Learnings From Checkmarx Agentic AppSec Unleashed ‘26

Deterministic Meets Frontier: The New Blueprint for AppSec

Software is now being created faster than most organizations can secure it.

AI coding assistants are helping developers move at unprecedented speed. But that same speed is creating a new security reality: more code, more vulnerabilities, faster exploitability, and a growing backlog that traditional AppSec processes were never designed to handle.

That tension shaped the conversation at the second annual Agentic AppSec Unleashed Summit, held on June 16. Across six main sessions and four exclusive early-access discussions, CISOs, customers, and product leaders explored how security teams can adapt to the AI-driven software supply chain.

One message came through clearly: Agentic development demands security that moves at the same pace.

The teams that succeed will not be the ones that slow down development. They will be the ones that learn how to secure software as fast as AI can create it.

The Future of AppSec: Deterministic Security Meets Frontier AI

Checkmarx CEO Sandeep Johri opened the summit by framing the challenge facing security teams today. AI is helping enterprises write code two to three times faster, but that acceleration is also producing more vulnerable code than traditional AppSec programs can absorb.

According to Johri, AI-generated code has a much higher concentration of vulnerabilities than human-written code, contributing to a threefold increase in the overall vulnerability backlog. Left unchecked, that backlog could slow the very innovation AI was meant to accelerate.

At the same time, attackers are also using AI. Exploit creation is becoming faster, cheaper, and more scalable. In 2018, exploiting a zero-day vulnerability could take roughly two years. Today, that window has shrunk to just one or two days, and it continues to narrow.

Given that speed, it may seem logical to fight AI with AI by relying on frontier models to find vulnerabilities faster. But Johri made clear that an “LLM-only” approach is not enough. Frontier models can uncover novel exploit paths, but they can also be inconsistent. Their results may change depending on the prompt, they can produce false positives, and they can still miss known critical vulnerabilities.

That is where deterministic security remains essential. Unlike LLMs, deterministic tools apply consistent rules and proven detection logic, producing repeatable results that teams can trust and verify.

The answer, Johri argued, is not AI or deterministic tooling – it’s both. Modern application security needs a hybrid platform that pairs deterministic ground truth with probabilistic AI reasoning, combining the consistency of traditional security with the speed and creativity of frontier models.

Johri also made an important architectural point: the same model that produces the code should not be trusted to secure it. Just as a system should not manage its own permissions or store its own master keys, the security control plane must remain independent of the AI it evaluates. He called it a “separation of church and state.”

That separation is central to the platform Checkmarx is building: one that combines deterministic ground truth with AI-powered reasoning while keeping security validation independent, consistent, and verifiable. The result is already showing impact, including a 60–70% reduction in false positives.

Beyond the False Choice: How AI and AppSec Win Together

The second session brought Johri together with other security leaders who are already navigating this shift:

  • Michael Schrank, former Group CISO, Adidas; CEO, Three Rivers Advisory
  • Joseph Wilson, SVP & CIO, CSG
  • Laurent Donnay, SVP IT Sales and Platforms, Deutsche Telekom

The central question in this session was simple: If AI can write code, find vulnerabilities, and generate exploits, what is left for AppSec to do?

The answer was not that AppSec becomes less important. It becomes the layer of trust, governance, and execution that makes AI-driven development safe.

AI can accelerate coding, scanning, and even exploitation, but organizations still need deterministic security to validate results, prioritize real risk, and ensure findings lead to remediation.

That is where the operational challenge begins. Most teams are not struggling because they lack security signals; they are struggling because those signals are fragmented and overwhelming. To turn findings into remediation, they need a connected view of risk that brings together code, runtime, identity, and data context to show what is truly exploitable and what should be fixed first. Wilson captured the maturity challenge directly: “Discovery without mitigation is just inventory.”

