What is Black Duck Signal?

Signal is Black Duck's agentic AI overlay across the AppSec stack. It performs reachability analysis to confirm which vulnerabilities are exploitable through direct and transitive dependencies, runs CVSS 4.0 and EPSS-grounded prioritization, and embeds inside AI code-assistant workflows for pre-commit open-source risk identification. Signal augments the Coverity, SCA, and Polaris analysis engines rather than replacing them. Merito sells the license and operates the reachability rollout, prioritization tuning, and agentic SCA integration.

What is reachability analysis?

Reachability analysis traces direct and transitive dependencies to confirm which vulnerabilities are actually exploitable from production entry points. Findings in unreachable code paths get demoted in the prioritized backlog. On portfolios with deep dependency trees, the difference between a backlog of every vulnerable line and a backlog of actually-reachable findings is meaningful. Reachability is the most actionable insight Signal produces for programs with mature SCA or SAST deployments.

How does Signal use CVSS 4.0 and EPSS?

Signal grounds prioritization in real-world exploit likelihood rather than raw severity. CVSS 4.0 captures exploitation context and threat-actor capability beyond CVSS 3.1. EPSS (Exploit Prediction Scoring System) data adds a probability score for whether each vulnerability is being exploited in the wild. The combined scoring drives a backlog ordered by what attackers are actually targeting rather than what scanners theoretically flag as critical.

What is agentic SCA for AI code assistants?

Agentic SCA embeds inside AI code-assistant workflows like GitHub Copilot, Cursor, and Claude Code. As the AI assistant generates code, Signal identifies open-source dependencies and snippet matches in the generated code at generation time and resolves the open-source risk before the commit lands. The architecture moves AppSec further left than build-gate scanning can reach. Programs with significant AI code-assistant adoption get the most value from this capability.

Does Signal replace Coverity Static, Black Duck SCA, or Polaris?

No. Signal augments the underlying analysis engines rather than replacing them. The reachability and prioritization capabilities apply across Coverity, SCA, and Polaris findings. Programs without an underlying Black Duck analysis engine deployment get less value from Signal because there is nothing for the overlay to operate on.

How does Signal compare to other agentic AppSec products?

Several vendors ship reachability and prioritization overlays. Signal differentiates on the integration depth with the Black Duck KnowledgeBase (10 million open-source projects), on the agentic SCA capability inside AI code-assistant workflows, and on the close coupling to Coverity and Polaris findings. Programs already running Black Duck analysis engines get the most value from Signal because the integration is native rather than third-party.

How is Signal licensed?

Signal is licensed by application count and the analysis-engine surface (Coverity, SCA, Polaris) it overlays. Agentic SCA for AI code assistants is sold as an add-on. Pricing scales with the analysis-engine deployment breadth Signal augments. Merito sells the license and scopes implementation, reachability rollout, and agentic SCA integration as separately priced services.

Black Duck • Application security

Black Duck Signal

Signal is the agentic AI overlay across the Black Duck AppSec stack. Reachability analysis confirms which vulnerabilities are exploitable through direct and transitive dependencies. CVSS 4.0 and EPSS scoring grounds prioritization in exploitability rather than raw severity. Agentic SCA inside AI code-assistant workflows identifies and resolves open-source risks before commit.

Merito sells Signal and operates the reachability rollout, prioritization tuning, and agentic AI integration across AI code-assistant workflows that turn the platform into developer-trusted AppSec automation.

Get Signal pricing Talk to a Merito Signal specialist

Best for: AppSec leaders running mature analysis-engine deployments who want triage automation, Programs adopting AI code assistants (Copilot, Cursor, Claude Code) at scale, Security teams overwhelmed by Coverity, SCA, or Polaris finding volume that lacks reachability context
Hosting: SaaS
Time to value: Reachability analysis live across existing Coverity, SCA, or Polaris findings in two to four weeks. Agentic SCA in AI code-assistant workflows live in four to eight weeks depending on assistant adoption.
Security posture: GDPR, HIPAA-aligned design, SAML SSO
Last reviewed: 2026-04-27

What it is

Black Duck Signal in the enterprise stack

Signal is Black Duck's agentic AI overlay across the AppSec stack. The platform combines twenty-plus years of AppSec intellectual property with LLM-powered analysis to detect, prioritize, and remediate vulnerabilities autonomously inside the customer's existing analysis-engine surface. Signal does not replace Coverity Static, Black Duck SCA, Polaris, or Continuous Dynamic. It augments them.

