
75% of Companies Ship Vulnerable Code On Purpose: Checkmarx

Summary

– 75% of organizations often or sometimes deploy code they know is vulnerable, down from 81% last year.
– Time to exploit a vulnerability has dropped from 840 days in 2018 to under two days in 2026, with a prediction of one minute by 2028.
– Unvetted AI-generated code is a major contributor to the vulnerability backlog, outpacing manual remediation.
– Verizon’s DBIR found vulnerability exploitation caused 31% of data breach initial access, up from 20% last year, potentially due to adversarial AI use.
– 75% of UK businesses worry about vendors using AI, but only 28% assess third-party AI systems and 35% have a formal AI governance policy.

Three out of every four organizations admit to knowingly shipping vulnerable code, even as AI-powered threats accelerate risks across the software supply chain. That is the central finding from two new studies released this week, underscoring a persistent and dangerous gap between security awareness and action.

On May 21, Checkmarx published data revealing that 75% of organizations often or sometimes deploy code they know is flawed. While this marks a slight improvement from last year’s 81%, the figure remains alarmingly high given how quickly attackers can now weaponize weaknesses. Advanced AI models are enabling threat actors to locate and exploit vulnerabilities with unprecedented speed.

According to Checkmarx, what took an average of 840 days to exploit in 2018 now takes less than two days in 2026. Researchers on its Checkmarx Zero team project that time-to-exploit will shrink to just one minute by 2028.

Eran Kinsbruner, Vice President at Checkmarx, pointed to unvetted AI-generated code as a major driver of the problem. “The backlog isn’t a process problem anymore; it’s a math problem,” he said. “AI-generated code is outpacing every manual remediation model in existence.”

The Checkmarx findings align with other recent warnings. Verizon’s 2026 Data Breach Investigations Report (DBIR) found that vulnerability exploitation now accounts for nearly a third (31%) of initial access in data breaches over the past year, up from 20% in the previous report. Verizon attributed the rise partly to adversarial use of AI, noting that “the median threat actor researched or used AI assistance in 15 different documented techniques, with some actors leveraging as many as 40 or 50.”

Separately, a study from UK insurer QBE released this week shows that 75% of UK businesses are worried about vendors and suppliers using AI. Concerns are well-founded: QBE reported that the share of respondents experiencing a cyber event in the past 12 months jumped from 53% in 2025 to 59% in 2026. This year, over a fifth (22%) said that “all or most” of the attacks they suffered involved a supplier.

Yet despite these worries, only 28% of AI-using businesses have taken steps to assess or audit their third-party suppliers’ AI systems, and just 35% have a formal AI usage or governance policy, according to QBE. The gap between concern and action remains wide, even as the window for exploitation narrows dramatically.

(Source: Infosecurity Magazine)
