre-production scans from weeks or months ago provide little actionable guidance.
Key takeaways
- Only 2-5% of vulnerabilities are exploitable in production. Pre-production tools can't tell you which ones. Runtime intelligence can.
- Attackers move fast. With exploitation beginning 5 days after disclosure, production visibility catches what pre-production scans miss.
- 81 viable attacks per application monthly provide the data needed to prioritize remediation based on real threat activity.
- Production-first complements shift-left. Runtime data makes pre-production scanning more effective by filtering noise and focusing effort.
SOC integration changes the game. Runtime context turns vulnerability reports into actionable alerts, including attack details and recommended responses.
