Application security has entered a dangerously paradoxical new phase: organizations now have more visibility into application security risk than at any point in history. AI-powered detection tools are in virtually every developer’s IDE. Breach data is abundant. The threat landscape is well-documented. And yet, the industry’s response to all of this visibility has been to build structures that neutralize it: filtering, delaying, and deprioritizing risk at every decision layer.
That is the central finding of The Future of Application Security in the Era of AI, a global research study conducted annually by Censuswide on behalf of Checkmarx and published today.
The report is based on a survey of 2,350 CISOs, AppSec managers, and developers across 14 countries – our largest sample to date – and it describes an industry that has solved detection but can’t close the gap between finding a vulnerability and fixing it.
Up until April, this tension was barely viable. Then Anthropic disclosed Mythos — a model capable of discovering and exploiting long-standing vulnerabilities across major operating systems and browsers, producing working exploits nearly 100 times more frequently than its predecessor.
A world where a third of organizations leave half their vulnerabilities unfixed for 90 days cannot survive a reality in which Mythos and the models that follow it exist. The clock now runs in minutes, not months.
What the Data Reveals
Two years after AI code generation went mainstream, the development environment has fundamentally changed. But the systems responsible for securing it have not.
Most code isn’t really yours anymore. 49% of production code is now AI-generated. 67% of organizations report that open-source components make up at least half their codebase. Human-written first-party code is no longer the norm. The developer role has shifted from author to editor, and the security model built for human-authored code hasn’t shifted with it.
More AI code means more risk — and the correlation is linear. We segmented all 2,350 respondents by how much of their production code is AI-generated, then compared each group’s rate of shipping known-vulnerable code. Organizations where 81-100% of code is AI-generated ship vulnerable code at 3.4x the rate of those at 1-20%. The pattern is clear across every bracket: 14% → 19% → 23% → 36% → 47%. And 70% of developers themselves confirm that AI code generation tools introduced more vulnerabilities in 2025.

Risk is normalized — from the bottom up and the top down. 75% of organizations knowingly deploy vulnerable code. 30% ship hoping the vulnerability won’t be found. At the leadership level, 95% of CISOs report being pressured to suppress or delay compliance-related security findings — 47% frequently. Budgets are growing (46% increased year-over-year), but only 19% of CISOs say their budget allows them to proactively reduce risk. The rest are operating in reactive or constrained modes where known risk is tolerated by design.
Three roles, three realities. For the first time, this report analyzes how CISOs, AppSec managers, and developers diverge on the same questions — and the gaps are significant. CISOs say 11% of organizations were breach-free in the past year. Developers say 8%. AppSec managers — closest to the risk — say 1%. On shadow AI: CISOs see 5%, AppSec sees 18%. On whether AI coding is governed: CISOs and developers say 27-28% is “standardized and governed.” AppSec says 12%. The people responsible for security can’t agree on what’s happening inside their own organizations.
Confidence and outcomes move in opposite directions. 73% of CISOs and AppSec managers rate their security posture as advanced or highly mature. Yet 81% of organizations were breached twice or more in the past 12 months, and 48% three or more times. The most striking finding: organizations that rate themselves “highly mature” report the highest AI code volumes (60%), the highest rates of shipping vulnerable code (42%), and breach rates virtually identical to the rest of the industry.
The tools work. The system doesn’t. 96% of developers have AI-based security tooling in their IDE. Virtually all (99.6%) rate it effective. Yet only 18% apply security continuously as code is written — 82% still rely on checkpoints. Only 9% of organizations fix more than 90% of vulnerabilities within 90 days. A third leave half their known vulnerabilities unfixed within that window. Detection is solved. The organizational response is not.
Developers are set up to fail. Developers spend nearly half (49%) of their time on security and still ship vulnerable code at the highest rate of any group (32% “often”). When remediation fails, they face consequences on every front: post-mortems (39%), performance reviews (37%), escalation (36%), blocked releases (33%). Yet the systems contributing to that failure — tools generating low-value findings (37%), unclear guidance (38%), feedback arriving too late (38%) — remain unfixed. All of the accountability, none of the support.
What’s in the report
The full report goes deeper:
- Regional breakdowns across 14 countries and three regions — including why Europe leads on breach rates, budget increases, and slowest remediation simultaneously
- The complete cross-tabulation analysis linking AI code volume to vulnerable code deployment and breach frequency
- The three-way perception gap: how CISOs, AppSec managers, and developers report fundamentally different versions of the same reality
- The confidence paradox: why “highly mature” organizations sit at the top of every risk curve
- The developer burden data: time spent, friction sources, consequences, and why the current model is failing them
- Six strategic imperatives for closing the gap between detection and action — including the case for agentic security
From governance frameworks to the autonomy question to the case for agentic security, it’s not only the most comprehensive and up-to-date survey of how AppSec is practiced across the industry — it’s the playbook for what organizations need to do to stop letting known risks survive the decision chain.