Applications continue to ship with known weaknesses even as development workflows speed up. A new Datadog State of DevSecOps 2026 report examines how dependency management and pipeline practices are influencing exposure across cloud-native environments.

Across the environments studied, 87% of organizations run at least one exploitable vulnerability in production services, affecting 40% of those services. This condition points to a persistent accumulation of security debt inside deployed software stacks.

Dependency lag continues to grow

Third-party libraries remain a central source of drift between development velocity and security posture. The median dependency now trails its latest major version by 278 days, compared with 215 days last year. This year-over-year change reflects a widening delay in adoption cycles.

Dependency age connects directly to exposure. Older components accumulate known issues that are difficult to remediate once embedded into production workflows. Teams often defer large upgrades because of integration risks and regression testing demands.

Development cadence influences this drift. Services that deploy less frequently tend to accumulate larger update gaps across their software supply chain.

Updates introduce new exposure

Organizations are also introducing risk at the opposite end of the lifecycle by adopting new releases too quickly. Half of organizations use third-party libraries within one day of release.

This pattern increases the likelihood of introducing malicious code that has not yet been identified by the broader ecosystem. Fast adoption has become routine across automated pipelines.

Supply chain exposure extends beyond libraries into build systems. GitHub Actions usage remains widespread across development environments.

“Organizations that strike the right balance treat dependency updates as a continuous engineering practice, not an occasional security event. By integrating rigorous, automated test suites directly into their CI/CD pipelines, these teams can confidently treat dependency updates as standard code commits,” Kennedy Toomey, Application Security Researcher & Advocate at Datadog, told Help Net Security.

“In contrast, organizations that struggle rely on manual security processes and allow dependencies to become significantly outdated. This increases the likelihood of breaking changes when upgrades finally occur, making updates more time-consuming and complex, which in turn leads to further deprioritization,” Toomey added.

Pipeline controls remain limited

Most organizations are not implementing available safeguards to limit supply chain risk. Seventy-one percent never pin the hash for any of their GitHub Actions.

Pinning an action to a specific commit prevents automatic updates from introducing unexpected changes into workflows. The absence of this practice leaves pipelines open to compromise through modified dependencies.

The risk expands further when examining marketplace actions that are not maintained by GitHub. Eighty percent of organizations use at least one marketplace action that is neither managed by GitHub nor pinned to a commit hash.

Unpinned actions can be altered upstream without visibility inside consuming environments. This creates a direct path for malicious updates to enter production pipelines.
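The pinning gap described above is straightforward to measure in a repository's own workflow files. The following audit script is an added example, not part of the report or Datadog's tooling; it scans `uses:` lines, treats only a full 40-character commit SHA as pinned, and assumes that the `actions` and `github` owners are the ones maintained by GitHub. The workflow text is constructed for illustration, and the SHA in it is a placeholder.

```python
"""Flag GitHub Actions references that are not pinned to a commit SHA (added example)."""
import re
from dataclasses import dataclass

# Regex only, so no YAML library is needed; only `uses:` lines are inspected.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Assumption: actions under these owners are the ones GitHub itself maintains.
GITHUB_OWNERS = {"actions", "github"}

# Constructed sample workflow; the 40-hex value is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: some-vendor/lint-action@main
      - uses: some-vendor/scan-action@v2.1.0
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

@dataclass
class Finding:
    action: str          # owner/repo[/path]
    ref: str             # the part after '@': tag, branch or commit SHA
    pinned: bool         # True only for a full 40-hex commit SHA
    github_managed: bool # owner is in GITHUB_OWNERS

    @property
    def risk(self) -> str:
        if self.pinned:
            return "pinned"
        return "unpinned-github" if self.github_managed else "unpinned-marketplace"

def audit_workflow(text: str) -> list[Finding]:
    findings = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        spec = m.group(1)
        # Local actions and docker:// images are not git refs; they are out of scope here.
        if spec.startswith("./") or spec.startswith("docker://"):
            continue
        action, _, ref = spec.partition("@")
        owner = action.split("/", 1)[0]
        findings.append(Finding(action, ref, bool(FULL_SHA_RE.match(ref)), owner in GITHUB_OWNERS))
    return findings

def unpinned_marketplace(findings: list[Finding]) -> list[Finding]:
    """The highest-risk class on the page: marketplace actions neither GitHub-managed nor SHA-pinned."""
    return [f for f in findings if f.risk == "unpinned-marketplace"]
```

Run against real workflow files under `.github/workflows/` to get the per-repository share of unpinned marketplace actions; a tag such as `@v4` still moves when the upstream tag is re-pointed, which is why only the SHA counts as pinned.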

Criticality shifts under context

Vulnerability severity changes when runtime context is applied. Only 18% of critical dependency vulnerabilities remain critical after adjustment.

This reduction reflects differences between theoretical severity and actual exploit likelihood. Contextual scoring can lower alert volume by focusing attention on vulnerabilities that intersect with active attack paths.

Toomey said, “CISOs should measure whether reprioritization improves mean time to remediate (MTTR), as vulnerabilities with higher adjusted severity scores should decrease meaningfully over time. Because engineering teams are no longer overwhelmed by large volumes of nominal ‘high’ or ‘critical’ findings, they can focus their efforts on truly important issues and remediate them faster.”

Toomey added, “CISOs should also use historical incident data to measure risk reduction. By tracking the number of security events linked to known but unpatched vulnerabilities and the frequency of emergency patch cycles, leadership can better quantify whether reprioritization is actually reducing real-world risk, not just lowering alert volume.”

The shift does not remove exposure. It changes prioritization by identifying which vulnerabilities intersect with production workloads and active threats.

Signs of improvement in remediation load

The volume of high or critical vulnerabilities per affected application has declined. Applications that contain at least one software composition analysis issue now average 8 high or critical vulnerabilities, down from 13.5 in the previous year.

This change suggests some progress in vulnerability management practices. It may reflect improvements in prioritization or increased focus on remediating higher impact issues first.

Fewer high severity findings can ease operational pressure across security and development teams. Alert fatigue has long complicated remediation workflows.

Exposure remains widespread

Development practices continue to emphasize speed. AI-assisted coding and automated deployment pipelines are reinforcing fast release cycles.

Security teams are working within these conditions to identify which exposures demand immediate action. The coexistence of outdated dependencies and rapid adoption of new releases reflects competing priorities across engineering teams.

Software supply chain practices remain uneven. Many organizations have access to controls that could reduce risk but have not implemented them consistently.

The report indicates that operational habits around dependency management and pipeline governance are still evolving. Vulnerabilities persist across production environments even as tooling and automation expand.

Balancing update speed with verification discipline remains an ongoing challenge. Organizations are adopting new software quickly while carrying forward older components that have accumulated risk. This dual dynamic continues to define DevSecOps exposure patterns across cloud-native ecosystems.

