{"id":107714,"date":"2026-03-24T17:30:14","date_gmt":"2026-03-24T15:30:14","guid":{"rendered":"https:\/\/staging.checkmarx.com\/?p=107714"},"modified":"2026-03-25T19:02:43","modified_gmt":"2026-03-25T17:02:43","slug":"attackability-why-context-not-reachability-should-drive-remediation","status":"publish","type":"post","link":"https:\/\/checkmarx.com\/ai-llm-tools-in-application-security\/reachability-was-a-breakthrough-but-now-its-not-enough\/","title":{"rendered":"Attackability: Why Context, Not Reachability, Should Drive Remediation"},"content":{"rendered":"<p>For years, reachability has been the security industry\u2019s go-to approach for vulnerability prioritization. Instead of flagging every vulnerable dependency, the idea was to determine whether an application could actually reach the vulnerable function. This marked a meaningful step forward in application security, shifting focus to code that executes in production.<\/p>\n\n\n\n<p><strong>But reachability is not exploitability. <\/strong>A function can be reachable and still pose no practical risk if it sits behind authentication, processes only trusted inputs, or is mitigated by runtime controls. 
Reachability confirms that code can run, not that an attacker can abuse it.<\/p>\n\n\n\n<p>Modern software development requires more than execution analysis.<\/p>\n\n\n\n<p>Checkmarx Triage Agent addresses this head-on with <em>Attackability<\/em>: AI-driven triage that traces attacker-controlled inputs from real ingress points to potential impact and verifies which controls prevent exploitation \u2013 and which do not.<\/p>\n\n\n\n<p>The result is triage based on demonstrated exploitability, not theoretical reachability.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-1\">What Reachability Actually Tells You<\/h2>\n\n\n\n<p>Most SCA tools define reachability at the function level: is there a path from your code to the vulnerable function? If yes, the finding is flagged as reachable. If not, it\u2019s deprioritized.<\/p>\n\n\n\n<p>That\u2019s useful, but it\u2019s also incomplete. Here\u2019s what reachability doesn\u2019t tell you:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Whether the input reaching that function is attacker-controlled, or only comes from trusted internal sources<\/li>\n\n\n\n<li>Whether there\u2019s a real ingress point (a public API, a webhook, a file upload) that a real attacker could use<\/li>\n\n\n\n<li>Whether required preconditions exist, like a specific protocol behavior or a privileged network position<\/li>\n\n\n\n<li>Whether controls on the path, such as a safe parser, an authentication check, or an allowlist, already break the exploit chain<\/li>\n\n\n\n<li>What the actual impact would be: RCE, data exposure, privilege escalation, or something else<\/li>\n<\/ul>\n\n\n\n<p>A finding can be technically reachable yet completely unexploitable in production. When that happens, engineering time is wasted, and genuine risk has to compete for attention.<\/p>\n\n\n\n<p>Security teams don\u2019t need to know \u201ccan this function run?\u201d They need to know \u201c<strong>can an attacker exploit this in our application, given our ingress points, our controls, and our runtime environment?<\/strong>\u201d<\/p>\n\n\n\n<p>That\u2019s the difference between reachability and attackability.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-2\">How Attackability Works<\/h2>\n\n\n\n<p>Checkmarx Triage Assist introduces Attackability: AI-driven triage that traces attacker-controlled input from real ingress points to potential impact, and validates which controls prevent exploitation and which do not.<\/p>\n\n\n\n<p>Attackability follows a consistent five-step flow regardless of the scanner type:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<strong>Identify the vulnerable capability and candidate sink.<\/strong> Confirm what the vulnerable library, pattern, or API surface is, and form an initial hypothesis about how exploitation would occur.<\/li>\n\n\n\n<li>\n<strong>Prove or disprove a real execution path.<\/strong> Trace whether the vulnerable code path is reachable in the repository, including direct calls, indirect framework behavior, and configuration-driven invocation.<\/li>\n\n\n\n<li>\n<strong>Validate attacker control and real ingress.<\/strong> Identify how data enters the system (API endpoints, file uploads, queues, webhooks, scheduled jobs) and whether an external attacker can actually influence the data that reaches the sink.<\/li>\n\n\n\n<li>\n<strong>Validate controls and preconditions.<\/strong> Check whether security controls apply on the relevant path: safe parsing, allowlists, auth boundaries, sanitization, runtime 
hardening. Document any required preconditions, such as a MITM position or specific deployment settings.<\/li>\n\n\n\n<li>\n<strong>Conclude exploitability and explain impact.<\/strong> Give a clear verdict (exploitable, not exploitable, or risk accepted with rationale), state the concrete impact, and provide a minimal-disruption remediation.<\/li>\n<\/ol>\n\n\n\n<p>This moves the conversation from \u201cis this reachable?\u201d to \u201cis this exploitable?\u201d<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-3\">Not Just for SCA<\/h2>\n\n\n\n<p>Attackability isn\u2019t limited to dependency findings; it applies the same reasoning across most scanner types.<\/p>\n\n\n\n<p>For <strong>SAST findings<\/strong>, it connects a detected code pattern to a real exploit chain by asking whether there\u2019s a genuinely attacker-controlled source, whether the data flow reaches a dangerous sink, and whether controls on the path already prevent exploitation. 
