Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

If you’re like our team, the morning after the Claude Mythos announcement brought more questions than answers. Among them: “Serious question. Do customers still need SAST?” It’s a fair question if you stop at the headline. Claude Mythos, Anthropic’s frontier AI model currently gated to vetted partners through Project Glasswing, had autonomously identified thousands of zero-day vulnerabilities across major operating systems and browsers . No rule books, no checklists.

Software risk has always existed. What’s changed is the scale, speed, and economics of it. For decades, organizations operated under a relatively stable set of assumptions: humans write code, security teams scan it, vulnerabilities get prioritized and patched. The process was slow, imperfect, and often underfunded — but it was manageable. AI has dismantled those assumptions. And if your security program is still calibrated to the old model, you’re already behind.

There’s a conversation happening in boardrooms, security operations centers, and developer standups that I find both thrilling and concerning: the conversation about AI-assisted development. Engineering teams are shipping features in hours that once took months. Products that would have required six-month roadmaps are being prototyped in a weekend.

Modern software is not written from scratch. It’s assembled. Developers pull from open-source repositories, import third-party libraries, accelerate development with AI coding assistants, and deploy across multi-stage CI/CD pipelines that span dozens of tools, services, and vendors.

Twenty years ago, the idea of continuously scanning software for vulnerabilities at scale was ambitious. Today, it’s essential. As Veracode marks its 20th anniversary, we’re not just looking back at what we’ve built; we’re looking forward at what the data tells us about where software security needs to go next. And the data says a lot.

The rules of software security have changed. For years, the dominant threat narrative centered on stolen credentials and compromised accounts. Today, attackers have shifted strategies — and the data proves it. According to the 2026 Verizon Data Breach Investigations Report, exploitation of vulnerabilities now accounts for 31% of all initial access vectors, surpassing credential abuse, which has fallen to just 13%. Attackers aren’t just knocking on the front door anymore.

Every year, the Verizon Data Breach Investigations Report sets the tone for how the industry understands the threat landscape. And every year, the most important question isn’t what’s changed — it’s whether organizations are keeping up. Based on the 2026 Verizon DBIR, the honest answer is: not fast enough.

The security landscape has fundamentally changed, and many organizations haven’t caught up. If you’re still relying on quarterly scans, annual penetration tests, or spreadsheet-based vulnerability tracking to manage risks within your applications, you’re not managing risk. You’re documenting it after the fact.

May 19, 2026 What the 2026 Verizon DBIR Reveals About the State of Application Security Read More Natalie Tischler May 14, 2026 How to Manage Risks Within Your Applications Read More Natalie Tischler May 12, 2026 AI Coding Tools Are Creating a Security Gap We Must Close Immediately Read More Natalie Tischler.

Developers love AI coding tools. And why wouldn’t they? After all, they write code faster. They reduce repetitive work. They help junior engineers ship features that used to take days. But there’s a problem no one wants to talk about at the planning meeting. AI coding tools are producing insecure code at massive scale. And the industry is running out of time to fix it.