Known Vulnerabilities Fuel Majority of Application Security Incidents, Survey Finds
A Cloud Security Alliance survey reveals that 80% of organizations suffered application security incidents stemming from known, unpatched vulnerabilities, highlighting a critical gap in timely remediation.

A significant majority of organizations, precisely 80%, experienced an application security incident directly linked to a known vulnerability within the past year, according to a recent survey of 902 IT and security professionals conducted by the Cloud Security Alliance (CSA).
This pervasive issue underscores a systemic challenge within the cybersecurity industry: the persistent gap between the discovery of a vulnerability and its effective remediation in production environments. Attackers are adept at exploiting this window, turning known weaknesses into successful breaches. The sheer volume of disclosed vulnerabilities, with the National Vulnerability Database logging over 40,000 CVEs in 2025 alone, exacerbates the problem. Furthermore, the advent of AI-powered tools capable of generating exploits at machine speed, such as Mythos, has dramatically compressed the timeline for exploitation, increasing the operational risk for any organization carrying unresolved findings.
The survey indicates that while most organizations aim to patch critical and high-severity flaws within one to seven days, very few achieve remediation within 24 hours. The multi-day remediation window is where most incidents originate. Organizations taking four to seven days to address flaws reported near-universal incidents, a rate that sharply decreases for those resolving issues within one to three days. This correlation between remediation speed and incident occurrence is stark, suggesting that even a few days of exposure can be enough for an attack to succeed.
Internal organizational friction also contributes to the delay. Approximately one-third of cases involve disputes over a vulnerability's relevance or exploitability. Concerns about disrupting application functionality or business operations are the primary reasons cited for delays, affecting nearly half of respondents. This highlights a tension between security imperatives and operational continuity.
Despite widespread adoption of pre-production security tools like Static Application Security Testing (SAST), Web Application Firewalls (WAFs), and Dynamic Application Security Testing (DAST), 80% of respondents still reported at least one application security incident in the past year. The incidents were split almost evenly between vulnerabilities that escaped pre-production detection entirely and those identified before release but still reached production. This suggests that current pre-production strategies, while common, are not foolproof.
The survey also sheds light on the growing adoption of AI-powered application components. Seven in ten organizations now run AI components in production, roughly split between those that report security concerns about them and those that do not. However, runtime oversight of these components lags significantly behind deployment. Half of organizations have visibility into these components that is only fully auditable after an incident, and fewer still have real-time monitoring capabilities. This reactive approach to AI security is a growing concern.
When investigating potential production risks, the primary challenge identified by respondents is distinguishing real threats from non-exploitable findings, followed closely by prioritization. The most requested capabilities for remediation include proof of exploitability in production, methods to contain risk without immediate code changes, and detailed visibility into affected code paths. This indicates a need for more actionable, evidence-based security intelligence rather than simply more staff.
Finally, while nearly three-quarters of organizations are open to using virtual patching to block production exploits, current deployments are conservative. The lack of application-level context needed for safe blocking decisions and the fear of disrupting business operations are major barriers. This suggests a need for more intelligent, context-aware security controls that can operate effectively without causing undue operational disruption.