Reachability analysis is the core capability. Signal traces direct and transitive dependencies to confirm which vulnerabilities are actually exploitable from production entry points. Findings in unreachable code paths get demoted so the AppSec backlog reflects what an attacker can reach rather than every theoretically vulnerable line. Combined with CVSS 4.0 and EPSS exploitability scoring, the prioritization grounds in real-world exploit likelihood rather than raw severity.

Agentic SCA inside AI code-assistant workflows is the more recent capability. As Copilot, Cursor, and Claude Code generate substantial portions of new code, the open-source dependencies and snippet matches in AI-generated code need to be identified and resolved before the commit lands. Signal embeds inside AI development workflows and resolves open-source risks at generation time rather than at scanner time. The architecture moves AppSec further left than build-gate scanning can.

Ideal use cases

Reachability analysis layered across Coverity, SCA, or Polaris findings
CVSS 4.0 and EPSS-grounded prioritization replacing raw severity
Agentic SCA inside Copilot, Cursor, and Claude Code workflows
Pre-commit open-source risk identification and resolution
Triage automation for AppSec backlogs that exceed analyst capacity

What it is best at

Where Black Duck Signal earns its seat

Reachability analysis grounded in exploitability

Direct and transitive dependency tracing demotes findings in unreachable code paths. The backlog reflects what attackers can reach rather than every vulnerable line. On portfolios with deep dependency trees the difference is meaningful.

CVSS 4.0 and EPSS prioritization

Prioritization grounds in real-world exploit likelihood rather than raw severity. CVSS 4.0 scoring combined with EPSS exploitability data drives a backlog ordered by what is actually being exploited in the wild.

Agentic SCA in AI code-assistant workflows

Embeds inside Copilot, Cursor, and Claude Code workflows. Open-source dependencies and snippet matches in AI-generated code get identified and resolved before commit. Moves AppSec further left than build-gate scanning can.

Core capabilities

Black Duck Signal capabilities, grouped by outcome

Reachability analysis

How Signal grounds findings in real-world exploitability.

Direct dependency reachability
Traces whether vulnerable functions in direct dependencies are actually called from the customer's application code.
Transitive dependency reachability
Extends reachability tracing through transitive dependency chains so vulnerabilities deep in the dependency graph get evaluated for actual exploit paths.
Unreachable finding demotion
Findings in code paths that cannot be reached from production entry points get demoted in the prioritized backlog.

Risk prioritization

The scoring model that orders the AppSec backlog.

CVSS 4.0 scoring
Modern vulnerability scoring that captures exploitation context and threat-actor capability beyond CVSS 3.1.
EPSS exploitability data
Exploit Prediction Scoring System data grounds the backlog in real-world exploit likelihood rather than theoretical severity.
Business-impact filtering
Findings filter against business-criticality data so the backlog reflects what is operationally important rather than every theoretically vulnerable component.

Agentic AI for AI code assistants

How Signal integrates into AI-augmented development workflows.

Copilot, Cursor, Claude Code integration
Embeds inside AI code-assistant workflows. Open-source dependencies and snippet matches in AI-generated code get identified at generation time.
Pre-commit risk resolution
Resolves open-source risks before the commit lands rather than catching them at build-gate scanning.
Developer-context grounding
Recommendations ground in the customer's specific codebase context, dependency posture, and policy rather than generic AI guidance.

Cross-product integration

How Signal layers across the rest of the Black Duck stack.

Coverity Static layering
Reachability and EPSS prioritization apply across Coverity SAST findings to ground prioritization in exploitability.
Black Duck SCA layering
Reachability tracing demotes SCA findings in unreachable dependency paths, materially reducing the open-source backlog volume.
Polaris layering
Signal capabilities apply across the Polaris findings surface for unified prioritization across SAST, SCA, DAST, and IaC.

