Modern enterprises operate at a breakneck pace, building applications that rely heavily on open-source dependencies while running workloads in complex, multi-cloud environments. Securing these applications requires a holistic perspective that covers both application security (AppSec) and cloud security (CloudSec). Historically, these two domains have operated in silos: AppSec teams focus on code scanning and secure development practices, while CloudSec teams concentrate on cloud infrastructure posture, runtime controls, and threat detection.
Today, Microsoft Defender for Cloud and Endor Labs are bridging this divide with a native integration that delivers true code-to-runtime reachability. By combining Software Composition Analysis (SCA) with Cloud-Native Application Protection Platform (CNAPP) capabilities, security teams can pinpoint exploitable vulnerabilities from the moment code is written to the time it’s deployed in the cloud.
Why Bringing AppSec and CloudSec Together Matters
- A Unified Approach to Vulnerability Management
Organizations often discover the same vulnerabilities at different stages in the software development lifecycle (SDLC). AppSec flags them in code repositories, and CloudSec flags them again once they’re running in production. By unifying AppSec and CloudSec in a single platform, customers can:
- Eliminate redundant alerts: Address the root cause of vulnerabilities when they’re first discovered in code, rather than letting them reach production.
- Streamline communication and collaboration: Ensure AppSec and CloudSec teams share the same data and priorities.
- Complete Visibility and Prioritized Remediation
Security teams need to see not just which vulnerabilities exist, but also how they can be exploited in the cloud. Defender for Cloud and Endor Labs integrate code-level vulnerability scanning with runtime visibility, showing full attack paths from developer commits to actively running workloads.
- Reduced Risk Through Early Intervention
Only a small percentage of vulnerabilities are exploitable, but it can be labor-intensive to distinguish real threats from theoretical ones. Endor Labs’ function-level reachability surfaces truly exploitable flaws, and Defender for Cloud correlates that data with running cloud workloads to help teams prioritize and fix high-impact issues quickly.
How the Microsoft Defender for Cloud + Endor Labs Integration Helps
- Function-Level Reachability Analysis
Endor Labs employs a precise method of SCA that identifies whether a vulnerable function in an open-source library is actually called by your application’s code. This drastically reduces false positives and helps developers focus on real risks.
By surfacing these exploitable vulnerabilities natively within Defender for Cloud, AppSec teams can act on high-severity issues without needing multiple tools or extensive manual triage.
- Code-to-Runtime Exploitability
Even if a vulnerability is reachable at the function level, the code that contains it may or may not be running in production. Microsoft Defender for Cloud correlates the results from Endor Labs with container images, Kubernetes clusters, and other runtime contexts. This helps CloudSec teams:
- Visualize full attack paths: Understand exactly how a vulnerability could be exploited in a running application.
- Implement mitigating controls: Deploy firewall rules, network segmentation, or access restrictions while developers work on permanent fixes.
Example: If you have an application with a reachable vulnerability in an open-source library, CloudSec teams see where the vulnerable container is running and whether it’s exposed to the internet. They can then take immediate action to reduce risk by limiting internet exposure while AppSec teams work to patch or upgrade the dependency.
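To make the two ideas above concrete (function-level reachability, and correlating a reachable finding with where the built image is actually running), here is an added, self-contained example. It is illustrative code written for this post, not Endor Labs' or Defender for Cloud's implementation: the call graph, the advisories, the repository name `org/app` and the runtime inventory are all constructed sample data, and the traversal is a plain breadth-first search rather than any vendor's analysis engine.

```python
"""Illustrative reachability + runtime correlation, constructed for this post.
Not Endor Labs' or Defender for Cloud's implementation; the call graph,
advisories and runtime inventory below are hand-made sample data."""
from collections import deque

# Constructed call graph: caller -> set of callees. "app.*" is first-party code,
# every other prefix is an open-source dependency bundled with the application.
CALL_GRAPH = {
    "app.main": {"app.handle_upload", "app.render_report"},
    "app.handle_upload": {"imglib.decode", "app.store"},
    "app.render_report": {"tmpl.render"},
    "app.store": {"dbdriver.insert"},
    "imglib.decode": {"imglib.parse_exif"},
    "imglib.parse_exif": set(),
    "tmpl.render": {"tmpl.escape"},
    "tmpl.escape": set(),
    "tmpl.eval_expr": set(),     # shipped with the library, never called by the app
    "dbdriver.insert": set(),
    "yamllib.load_all": set(),   # shipped but unused
}
ENTRY_POINTS = ["app.main"]

# Constructed advisories keyed by library: (vulnerable function, severity).
ADVISORIES = {
    "imglib": [("imglib.parse_exif", "critical")],   # reachable from app.main
    "tmpl": [("tmpl.eval_expr", "critical")],        # present, not reachable
    "yamllib": [("yamllib.load_all", "high")],       # present, not reachable
}

# Constructed runtime inventory: images built from the repo and where they run.
RUNTIME = [
    {"image": "registry.example/app:1.4.2", "repo": "org/app",
     "cluster": "prod-aks-eastus", "internet_exposed": True},
    {"image": "registry.example/app:1.4.2", "repo": "org/app",
     "cluster": "staging-aks", "internet_exposed": False},
]


def reachable_functions(graph, entry_points):
    """Breadth-first traversal; returns every function reachable from an entry point."""
    seen, queue = set(entry_points), deque(entry_points)
    while queue:
        fn = queue.popleft()
        for callee in graph.get(fn, ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def call_path(graph, entry_points, target):
    """Shortest caller chain from an entry point to target, or None if unreachable."""
    parents, queue = {e: None for e in entry_points}, deque(entry_points)
    while queue:
        fn = queue.popleft()
        if fn == target:
            path = []
            while fn is not None:
                path.append(fn)
                fn = parents[fn]
            return path[::-1]
        for callee in graph.get(fn, ()):
            if callee not in parents:
                parents[callee] = fn
                queue.append(callee)
    return None


def reachable_findings(graph, entry_points, advisories):
    """Keep only advisories whose vulnerable function the application actually calls."""
    reach = reachable_functions(graph, entry_points)
    findings = []
    for lib, items in advisories.items():
        for fn, sev in items:
            if fn in reach:
                findings.append({"library": lib, "function": fn, "severity": sev,
                                 "path": call_path(graph, entry_points, fn)})
    return findings


def attack_paths(findings, runtime, repo):
    """Join reachable findings with running images built from `repo`;
    internet-exposed workloads and critical severity sort first."""
    paths = []
    for f in findings:
        for r in runtime:
            if r["repo"] == repo:
                paths.append({**f, "image": r["image"], "cluster": r["cluster"],
                              "internet_exposed": r["internet_exposed"]})
    return sorted(paths, key=lambda p: (not p["internet_exposed"],
                                        p["severity"] != "critical"))


if __name__ == "__main__":
    found = reachable_findings(CALL_GRAPH, ENTRY_POINTS, ADVISORIES)
    for p in attack_paths(found, RUNTIME, "org/app"):
        exposure = "INTERNET-EXPOSED" if p["internet_exposed"] else "internal"
        print(f"{p['severity']:8} {p['function']:20} {p['cluster']:16} {exposure}")
        print("   via " + " -> ".join(p["path"]))
```

Of the three advisories, only `imglib.parse_exif` sits on a call chain from `app.main`, so it is the single finding that survives the reachability filter; the other two are noise a plain manifest-based scan would still report. The correlation step then yields two attack-path rows for that one finding, with the internet-exposed production cluster ranked ahead of staging, which is the ordering a CloudSec team would use when deciding where to apply a temporary exposure control while the dependency is upgraded.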
- Streamlined Communication & Collaboration
By displaying Endor Labs findings directly in Defender for Cloud, development and security teams work with a common set of data, facilitating faster, more transparent remediation on the most critical vulnerabilities.
Using the Integration in Defender for Cloud
After you connect Endor Labs to Defender for Cloud, you can explore the data in two main locations: Cloud Security Explorer and Attack Paths.
Cloud Security Explorer
Cloud Security Explorer provides an interactive query experience to search, filter, and correlate security information from your connected environments. Once Endor Labs findings are ingested, you can write queries to pinpoint exploitable vulnerabilities and prioritize remediation efforts. To get started, you can use these sample queries:
- Code repository with critical or high severity reachable vulnerabilities
- Code repository with critical severity reachable vulnerabilities creates a container image
- Code repository with critical severity vulnerabilities that are reachable at the function level
Figure: Cloud Security Explorer query for code repositories that contain critical reachable function vulnerabilities
Attack Paths
One of the most powerful features of combining Endor Labs with Defender for Cloud is the ability to see Attack Paths—the end-to-end chain of how a vulnerability in code can be exploited when deployed in your cloud environment. Defender for Cloud automatically correlates the vulnerability details (from Endor Labs) with runtime data to show how it could be exploited in your environment. The attack path view provides a graphical representation from the vulnerable function in your source code to the specific runtime asset.
The example below illustrates an attack path involving an internet-exposed running container with reachable vulnerabilities. Endor Labs identified these vulnerabilities within the code repository, and Defender for Cloud traced a container image containing the same vulnerabilities back to that repository. Together, these insights indicate that an attacker could exploit the vulnerabilities during runtime.
Figure: Attack path analysis showing an internet-exposed container with reachable vulnerabilities
Conclusion
By unifying AppSec and CloudSec, organizations gain a complete view of their security posture—from code commits in GitHub or Azure DevOps to production workloads running in Azure, Amazon Web Services, or Google Cloud Platform. The Microsoft Defender for Cloud + Endor Labs integration delivers reachability-based SCA, reducing noise from false positives and helping teams prioritize and remediate real threats faster.
Ready to Get Started?
- Request a Demo from Endor Labs.
- Connect your Endor Labs tenant to Defender for Cloud.
- Begin seeing rich, prioritized vulnerability findings directly from Defender for Cloud.
Updated Jan 30, 2025
Version 1.0
Lara_Goldstein
Microsoft
Microsoft Defender for Cloud Blog