“Complex systems are intrinsically hazardous systems.”
—Dr. Richard Cook, How Complex Systems Fail
Software security has long leaned on a comforting fiction: if we catalogue every dangerous pattern in code, we can stamp out risk for good. Traditional Static Application Security Testing (SAST) tools—Veracode, Fortify, Semgrep, SonarQube, Snyk Code, CodeQL, and friends—were built on that deterministic promise. Yet real-world development is anything but deterministic. Humans and AI copilots continually remix frameworks, invent Domain Specific Languages (DSLs), and weave together services in ways no static rule set can fully anticipate.
DryRun Security’s Contextual Security Analysis (CSA) tackles that reality head-on. To understand why CSA outperforms rule-based scanners, it helps to frame security work in the language of risk epistemology: Known Knowns, Known Unknowns, and Unknown Unknowns. Each tells a different story about how (and whether) a tool can keep pace with modern code.
The Comfort Zone: Known Knowns
Known Knowns are the textbook vulnerabilities every developer learns on day one: raw SQL concatenation, strcpy() overflows, hard-coded secrets. Pattern-matching scanners function here because the threat is literally spelled out in the code. GitHub’s own primer describes SAST as scanning “for known vulnerable code patterns.”
But two structural flaws haunt this approach:
- Rule Inflation - New libraries and language idioms appear weekly; each demands fresh signatures. Most teams never catch up.
- Context Blindness - A pattern might be safe in one call path and disastrous in another. Without semantic context, the tool can’t tell.
Traceable’s review of legacy scanners captures the result: they “can detect dangerous code patterns only in libraries and functions they are familiar with” (ref) and routinely miss broken access control and business-logic flaws. Their research in 2021 spurred them on to create a runtime approach to solve the problem.
“Catastrophe requires multiple failures—single-point failures are not enough.” —Dr. Richard Cook
Pattern matching offers only single-point explanations. It cannot reason about how subtle design shifts combine into a vulnerability. In application security we generally lump these hard to reason about vulnerabilities into a class of “logic flaws” and we move on.
The Frontier: Known Unknowns
Known Unknowns are vulnerability classes we understand abstractly—authorization bypasses, confused-deputy flows, insecure deserialization—but whose concrete manifestations vary wildly across stacks. This is where context matters more than signatures.
The DryRun Security Contextual Security Analysis (CSA) approach uses the SLIDE framework to express this: Surface, Language, Intent, Design, Environment—to build a meta-context window around every pull request.
{{table7}}
Because CSA reasons over all five dimensions, it flags Known Unknowns that signature scanners never learned to name. In our 2025 SAST Accuracy Report DryRun Security CSA detected roughly 90% of the 26-payload corpus, including every multi-step logic flaw that slipped past pattern-based tools.
“People are the adaptable element of complex systems.” —John Allspaw
DryRun Security CSA treats developers—and their evolving code context—as first-class inputs, not noise to be abstracted away.
The Dark Depths: Unknown Unknowns
Unknown Unknowns are the hazards we haven’t yet imagined. Sidney Dekker reminds us that “people aren’t the problem; they’re the solution”—precisely because they adapt to surprises technology fails to foresee.
No tool can guarantee discovery of every future flaw (Gödel-esque limits apply), but DryRun Security CSA moves the conversation forward:
- Anomaly-Patterning: When a change resembles risky archetypes seen in incident post-mortems—e.g., introducing a bespoke crypto primitive—CSA (in DryRun Security’s implementation) raises an Unconfirmed Finding.
- Contextual Diffusion: By continuously learning from resolved alerts across thousands of repos, DryRun Security CSA refines its heuristics, nudging the boundary of what was formerly “unknown.”
The goal isn’t omniscience; it's an earlier signal. As Richard Cook writes, complex systems “are heavily and successfully defended against failure,” but only when humans get timely cues to adapt. 
DryRun Security CSA supplies those cues as your development team is creating, mending, or extending your system, which is often days or weeks before an attacker might exploit them.
Implications for Security Leaders
- Stop Rule-Chasing. Every regex you author (or your team authors) will age out. Invest instead in tools that synthesize context.
- Expect Surprise. Risk isn’t eliminated by ever-longer checklists; it’s mitigated by adaptive detection.
- Measure What Matters. Accuracy against logic flaws and authorization bypasses is the real benchmark, not just CWE coverage.
Ready to Move Beyond Pattern Matching?
Download the full 2025 SAST Accuracy Report to see the methodology, raw results, and why leading engineering teams are replacing deterministic scanners with Contextual Security Analysis.