Where it fits in the stack

How Black Duck Signal connects to the rest of your landscape

Black Duck platform (native)

Native

Coverity StaticReachability and EPSS prioritization layered across Coverity SAST findings.
Black Duck SCAReachability analysis across direct and transitive dependencies in the SCA findings surface.
PolarisSignal capabilities layered across Polaris findings for unified prioritization across SAST, SCA, DAST, and IaC.

AI code assistants (certified)

Certified

GitHub CopilotAgentic SCA embedded in Copilot workflows for pre-commit open-source risk identification.
CursorPre-commit dependency identification and resolution inside Cursor AI workflows.
Claude CodeAgentic SCA inside Claude Code workflows surfaces open-source risk at generation time.

Custom integrations

Custom

Internal AI assistant frameworksCustom integration into customer-built AI code assistants and proprietary developer tools.
Custom prioritization policyPer-customer prioritization weighting tied to business criticality, regulatory scope, and asset inventory.

Deployment and implementation

How it rolls out

Hosting: SaaS (Global SaaS)
Implementation complexity: Moderate
Typical time to value: Reachability analysis live across existing Coverity, SCA, or Polaris findings in two to four weeks. Agentic SCA in AI code-assistant workflows live in four to eight weeks depending on assistant adoption.
Prerequisites: Existing Coverity, SCA, or Polaris deployment
AI code-assistant adoption posture documented
Triage operating model owner named
Prioritization policy decision
What Merito usually handles: Signal runs as SaaS overlay across the customer's existing Black Duck analysis-engine deployments. Merito handles tenant configuration, reachability rollout, EPSS prioritization tuning, and the agentic SCA integration into AI code-assistant workflows.

Licensing and packaging

How it is bought

Model: Subscription
What to expect: Signal is licensed by application count and analysis-engine surface (Coverity Static, Black Duck SCA, Polaris) it overlays. Agentic SCA for AI code assistants is sold as an add-on. Pricing scales with the breadth of the analysis-engine deployment Signal augments. Merito sells the license and scopes implementation, reachability rollout, and AI code-assistant integration as separately priced services.
Editions and modules: Signal core
Reachability analysis and CVSS 4.0 / EPSS prioritization across Coverity, SCA, or Polaris findings.
Best for: Programs with mature analysis-engine deployments seeking triage automation.
Signal Agentic SCA add-on
Agentic SCA embedded in Copilot, Cursor, Claude Code, or custom AI code-assistant workflows.
Best for: Programs with significant AI code-assistant adoption.
Common expansion areas: Extend reachability across additional Coverity Static, SCA, or Polaris deployments
Add Agentic SCA integration to additional AI code assistants
Pair with Software Risk Manager for ASPM correlation across multi-vendor findings
Extend prioritization policy to business-criticality and asset-inventory scoring

Merito services

How Merito helps you win with Black Duck Signal

Merito sells licenses and the delivery work around them. Pick the service that matches where you are in the lifecycle.

Signal Implementation

Tenant configuration, reachability rollout across existing Coverity, SCA, or Polaris deployments, EPSS prioritization tuning, and agentic SCA integration.

Explore service 02

MAPS Assessment

AppSec program scoping for Signal adoption alongside reachability tools from competing vendors and AI-augmented triage platforms.

Explore service 03

DevOps Consulting

Signal integration into CI/CD prioritization workflows and AI code-assistant adoption across developer cohorts.

Explore service 04

Premium Support

Named engineer, priority SLAs, and release-window coverage for Signal in production.

Explore service 05

Managed Services

Long-term run support including reachability tuning, EPSS prioritization maintenance, and agentic SCA workflow evolution.

Explore service 06

Training and Enablement

Role-based training for AppSec architects, security engineers, and developers using Signal output.

Explore service

Signal licensing

Buy Signal from the partner that grounds reachability in your AppSec policy.

Reachability and EPSS prioritization only produce value when paired with a triage operating model. Buy Signal through Merito and get the rollout, the policy, and the agentic SCA integration together.

Request Signal pricing

Merito point of view

Reachability is real. Agentic AI marketing oversells autonomy. The triage operating model still matters.

Reachability analysis genuinely improves the AppSec backlog. Programs running Coverity or SCA without it accept finding volumes that include unreachable code paths, which dilutes signal and erodes developer trust. Signal's reachability rollout is the practical way to ground prioritization in real exploit paths rather than syntactic vulnerability counts.

