
OX Security recently analyzed 216 million security findings across 250 organizations over a 90-day period. The key takeaway is that outstanding alert volume increased by 52% year-over-year, while high-priority critical risks increased by nearly 400%.
The proliferation of AI-assisted development is creating a “velocity gap” where the density of high-impact vulnerabilities grows faster than remediation workflows. The ratio of critical findings to outstanding alerts almost tripled from 0.035% to 0.092%.
Key findings from the 2026 analysis:
CVSS and business context: Technical severity scores are no longer the primary driver of risk. The most common promotion factors were high business priority (27.76%) and PII processing (22.08%). In modern environments, it’s less about what the vulnerability is and more about where the vulnerability exists.
AI fingerprinting: We observed a direct correlation between the adoption of AI coding tools and a 4x increase in significant results (an average of 795 per organization, up from 202). Increased code speed has led to more complex and context-sensitive defects that bypass basic linting and legacy scanners.
Sector diversification: Risk profiles are not homogeneous. Insurance companies had the highest density of critical findings (1.76%), while the automotive sector generated the highest volume of alerts. This is likely due to the extensive codebase expansion in software-defined vehicles.
This is the second year that OX has conducted this analysis to benchmark the state of application security.
The full report, including methodology and industry-specific benchmarks, is available here.
