AI-Driven Hybrid SAST–DAST–SCA–IAST Framework for Risk-Based Vulnerability Prioritization in Microservice Architectures
Microservice-based architectures introduce highly distributed and rapidly evolving attack surfaces that overwhelm traditional vulnerability management processes with excessive security findings lacking actionable prioritization. This paper presents an AI-driven hybrid security testing framework that unifies Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Software Composition Analysis (SCA), and Interactive Application Security Testing (IAST) into a single risk-centric vulnerability analytics pipeline. By jointly leveraging abstract syntax tree semantics, taint propagation reasoning, runtime exploit traces, and SBOM-derived dependency exposure, the proposed system constructs a rich, multi-dimensional representation of each vulnerability. A machine-learning prioritization model then infers exploit likelihood and business impact, reducing false positives by 46–57%, improving prioritization accuracy by up to 115% over CVSS and 48.9% over EPSS, and eliminating duplicate or unreachable findings. Practical deployment in DevSecOps workflows demonstrates 44–52% reductions in Mean Time To Remediate (MTTR) and 88–93% stabilization in CI/CD risk drift, enabling efficient remediation of vulnerabilities that pose the highest real-world threat. A privacy-preserving IRX processing mechanism further ensures secure cloud-side analytics without exposing proprietary code. Extensive experiments on benchmark and industrial microservice systems validate that the proposed approach provides actionable, exploitability-aware, and operationally impactful vulnerability prioritization for modern distributed architectures.
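To make the pipeline concrete, the following is an added example (not code from the paper or its authors) of the fusion and prioritization step the abstract describes: raw findings from SAST, DAST, SCA and IAST are merged by service, location and CWE, corroborating evidence (reachability, runtime confirmation, public exposure, EPSS, asset criticality) is folded into one record per weakness, unreachable findings are set aside with a reason, and the rest are ranked by a risk score. The `Finding` schema, the `LIKELIHOOD_WEIGHTS` table, the noisy-OR combination with EPSS and the sample findings are all assumptions; a transparent hand-weighted scorer stands in here for the learned prioritization model.

```python
"""Risk-based prioritization over fused SAST/DAST/SCA/IAST findings (illustrative, not the paper's model)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Finding:
    """One raw finding from one tool. Field names are assumptions, not the paper's schema."""
    tool: str                        # "sast", "dast", "sca" or "iast"
    service: str                     # microservice that owns the finding
    location: str                    # file:line, HTTP route, or package@version
    cwe: str
    reachable: bool = True           # SAST/SCA: sink or dependency lies on a taint/call path
    runtime_confirmed: bool = False  # IAST/DAST: vulnerable behaviour observed during execution
    internet_exposed: bool = False   # service sits behind a public ingress
    epss: float = 0.0                # EPSS probability when a CVE is attached, else 0
    asset_criticality: float = 0.5   # business impact of the service, 0..1


# Assumed exploit-likelihood contributions in percent; a stand-in for the learned model.
LIKELIHOOD_WEIGHTS = {"base": 15, "reachable": 25, "runtime_confirmed": 40, "internet_exposed": 20}


def fuse(findings: List[Finding]) -> Dict[Tuple[str, str, str], dict]:
    """Merge findings that describe the same weakness at the same place in the same service."""
    merged: Dict[Tuple[str, str, str], dict] = {}
    for f in findings:
        key = (f.service, f.location, f.cwe)
        m = merged.setdefault(key, {
            "service": f.service, "location": f.location, "cwe": f.cwe, "tools": set(),
            "reachable": False, "runtime_confirmed": False, "internet_exposed": False,
            "epss": 0.0, "asset_criticality": 0.0,
        })
        m["tools"].add(f.tool)
        # Corroboration: any tool showing reachability or runtime behaviour counts for the merged record.
        m["reachable"] |= f.reachable
        m["runtime_confirmed"] |= f.runtime_confirmed
        m["internet_exposed"] |= f.internet_exposed
        m["epss"] = max(m["epss"], f.epss)
        m["asset_criticality"] = max(m["asset_criticality"], f.asset_criticality)
    return merged


def risk_score(m: dict) -> float:
    """Likelihood (evidence flags, noisy-OR with EPSS) times business impact, scaled to 0..100."""
    pct = LIKELIHOOD_WEIGHTS["base"]
    for flag in ("reachable", "runtime_confirmed", "internet_exposed"):
        if m[flag]:
            pct += LIKELIHOOD_WEIGHTS[flag]
    likelihood = min(pct, 100) / 100
    # Noisy-OR: either our own evidence or observed in-the-wild activity raises the likelihood.
    likelihood = 1 - (1 - likelihood) * (1 - m["epss"])
    return round(100 * likelihood * m["asset_criticality"], 1)


def prioritize(findings: List[Finding]):
    """Return (ranked findings, suppressed findings). Suppressed records keep a reason for audit."""
    ranked, suppressed = [], []
    for m in fuse(findings).values():
        if not m["reachable"] and not m["runtime_confirmed"]:
            suppressed.append({**m, "reason": "unreachable and never observed at runtime"})
            continue
        ranked.append({**m, "score": risk_score(m)})
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked, suppressed


# Constructed sample findings; service names, paths and package names are placeholders.
SAMPLE_FINDINGS = [
    Finding("sast", "checkout", "src/order.py:88", "CWE-89", internet_exposed=True, asset_criticality=0.9),
    Finding("iast", "checkout", "src/order.py:88", "CWE-89", runtime_confirmed=True,
            internet_exposed=True, asset_criticality=0.9),           # duplicate of the SAST hit
    Finding("sca", "inventory", "example-lib@1.2.3", "CWE-502", reachable=False,
            epss=0.9, asset_criticality=0.6),                        # vulnerable dependency, never called
    Finding("sast", "reporting", "src/export.py:12", "CWE-79", asset_criticality=0.3),
    Finding("dast", "gateway", "/api/v1/search", "CWE-79", runtime_confirmed=True,
            internet_exposed=True, asset_criticality=0.7),
]

if __name__ == "__main__":
    ranked, suppressed = prioritize(SAMPLE_FINDINGS)
    for r in ranked:
        print(f'{r["score"]:5.1f}  {r["service"]:10s} {r["cwe"]:8s} {sorted(r["tools"])}')
    for s in suppressed:
        print(f'  --   {s["service"]:10s} {s["cwe"]:8s} suppressed: {s["reason"]}')
```

Running the sample yields the corroborated SQL injection in `checkout` first (SAST and IAST agree, public ingress, high-value service), the DAST-confirmed XSS on the public gateway second, the internal SAST-only XSS last, and the unreachable dependency set aside despite its high EPSS, which is the point of reachability-aware triage: a score driven by CVE metadata alone would have put that dependency at the top.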