A tainted data flow that never crosses an authentication boundary, or that\u2019s constrained by an allowlist, can be reachable in code without being attackable in production.<\/p>\n\n\n\n<p>For <strong>IaC and cloud misconfigurations<\/strong>, it evaluates whether a configuration issue is externally accessible and whether it creates a realistic path to impact, factoring in exposure surfaces, identity controls, and network controls.<\/p>\n\n\n\n<p>For <strong>container findings<\/strong>, it assesses whether a vulnerable package is used at runtime, whether the container runs with elevated privileges, and whether the affected component is exposed through a reachable service.<\/p>\n\n\n\n<p>For <strong>secrets detection<\/strong>, it evaluates whether the credential is valid, scoped, and exposed in a way an attacker can actually leverage, factoring in repository visibility, rotation state, and downstream blast radius.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-4\">What Makes the Output Credible<\/h2>\n\n\n\n<p>The Attackability data is useful precisely because it\u2019s verifiable. It includes concrete code references showing how the library or sink is used, a path narrative describing the chain from ingress to sink to impact (including where the chain breaks if the finding isn\u2019t exploitable), explicit control validation, and a precise impact statement.<\/p>\n\n\n\n<p>This matters more than triage speed. It means developers can see exactly how the issue is triggered and what minimal change breaks the chain. 
It means risk acceptance decisions are documented with evidence, so security and engineering teams are aligning on facts, not assumptions.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-5\">Reachability Is Just a Starting Point<\/h2>\n\n\n\n<p>Reachability made vulnerability data more relevant. But reachability is not enough.<\/p>\n\n\n\n<p>Checkmarx Triage Assist\u2019s Attackability adds attacker context, environmental context, and control validation, turning a reachability result into something a team can actually make a decision on.<\/p>\n\n\n\n<p><em>Ready to go deeper? Read the <a href=\"https:\/\/checkmarx.com\/the-agentic-ai-buyers-guide\/\"><strong>Agentic AI Buyer\u2019s Guide<\/strong><\/a> to understand what separates decision-grade triage from theoretical analysis, or watch the <a href=\"https:\/\/checkmarx.com\/product\/triage-and-remediation\/#video\">Checkmarx Triage Assist demo video<\/a> to see Attackability in action.<\/em><\/p>","protected":false},"excerpt":{"rendered":"<p>Reachability is not exploitability. Modern software development requires more than execution analysis.<\/p>\n","protected":false},"author":32,"featured_media":107715,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[84],"tags":[1272,455,1429,412,1452],"class_list":["post-107714","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-agentic-ai","tag-ai","tag-ai-generated-code-2","tag-checkmarx-one","tag-developer-assist"],"acf":[],"yoast_head_json":{"title":"Attackability: Why Context, Not Reachability, Should Drive Remediation","description":"Reachability is not exploitability. AppSec needs Attackability, triage based on demonstrated exploitability, not theoretical reachability.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/checkmarx.com\/ai-llm-tools-in-application-security\/reachability-was-a-breakthrough-but-now-its-not-enough\/","og_locale":"en_US","og_type":"article","og_title":"Attackability: Why Context, Not Reachability, Should Drive Remediation","og_description":"Reachability is not exploitability. AppSec needs Attackability, triage based on demonstrated exploitability, not theoretical reachability.","og_url":"https:\/\/checkmarx.com\/ai-llm-tools-in-application-security\/reachability-was-a-breakthrough-but-now-its-not-enough\/","og_site_name":"Checkmarx","article_publisher":"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis","article_published_time":"2026-03-24T15:30:14+00:00","article_modified_time":"2026-03-25T17:02:43+00:00","og_image":[{"width":2560,"height":1280,"url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/03\/Blog-Banner-_4_.webp","type":"image\/webp"}],"author":"Rebecca Spiegel","twitter_card":"summary_large_image","twitter_creator":"@checkmarx","twitter_site":"@checkmarx","twitter_misc":{"Written by":"Rebecca Spiegel","Est. reading time":"5 minutes"}}}