Reachability vs Exploitability
Reachability tells you a vulnerable function could run. It does not tell you whether it actually did. Runtime evidence confirms whether a vulnerable component was opened, read, loaded into memory, and invoked in production, the difference between a theoretical finding and a confirmed one. See where reachability, EPSS, and runtime-confirmed exploitability diverge, and why that gap decides what belongs on a fix list.
Severity and reachability alone still leave the wrong list
Static analysis surfaces every vulnerability it can find. Reachability analysis narrows that list to functions that sit on a possible code path. Both are useful. Neither tells you whether the vulnerable code actually ran where an attacker could touch it.
So teams inherit a queue ordered by CVSS or by "reachable," and most of it never executes in production. The work feels endless because the list was never the right list. The problem was never a lack of findings. It was a lack of context about which findings matter.
Three signals get used interchangeably. They answer different questions.
Reachability is a prediction. Reachability analysis uses call-graph analysis to determine that a vulnerable function can be reached from your code. It is a strong static signal, and it is now standard across the category. A reachable function is not necessarily a loaded, executed, or exposed one.
EPSS and CVSS are probability and severity. EPSS estimates the likelihood a CVE is exploited somewhere in the wild. CVSS scores theoretical severity. Both are population-level signals. Neither knows anything about what is running in your specific environment.
Exploitability, confirmed at runtime, is evidence. Kodem observes the live application to confirm whether the vulnerable component was opened, read, loaded into memory, and invoked during execution. That is the difference between a finding that might matter and one that demonstrably does. Reachability and EPSS narrow the field. Runtime evidence settles it.
Reachability vs exploitability, side by side
| Question the buyer is really asking | Reachability / EPSS answer | Runtime evidence answer |
|---|---|---|
| Can this vulnerable function be reached? | Yes, statically (a prediction) | Yes, and here is whether it was loaded and invoked |
| Did the vulnerable code actually execute in production? | Unknown | Confirmed by memory analysis |
| Is the path exposed where an attacker could trigger it? | Inferred | Correlated with live runtime behavior |
| What should we fix first? | A severity or reachability-ranked queue | The set that is reachable, executed, and exposed |
| What can we safely defer? | Hard to defend | Findings with no execution evidence |
How Kodem confirms exploitability
- Collect across code, container, and runtime. Kodem C.O.R.E. maps dependencies and call graphs from source, inspects container images, and uses an eBPF sensor to observe runtime behavior with low overhead and no code instrumentation or application restarts.
- Correlate static findings with live behavior. Findings from code and dependencies are tied to what the running application actually does, so a theoretical risk and a live one are no longer treated the same.
- Confirm via memory analysis. Kodem validates whether the vulnerable file was opened or read, whether the vulnerable function was loaded into memory, and whether it was invoked during execution. That is the evidence that turns a maybe into a yes.
- Act on the few that matter. Teams remediate the confirmed-exploitable set, prioritized with Kai, and detect the first malicious action at runtime where it is needed instead of waiting for a downstream symptom.
What this looks like in practice
At Rapyd, the AppSec team shifted from chasing volume to proving impact by prioritizing only vulnerabilities with runtime evidence of execution, not static predictions. Focusing on what actually ran cut AppSec triage time by 40% and confirmed that 90% of scanner-detected CVEs were not exploitable in their environment, work that used to sit on an engineering backlog by default.
"Most security tools are gym memberships. Kodem is the personal trainer actually helping us get fit." Nir Rothenberg, CISO, Rapyd.
The full mechanics of how memory analysis turns kernel-level signals into function-level proof are in From Reachability to Reality. For teams building a prioritization workflow around this distinction, see automating vulnerability management with runtime evidence.
Frequently asked questions
Is reachability the same as exploitability?
No. Reachability means a vulnerable function can be reached along a code path. Exploitability means that function actually loaded into memory and executed in your running application, where an attacker could trigger it. Reachability is a prediction. Exploitability is evidence.
Does reachability analysis replace runtime evidence?
No. Reachability is a valuable static filter. Runtime evidence confirms what the static filter can only predict, which is why the two are strongest together.
How is exploitability confirmed without instrumenting my code?
Kodem uses an eBPF-based sensor and memory analysis to observe execution from the kernel level, without code changes or application restarts.
What should we fix first, the reachable list or the exploitable list?
Start with the set that is reachable, executed, and exposed. It is smaller than either a severity-ranked or a reachability-ranked queue, and every item on it has evidence behind it instead of a prediction.
Related blogs
From Reachability to Reality: Proving Vulnerable Code was Executed & Exploited in Production
Memory analysis plays a critical role in turning kernel-level signals into function-level proof of execution. See which vulnerable functions actually run in your environment, cut noise and prioritize risk that exists (and is exploitable) in your running application.

Kodem just built the world’s only Dev to Prod Agentic Taskforce in Cyber
At RSAC 2025, we launched Kai, the first AI-native application security engineer. Today, we’re expanding it into a fully agentic task force that truly performs AppSec tasks from start to finish.
Multi-Agent Architectures: The Next Leap in Application Security
Most security tools today, static analyzers, fuzzers, even single-agent LLMs, struggle to find complex, multi-step vulnerabilities. But the emerging model of multi-agent collaboration can fundamentally transform vulnerability discovery. Argusee’s recent results are just a glimpse of what's possible.
Stop the waste.
Protect your environment with Kodem.
A Primer on Runtime Intelligence
See how Kodem's cutting-edge sensor technology revolutionizes application monitoring at the kernel level.
Platform Overview Video
Watch our short platform overview video to see how Kodem discovers real security risks in your code at runtime.
The State of the Application Security Workflow
This report aims to equip readers with actionable insights that can help future-proof their security programs. Kodem, the publisher of this report, purpose built a platform that bridges these gaps by unifying shift-left strategies with runtime monitoring and protection.
.avif)
Get real-time insights across the full stack…code, containers, OS, and memory
Watch how Kodem’s runtime security platform detects and blocks attacks before they cause damage. No guesswork. Just precise, automated protection.
