False Positives
TL;DR
In security, a false positive occurs when a tool reports a problem that does not actually exist.
What Is a False Positive?
A false positive is when a security tool reports a problem that does not actually exist.
Simple example:
- Real problem: The smoke alarm goes off because there’s a fire.
- False positive: The smoke alarm goes off because of steam from cooking.
The alert is real, but there is no actual danger.
Why False Positives Are a Problem
False positives do more than waste time. Left unaddressed, they create real risk over time.
They lead to:
- Wasted time fixing problems that don’t exist
- Frustration between security and development teams
- Higher risk because real problems get ignored
Why False Positives Happen
Security tools are designed to be careful. It is safer for them to give too many warnings than to miss a real attack.
Common reasons:
- No context: A tool sees a hardcoded password, but it's only in a test file.
- Complex code: The tool thinks user input is unsafe, but the code already cleans it.
- Old rules: New, safe software looks like an old threat.
- Rules that are too broad: For example, flagging every use of eval() even when it's safe.
The Real Cost of False Positives
The real problem comes when too many alerts build up.
- Teams stop paying attention to alerts.
- Builds and releases slow down.
- Skilled engineers waste time reviewing fake issues.
False Positives vs False Negatives
| Term | What It Means |
|---|---|
| True Positive | A real problem is correctly found |
| False Positive | A problem is reported but isn’t real |
| True Negative | Safe code is correctly ignored |
| False Negative | A real problem is missed (this is dangerous) |
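The causes listed under "Why False Positives Happen" and the four outcomes in the table above, worked through as an added example (not code from the original page): a toy scanner with a broad rule set and a context-aware one runs over constructed sample files with known ground truth, and the confusion counts show how adding context (test paths, a sanitizer earlier in the file, eval() on a constant) removes false positives without changing what is missed. All file paths, rules and samples are constructed for the demo.

```python
import re

# Constructed sample files for the demo: (path, source, truly_vulnerable).
# The last field is the ground truth a human reviewer would assign.
SAMPLES = [
    ("tests/test_login.py", 'PASSWORD = "hunter2"  # fixture only', False),
    ("app/config.py", 'DB_PASSWORD = "s3cr3t-prod"', True),
    ("app/calc.py", "result = eval(user_input)", True),
    ("app/calc_safe.py",
     'expr = re.sub(r"[^0-9+*/ -]", "", user_input)\nresult = eval(expr)', False),
    ("app/version.py", 'major = eval("1")', False),
    ("app/runner.py", "exec(user_input)", True),  # missed by both rule sets
]

SECRET = re.compile(r'PASSWORD\s*=\s*"')          # hardcoded credential
EVAL = re.compile(r"\beval\(")                    # any eval() call
EVAL_LITERAL = re.compile(r'\beval\(\s*["\']')    # eval("...") on a constant
SANITIZER = re.compile(r're\.sub\(r"\[\^')        # allow-list character filter

def naive_rules(path, source):
    # Broad rules with no context: every match becomes an alert.
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if SECRET.search(line) or EVAL.search(line):
            findings.append((path, lineno))
    return findings

def tuned_rules(path, source):
    # Same rules, plus the context a reviewer would use to dismiss noise.
    findings = []
    in_tests = path.startswith("tests/") or "/test_" in path
    sanitized = bool(SANITIZER.search(source))    # input cleaned in this file
    for lineno, line in enumerate(source.splitlines(), 1):
        if SECRET.search(line) and not in_tests:
            findings.append((path, lineno))
        elif EVAL.search(line) and not EVAL_LITERAL.search(line) and not sanitized:
            findings.append((path, lineno))
    return findings

def confusion(rules, samples=SAMPLES):
    # Compare each file's verdict with ground truth: TP / FP / TN / FN.
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for path, source, vulnerable in samples:
        flagged = bool(rules(path, source))
        key = ("t" if flagged == vulnerable else "f") + ("p" if flagged else "n")
        counts[key] += 1
    return counts

def precision(counts):
    # Share of alerts that were real; 1.0 means no false positives.
    alerts = counts["tp"] + counts["fp"]
    return counts["tp"] / alerts if alerts else 0.0
```

Calling `confusion(naive_rules)` gives 2 TP, 3 FP, 0 TN, 1 FN (precision 0.4); `confusion(tuned_rules)` gives 2 TP, 0 FP, 3 TN and the same 1 FN (precision 1.0), which is the tuning the FAQ below refers to.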
Related Terms
- Alert Fatigue
- SAST
- Triage
- EPSS
FAQ
How do I know if an alert is a false positive?
You should review the code to determine whether a real user could trigger the issue.
Can tools have zero false positives?
No. The goal is to reduce them, not remove them completely.
Should I stop using a tool with many false positives?
Not immediately. Most tools need tuning to match your codebase.