AppSec Research & Data Studies
Original studies built on primary data I collected and analyzed myself. No vendor surveys, no sponsored content.
The Rise of AI Pentesting Agents: A Technical Analysis (2026)
I dug into 39+ open-source AI pentesting agents, read 8 academic benchmarks, and tracked every commercial company from PentestGPT to Anthropic Mythos. A technical look at how autonomous pentesting actually works.
Supply Chain Attack Statistics 2026
65+ software supply chain attack statistics from Sonatype, Black Duck OSSRA, Verizon DBIR, JFrog, and original research. Malicious packages, open source risk, SBOM adoption, and breach costs. Every stat sourced.
Software Vulnerability Statistics 2026
60+ software vulnerability statistics from NVD, Verizon DBIR, IBM, Veracode, Edgescan, and original research. CVE trends, exploitation speed, remediation timelines, and breach costs. Every stat sourced.
API Security Statistics 2026
55+ API security statistics from Salt Security, Wallarm, Verizon DBIR, OWASP, and original research. API attacks, BOLA vulnerabilities, shadow APIs, breach costs, and market data. Every stat sourced.
AI Security Statistics 2026
70+ AI security statistics from IBM, Gartner, HiddenLayer, OWASP, Snyk, and original research. AI code vulnerabilities, prompt injection, deepfake fraud, agentic AI risks, and defense costs. Every stat sourced.
MCP Server Security Audit 2026
I analyzed 33 MCP servers using mcp-scan and Cisco mcp-scanner. YARA flagged 27 patterns across 10 servers — but ~78% were false positives. Full breakdown of what pattern-based scanning catches and misses.
DevSecOps Statistics 2026
60+ DevSecOps statistics from industry reports and original research. Covers adoption rates, market growth, supply chain risks, vulnerability data, and breach costs. Every stat sourced.
Application Security Statistics 2026
50+ application security statistics from original research. AI code vulnerabilities, security header adoption, open-source tool health, and more.
AI-Generated Code Security Study 2026
I asked 6 LLMs to write Python and JavaScript code for common development tasks, then scanned the output with 5 open-source SAST tools. See which models produce the most secure code.
State of Open Source AppSec Tools 2026
I analyzed GitHub data for 64 open-source application security tools across 8 categories. See which projects have the most community traction, healthiest maintenance, and strongest adoption.
Security Headers Adoption Study 2026
I scanned 10,000+ websites to measure adoption rates of CSP, HSTS, and other security headers. See which headers are widely deployed and which remain rare.
CandyShop: Open-Source Security Tool Benchmark 2026
Real scan results from 12 open-source security tools tested against 6 intentionally vulnerable applications. Compare SAST, DAST, SCA, container, and IaC scanners with actual detection data and F-measure accuracy scores.
DAST Benchmark Project
Test your applications with multiple DAST tools and receive a comparative benchmark report to select the most suitable tool with confidence.