OX Security recently analyzed 216 million security findings across 250 organizations over a 90-day period. The primary takeaway: while raw alert volume grew by 52% year-over-year, prioritized critical risk grew by nearly 400%.
The surge in AI-assisted development is creating a “velocity gap” where the density of high-impact vulnerabilities is scaling faster than remediation workflows. The ratio of critical findings to raw alerts nearly tripled, moving from 0.035% to 0.092%.
Key Findings from the 2026 Analysis:
- CVSS vs. Business Context: Technical severity scores are no longer the primary driver of risk. The most common elevation factors were High Business Priority (27.76%) and PII Processing (22.08%). In modern environments, where a vulnerability lives is now more important than what the vulnerability is.
- The AI Fingerprint: We observed a direct correlation between the adoption of AI coding tools and the quadrupling of critical findings (averaging 795 per org, up from 202). Increased code velocity is yielding more complex, context-dependent flaws that bypass basic linting and legacy scanners.
- Sector Variance: Risk profiles are not uniform. Insurance firms showed the highest density of critical findings (1.76%), while the Automotive sector generated the highest raw volume of alerts—likely due to the massive scale of codebase expansion in software-defined vehicles.
This is the second year OX has conducted this analysis to benchmark the state of Application Security.
Full report, including methodology and industry-specific benchmarks, is available here.
Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.