In a system for detecting composite vulnerabilities associated with a process or a context, individual defects/vulnerabilities in a software system/application are identified and clustered into two or more classes of defects, where each class includes one or more defects of related types. Given a pattern of defects of different types, where the pattern represents a composite vulnerability, it is determined by searching in the clusters, if the software system/application includes all of the defects/vulnerabilities associated with that pattern.