Agentic AI marketing tends to overstate autonomy. Signal augments developer and security workflow but does not replace the triage operating model. AppSec leaders adopting Signal expecting the platform to autonomously close findings without human review are setting up the wrong expectation. The autonomy applies to specific narrow cases (clearly unreachable findings, well-understood remediation paths). Complex business-logic decisions still require human judgment.

Agentic SCA inside AI code-assistant workflows is the right architecture for programs with significant Copilot, Cursor, or Claude Code adoption. Pre-commit risk identification moves AppSec further left than build-gate scanning can reach. Programs without significant AI code-assistant adoption get less value from this capability. Merito recommends adoption sequencing based on the customer's actual AI development posture.

What buyers usually underestimate

Adopting Signal without an underlying Coverity, SCA, or Polaris deployment to overlay
Expecting agentic AI to replace human triage rather than augment it
Treating reachability findings as gospel without periodic policy review of the prioritization weights
Skipping AI code-assistant integration on programs that have significant Copilot or Cursor adoption
Not staffing the operating model that consumes Signal-prioritized findings

Related from Merito

Continue exploring Black Duck Signal on Merito

Black Duck Signal FAQs

Consultation request

Talk to Merito about Signal

Share your existing analysis-engine deployment, AI code-assistant adoption, and triage operating model. A Merito Signal specialist follows up within one business day.

Reachability analysis

Findings grounded in real exploit paths

Direct and transitive dependency tracing demotes unreachable findings. The backlog reflects what attackers can actually reach.

Agentic SCA

Pre-commit risk in Copilot, Cursor, Claude Code

Open-source dependencies and snippet matches in AI-generated code get resolved at generation time rather than at scanner time.

Next step

Ground prioritization in exploitability before the next backlog review.

A Signal engagement with Merito starts with reachability rollout across existing analysis-engine deployments. Prioritization grounded in real exploit paths beats raw severity every backlog cycle.

Book a Signal consultation

Black Duck Signal

How it rolls out

Hosting

SaaS (Global SaaS)

Implementation complexity

Moderate

Typical time to value

Reachability analysis live across existing Coverity, SCA, or Polaris findings in two to four weeks. Agentic SCA in AI code-assistant workflows live in four to eight weeks depending on assistant adoption.

Prerequisites

Existing Coverity, SCA, or Polaris deployment
AI code-assistant adoption posture documented
Triage operating model owner named
Prioritization policy decision

What Merito usually handles

Signal runs as SaaS overlay across the customer's existing Black Duck analysis-engine deployments. Merito handles tenant configuration, reachability rollout, EPSS prioritization tuning, and the agentic SCA integration into AI code-assistant workflows.

How it is bought

Model

Subscription

What to expect

Signal is licensed by application count and analysis-engine surface (Coverity Static, Black Duck SCA, Polaris) it overlays. Agentic SCA for AI code assistants is sold as an add-on. Pricing scales with the breadth of the analysis-engine deployment Signal augments. Merito sells the license and scopes implementation, reachability rollout, and AI code-assistant integration as separately priced services.

Editions and modules

Signal core
Reachability analysis and CVSS 4.0 / EPSS prioritization across Coverity, SCA, or Polaris findings.
Best for: Programs with mature analysis-engine deployments seeking triage automation.
Signal Agentic SCA add-on
Agentic SCA embedded in Copilot, Cursor, Claude Code, or custom AI code-assistant workflows.
Best for: Programs with significant AI code-assistant adoption.

Common expansion areas

Extend reachability across additional Coverity Static, SCA, or Polaris deployments
Add Agentic SCA integration to additional AI code assistants
Pair with Software Risk Manager for ASPM correlation across multi-vendor findings
Extend prioritization policy to business-criticality and asset-inventory scoring

Talk to Merito about Signal

Share your existing analysis-engine deployment, AI code-assistant adoption, and triage operating model. A Merito Signal specialist follows up within one business day.

Reachability analysis

Findings grounded in real exploit paths

Direct and transitive dependency tracing demotes unreachable findings. The backlog reflects what attackers can actually reach.

Agentic SCA

Pre-commit risk in Copilot, Cursor, Claude Code

Open-source dependencies and snippet matches in AI-generated code get resolved at generation time rather than at scanner time.