
Critical Security Findings Nearly Quadrupled Year-Over-Year, OX Security's 2026 Application Security Benchmark Finds
Second annual report analyzes 216 million security findings across 250 organizations, identifying AI-assisted development as a key driver of accelerating application security risk
NEW YORK, March 17, 2026 /PRNewswire/ -- Critical application security findings rose nearly 4x year-over-year, according to OX Security's 2026 Application Security Benchmark Report, based on analysis of more than 216 million security findings across 250 organizations. The report identifies AI-assisted development as a key driver of the growing volume of vulnerabilities entering software pipelines.
Published today, the second annual OX Security Application Security Benchmark Report finds that the average organization now faces 865,398 security alerts, up 52% from 569,354 a year earlier. After prioritization, the average organization is left with 795 critical findings, up from 202 last year — nearly 4x higher.
The critical issue ratio also rose from 0.035% to 0.092% of raw findings. That means real risk is growing faster than overall alert volume.
"The data makes the trajectory impossible to ignore," said Neatsun Ziv, CEO of OX Security. "We're not just seeing more alerts. We're seeing materially more real risk year-over-year. AI-assisted development is accelerating code output at a pace security teams were never built to handle, and the window to get ahead of that is narrowing."
Key findings include:
- Alert volume rose 52% year-over-year: Average raw alerts per organization increased from 569,354 to 865,398.
- Critical findings nearly quadrupled: After prioritization, the average organization now manages 795 critical issues, up from 202 in 2025. These are findings that require immediate attention.
- The critical issue ratio nearly tripled: Critical findings increased from 0.035% to 0.092% of raw findings, showing that meaningful risk is rising faster than total alert volume.
- Business context drives risk more than technical severity: Across the 216 million findings analyzed, the most frequently applied risk-elevating factor was High Business Priority (27.76%), followed by PII Processing (22.08%) and CVSS High Severity (20.55%), underscoring that what a vulnerability affects often matters more than its score.
- Industry risk varies widely: Insurance organizations show the highest proportion of critical findings (1.76%), while Automotive organizations face the highest overall alert volumes.
- Prioritization remains essential — but increasingly insufficient on its own: As development velocity accelerates, detection and remediation alone are struggling to keep pace with the volume of new vulnerabilities entering software pipelines.
About the Report
The 2026 OX Application Security Benchmark Report is based on 216 million application security findings collected from 250 organizations over a 90-day period in Q4 2025. Findings were aggregated from organizations' existing security tools, including SAST, secrets detection, SCA, and others, alongside open-source intelligence feeds and vulnerability databases, then enriched with contextual data and prioritized using OX's multi-factor risk methodology incorporating exploitability, reachability, and business impact.
The full report is available here.
About OX Security
OX Security is a leader in application security, providing comprehensive coverage across the entire software development lifecycle — from AI code generation to cloud runtime. OX centralizes security across the entire code journey, tracing every risk back to its source so security teams can move from fragmented tooling and blind spots to unified product security built for prevention.
SOURCE OX Security