Safeguard
DevSecOps

Annual DevSecOps maturity benchmark report

Safeguard's 2026 DevSecOps Maturity Benchmark finds detection at an all-time high but remediation stuck at a 19-day median — here's what separates the top-quartile programs.

Safeguard Research Team
Research
7 min read

Security and engineering leaders enter the second half of 2026 with a familiar problem: everyone agrees DevSecOps maturity matters, and almost no one can say with precision how mature their own program actually is. Safeguard's research team spent January through May 2026 analyzing anonymized telemetry from 412 engineering organizations — ranging from 50-person startups to Fortune 500 enterprises — alongside a survey of 1,180 security and platform engineers, to produce this year's DevSecOps Maturity Benchmark Report. The headline finding: the median organization still takes 19 days to remediate a critical vulnerability once it's flagged, barely improved from 21 days a year earlier, even as the volume of findings pushed into security backlogs grew by 34% year over year.

That stagnation sits at the center of this year's report. Tooling adoption has never been higher — 91% of surveyed organizations now run some form of SAST, and 78% have SCA or dependency scanning wired into CI — yet the metrics that actually indicate maturity (time to remediate, percentage of findings triaged with business context, and reachability-informed prioritization) have moved only marginally. The gap between "we have the tools" and "the tools are changing outcomes" is this year's defining theme.

The Headline Numbers

Four data points from the benchmark set the tone for where the industry stands in mid-2026:

  • 19 days median time-to-remediate for critical/high findings, down only 2 days from last year's 21-day median.
  • 34% increase in total findings volume per organization, driven largely by expanded SCA coverage and the growth of AI-assisted code generation.
  • 61% of organizations report having a documented SBOM practice, up from 44% in 2025 — but only 23% say they can consume and act on a third-party SBOM they receive, versus one they generate themselves.
  • 12% of organizations report using reachability or exploitability analysis to prioritize findings, despite 68% saying they consider "reducing noise" a top-three security priority for the year.

Taken together, the numbers describe an industry that has solved for detection and is now stuck at triage. Organizations are finding more than ever and fixing at roughly the same pace as before — a mismatch that compounds every quarter unless prioritization logic improves.

Where Maturity Stalls: The Detection-to-Remediation Gap

The report's maturity model scores organizations across five levels, from Level 1 (ad hoc scanning, no consistent policy) to Level 5 (automated, risk-weighted remediation integrated into developer workflow). The distribution this year:

  • Level 1: 9%
  • Level 2: 31%
  • Level 3: 38%
  • Level 4: 17%
  • Level 5: 5%

The plurality of organizations sit at Level 3 — they've standardized tooling and have written policy, but remediation still depends on manual triage by a security team that is chronically outnumbered by developers. Safeguard's data shows the average security-to-engineer ratio at Level 3 organizations is roughly 1:87, compared to 1:34 at Level 4 and above. That staffing gap is arguably the single strongest predictor of maturity level in the entire dataset — stronger than budget, stronger than industry vertical, and stronger than company age.

The organizations that broke into Level 4 and 5 this year share one operational trait: they've shifted triage decisions away from severity scores (CVSS alone) and toward exploitability and reachability signals. Respondents at Level 4+ organizations were three times more likely to say "a finding's reachability in our running application" was their primary prioritization signal, versus CVSS score alone, which remained the default at Level 2 and 3 organizations.

SBOM Adoption Climbs, But Trust Lags

SBOM practice is the fastest-growing category in this year's benchmark, and also the one with the widest gap between adoption and utility. Generation is up sharply — 61% of organizations now produce an SBOM for at least their primary applications, driven in large part by continued federal procurement pressure and customer security questionnaires that now ask for one by default.

But generating an SBOM and using one are different maturity stages, and the report finds most organizations stuck on the former. Only 23% of respondents said they have a workflow for ingesting a vendor or open-source SBOM and matching it against active advisories automatically. The rest either don't request SBOMs from suppliers at all (29%) or receive them and store them without automated analysis (48%) — effectively treating a machine-readable artifact as a compliance PDF.

This "SBOM theater" problem is compounding as the software supply chain gets deeper. The average application in the benchmark dataset now pulls in 187 transitive dependencies, up from 156 last year. Without automated SBOM ingestion and continuous matching against new advisories, organizations are accumulating supply chain debt faster than they can audit it manually — a gap that showed up repeatedly in open-ended survey responses as the top reason security teams cited for missing a subsequently disclosed critical vulnerability in a dependency they technically already had inventoried.

AI-Generated Code and the New Attack Surface

This year's report includes a new section on AI-assisted development, reflecting how quickly it has become a material factor in supply chain risk. 74% of surveyed organizations report that a meaningful share of new code (self-estimated at 20% or more) is now AI-generated or AI-assisted. Of those organizations, only 31% have adjusted their scanning or review policy specifically to account for it.

The concern isn't hypothetical: organizations with high AI-code adoption and no policy adjustment showed a 22% higher rate of newly introduced hallucinated or non-existent package references making it into pull requests — the "slopsquatting" pattern where an AI coding assistant recommends a dependency that doesn't exist (or that an attacker has since registered to exploit exactly this behavior). Organizations that added automated dependency-existence and provenance checks to their PR pipeline saw this category of finding drop by more than half within two quarters.

What Separates Level 4 and 5 Programs from the Rest

Beyond staffing ratios and reachability-based triage, three practices consistently distinguished top-quartile programs in this year's data:

  1. Fix delivery is automated, not just flagged. Level 4+ organizations were roughly twice as likely to have auto-generated fix PRs merged with minimal manual editing, versus lower-maturity organizations where a finding routes to a ticket queue and waits for developer bandwidth.
  2. Griffin-style AI triage assistance is in the loop. Programs using an AI reasoning layer to correlate findings, code context, and exploitability before a human ever looks at the ticket cut their mean-time-to-triage by 58% compared to programs relying on manual severity sorting.
  3. SBOMs are living artifacts, not point-in-time exports. Top-tier organizations regenerate and re-match SBOMs continuously against new CVE disclosures rather than on a quarterly or release-based cadence — catching newly disclosed risk in dependencies they already shipped, not just in new code.

Notably, none of these three practices require a bigger security headcount — they require different tooling logic. That's a meaningful finding for CISOs building next year's budget case: the data suggests maturity gains are increasingly a function of automation quality, not team size.

How Safeguard Helps

This benchmark data maps directly onto the gaps Safeguard is built to close. Our reachability analysis engine determines whether a flagged vulnerability sits in code paths your application actually executes, so teams can cut through the noise that keeps Level 2 and 3 organizations stuck in manual triage. Griffin, our AI security analyst, correlates findings with code context and exploitability signals automatically — the same triage acceleration this year's top-quartile organizations report, without requiring additional headcount. Safeguard generates and continuously ingests SBOMs, matching every component against newly disclosed advisories in real time rather than at a point-in-time snapshot, turning SBOM practice from a compliance artifact into an operational one. And where a fix is available, Safeguard opens an auto-fix pull request with the remediation already applied, directly shrinking the 19-day median time-to-remediate that this year's benchmark identifies as the industry's most stubborn number. Teams that want to see where they land on next year's benchmark can start by measuring these four metrics inside their own pipeline today.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.