Risk Prioritisation

From 145 Findings to One Critical Fix Why Traditional Scanners Fail at Container Security

Learn how intelligent vulnerability prioritization transformed 145 container security findings into one actionable priority using context, reachability and exploit probability.

Written by Headshot of Ali Yazdani
Ali Yazdani
October 6, 2025
9 min read
From 145 Findings to One Critical Fix

Container security is meant to give teams clarity. Yet most security teams recognise the opposite experience. You scan a container image and receive a list so long that it feels impossible to act on. When everything looks urgent, nothing feels actionable. And when all you see is volume, you lose track of what truly puts your services at risk.

This is the central challenge of container security today. Scanners show what is broken. They rarely show what is important.

This article explores a real world case where one container image produced one hundred forty five findings ; yet only one deserved immediate attention. It illustrates why severity alone is not enough and how context, reachability and exploit probability can change the entire remediation strategy. Platforms such as ScanDog bring this intelligence into modern DevSecOps workflows.

The Real World Scenario: When Scanners Create Noise Instead of Clarity

When the nginx:stable-bookworm-perl container image was scanned using Trivy, the results reflected what many teams see daily:

  • 145 total findings
  • 13 HIGH severity vulnerabilities
  • 2 CRITICAL vulnerabilities
  • 1 P0 finding

On paper, nothing about this list indicates where to begin. Traditional scanners treat all unpatched vulnerabilities as static risk, leaving teams to make difficult prioritisation decisions with minimal context.

The surprising reality came later. Among the dozens of HIGH and CRITICAL findings, a single LOW severity CVE , CVE-2023-44487 , posed the only immediate threat. ScanDog’s prioritisation engine flagged it instantly because of its active exploitation and high probability of attack.

This is the gap intelligent prioritisation fills.

Understanding the Real Risk: CVE-2023-44487 and the HTTP/2 Rapid Reset Attack

CVE-2023-44487 represents a flaw in the HTTP/2 protocol that enables massive distributed denial of service attacks using minimal resources. Attackers abuse HTTP/2 stream multiplexing to open and immediately reset connections at scale, overwhelming servers in seconds.

Why traditional severity ratings miss the point

CVSS classifies the vulnerability as High with a score of 7.5.

But CVSS is a technical metric, not a risk metric. It does not consider:

  • Active exploitation by attackers
  • Availability of weaponised exploit code
  • Advisories from major cloud providers
  • Business impact of service downtime
  • Ease of execution by low skill actors

What the real world data shows

EPSS, the Exploit Prediction Scoring System, gives CVE-2023-44487 a probability of 94.42 percent for exploitation within thirty days.

Its percentile ranking: 99.98.

In other words, it is more likely to be exploited than almost every other known CVE. That is why ScanDog elevates it to P0 priority, regardless of its nominal severity.

Why Container Security Cannot Rely Solely on Scanners

The lesson is simple. Scanners generate valuable detection data, but they do not provide insight. They cannot understand:

  • Which vulnerabilities are actually exploitable
  • Which paths attackers are most likely to use
  • What your business impact would be
  • Which services face real exposure

This leads to misaligned priorities, delayed remediation and unnecessary engineering workload.

ScanDog supports teams by layering intelligence on top of scanner output, transforming raw findings into a clear, ranked list based on real threat signals.

How ScanDog Transforms Container Security

Traditional workflow:

Scanner → 145 Findings → Manual Triage → Guesswork → Delayed Response

ScanDog workflow:

Scanner → 145 Findings → Intelligent Prioritization → 1 P0 Finding → Immediate Action

This shift turns vulnerability management from reactive guesswork into a structured, intelligence driven practice.

The Four Pillars of Intelligent Prioritisation

Exploit intelligence

ScanDog monitors exploit availability, real world attack campaigns and weaponisation signals.

If attackers are actively using a vulnerability, it moves to the top of the queue.

Threat context

EPSS probability, percentile ranking and attacker behaviour patterns determine urgency.

This provides a more accurate picture than CVSS alone.

Business impact

Criticality of services, potential downtime and blast radius shape the prioritisation score.

Environmental factors

Exposure, authentication requirements and network pathways determine whether a vulnerability could actually be exploited in your environment.

Together, these factors reduce noise and elevate the handful of findings that truly matter for container security.

Measurable Impact for Security Teams

Organisations that move from volume based approaches to intelligence based prioritisation consistently report:

  • Eighty seven percent less time spent triaging
  • Three times faster remediation cycles
  • Sixty two percent fewer incidents caused by known vulnerabilities
  • Ninety five percent improvement in MTTR for P0 issues

These gains come from clarity, not from scanning more frequently.

What This Means for Your Container Security Strategy

Container security is about more than producing lists of vulnerabilities. It is about understanding which issues meaningfully threaten your organisation.

If you are still relying solely on scanner severity, consider asking

  • How many vulnerabilities are actively exploited today?
  • Which ones could bring down a critical service?
  • Do we know our P0 issues at any moment?

Modern attackers focus on vulnerabilities with low complexity and high impact, not necessarily those with the highest severity labels.

A LOW severity CVE under active exploitation is more dangerous than a CRITICAL CVE with no weaponised exploit.

A More Intelligent Path Forward

The case of CVE-2023-44487 shows what is at stake. Without intelligent prioritisation, the vulnerability would have been buried among dozens of other issues. With contextual analysis, it became the single highest priority with immediate action.

Platforms such as ScanDog help teams make this shift by providing:

Container security cannot be solved by scanning alone. It depends on intelligent prioritisation, meaningful context and the ability to act quickly when it matters most.

Stay Updated

Follow us on LinkedIn for the latest security insights and product updates

ScanDog logo
ScanDog

Technology, Information and Internet

Berlin, Germany

276 followers
About ScanDog

ScanDog is an AI-powered Application Security Posture Management (ASPM) platform that helps development teams build secure software faster. With advanced vulnerability prioritization, reachability analysis, and AI-assisted remediation, ScanDog cuts through the noise of false positives to focus on what truly matters.

Explore ScanDog's Platform
Share

Shrink your AppSec debt by 95% in less than 2h