FOA Report - Checkmarx
2027 Outlook Report · The Future of Application Security in the Era of AI

The Blindfold Is
Self-Applied.

AI is off the leash — and the industry is blindfolding itself. Based on a global survey of 2,350 CISOs, AppSec managers, and developers across 14 countries.

AI is now the development environment

Human-written code
is no longer the norm.

0%
of production code is now AI-generated
0%
of organizations embed AI components in their applications
0%
of developers say AI-generated code introduced more vulnerabilities than manual code

Development accelerated dramatically.
So did exposure.

The confidence paradox

AI code doesn't just increase risk.
It multiplies it. By 3.4×

Organizations where 81–100% of code is AI-generated ship vulnerable code at 3.4× the rate of those at 1–20%.

% Often Deploying Vulnerable Code — By AI Code Volume
Based on cross-tabulation of 2,350 respondents by AI code volume
1–20%: 14%
21–40%: 19%
41–60%: 23%
61–80%: 36%
81–100%: 47% (3.4×)

Confidence is high.
The numbers disagree.

The organizations sitting at the top of that curve are the ones that rate themselves "highly mature."

They report the highest AI code volumes (60%), the highest rate of shipping vulnerable code (42%), and breach rates barely distinguishable from everyone else.

Confidence isn’t protecting them. It’s blinding them.

A self-reinforcing loop

The data reveals
a closed loop.

49%
AI-generated code
3.4×
More vulnerable code shipped at high AI-code volumes
93%
Breached via their own apps
More code
More risk
More breaches

AI code volume correlates directly with vulnerable deployment — which contributes to breach frequency.

The industry is normalizing risk

Risk isn’t missed.
It’s sidelined — on purpose.

0%
of CISOs report being pressured to suppress or delay compliance-related security findings
0%
of organizations knowingly deploy vulnerable code — driven by deadlines, complexity, and compensating controls
0%
ship vulnerable code hoping the vulnerability won't be found

Visibility improved.
Action didn’t.

Three roles, three realities

Nobody inside the org
sees the same picture.

Share of each role who believe their organization had zero breaches in the past 12 months:

CISOs
0%
Furthest from the code. Most optimistic.
Developers
0%
Writing it. Slightly less sure.
AppSec
0%
Closest to the risk. Almost none believe it.

The closer you sit to the code, the worse the picture gets.

The tools work — the system doesn’t

Detection isn’t the problem.
Action is.

0.0%
of developers say their in-IDE AI security tooling is effective
0%
of developers apply security only at checkpoints — only 18% fix continuously as code is written
0%
of organizations fix more than 90% of vulnerabilities within 90 days

The tools do the work.
The system doesn’t act on it.

A note on timing

The window between
vulnerability and exploit collapsed.

Yesterday: Months
Post-Mythos: Minutes

A third of organizations leave half their known vulnerabilities unfixed for 90 days. Every one of them is now a potential zero-day.

What actually needs to change

Six structural shifts needed to
survive the post-Mythos Era

The organizations that thrive in the agentic era won't have the best detection. They’ll be the ones that stopped letting known risks survive the decision chain.

01 Prioritize risk, not volume
02 Embed security into workflows
03 Reduce tool & ownership fragmentation
04 Strengthen governance — especially AI
05 Align accountability with capability
06 Move from insight to execution

The full playbook — every imperative, every benchmark — is in the report.

The path forward

The blindfold is self-applied.
So is the decision to remove it.

Get the complete report: every finding, the regional breakdowns, the autonomy data, and the six strategic imperatives for closing the gap between insight and action.

2,350
Respondents
14
Countries
3
Roles surveyed
