Exploitability Isn’t the Answer. Breakability Is.
February 12, 2026
The AppSec paradox: Why aren’t we fixing more?
Why don’t developers fix every AppSec vulnerability, every time, as soon as they’re found? The most common answer? Time. Modern security tools can surface thousands of vulnerabilities in a given codebase. Fixing them all would take up a development team’s entire capacity, often competing with feature development and other priorities.
But the time required to remediate vulnerabilities has changed in recent years. Previously, investigating a finding, learning the remediation, and manually changing code were often all-day tasks. Today, automation and AI-assisted tools handle much of that work, readying code changes to merge in the time it takes to make a cup of coffee. For SCA vulnerabilities in particular, remediation is often just a matter of updating packages from known vulnerable versions to newer ones that fix the CVEs.
So, if time is no longer the bottleneck, what is? Trust. Developers don’t ignore fixes because they’re unwilling to address security issues. More often, they hesitate because they’re afraid of breaking their code.
Introducing Breakability, the missing link in prioritization
To help teams prioritize with greater confidence, we’re introducing a new capability for Snyk Open Source: Breakability Risk.
The first phase of Breakability focused on the question developers ask every day: If I apply the fix Snyk recommended, will it break my app? Every dependency update carries some level of risk. A “simple” package reference update may introduce API changes that cause your code to fail compilation. Or worse, the API method signatures might stay the same, but subtle behavioral changes are introduced that mean your code still compiles but fails at runtime.
Often, two or more direct dependencies share a transitive dependency. When multiple direct dependencies rely on the same underlying package, updating one part of your dependency graph to fix a CVE might cause you to have a new incompatibility problem with another set of your dependencies. This is the dreaded “dependency hell” problem.
Breakability Risk identifies which updates are safe to apply now and which require a deeper dive.
Trust drives security
We’ve been running experiments on breakability analysis, and the patterns are consistent. When developers understand that the risk of breaking their applications is low, they are significantly more likely to merge a fix. In our experiments, low breakability updates were merged at four times the rate of higher risk changes.
Our analysis shows that about one-third of all fixes fall into the low breakability category. For the average Snyk customer, prioritizing these lower-risk updates could translate into remediating thousands of additional vulnerabilities each year.
Breakability in action: Low vs. high risk
Snyk now provides a merge risk tag directly within your pull request to guide your prioritization and accelerate fixing. Snyk Open Source provides details, contextual risk scoring, and educational resources through Snyk Learn for developer upskilling.
Scenario 1: The “Easy win.”

In this scenario, Snyk Open Source has raised a pull request for a team to move to a newer version of libxmljs2 in order to fix multiple regular expression denial of service (ReDoS) vulnerabilities.
Analysis: The upgrade primarily drops support for end-of-life Node.js versions.
Breakability Risk: Snyk flags this as Merge Risk: Low, as there are no significant behavioral changes.
Verdict: Press the button. Secure the code. Move on.
Scenario 2: The “Proceed with caution.”

Here, an update for i18n fixes prototype pollution but introduces an architectural shift from a global singleton to an instance-based setup.
Analysis: The library’s fundamental usage pattern has changed.
Breakability Risk: Snyk flags this as Merge Risk: High due to breaking architectural changes in the library.
Verdict: Don’t merge until you’ve reviewed your own code and made appropriate changes.
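The three breakage sources described above (a major-version bump that may change the API, a release that drops runtime support, and a shared transitive dependency that no single version can satisfy) can be checked mechanically before a pull request is merged. The following toy pre-check is an added example, not Snyk's code or the Breakability Risk algorithm; every package name, version and constraint in it is constructed, and the two scenarios are mirrored by the constructed packages xml-lib and i18n-lib.

```python
# Added toy breakability pre-check (not Snyk's code or algorithm); all package
# names, versions and constraints are constructed for illustration.
def parse(v):
    return tuple(int(x) for x in v.split("."))

def satisfies(version, constraint):
    # Supports '^x.y.z' (same major, >= x.y.z), '>=x.y.z' and exact pins only.
    v = parse(version)
    if constraint.startswith("^"):
        base = parse(constraint[1:])
        return v[0] == base[0] and v >= base
    if constraint.startswith(">="):
        return v >= parse(constraint[2:])
    return v == parse(constraint)

# Constructed registry snapshot: package -> version -> metadata.
REGISTRY = {
    "xml-lib": {"1.4.0": {"requires": {"native-addon": "^3.0.0"}, "engines": ">=12.0.0"},
                "1.5.0": {"requires": {"native-addon": "^3.0.0"}, "engines": ">=18.0.0"}},
    "i18n-lib": {"0.9.0": {"requires": {"config-core": "^1.0.0"}},
                 "2.0.0": {"requires": {"config-core": "^2.0.0"}}},
    "other-lib": {"1.0.0": {"requires": {"config-core": "^1.0.0"}}},
    "native-addon": {"3.1.0": {}},
    "config-core": {"1.2.0": {}, "2.0.1": {}},
}
# Constructed project: direct dependency -> installed version.
PROJECT = {"xml-lib": "1.4.0", "i18n-lib": "0.9.0", "other-lib": "1.0.0"}

def assess_upgrade(project, registry, package, new_version, node_version):
    """Return (level, reason) signals for upgrading `package`; none means low merge risk."""
    signals = []
    current, new_meta = project[package], registry[package][new_version]
    # 1. Major-version bump: the API or behaviour may have changed.
    if parse(new_version)[0] != parse(current)[0]:
        signals.append(("high", f"{package} {current} -> {new_version} crosses a major version"))
    # 2. Dropped runtime support: does the new 'engines' range still include our Node?
    engines = new_meta.get("engines")
    if engines and not satisfies(node_version, engines):
        signals.append(("high", f"{package}@{new_version} needs node {engines}, project runs {node_version}"))
    # 3. Shared transitive dependency: some published version must satisfy every direct dep.
    for dep, constraint in new_meta.get("requires", {}).items():
        wanted = {package: constraint}
        for other, version in project.items():
            reqs = registry[other][version].get("requires", {})
            if other != package and dep in reqs:
                wanted[other] = reqs[dep]
        if not any(all(satisfies(v, c) for c in wanted.values()) for v in registry[dep]):
            signals.append(("high", f"no published {dep} satisfies all of {wanted}"))
    return signals
```

Upgrading xml-lib to 1.5.0 on Node 20 yields no signals (the low-risk "easy win"), while the same upgrade on an end-of-life Node 16 or the i18n-lib 0.9.0 to 2.0.0 jump produces high-risk signals that warrant a review of your own code first.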
A new hierarchy of remediation
We believe the first question in any remediation workflow should be simple: Can I fix this problem with minimal effort and minimal risk?
If the answer is yes, do the fix. Breakability enables teams to address low-risk updates first, opening the door to fixing a third or even as much as half of your backlog of CVEs with a single click. Removing the fear of “breaking things” empowers teams to confidently clear a significant portion of their backlog, fixing security debt that has plagued development teams for years and reducing security risk without increasing engineering workload.
Snyk is not abandoning Reachability or Risk Score.
As valuable as reachability is as a prioritization lens, there’s a big difference between saying “This vulnerability absolutely, definitively cannot be reached” and “A reachable path for this vulnerability has not been found”. The latter condition is vastly more common than the former. It’s just not safe for you to assume that “no reachable path found” means there is no reachable path, especially in today’s world where attackers use AI hacking tools to find weaknesses and exploit them faster than ever. Instead of accepting package risk from potentially unreachable vulnerabilities, we’re making it easier for you just to fix it - again, all without the risk of negative side effects.
Breakability and the Snyk AI Security Fabric
This new remediation paradigm is key to driving the AI Security Fabric. As described in the Prescriptive Path to Operationalizing AI Security, breakability helps you optimize risk reduction by building confidence in suggested fixes, moving beyond just prioritization lenses, and creating a predictable, confidence-driven process, enabling teams to merge more fixes faster, with less fear of a breaking change.
Get started with Breakability
The first phase of Breakability is available now as a Snyk Preview feature for all Snyk Open Source customers. Enable it to start seeing breaking change risk assessments on your Snyk-generated pull requests today. We’d love for you to try it out and let us know what you think!

Rethinking how to prioritize and remediate vulnerabilities with greater confidence? Learn how AI-driven insights help teams move beyond detection and toward predictable, scalable risk reduction. Download our eBook, From Shift Left to Secure at Inception, today.