From there, the panel focused on what mature AppSec programs need to do differently:

  • Measure what matters. Maturity isn’t how many vulnerabilities you find. It’s MTTR (mean time to remediation): how fast you resolve them.
  • Integrate, don’t interrupt. Remediation belongs inside the existing SDLC, with agents proposing fixes directly in the pull request.
  • Let agents do the grunt work. Triage and remediation that could take hours for developers can be completed by an LLM in two to three minutes.

The Vulnerabilities Were Always There: Now What?

In my session with Jonathan Rende, Chief Product Officer at Checkmarx, we put numbers behind the problem.

AI is not just changing how quickly software is written; it is changing how quickly security debt accumulates.

AI-generated code is introducing more defects per unit of code, with defect rates up 1.7x. When that increase is multiplied across the growing volume of AI-generated software, it compounds into roughly 5x more exploitable flaws. In other words, organizations are not just writing more code. They are also creating more risk for security teams to manage.

At the same time, attackers are moving faster and more cheaply than ever. A working CVE exploit can now cost as little as $1 and only minutes of compute. That means the window between disclosure and exploitation is no longer long enough for slow, manual response processes.

The result is a widening gap between what teams find and what they fix. Over the last year, vulnerability submissions increased while monthly fixes fell 46%. Discovery has scaled with AI, but remediation has not. Critical vulnerabilities are now piling up faster than most teams can resolve them.

The solution isn’t to replace traditional tooling with AI, but to combine both deliberately.

AI is fast and creative, which makes it useful for surfacing novel patterns that traditional scanners may miss. Deterministic security is consistent and repeatable, which makes it essential for catching known vulnerabilities, validating findings, and producing the evidence auditors require.

Put simply, AI casts the wide net, while deterministic logic confirms what is real.

That combination produces better signal. In Checkmarx labs, the hybrid engine reached an F1 score of 0.64, compared to roughly 0.20 for a pure frontier model like Claude Opus 4.7. That difference matters because it turns a noisy alert pile into findings teams can actually trust and act on.

Our conclusion was clear: discovery is no longer the hardest part. The teams that lead will be the ones that improve remediation throughput – their ability to fix vulnerabilities quickly, accurately, and consistently across both new code and the existing backlog.

Getting to High Fidelity

Checkmarx VP of Product Ori Bendet continued the case for a hybrid model by pointing to the limits of LLM-only security. In the BaxBench benchmark, even the best frontier models returned solutions that were incorrect or insecure more than 45% of the time. “If you go all-in on LLMs, you’re going to have missing results,” he said, “and those missing results create risk for your organization.”

Cost is another important factor. Scanning millions of lines of code with premium models can become expensive quickly, especially at enterprise scale. Security teams need an approach that is not only accurate, but also scalable, repeatable, and cost-effective.

Frank Emery, Senior Director of Product Management, then explained how Checkmarx’s next-generation SAST engine is built to deliver that balance. It combines three core capabilities: a deterministic, rules-based foundation for consistency and trusted ground truth; an AI-based, language-agnostic scanner that expands coverage to frameworks and languages traditional tools may not support; and a Findings Analysis Engine that reviews findings in context and removes false positives before they reach developers.

Together, these capabilities feed the Checkmarx ASPM platform, which helps teams understand where risk lives. From there, AI-powered agents, including Developer Assist, Triage Assist, and Remediation Assist, can identify issues earlier, triage zero-day and backlog vulnerabilities faster, and support remediation before risks escalate.

The result is less noise, broader language support, and stronger fidelity than traditional SAST. Just as importantly, this approach is grounded in two decades of Checkmarx research, detection logic, and AppSec expertise.

Remediation at AI Speed: From AI Vibe Coding to Verified, Governed Code

The next session shifted from strategy to practice in a discussion moderated by Checkmarx VP of Product Management Harshil Parikh. He was joined by two PatientPoint security practitioners: Femi Oyesanya, application security engineer, and Lily Leith, application security risk analyst. Together, they explored a practical question facing many AppSec teams today: remediation has always mattered, but how does AI’s speed change the way teams approach it?

