
CISOs Face Pressure to Deploy Vulnerable Code


“A completely new model is required,” said Sandeep Johri, CEO of Checkmarx, summing up a finding that has become a practical dilemma for security leaders: business pressure is routinely pushing vulnerable code into production.

Pressure on CISOs and the scale of suppressed reporting

Checkmarx’s report, released on Jun 8 and based on responses from 2,350 CISOs, AppSec managers and developers across 14 countries, finds that pressure to deprioritize or delay reporting of security issues is near-universal. Ninety-five percent of CISOs said they faced such pressure from other parts of the business. That pressure has a measurable result: 75% of those surveyed said their organization had knowingly deployed vulnerable code into a production environment.

Why vulnerable code reached production

The report breaks down the proximate reasons organizations pushed flawed code live. Thirty percent of respondents said they believed compensating controls sufficiently mitigated the risk. Twenty-seven percent said code was pushed to meet a business, feature or security-related deadline. A further 27% said the vulnerability was not detected until after deployment. The survey also captured a worrying mix of resignation and resource limits: 30% said they simply hoped the vulnerability would not be discovered, while 27% said the vulnerability was too difficult or time-consuming to fix.

Remediation performance and the “post-Mythos” era

Fixing vulnerabilities has not kept pace with discovery. Only 9% of organizations reported that they fix over 90% of vulnerabilities within 90 days. Almost a third remediate fewer than half of their vulnerabilities in the same 90-day window. The report frames this shortfall against a backdrop it calls the “post-Mythos era,” where new vulnerabilities are being uncovered faster than before. “Every day a known vulnerability sits unpatched is a day the door is unlocked. The mean time to exploit has collapsed to minutes. Most organizations are still leaving their gates wide open for months,” the report warns.

AI-generated code and the limits of automation

Respondents reported increasing use of AI-generated code to boost efficiency, but Checkmarx cautions that relying solely on AI introduces additional risk. As Johri put it, “Just like the student cannot grade their own exam, AI alone cannot secure code – and, as the research shows, it adds risk.” The report argues that security needs “deterministic precision with probabilistic reasoning” and better human-guided remediation to both identify novel exploitable patterns and close the gap between finding a vulnerability and fixing it.

What this means for technologists, policymakers, and enterprise leaders

  • Technologists and security teams: they will likely remain under pressure to balance release schedules and risk, and the survey suggests many will continue to accept compensating controls or delayed fixes as a trade-off.
  • Policymakers and regulators: the data—showing limited remediation within 90 days and routine suppression of reporting—may inform questions about disclosure expectations, compliance timelines and governance around AI-generated code.
  • Enterprise procurement and leadership: organizations are already responding by strengthening governance (particularly around AI) and seeking to reduce fragmentation across tools, teams and processes, reflecting an intention to mend the gap between detection and remediation.

The report’s final note is cautiously optimistic: organizations are implementing efforts to improve governance and reduce fragmentation, and many expect their security processes to rise to the AI-era challenge. Yet the metrics present a stark trade-off: widespread pressure to delay or suppress reporting, three-quarters of surveyed organizations having deployed vulnerable code knowingly, and relatively slow remediation timelines. Checkmarx’s conclusion — that “a completely new model is required” — leaves a pointed question hanging over boardrooms and security teams alike: will the incremental steps being taken be enough to close a gap that, the report says, already leaves “the door unlocked” for months?

Original story at Infosecurity Magazine