Reachability Analysis: Expanded for Faster, Smarter, & Broader Threat Intelligence

Finite State is excited to announce a major expansion to our Reachability Analysis feature, delivering broader coverage, smarter prioritization, and dramatically faster performance. These upgrades give product security, DevSecOps, and compliance teams an unmatched ability to cut through vulnerability noise and focus on the risks that matter most.

With this release, Reachability now provides actionable intelligence for more than 90% of detected CVEs, runs, on average, in under an hour, and introduces advanced input vector analysis to significantly improve accuracy, all enabled by default in the Finite State platform.

Release Highlight: Reachability Coverage Expanded to 90%+ of CVEs

Our expanded reachability dataset now includes 15,000 additional CVEs, selected based on real customer environments to ensure maximum impact.

What this means for you:

• Actionable reachability insights across the vast majority of your findings
• Greater clarity on what’s exploitable vs. what’s noise
• Higher-confidence prioritization backed by deep analysis
• Even more opportunities to auto-resolve unreachable vulnerabilities
  

This expansion enables teams to immediately understand where real risk exists — and eliminate the rest from their backlog.

Improved Accuracy With Input Vector Analysis

We’ve enhanced our analysis engine to deliver more precise, higher-quality insights.

Our new input vector analysis evaluates dataflow paths from external interfaces (network, file, console, etc.) to potentially vulnerable functions, identifying where exploitation is genuinely possible.

Why this matters:

• Fewer false positives
• Smarter prioritization scores
• Better visibility into real attack paths
• Clear, defensible triage decisions
  

These insights help teams quickly zero in on vulnerabilities that pose a real exploit risk.

Faster Results: Reachability Runs in Under One Hour — Enabled by Default

Previously, reachability analysis required opting into our more heavyweight binary SAST scan. With this release, Reachability is fully integrated into our core analysis pipeline and runs automatically.

Key improvements:

• <1 hour total execution (down from 4+ hours)
• Enabled by default for most scans
• No additional configuration or manual steps required
• Immediate insight into exploitable vs. non-exploitable vulnerabilities
  

This speed boost comes from a redesigned backend that replaces legacy tooling with a lighter, more efficient approach — drastically reducing memory usage and runtime.

Reachability + Exploit Intelligence = Maximum Triage Efficiency

Finite State’s exploit intelligence indicates whether a vulnerability is being exploited in the wild. When combined with expanded Reachability capabilities, teams get the most actionable view of risk possible.

You’ll now know:

• Is this CVE reachable?
• Is it actively exploited?
• Does it deserve immediate action — or can it be safely deprioritized?
  

This unified intelligence allows teams to confidently eliminate non-issues and rapidly escalate the vulnerabilities that pose true operational risk.

Why This Matters: More Coverage, Better Accuracy, Faster Decisions

These upgrades are designed to help teams:

• Reduce triage time with broader, more accurate coverage
• Prioritize faster with clear exploitable vs. non-exploitable insights
• Focus on real risks that require immediate remediation
• Accelerate release cycles by eliminating unnecessary developer rework
• Make smarter, more confident security decisions
  

With expanded reachability capabilities, Finite State now delivers one of the highest-quality vulnerability triage solutions in the connected device security space, differentiated by breadth, depth, and speed.

Want to See Reachability in Action?

If you’re a current customer, start a scan today to experience the expanded capabilities.

New to Finite State? Schedule a demo to see how Reachability can help your team prioritize risk with confidence and speed.