Safeguard
Industry Analysis

The State of Cloud Native Application Security survey

New 2026 survey data reveals a widening gap between vulnerability alert volume and remediation capacity — and what security teams say actually helps.

Safeguard Research Team
Research
7 min read

SAN FRANCISCO — Security leaders are drowning in cloud native alerts, and a growing body of survey data released across the first half of 2026 shows the gap between the volume of findings and the capacity to act on them has never been wider. Safeguard's own 2026 State of Cloud Native Application Security survey, fielded in Q2 2026 across 412 security and platform engineering leaders at organizations running Kubernetes, containers, and serverless workloads in production, found that 78% of respondents say their teams triage more vulnerability alerts today than they did twelve months ago — while only 22% report a corresponding increase in headcount. The result is a widening backlog that is reshaping how enterprises think about application security tooling heading into 2027 budget cycles.

The findings track closely with parallel data from industry peers. Aggregate figures compiled from vendor and analyst reports published between January and June 2026 put the average enterprise's open critical-and-high vulnerability count at over 1,400 findings per 100 production services, with a mean time-to-remediate hovering north of 60 days for issues rated "critical" by CVSS score alone. That number matters because it is functionally unchanged from 2024 and 2025 survey cycles, despite three straight years of double-digit growth in security tooling spend. More scanners are running. Fewer things are actually getting fixed.

The Alert Volume Problem Has a Name: Noise

Safeguard's survey asked respondents to identify the single biggest obstacle to closing out vulnerability findings. The top answer, cited by 61% of respondents, was not lack of tooling or lack of budget — it was an inability to tell which findings actually matter. Nearly two-thirds of security teams reported that their scanners flag vulnerabilities in packages that are present in a container image or dependency tree but never loaded, imported, or executed at runtime. Teams described spending entire sprints chasing CVEs that, on inspection, sat in dead code paths or in libraries pulled in transitively for a feature the application never invokes.

This is the well-documented "reachability gap" that has dogged software composition analysis (SCA) tooling since it first scaled to cloud native environments. Traditional SCA answers the question "is this vulnerable package present?" It does not answer "can an attacker actually reach the vulnerable function through any code path my application executes?" Survey respondents who had adopted some form of reachability or call-graph analysis reported a 68% reduction in tickets routed to engineering teams for remediation — not because fewer vulnerabilities existed, but because far fewer of them were provably exploitable in their specific deployment.

SBOMs Went From Compliance Checkbox to Operational Requirement

A second major theme in the 2026 data is the maturation of software bill of materials (SBOM) practices from a regulatory afterthought into daily operational infrastructure. Following the continued rollout of executive-order-driven procurement requirements in the U.S. federal supply chain and equivalent obligations under the EU Cyber Resilience Act, 71% of surveyed organizations said they now generate SBOMs for every production build, up from 44% in the equivalent 2024 survey wave. But generation is outpacing use: only 29% of respondents said they actively ingest and cross-reference SBOMs from third-party vendors and open source dependencies against live threat intelligence feeds. The rest are producing documents that satisfy an auditor but sit unused operationally — a gap that becomes acute during incident response, when security teams need to answer "are we affected by this newly disclosed CVE" in minutes, not days.

Respondents at organizations with automated SBOM ingestion pipelines reported answering that question in a median of 4 hours. Organizations relying on manual spreadsheet-based inventories reported a median of 6 days — a difference that, during a fast-moving event like the xz-utils backdoor disclosure of 2024 or any of the several high-severity npm and PyPI supply chain compromises reported through 2025 and into 2026, is the difference between a contained incident and an open-ended exposure window.

AI-Generated Code Is Now a Majority Practice — and a Majority Concern

Perhaps the most consequential shift in this year's data is around AI-assisted and AI-generated code. 83% of respondents said their engineering organizations now use AI coding assistants in some production capacity, up sharply from prior years. At the same time, 58% said they have no automated process to distinguish AI-generated code from human-written code in their security review pipeline, and 47% said they had directly observed AI-suggested code introducing a vulnerability class — most commonly injection flaws, hardcoded secrets, and insecure deserialization — that made it past initial code review.

This matters for application security posture management because it changes the shape of the problem. It is no longer sufficient to scan committed code for known-bad patterns after the fact; the volume and velocity of AI-assisted commits means vulnerable patterns are being introduced faster than manual review can catch them. Security teams surveyed said they are increasingly looking for tooling that can act at the pull request stage — flagging exploitable issues and proposing validated fixes before code merges, rather than opening a ticket weeks later against code already running in production.

The Skills and Ownership Gap Persists

Finally, the survey reinforces a structural finding that has held steady across multiple years of cloud native security research: ownership of vulnerability remediation remains contested. 54% of security teams said they lack a clear, enforced process for routing a confirmed exploitable finding to the correct engineering owner, and 39% said the average finding sits unassigned for more than a week before anyone begins work on it. DevSecOps maturity models continue to promise "shift left," but the survey data suggests many organizations have shifted the scanning left without shifting the remediation workflow, ownership model, or developer tooling to match — leaving security teams as the sole custodians of a growing backlog they have no direct ability to fix.

Taken together, the 2026 data paints a picture of an industry that has scaled its detection capability considerably faster than its remediation capability. More scanners, more SBOMs, more AI-written code, and more compliance mandates have all arrived — but the fundamental question every CISO is now asking their board is not "how many vulnerabilities do we have" but "which of these can actually hurt us, and who is going to fix them by when."

How Safeguard Helps

Safeguard is built directly around the gap this survey exposes. Our reachability analysis engine traces actual code execution paths through your services to determine whether a flagged CVE sits on a path an attacker can reach, cutting through the noise that 61% of survey respondents identified as their top obstacle and letting teams prioritize the small fraction of findings that are truly exploitable. Griffin, Safeguard's AI security analyst, continuously correlates reachability, exploit intelligence, and runtime context to explain why a finding matters — or doesn't — in plain language, so the ownership and triage friction described by more than half of surveyed teams stops being a manual, meeting-driven process. Safeguard generates and ingests SBOMs automatically on every build, keeping a live, queryable inventory of every dependency across your fleet so that "are we affected" questions get answered in minutes rather than days when the next supply chain incident breaks. And for the fixable findings that remain, Safeguard opens auto-fix pull requests with validated patches and dependency upgrades directly against the offending code, closing the loop from detection to remediation without waiting on an already-stretched engineering team to find the time.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.