2026

State of AI in Security & Development

Our new report captures the voices of 450 security leaders (CISOs or equivalent), developers, and AppSec engineers across Europe and the US. Together, they reveal how AI in cybersecurity and software development is already breaking things, how tool sprawl is making security worse, and how developer experience is directly tied to incident rates. This is where speed and safety collide in 2026.

Key Findings

01

AI Adoption

1 in 5 suffered a serious incident linked to AI code

Semi-circular chart showing responses to security vulnerabilities from AI-generated code: 49% minor issue, 20% serious incident, 20% not aware, 11% no.

“Whilst organisations battle to leverage the benefits of AI, there is often a hidden associated battle going on, and that’s to keep their organisation safe from an increase in cyber risk that AI presents. The role of the CISO is to ensure the security posture scales as quickly as the technology does.”

Christelle Heikkilä
Former CIO/CISO, Arsenal FC

53% blame the security team for incidents linked to AI code

Q. If a vulnerability introduced by GenAI code later caused a security incident, who would ultimately be held accountable in your organization? Select all that apply.

“There's clearly a lack of clarity among respondents over where accountability should sit for good risk management”

Andy Boura
CISO, Rothesay
02

Developer Experience

15% of engineering time is lost to triaging alerts

That's $20m per year for a 1000-dev organization

Chart: Estimated annual cost of developer time spent on triaging. Legend: $ wasted on false positives; remainder $ wasted on triage. Totals: $1M for 50 developers, $5M for 250 developers, $20M for 1,000 developers. Segment values: $280k and $720k (50 developers), $1.4m and $3.6m (250 developers), $5.6m and $14.4m (1,000 developers).

2/3 of respondents bypass security, dismiss findings or delay fixes

Q: How has dealing with false positives from security tools affected your development practices? Select all that apply.

Chart: answer shares of 44%, 37%, 35%, 34%, 32% and 22%.

“When security tools overwhelm developers with noise, they drift into risky workarounds. We aim to restore balance by removing false positives, strengthening guardrails, and improving Developer Experience, so teams can focus on what truly matters”

Darshit Pandya
Senior Principal Engineer - Platform, Serko

Tools built for both dev and security teams saw far fewer incidents

Teams using tools designed for both developers and security teams were more than twice as likely to report zero incidents compared to those using tools made for only one group.

Line chart showing percentages reporting no incidents: 21% for tools for security, 23% for tools for developers, and 55% for tools for both.

“Giving developers the right security tool that works with existing tools and workflows allows teams to implement security best practices and improve their posture”

Walid Mahmoud
DevSecOps Lead, UK Cabinet Office

03

Security reality

"It's a bit ironic that the industry talks so much about replacing people with AI, but in security, we worry much more about not having enough security people"

Igor Andriushchenko
CISO, Lovable
Bar chart showing impacts if a top security engineer leaves: 40% delays to incident response, 40% slower product development, 37% key tools break, 35% delayed fixes, 34% compliance risk, 28% likely serious attack, 12% no impact.

Teams using separate AppSec and CloudSec tools are 50% more likely to face incidents

Bar chart comparing incident percentages: 31% of incidents use separate tools, while 20% use combined AppSec and CloudSec tools.

"It's clear that we need to combine our AppSec and Cloud Security programs into a single product security team. For companies where infrastructure is defined as code, cloud security fundamentally is code security, and it drives better results."

James Berthoty
Founder, Latio Tech

The Future of AI

96% believe AI will write secure, reliable code

Within 1-2 years: 20%
3-5 years: 44%
6-10 years: 24%
+10 years: 8%
Never: 4%

But only 21% think it will be without human oversight

9 in 10 organizations expect AI to take over penetration testing, with an average timeline of 5.5 years.


If you work in software security, you need to read this.