"The backlog isn't a process problem anymore; it's a math problem,” said Eran Kinsbruner, vice president at Checkmarx.
Checkmarx: 75% of organizations knowingly ship vulnerable code
On May 21, Checkmarx published data showing that 75% of organizations often or sometimes deploy code they know is vulnerable. That figure is an improvement from 81% reported last year, but Checkmarx framed the remaining rate as dangerously high given shifts in adversary capability.
Researchers on Checkmarx’s Zero team said the window from disclosure to exploit has collapsed: what took an average of 840 days to exploit in 2018 now takes less than two days in 2026. The team predicts time-to-exploit will shrink further, to one minute by 2028. Checkmarx’s analysis links that acceleration in part to the rise of unvetted, AI-generated code; Kinsbruner argued that AI-produced code is outpacing manual remediation models.
Verizon DBIR: vulnerability exploitation now a leading initial access vector
Verizon’s latest Data Breach Investigations Report (DBIR), published this week, complements the Checkmarx findings. Verizon said vulnerability exploitation accounted for nearly a third — 31% — of initial access in data breaches over the past year, up from 20% in last year’s DBIR.
Verizon also reported that “the median threat actor researched or used AI assistance in 15 different documented techniques,” and that some actors leveraged as many as 40 or 50 AI-assisted techniques. The report suggested adversarial use of AI could be contributing to the uptick in vulnerability exploitation.
QBE: UK firms are worried but slow to audit suppliers’ AI
UK insurer QBE released a separate study this week finding that 75% of UK businesses are worried about vendors and suppliers using AI. QBE said the proportion of respondents experiencing “a cyber event in the past 12 months” rose from 53% in 2025 to 59% in 2026, and that 22% of respondents claimed “all or most” of the attacks they suffered involved a supplier.
Despite those concerns, QBE reported that only 28% of businesses using AI have taken steps to assess or audit their third‑party suppliers’ AI systems, and only 35% have a formal AI usage or governance policy.
How technologists, procurement leaders, and insurers are responding
- Technologists and security teams: Checkmarx’s findings — including the shift from 840 days to under two days for exploitation — underscore a growing urgency. Teams will be watching the pace of AI-generated code production and the Checkmarx Zero team’s projection that time‑to‑exploit could reach one minute by 2028.
- Procurement and enterprise leaders: QBE’s survey highlights a gap between concern and action: 75% of firms worry about supplier AI use, yet only 28% have audited third‑party AI systems. Procurement leaders will need to reconcile supplier risk with those low audit rates.
- Insurers: QBE’s own data show rising incident rates — 59% reporting a cyber event in the past year — and that a notable share of breaches involve suppliers. Those trends will inform underwriting and coverage conversations within the insurance market.
The tension between speed and governance
The three studies together sketch a distinct dynamic: AI appears to be both a force multiplier for defenders and a rate‑accelerant for attackers. Checkmarx characterizes the problem as mathematical — unvetted AI code increasing the volume of potentially vulnerable software faster than traditional remediation can handle. Verizon’s DBIR documents that vulnerability exploitation is rising as an initial access route, and that threat actors are adopting AI in multiple documented techniques. QBE shows commercial concern but limited governance action around supplier AI.
The result is a set of stark numbers: 75% of organizations admitting to shipping vulnerable code; vulnerability-based initial access rising to 31% of breaches; and only a minority of AI‑using firms auditing supplier AI or operating under formal AI governance policies. Those figures map a widening gap between tools that can produce code at scale and institutional practices meant to vet it.
For now, the record is clear on two points offered by the sources: the speed of exploitation has collapsed, and worry about supplier AI is high even where audit and governance are limited. Whether remediation practices and third‑party controls can close that gap before Checkmarx’s projected one‑minute exploit timeline arrives is the pressing question left by these studies.
Original reporting: https://www.infosecurity-magazine.com/news/threequarters-knowingly-ship/




