Application Security

Critical Security Findings Nearly Quadrupled YOY: OX Security

by PR Newswire

Second annual report analyzes 216 million security findings across 250 organizations, identifying AI-assisted development as a key driver of accelerating application security risk

Critical application security findings rose nearly 4x year-over-year, according to OX Security’s 2026 Application Security Benchmark Report, based on analysis of more than 216 million security findings across 250 organizations. The report identifies AI-assisted development as a key driver of the growing volume of vulnerabilities entering software pipelines.

Published today, the second annual OX Security Application Security Benchmark Report finds that the average organization now faces 865,398 security alerts, up 52% from 569,354 a year earlier. After prioritization, the average organization is left with 795 critical findings, up from 202 last year — nearly 4x higher.

The critical issue ratio also rose from 0.035% to 0.092% of raw findings. That means real risk is growing faster than overall alert volume.

“The data makes the trajectory impossible to ignore,” said Neatsun Ziv, CEO of OX Security. “We’re not just seeing more alerts. We’re seeing materially more real risk year-over-year. AI-assisted development is accelerating code output at a pace security teams were never built to handle, and the window to get ahead of that is narrowing.”

Key findings include:

  • Alert volume rose 52% year-over-year: Average raw alerts per organization increased from 569,354 to 865,398.
  • Critical findings nearly quadrupled: After prioritization, the average organization now manages 795 critical issues, up from 202 in 2025. These are findings that require immediate attention.
  • The critical issue ratio nearly tripled: Critical findings increased from 0.035% to 0.092% of raw findings, showing that meaningful risk is rising faster than total alert volume.
  • Business context drives risk more than technical severity: Across the 216 million findings analyzed, the most frequently applied risk-elevating factor was High Business Priority (27.76%), followed by PII Processing (22.08%) and CVSS High Severity (20.55%), underscoring that what a vulnerability affects often matters more than its score.
  • Industry risk varies widely: Insurance organizations show the highest proportion of critical findings (1.76%), while Automotive organizations face the highest overall alert volumes.
  • Prioritization remains essential — but increasingly insufficient on its own: As development velocity accelerates, detection and remediation alone are struggling to keep pace with the volume of new vulnerabilities entering software pipelines.
PR Newswire

PR Newswire empowers communicators to identify and engage with key influencers, craft and distribute meaningful stories, and measure the financial impact of their efforts. Cision is a leading global provider of earned media software and services to public relations and marketing communications professionals.

PR Newswire empowers communicators to identify and engage with key influencers, craft and distribute meaningful stories, and measure the financial impact of their efforts. Cision is a leading global provider of earned media software and services to public relations and marketing communications professionals.

Related posts

Cigniti’s Digital Assurance Leadership Capabilities Recognized

Business Wire

Invicti Security Joins the AWS Marketplace

PR Newswire

cybersecurity Expert GuidePoint Security Launches New Offering

Business Wire