In 45% of all test cases, LLMs introduced vulnerabilities classified within the OWASP Top 10.

LLMs failed to secure code against log injection (CWE-117) in 88% of cases

Over 5,000 highly convincing fake pharmacy websites were uncovered (April-June 2025), scamming people seeking high-demand prescriptions.

6% of Canadians reported their stolen identity was used by a criminal to open a financial account (approximately 8 million victims), an increase from 5% in 2023 and 5.6% in 2020.

58% of security teams report frequent false positives from application security scanners.

11% of security teams say application security false positives happen constantly.

66% of security services providers primarily use a GRC or compliance automation platform.

Nearly 90% of organizations allocate just 11–20% of their security budgets to application security.

Only 36% of organizations involve security at the planning stage of software development.

36% of companies spend more on network security than AppSec.

Rapidly expanding attack surfaces are cited by 38% of cybersecurity and cyber risk leaders as a reason for increased difficulty in managing cyber risk today vs five years ago.

83% of organizations are considering outsourcing AppSec functions.

Just 28% of organisations say they are "very effective" at communicating cyber risk to leadership.

31% of security services providers report an average or lower ability to differentiate.

Just 1% of organizations invest more than 20% of their total security budget into AppSec.

Spreadsheet usage among security services providers is up 50% year over year (as a secondary tool).

Cybersecurity and cyber risk leaders at organizations without full threat visibility have a burnout rate of 63%.

62% of organizations knowingly release insecure code to meet delivery deadlines.

The Dragon RaaS emerged in 2024.

57% of organizations wait until just before deployment to involve security.