Table of contents
- Top Application Security Findings and Trends for 2026
- Rapid AI Adoption: Why 43% of Organizations Have Exposed AI/ML Credentials
- The Remediation Gap: Why 77% of Critical Vulnerabilities Persist for 90+ Days
- Software Supply Chain Security: Defending the Primary Attack Surface
- Infrastructure as Code (IaC) Security: Preventing Misconfiguration at Scale
- Secrets Detection: Closing the Direct Path to Cloud Compromise
- 2026 AppSec Roadmap: Tactical Recommendations for Reducing Risk
- Application security must become a development competency
- Unifying AppSec, CNAPP, and AI with the Orca Platform
Today, we’re excited to release the 2026 State of Application Security Report, which reveals deep insights uncovered by the Orca Cloud Security Platform across real production environments and modern software delivery pipelines. This year’s report highlights the most prevalent and consequential application security risk trends that organizations face today.
This research is based on data compiled by the Orca Research Pod, analyzing data from more than 1,000 production organizations, spanning billions of cloud assets, CI/CD workflows, infrastructure-as-code deployments, containers, and source code repositories across AWS, Azure, Google Cloud, Oracle Cloud, and Alibaba Cloud environments.
In this blog, we provide an overview of the key findings, explore the trends shaping application risk, and share practical recommendations for reducing exposure across the modern software supply chain.
2026 State of Application Security Report
Top Application Security Findings and Trends for 2026
The Orca Research Pod’s report presents several critical findings, including:
- 78% of organizations run packages with critical vulnerabilities in production
- 77% retain high or critical container vulnerabilities for more than 90 days
- 31% expose valid secrets in source code and 30% retain them in Git history
- 43% have exposed AI/ML credentials
- 11% run publicly known malicious packages in production
- 75% deploy infrastructure via code, but 84% use unencrypted storage and 80% lack logging
Below, we break down what these trends mean for modern application risk and how to reduce exposure.
“Application security has fundamentally changed, but many programs still operate as if it hasn’t. Software is built on open-source dependencies, automated pipelines, and infrastructure as code, while AI is increasing both scale and risk. This report helps organizations understand where traditional approaches fall short and how to focus on the changes that materially reduce risk.”
Gil Geron, CEO and Co-founder of Orca Security
Rapid AI Adoption: Why 43% of Organizations Have Exposed AI/ML Credentials
AI-assisted development is increasing code generation, dependency usage, and service integration at a pace that traditional security controls were not designed to govern. It is also introducing a new class of high-impact exposures across modern application environments.
Our research found that 43% of organizations have exposed AI or machine learning credentials, including tokens for model hosting, inference APIs, and MLOps platforms. These credentials often grant access to proprietary models, sensitive datasets, and usage-based services, creating both security and financial risk through intellectual property theft, model manipulation, and large-scale GPU abuse.
The Remediation Gap: Why 77% of Critical Vulnerabilities Persist for 90+ Days
The primary challenge in application security is no longer discovery. It is prioritization and action. Organizations are identifying vulnerabilities early in the lifecycle, but without production context they struggle to determine which issues are truly exploitable.
As a result, 77% of organizations retain high or critical container vulnerabilities for more than 90 days, and those that remain unpatched for 30 days are unlikely to be remediated at all. Over time, vulnerability backlogs become accepted operational risk rather than actionable remediation work.
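The prioritization argument above is easier to see with a concrete ranking. The following is an added example, not Orca's scoring model or any code from the report: it combines the scanner's static view (CVSS) with production context that only exists at runtime (is the image actually deployed, is the workload internet-facing, is the vulnerable library actually loaded, is the CVE known to be exploited in the wild) and shows how that context reorders a backlog. The weights, the remediation SLA and every `CVE-EXAMPLE-*` record are constructed for illustration; only the Log4Shell entry reflects a real CVE, which the page itself mentions.

```python
"""Rank vulnerability findings by exploitability in production, not by CVSS alone.

Added example (not Orca's scoring model). Weights and sample records are
illustrative assumptions; the CVE-EXAMPLE-* identifiers are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    package: str
    cvss: float
    age_days: int          # days since the finding was first reported
    running: bool          # image backs a live workload (vs. sits unused in a registry)
    internet_facing: bool  # workload reachable from the public internet
    package_loaded: bool   # vulnerable library is actually loaded by the running process
    known_exploited: bool  # exploitation observed in the wild (e.g. a KEV listing)


# Illustrative multipliers (assumption, not a published model).
KEV_MULTIPLIER = 2.0
INTERNET_MULTIPLIER = 1.5
NOT_LOADED_MULTIPLIER = 0.25


def priority(f):
    """Higher is more urgent. A finding in an image that is not running has no
    production exposure at all, so it drops to zero regardless of CVSS."""
    if not f.running:
        return 0.0
    score = f.cvss
    if f.known_exploited:
        score *= KEV_MULTIPLIER
    if f.internet_facing:
        score *= INTERNET_MULTIPLIER
    if not f.package_loaded:
        score *= NOT_LOADED_MULTIPLIER
    return round(score, 2)


def triage(findings, sla_days=30):
    """Return (ranked, overdue).

    ranked:  every finding with production exposure, most urgent first.
    overdue: the subset that is both past the remediation SLA and reachable
             from the internet, i.e. the backlog that has quietly become
             accepted risk rather than work in progress.
    """
    ranked = sorted((f for f in findings if priority(f) > 0), key=priority, reverse=True)
    overdue = [f for f in ranked if f.age_days > sla_days and f.internet_facing]
    return ranked, overdue


# Constructed sample: note that the CVSS 9.8 finding ranks below the 7.5 one.
SAMPLE = [
    Finding("CVE-2021-44228", "log4j-core", 10.0, 120, True, True, True, True),
    Finding("CVE-EXAMPLE-0001", "libfoo", 9.8, 5, False, False, True, False),   # image never deployed
    Finding("CVE-EXAMPLE-0002", "libbar", 7.5, 45, True, True, True, True),     # internet-facing, exploited in the wild
    Finding("CVE-EXAMPLE-0003", "libbaz", 9.2, 60, True, False, False, False),  # running, but library never loaded
]


if __name__ == "__main__":
    ranked, overdue = triage(SAMPLE)
    for f in ranked:
        print(f"{priority(f):6.2f}  {f.cve:18} {f.package:12} age={f.age_days}d")
    print("overdue and exposed:", [f.cve for f in overdue])
```

The point of the sample is the inversion: the CVSS 9.8 finding sits in an image that is not deployed anywhere and scores zero, while the CVSS 7.5 finding on an internet-facing workload with known exploitation outranks everything except Log4Shell. The `overdue` list is what a team should be reporting on, not the raw count of highs and criticals.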
Software Supply Chain Security: Defending the Primary Attack Surface
Modern applications inherit risk from the dependencies, build systems, and automation workflows they rely on. Attackers increasingly target these trust relationships to achieve broad downstream impact across multiple services and environments.
The report found that 11% of organizations are running publicly known malicious packages in production. Combined with the continued presence of Log4Shell in nearly half of environments, this shows that supply chain risk is widespread and slow to remediate. A single compromised dependency can propagate across environments, making supply chain attacks a scalable path from one intrusion to widespread compromise.
Infrastructure as Code (IaC) Security: Preventing Misconfiguration at Scale
Infrastructure is defined and replicated through code, which enables speed and consistency across cloud environments. However, when security controls are missing, this same automation replicates misconfigurations at scale.
75% of organizations manage infrastructure through code, yet 84% deploy unencrypted storage and 80% lack logging in IaC-managed environments. Overly permissive IAM roles and open network rules are frequently embedded in templates, allowing insecure configurations to be deployed repeatedly across production systems.
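A CI gate that catches these template-level defects before they are replicated is straightforward to write. The following is an added example, not Orca's code or a real policy engine: it evaluates a Terraform configuration written in Terraform's JSON syntax (a `.tf.json` file, or the same structure produced by an HCL-to-JSON converter) and flags the four classes the report calls out: S3 buckets with no server-side encryption configuration, buckets with no access logging, IAM policies granting `*` on `*`, and security group ingress open to `0.0.0.0/0`. The resource names and the sample template are constructed for illustration; the AWS provider resource types and attribute names are the real ones for the v4+ split of bucket configuration into separate resources.

```python
"""Policy-as-code gate for Terraform JSON syntax (*.tf.json).

Added example (not Orca's code). The sample template is constructed;
resource type and attribute names follow the AWS provider (v4+).
"""
import json
import re

# Matches "${aws_s3_bucket.name.id}", "aws_s3_bucket.name.bucket", etc.
_BUCKET_REF = re.compile(r"aws_s3_bucket\.([A-Za-z0-9_-]+)\.(?:id|bucket)")


def _bucket_ref(value):
    m = _BUCKET_REF.search(value) if isinstance(value, str) else None
    return m.group(1) if m else None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def evaluate(tf):
    """Return a list of (severity, resource_address, message) findings."""
    res = tf.get("resource", {})
    findings = []

    # Encryption and logging live in separate resources that reference the bucket,
    # so a bucket is only covered when such a resource points back at it.
    encrypted = {_bucket_ref(c.get("bucket")) for c in
                 res.get("aws_s3_bucket_server_side_encryption_configuration", {}).values()}
    logged = {_bucket_ref(c.get("bucket")) for c in res.get("aws_s3_bucket_logging", {}).values()}
    for name in res.get("aws_s3_bucket", {}):
        addr = f"aws_s3_bucket.{name}"
        if name not in encrypted:
            findings.append(("HIGH", addr, "no server_side_encryption_configuration references this bucket"))
        if name not in logged:
            findings.append(("MEDIUM", addr, "no aws_s3_bucket_logging references this bucket"))

    for name, cfg in res.get("aws_iam_policy", {}).items():
        doc = cfg.get("policy")
        doc = json.loads(doc) if isinstance(doc, str) else doc
        if not isinstance(doc, dict):
            continue
        for stmt in _as_list(doc.get("Statement", [])):
            if (stmt.get("Effect") == "Allow"
                    and "*" in _as_list(stmt.get("Action", []))
                    and "*" in _as_list(stmt.get("Resource", []))):
                findings.append(("CRITICAL", f"aws_iam_policy.{name}", "Allow */* grants full account access"))

    for name, cfg in res.get("aws_security_group", {}).items():
        for rule in _as_list(cfg.get("ingress", [])):
            if "0.0.0.0/0" in rule.get("cidr_blocks", []) or "::/0" in rule.get("ipv6_cidr_blocks", []):
                findings.append(("HIGH", f"aws_security_group.{name}",
                                 f"ingress {rule.get('from_port')}-{rule.get('to_port')} open to the internet"))
    return findings


def gate(tf, fail_on=("CRITICAL", "HIGH")):
    """CI gate: True when the template may be applied."""
    return not any(sev in fail_on for sev, _, _ in evaluate(tf))


def with_resource(tf, rtype, name, cfg):
    """Deep-copied template with one resource added; used to show a fix."""
    new = json.loads(json.dumps(tf))
    new.setdefault("resource", {}).setdefault(rtype, {})[name] = cfg
    return new


# Constructed template: "logs" is encrypted but unlogged, "app_data" is logged
# but unencrypted, the IAM policy is */*, and SSH is open to the world.
SAMPLE_TF = {
    "resource": {
        "aws_s3_bucket": {
            "app_data": {"bucket": "example-app-data"},
            "logs": {"bucket": "example-access-logs"},
        },
        "aws_s3_bucket_server_side_encryption_configuration": {
            "logs": {"bucket": "${aws_s3_bucket.logs.id}",
                     "rule": [{"apply_server_side_encryption_by_default": [{"sse_algorithm": "aws:kms"}]}]},
        },
        "aws_s3_bucket_logging": {
            "app_data": {"bucket": "${aws_s3_bucket.app_data.id}",
                         "target_bucket": "${aws_s3_bucket.logs.id}", "target_prefix": "app-data/"},
        },
        "aws_iam_policy": {
            "admin": {"name": "example-admin",
                      "policy": json.dumps({"Version": "2012-10-17",
                                            "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})},
        },
        "aws_security_group": {
            "web": {"name": "example-web",
                    "ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]},
        },
    }
}


if __name__ == "__main__":
    for sev, addr, msg in evaluate(SAMPLE_TF):
        print(f"{sev:8} {addr}: {msg}")
    raise SystemExit(0 if gate(SAMPLE_TF) else 1)
```

Two caveats for anyone adapting this. It reads configuration, not a plan, so it sees what the template declares rather than what the provider will actually create; feeding it `terraform show -json` output would require walking `planned_values` instead. And it only inspects the JSON syntax: HCL modules need a converter first, and anything assembled in `for_each` loops or passed through module variables will not resolve to a bucket reference this regex recognizes, which is exactly the kind of gap that lets a misconfiguration through a naive gate.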
Secrets Detection: Closing the Direct Path to Cloud Compromise
Secrets remain one of the most reliable entry points for attackers because they grant immediate authenticated access to cloud services and internal systems. Hardcoded credentials, tokens in Git history, and secrets embedded in CI/CD workflows are routinely found in production code.
31% of organizations expose valid secrets in repositories, and 30% retain recoverable secrets in commit history, even after they appear to be removed. Because many of these credentials remain active, they create persistent and low-effort access paths into critical environments.
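The "removed but still recoverable" case is the one most scanners miss, because they only look at the working tree. The following is an added example, not Orca's detector or any code from the report: a scanner that walks every blob of every commit, reports each distinct secret once with the commit range it appears in, and says whether HEAD still contains it. The repository is modelled as an ordered list of commits built inline so the script runs offline without Git; the AWS key is the placeholder value from AWS's own documentation and the other values, paths and commit hashes are constructed. The entropy threshold and the `generic_api_key` pattern are assumptions tuned for this sample.

```python
"""Secret detection over commit history, not just the working tree.

Added example (not Orca's code). Commits, paths, hashes and key values are
constructed; the AWS key is the documented AWS placeholder, not a live key.
"""
import math
import re
from collections import Counter

# Provider-shaped patterns. The generic pattern needs an entropy check,
# otherwise placeholders such as CHANGEME_... are reported as live keys.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic_api_key": re.compile(
        r"(?i)(?:api|secret|token)[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9_\-]{24,})"
    ),
}
MIN_ENTROPY = 3.5  # bits per character; assumption chosen for this sample


def shannon_entropy(s):
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path, text):
    """Findings for one blob: type, value and 1-based line number."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for name, pat in PATTERNS.items():
            for m in pat.finditer(line):
                value = m.group(m.lastindex or 0)
                if name == "generic_api_key" and shannon_entropy(value) < MIN_ENTROPY:
                    continue  # low-entropy placeholder, not a credential
                findings.append({"path": path, "line": line_no, "type": name, "value": value})
    return findings


def scan_history(commits):
    """Scan every blob of every commit (oldest first). Each distinct secret is
    reported once with the commit range it appears in and whether HEAD still
    contains it. A secret absent from HEAD but present in history is still
    live until rotated: anyone with clone access can read the old blob."""
    seen = {}
    last = len(commits) - 1
    for idx, commit in enumerate(commits):
        for path, text in commit["files"].items():
            for f in scan_text(path, text):
                key = (f["type"], f["value"])
                entry = seen.setdefault(
                    key, {**f, "first_commit": commit["sha"], "last_commit": commit["sha"]}
                )
                entry["last_commit"] = commit["sha"]
                entry["in_head"] = idx == last
    return list(seen.values())


# Constructed history: the key is committed, then "removed" in a follow-up
# commit that reads it from the environment instead. The first commit's blob
# is still in the object store, so the key is still recoverable.
SAMPLE_COMMITS = [
    {
        "sha": "a1b2c3d",
        "files": {
            "config/settings.py": "AWS_KEY = 'AKIAIOSFODNN7EXAMPLE'\nDEBUG = False\n",
        },
    },
    {
        "sha": "e4f5a6b",
        "files": {
            "config/settings.py": "import os\nAWS_KEY = os.environ['AWS_KEY']\nDEBUG = False\n",
            ".env.example": "API_KEY=CHANGEME_CHANGEME_CHANGEME\n",
            "ci/deploy.sh": 'export TOKEN_KEY="x7Kq9mP2vL4nR8tW1yB6zC3dF5hJ0gA"\n',
        },
    },
]


if __name__ == "__main__":
    for f in scan_history(SAMPLE_COMMITS):
        where = ("still in HEAD" if f["in_head"]
                 else f"gone from HEAD, present in {f['first_commit']}..{f['last_commit']}")
        print(f"{f['type']} at {f['path']}:{f['line']} ({where}) -> rotate")
```

Both findings need rotation regardless of where they sit; the `in_head` flag only tells you whether a fix commit is also required. Against a real repository the same walk is `git rev-list --all` followed by `git show <sha>:<path>` for every path in each tree, and the verification step that matters is checking with the provider whether the credential is still active, since a scanner cannot tell a revoked key from a live one.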
2026 AppSec Roadmap: Tactical Recommendations for Reducing Risk
The report outlines a clear, practical roadmap for reducing risk:
Immediate Security Actions: Priority Tasks for Days 0–30
- Rotate exposed secrets
- Patch actively exploitable CVSS 10 vulnerabilities
- Restrict CI/CD token permissions
Short-Term Hardening: Security Controls for Days 30–90
- Enforce dependency and malicious package controls
- Harden repositories with branch protection, MFA, and signed commits
- Add IaC security gates in CI/CD
Strategic Governance: Long-Term Initiatives for 90+ Days
- Standardize container base images and rebuild pipelines
- Adopt ephemeral credentials and Zero Trust for CI/CD
- Implement continuous runtime monitoring
These controls are not theoretical; they are the most direct ways to reduce real-world exposure across the software supply chain.
Application security must become a development competency
The data makes one thing clear: application security can no longer operate as a separate, downstream function. Every commit, dependency, and configuration change shapes risk across the software delivery lifecycle.
Organizations that succeed embed security directly into development workflows, prioritize issues based on real production context, and treat remediation as an operational process rather than a static backlog. In practice, this makes application security a core component of software quality owned jointly by development, security, and platform teams.
Unifying AppSec, CNAPP, and AI with the Orca Platform
The findings in the 2026 State of Application Security Report are based on data from the Orca Platform, which enables organizations to identify, prioritize, and remediate application risks across the software delivery lifecycle, from source code and dependencies to CI/CD pipelines, containers, and infrastructure as code. By unifying SCA, SAST, secrets detection, SCM and CI/CD security with runtime context, Orca helps teams focus on the vulnerabilities and exposures that actually matter. Orca’s agentless SideScanning™ technology delivers this coverage across AWS, Azure, Google Cloud, Oracle Cloud, Alibaba Cloud, and Kubernetes.
Read the full 2026 State of Application Security Report to explore the complete data, trends, and recommended roadmap for reducing real production exposure.