Known vulnerabilities behind most application security incidents

Eight in ten organizations took an application security hit during the past year tied to a vulnerability their team had already cataloged, according to a survey of 902 IT and security professionals conducted by the Cloud Security Alliance. The pattern points to a structural condition across the industry, where the window between identifying a flaw and closing it in production stays open long enough for attackers to act.


Which of the following best describes your organization's visibility into the runtime behavior of AI-powered application components? (Source: CSA)

The National Vulnerability Database logged more than 40,000 CVEs in 2025, and VulnCheck recorded exploitation within days of disclosure. Frontier AI systems capable of generating working exploits at machine speed, including one called Mythos, have compressed that window further, raising the operational stakes for any organization carrying unresolved findings in live environments.

The patch gap measured in days

Most organizations close critical and high-severity flaws somewhere between one and seven days after identification. Very few manage remediation inside 24 hours. The bulk fall into the multi-day range, and that range is where the trouble compounds.

Remediation speed correlates strongly with outcomes. Among organizations taking four to seven days, nearly all experienced a known-vulnerability incident in the past year; the rate falls sharply for teams closing flaws within one to three days. In practice, an exposure that stays open for several days usually ends up being experienced as an incident.

Disagreement inside the organization slows the process further. Disputes over vulnerability relevance or exploitability surface in roughly a third of cases. Concerns about disrupting application functionality or business operations rank as the leading reason for delay, named by nearly half of respondents.

Production keeps absorbing incidents

Pre-production tooling is widespread. Static Application Security Testing is in place at most organizations, and Web Application Firewalls and Dynamic Application Security Testing are common. Despite that coverage, 80 percent of respondents had at least one application security incident in the past year.

Among organizations that experienced a production incident, the breakdown splits almost evenly between two failure modes. In roughly half of cases the issue escaped pre-production detection entirely. In the other half the vulnerability was identified before release and still reached production. Even among respondents who described themselves as very confident their current strategy will hold up under AI-driven attack surfaces, more than 90 percent saw a known vulnerability bypass pre-production controls and reach production. Confidence in upstream strategy does not change the operational picture.

AI components in production, oversight in retrospect

Seven in ten organizations run AI-powered application components in production. The deployment picture is split. Half of that group reports limited or no current security concerns. The other half is operating AI components with active concerns.

Runtime oversight of those components lags behind deployment. Half of respondents described their AI runtime visibility as fully auditable after an incident. Another quarter reported partial or incomplete logging, and fewer than one in five have real-time visibility. For most organizations, AI oversight today means reconstructing what happened after the fact.

Proof of exploitability is the requested capability

When investigating a suspected production risk, more than half of respondents named the ability to distinguish real threats from non-exploitable or low-risk findings as their top challenge. Prioritization came second. Staffing and skill limitations registered near the bottom of the list.

The same pattern appeared when respondents named what would most help with remediation. The leading requests were proof that a vulnerability can be exploited in production, the ability to contain risk without an immediate code change, and visibility into the exact code paths and data flows affected. Additional staffing again came in low. The signal across both questions points away from capacity and toward the runtime evidence that converts a finding into an actionable risk.

Appetite for blocking exceeds confidence in current controls

Nearly three-quarters of organizations said they would be likely or very likely to use virtual patching controls that could reliably block production exploits with minimal false positives. Current deployments fall short of that standard. Only a small share have their WAF configured to automatically block application-layer attacks. Most operate in more conservative modes, blocking only well-understood patterns, running primarily in alert mode, or limiting controls to logging.

The reasons for conservative configuration are operational. The leading concern, named by a majority of respondents, is the lack of application-level context needed to make safe blocking decisions. Fear of disrupting business-critical functionality and the burden of tuning and maintenance round out the top objections. Nearly half of teams struggle to explain unusual application behavior in production at least monthly.
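The two postures described above, a WAF left in alert mode for fear of false positives versus a narrowly scoped virtual patch that blocks a known exploitable flaw without a code change, can be made concrete in WAF configuration. The following is an added example written for this page, not material from the CSA report; it uses ModSecurity directive syntax (the rule language also used by the OWASP Core Rule Set). The endpoint /api/report, its template parameter, and the rule IDs 100001 and 100002 are hypothetical placeholders. The two postures are shown side by side for comparison; a real deployment picks one SecRuleEngine setting.

```apache
# ---- Posture 1: "alert mode", the majority configuration in the survey ----
# DetectionOnly makes every rule log-only, however precise the rule is.
# No false positive can ever block traffic, but a known exploitable flaw
# stays reachable until the code fix ships.
SecRuleEngine DetectionOnly

# ---- Posture 2: engine enforcing, blocking limited to a scoped virtual patch ----
SecRuleEngine On
SecRequestBodyAccess On

# Broad, signature-style rules stay non-disruptive: "pass" logs the match for
# visibility but never blocks, because the WAF lacks the application-level
# context to know whether this request is actually dangerous.
SecRule ARGS "@detectSQLi" \
    "id:100001,phase:2,pass,log,msg:'Possible SQLi (log only, no app context)',tag:'alert-only'"

# Virtual patch for a hypothetical flaw in /api/report?template=... (placeholder
# endpoint and parameter). Rather than guessing at attack signatures, the rule
# allow-lists the value shape the application is known to expect and denies
# anything else, on this one endpoint only. The chain matches when BOTH rules
# match; the deny/status/log actions on the first rule then fire. The proper
# fix can ship on the normal release cycle while the exposure is contained.
SecRule REQUEST_URI "@beginsWith /api/report" \
    "id:100002,phase:2,deny,status:403,log,chain,\
    msg:'Virtual patch: unexpected template value on /api/report',\
    tag:'virtual-patch'"
    SecRule ARGS:template "!@rx ^[A-Za-z0-9_-]{1,64}$"

# Requests to any other path never evaluate the second rule of the chain, so
# business-critical functionality elsewhere is not exposed to this block.
```

Before switching rule 100002 from log-only to deny, run it with `pass` in place of `deny` for a period and review the audit log entries for that rule ID; any legitimate traffic it would have caught shows up there as a false positive to be folded into the allow-list. That staging step is what turns the "lack of application-level context" objection into a bounded tuning task for one endpoint rather than a reason to leave the whole engine in alert mode.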

Investment intent shifts toward production

Roughly half of organizations plan to invest more heavily in pre-production security over the next 24 months. Close behind, 42 percent plan to increase investment in runtime security, a figure that signals movement in spending priorities even where pre-production retains the lead.

Budget expectations remain mixed. For runtime security, projections divide roughly evenly across growth, flat allocations, and decreases. AI security budgets show a similar split, with the largest single share of respondents expecting a decrease over the next 12 to 24 months. Current AI and agentic security spending typically falls between 6 and 20 percent of the security budget, a share now under pressure from competing demands inside production defense.
