The Real ROI of Function-Level Reachability

The Cost of Security Noise

Every ticket a security team sends to developers carries a price. Whether it’s $200 or $4,500, the fully loaded cost of triage, remediation, testing, and opportunity cost adds up quickly. Even at a conservative estimate of $800 per ticket, the waste is staggering.

One Fortune 500 customer reported that their teams opened more than 200,000 tickets in a single year. At that volume, whether the tickets are valid or not, the inefficiency adds up to millions before even touching real risk.

This is not unique. Across the industry, developers are drowning in tickets generated by tools that flood them with alerts but fail to answer the critical question: Is this vulnerability actually reachable in our code?

The Broader Context: Open Source Risk Is Accelerating

With AI-driven development accelerating code creation, the dependency surface is expanding faster than ever. Developers are shipping more code but know less about what’s inside their applications. Combined with the documented surge in vulnerabilities and malicious packages, enterprises can’t afford ineffective tools.

Recent research highlights the scale of the challenge:

• 98% annual growth in open-source vulnerabilities, nearly four times faster than the 25% growth in OSS packages.
• 85% increase in vulnerability lifespan, meaning they persist longer before being fixed.
• Malicious packages are rising sharply: nearly half (48%) of vulnerabilities in NPM and 14% in PyPI stem from intentionally malicious code.

This is not a wave that can be managed with more alerts. The volume is accelerating, the persistence is lengthening, and attackers are exploiting structural weaknesses in ecosystems themselves.

Function-Level Reachability as the ROI Lever

Traditional SCA and package-level reachability approaches flood developers with noise. Function-level reachability changes the economics by filtering vulnerabilities at the function call level, cutting away the 93% of false positives that never touch the application’s execution path.

Instead of triaging thousands of non-issues, security teams focus only on vulnerabilities that are truly exploitable. The ROI is tangible:

• Noise Reduction — 93% fewer false positives.
• Time to Remediation (MTTR) — up to 10× acceleration.
• Developer Productivity — Hours and days returned to revenue-generating work.
• Revenue Protection — Avoided downtime and reduced breach exposure.
• Collaboration — Shared evidence developers trust and auditors validate.

Even auditors are validating this shift. FedRAMP’s July 2025 RFC calls for exploitability analysis over raw counts. 

Industry research shows organizations are already spending millions per year just managing CVEs. Not fixing real risk, but handling the overhead of triage, patching, and compliance. One recent study found companies waste over $2M annually on remediation alone, and described the “CVE doom cycle” of alerts, triage, and rework that drains innovation. And that research focused only on container base image vulnerabilities — the easiest type to fix. Application-level vulnerabilities are far more complex and costly. Function-level reachability breaks this cycle by ensuring teams only act on vulnerabilities that truly matter.

The Business Impact of Reachability

Hewlett Packard Enterprise (HPE)

‍

See the details behind HPE’s results here. 

Across the enterprises we work with at Hopper, the pattern is consistent: less noise, faster fixes, stronger collaboration, and millions saved.

The Executive Lens

Security ROI isn’t measured in dashboards. It’s measured in developer hours returned, revenue protected, incidents avoided, and collaboration strengthened.

For CISOs and executives, the ROI of reachability is clear:

• Security as an Enabler: Guardrails, not roadblocks, so the business can move fast without compromise.
• Clarity Over Counts: Show boards and regulators how you’ve eliminated real exploitable risk, not how many vulnerabilities you’ve found.
• Safe AI Adoption: Companies are moving fast with AI, but they need to make sure they’re doing it safely. That means protecting both the open-source code they rely on and the AI-powered applications they’re building.
• Confidence in the Future: With AI accelerating both code creation and attacker velocity, precision-driven security isn’t optional; it’s the only sustainable path forward.

The Bottom Line

Function-level reachability isn’t just a better scanner. It’s the shift enterprises need to balance flat budgets with accelerating risk.

Security should be the accelerator with guardrails, not the brake. That’s the real ROI of function-level reachability.

‍

Appendix: Research and Industry Reports

1. Original OSS Vulnerability Growth Research (arXiv, 2025)
   Summary: A longitudinal study of 31,000 vulnerabilities across 14,000 packages and 10 ecosystems found a 98% year-over-year increase in open-source vulnerabilities, nearly 4× faster than the growth of open-source packages. The research also showed an 85% increase in the lifespan of vulnerabilities and a sharp rise in malicious packages, especially in NPM and PyPI.
2. Mandiant M-Trends 2025 Report
   Summary: Mandiant reported that exploits remain the most common initial attack vector for breaches, underscoring the need for exploitability-driven vulnerability management.
3. IBM X-Force Threat Intelligence Index 2025
   Summary: IBM identified software exploits as the top cause of breaches, reinforcing the urgency of shortening MTTR and focusing on vulnerabilities that truly matter.
4. Chainguard: The Cost of CVEs 2025
   Summary: Based on interviews with customers, this report estimates that managing vulnerabilities in-house can cost organizations millions annually, mostly due to overhead associated with triage, patching, and compliance. Chainguard describes a “CVE doom cycle” where alert noise and remediation efforts consume engineering time and erode innovation.