For Oyesanya, the opportunity is clear. “We have a better, more reliable, faster way of doing it,” he said. But he also cautioned that automation brings new complexity. Risk does not come only from application code; it can also come from SCA vulnerabilities, compromised libraries, and other parts of the software supply chain. That means controls need to extend across the infrastructure, not just the code.

Leith described how PatientPoint has moved from a reactive model to a more anticipatory one. Instead of spending hours responding to the “attack of the day,” her team now uses automation to shorten response times. That includes monitoring new CVEs, checking whether GitHub packages are malicious, and using agents to determine what is actually exploitable.

The key, both speakers emphasized, is trusted context. By pulling in intelligence from sources like Checkmarx, teams can decide whether a vulnerability should trigger a break-build policy or move through another remediation workflow.

They also stressed that humans still need to stay in the loop. Developers remain the experts on their own codebases, so they need to review AI-generated fixes, catch hallucinations, and make sure suggested changes do not introduce new risk. For critical or externally facing systems, formal change management remains essential.

That is where governance becomes critical. Security gates, policies, and review processes keep AI-accelerated development accountable. Parikh closed on a note of hard-won optimism: the industry has been “notorious about not fixing things,” but he believes agentic remediation can finally help drive down MTTR with a solution built for practitioners.

Bring Visibility Across the Supply Chain

The final session focused on one of the biggest governance challenges in the AI era: visibility across the AI software supply chain. Checkmarx Product Director for SSCS David Dewaele and AWS Principal Solution Architect for ISV Security Paul DeLaria discussed how organizations can identify, assess, and govern the AI components now entering modern applications.

Most large organizations are familiar with shadow IT, where employees use tools that were never approved by the company. Security teams now face a newer and more complex version of the same problem: shadow AI.

Developers moving quickly may adopt unsanctioned AI tools, models, agents, MCP servers, or other AI components, creating risk that security teams cannot manage if they cannot see it.

DeLaria’s central point was simple and important: organizations cannot secure what they cannot see. Many leaders do not yet know which AI components are running inside their applications. Without that visibility, it becomes difficult to assess risk, enforce policy, or demonstrate compliance.

Visibility begins with the Shared Responsibility Model. Cloud providers are responsible for securing the cloud infrastructure itself, while enterprises are responsible for what they build and run on top of it. In the AI era, that includes identity and access management for agents, the AI tool supply chain, and observability into what those agents are doing.

Dewaele outlined a three-layer approach to AI supply chain governance.

  • Detection: Identify every AI asset, from LLMs to agents to MCP servers, across the whole SDLC.
  • Risk assessment: Run purpose-built scanners that catch new threats like malicious artifact injection and dangerous model loaders, alongside traditional scans.
  • Governance and compliance: Generate AI Bills of Materials (AI-BOMs) to evidence security against frameworks like the EU AI Act, NIST, and ISO.

The goal is not only to detect risk. It is to create the visibility, context, and evidence organizations need to govern AI-driven development responsibly.

That’s a Wrap

The summit ended where it began: with the central idea that securing software at the speed of AI cannot be solved by one tool, one team, or one model. It requires a new AppSec discipline that is built layer by layer, from detection to remediation to governance.

That discipline starts with deterministic ground truth. It adds AI-driven reasoning where AI can provide speed, scale, and broader coverage. It uses agents to accelerate triage and remediation, and it creates visibility across the full software supply chain, including the new AI components that are quickly becoming part of modern applications.

AI has made it easier, cheaper, and faster for attackers to exploit software, but it has also created a new opportunity for defenders. With the right architecture, security teams can move faster without giving up trust. They can reduce noise without missing critical issues. They can govern AI-generated code without slowing innovation.

That is the blueprint Checkmarx laid out at Agentic AppSec Unleashed ’26: deterministic security and frontier AI, working together so organizations can secure software as fast as AI can build it.

The full sessions and slides are available on demand.
