Static vs. Runtime Reachability: Insights from Latio’s On the Record Podcast

The Latio podcast explores how static and runtime reachability help teams prioritize exploitable vulnerabilities and streamline AppSec workflows.

Sarah Gooding

August 13, 2025

Reachability analysis has become a hot topic in vulnerability management for good reason. With a record-breaking surge in vulnerability disclosures in 2025, most of which will never be exploitable in your environment, knowing which ones actually matter can save huge amounts of time and effort.

That is the focus of a recent episode of On the Record, a podcast from Latio that digs into cloud and application security. Host James Berthoty is joined by two leaders in the reachability space: Martin Torp, who now leads Socket's reachability product after co-founding Coana (acquired by Socket last year), and Omer Yair, co-founder of Raven.io, which develops runtime software composition analysis tools.

What Reachability Really Means

At its simplest, reachability answers the question: does an application ever touch the vulnerable code?

In the conversation, the guests noted that reachability can serve as triage for vulnerabilities, helping teams focus on CVEs that actually affect their application. They also discussed how reachable does not always mean exploitable. Even if a vulnerable function is in use, there may be safeguards in place that prevent an attacker from taking advantage of it.

Two Ways to Get There

The conversation walks through the two main approaches:

  • Static reachability analyzes application and dependency code without running it, mapping out call graphs to determine whether the vulnerable path is in use. It can be run anywhere, even in highly restricted environments, and gives developers feedback early in the development cycle.
  • Runtime reachability observes the application in production to see exactly what functions are executed. This delivers high-confidence results based on real-world behavior with minimal performance overhead.

Static and runtime reachability can be complementary. Static is ideal for shift-left workflows and early triage, while runtime provides accuracy based on production behavior. Together, they give teams a clear picture of what is truly exploitable.
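As an added illustration (not code from the podcast or from Socket's tooling), the Python below runs both approaches over a constructed toy program: the static pass builds a call graph from the AST and asks whether any call path from main() reaches vuln(), while the runtime pass executes the program under a profiler hook and records which functions actually ran. The sample program and the function names are assumptions; the point it demonstrates is that static analysis reports the path as reachable because it exists in the code, whereas runtime observation shows it was never executed with the inputs the program actually used.

```python
import ast
import sys

# Constructed sample: handler() can call vuln(), but main() never takes that branch.
APP_SOURCE = '''
def vuln(data):
    return data
def handler(use_legacy):
    if use_legacy:
        return vuln("x")
    return "ok"
def main():
    return handler(False)
'''

def build_call_graph(source):
    """Static: parse the AST and record, per function, the functions it calls by name."""
    graph = {}
    for fn in ast.walk(ast.parse(source)):
        if isinstance(fn, ast.FunctionDef):
            for node in ast.walk(fn):
                if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
                    graph.setdefault(fn.name, set()).add(node.func.id)
    return graph

def statically_reachable(graph, entry, target):
    """Depth-first walk of the call graph; True if some call path from entry reaches target."""
    seen, stack = set(), [entry]
    while stack:
        cur = stack.pop()
        if cur == target:
            return True
        if cur not in seen:
            seen.add(cur)
            stack.extend(graph.get(cur, ()))
    return False

def runtime_reachable(source, entry, target):
    """Runtime: execute the program under a profiler hook and record which functions actually ran."""
    executed = set()
    def hook(frame, event, arg):
        if event == "call":  # Python-level function entry; C calls are reported as "c_call"
            executed.add(frame.f_code.co_name)
    ns = {}
    exec(compile(source, "<app>", "exec"), ns)  # our own constant above, not untrusted input
    sys.setprofile(hook)
    try:
        ns[entry]()
    finally:
        sys.setprofile(None)
    return target in executed
```

On this program the static check answers True for main() to vuln() and the runtime check answers False, which is exactly the gap the two approaches are meant to close from opposite sides.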

Watch the Full Episode

The full episode goes into more detail, including language support, the quality of function-to-CVE mappings, scan performance, and how compliance frameworks are starting to embrace reachability-driven workflows.

If you have been wondering how to make sense of reachability and apply it in your own AppSec program, this is a great place to start.
