How IRIS ADR module uses WAF to Prioritize Real Risk
- CodeEye
- Aug 26
- 3 min read
Today, more security teams than ever are focused on high-priority vulnerabilities, but here’s the truth: Not every “high” is actually high.
Severity alone doesn’t tell the full story. A vulnerability marked as ‘critical’ in a scanner might already be blocked by your firewall. Others might be buried in low-severity findings but pose a real risk to your environment.
That’s where context becomes everything. And that’s why we built Application Detection & Response (ADR) into IRIS, our unified application security platform.
And now, with native integration into Web Application Firewall (WAF) rules, IRIS does something few others can:
👉 It tells you whether a vulnerability is actually exploitable right now, in your environment.
Why Traditional Vulnerability Management Falls Short
Legacy tools treat every ‘critical’ vulnerability the same, without asking whether it is actually exploitable. The result? Security teams waste time on low-risk issues while real threats hide in the noise.
A 2024 study found that although over 25,000 CVEs are reported annually, only about 20% are ever exploited. Yet most tools still push alerts without context.
Gartner and Forrester now urge security teams to adopt risk-based vulnerability management and Continuous Threat Exposure Management (CTEM) approaches that factor in exploitability, asset criticality, and control validation.
As CodeEye's CEO Robert Howes put it:
“Most executives in security are now compensated and measured by the board on vulnerability management... Their evaluation is directly tied to it.”
Today’s security leaders are focusing on how effectively they manage risk, not on how many issues they fix.
Introducing IRIS AutoResponse: ADR that Prioritizes with Real Context
IRIS AutoResponse connects security signals from IRIS modules to SIEM/SOAR tools and web application firewalls (WAFs), enabling real-time detection and automated response to threats across your application landscape.
When a vulnerability is detected, IRIS doesn't just show you severity scores or compliance flags. It analyzes the context around that finding:
● Is the affected application internal or external?
● Does it handle sensitive data (e.g. credit card or health info)?
● Is the vulnerability exploitable based on real-world threat intel?
● And now: is there a WAF rule in place mitigating that risk already?

“If there's mitigating control on the WAF,” Robert explained, “the severity of the finding goes down. If there isn't... the severity goes up to ‘fix this now.’”
This is what real risk-based remediation looks like. IRIS doesn’t just show vulnerabilities; it checks whether those vulnerabilities pose a threat to your business.
WAF-as-a-Lens: The Last Gate Before Escalation
Robert uses a simple analogy to explain it:
“Think of a firewall as the perimeter around an airport... There are gates, checkpoints, and security rules. Our technology checks whether there's a control in place to protect against the finding, just like checking if unauthorized people can get past security.”
Before escalating a vulnerability to critical, IRIS checks the actual WAF configuration. If your defenses are already blocking or neutralizing the exploit path, IRIS deprioritizes it, saving your team time, budget, and stress.
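To make the prioritisation logic concrete, here is an added example, not IRIS code and not a description of its internals: a small scorer that takes a scanner finding, answers the four context questions above (internal or external, sensitive data, known exploitation, WAF coverage) and checks the WAF configuration before escalating. The data model, the rule fields, the two-step downgrade for a blocking rule and all sample findings and rules are assumptions constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import List

# Ordered severity scale; the index is the numeric score.
SEVERITY_RANK = ["info", "low", "medium", "high", "critical"]
# Policy choice assumed for this example (not a documented IRIS setting):
# how many steps a blocking WAF rule lowers a finding.
WAF_MITIGATION_STEP = 2


@dataclass(frozen=True)
class Finding:
    finding_id: str
    scanner_severity: str   # severity as reported by the scanner
    attack_class: str       # e.g. "sqli", "xss", "ssrf"
    path: str               # affected route on the application
    external: bool          # internet-facing application?
    sensitive_data: bool    # handles card or health data?
    known_exploited: bool   # exploited in the wild according to threat intel?


@dataclass(frozen=True)
class WafRule:
    rule_id: str
    attack_class: str
    path_prefix: str        # routes the rule applies to
    action: str             # "block" or "log"
    enabled: bool = True


@dataclass
class Decision:
    finding_id: str
    priority: str
    fix_now: bool
    reasons: List[str] = field(default_factory=list)


def mitigating_rules(finding: Finding, rules: List[WafRule]) -> List[WafRule]:
    """Return the WAF rules that actually neutralise this finding.

    A rule only counts if it is enabled, actively blocks (a log-only rule is
    detection, not mitigation), targets the same attack class and covers the
    affected path. Each of these is a common way a "we have a WAF" claim fails.
    """
    return [
        r for r in rules
        if r.enabled
        and r.action == "block"
        and r.attack_class == finding.attack_class
        and finding.path.startswith(r.path_prefix)
    ]


def prioritize(finding: Finding, rules: List[WafRule]) -> Decision:
    """Combine scanner severity, asset context and WAF coverage into one decision."""
    score = SEVERITY_RANK.index(finding.scanner_severity)
    reasons = [f"scanner severity {finding.scanner_severity}"]
    if finding.external:
        score += 1
        reasons.append("internet-facing")
    if finding.sensitive_data:
        score += 1
        reasons.append("handles sensitive data")
    if finding.known_exploited:
        score += 1
        reasons.append("exploited in the wild")
    score = min(score, len(SEVERITY_RANK) - 1)

    covered = mitigating_rules(finding, rules)
    if covered:
        score = max(0, score - WAF_MITIGATION_STEP)
        reasons.append("blocked by WAF rule(s) " + ", ".join(r.rule_id for r in covered))
    else:
        reasons.append("no blocking WAF rule covers this path and attack class")

    priority = SEVERITY_RANK[score]
    # Unmitigated and at the top of the scale: the "fix this now" bucket.
    fix_now = priority == "critical" and not covered
    return Decision(finding.finding_id, priority, fix_now, reasons)


def triage(findings: List[Finding], rules: List[WafRule]) -> List[Decision]:
    """Order the backlog: unmitigated criticals first, then by adjusted priority."""
    decisions = [prioritize(f, rules) for f in findings]
    decisions.sort(key=lambda d: (not d.fix_now, -SEVERITY_RANK.index(d.priority)))
    return decisions


# Constructed sample data for the demonstration, not taken from any real environment.
SAMPLE_RULES = [
    WafRule("waf-sqli-api", "sqli", "/api/", "block"),
    WafRule("waf-xss-all", "xss", "/", "log"),                        # detection only
    WafRule("waf-ssrf-admin", "ssrf", "/admin/", "block", enabled=False),
]

SAMPLE_FINDINGS = [
    Finding("F-1", "critical", "sqli", "/api/orders", True, True, True),
    Finding("F-2", "medium", "xss", "/search", True, False, True),
    Finding("F-3", "high", "ssrf", "/admin/fetch", False, False, False),
    Finding("F-4", "critical", "sqli", "/legacy/login", True, False, False),
]

if __name__ == "__main__":
    for d in triage(SAMPLE_FINDINGS, SAMPLE_RULES):
        flag = "FIX NOW" if d.fix_now else d.priority
        print(f"{d.finding_id}: {flag:8} <- {'; '.join(d.reasons)}")
```

Running the sample shows the two directions described in the post: the scanner-critical SQL injection behind a blocking rule on its path drops to medium, while a scanner-medium XSS that is internet-facing and exploited in the wild, with only a log-mode rule in front of it, rises to the fix-now bucket. The three things `mitigating_rules` insists on (enabled, blocking rather than logging, and path scope) are the checks a team should make before trusting any "the WAF covers it" claim. A blocking rule is a compensating control, not a fix, so the downgraded finding stays on the backlog rather than being closed.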
ADR + WAF: A New Standard for Modern AppSec
This is not just a feature. It’s a new approach to vulnerability management, one that aligns with how modern enterprises work: cloud-native, fast-moving, and resource-constrained.
If you're a CISO, a security lead, or part of an AppSec team, you no longer have to ask, “Is this finding real?”
Instead of chasing after every vulnerability, IRIS automatically checks your WAF to see if a protective control is already in place, so your team doesn’t waste time, money, or energy on issues that don’t pose a real risk.
Let’s talk about how IRIS can help your team focus on what’s exploitable, urgent, and actually worth your time.
Book a demo with us and see IRIS in action