Datadog Report Reveals 87% of Organisations Are Running Software With Known, Exploitable Vulnerabilities

The State of DevSecOps Report 2026 highlights a broader industry shift as security risk increasingly moves upstream into the software supply chain

Sydney, 26 February 2026 – Datadog, Inc. (NASDAQ: DDOG), the AI-powered observability and security platform for cloud applications, today released its latest State of DevSecOps Report, finding that nearly nine in 10 organisations (87 per cent) have at least one known exploitable vulnerability in deployed services.

The report points to a broader industry shift, with security risk increasing across the software delivery lifecycle. As development accelerates, becomes more automated, and relies more heavily on third-party components, risk is increasingly shaped by the software supply chain and the tools used to build and deploy applications – not just the code that runs in production.

Key findings at a glance:

• 87 per cent of organisations have at least one known exploitable vulnerability in deployed services
• 42 per cent of services rely on libraries that are no longer actively maintained
• Services using end-of-life language versions face exploitable vulnerabilities in 50 per cent of cases, compared to 31 per cent for supported versions
• 50 per cent of organisations adopt new library versions within 24 hours of release, increasing the risk of installing malicious or compromised software
• Only 4 per cent of organisations pin all public GitHub Actions to a specific version using commit hashes, leaving CI/CD pipelines vulnerable to silent code changes

Security Risk Increasing at Both Ends of the Lifecycle

On one end, software is aging faster than teams can keep it up to date. The median software dependency is now 278 days out of date – 63 days further behind than last year.

At the same time, third-party software accelerates development but introduces risk when implicitly trusted. Datadog researchers found that half of organisations (50 per cent) adopt new library versions within 24 hours of release, and only 4 per cent pin all public GitHub Actions to a specific version using commit hashes.

As a result, build and deployment pipelines are increasingly exposed to silent changes in third-party code, making CI/CD systems a critical supply-chain risk.

“The way software is built has fundamentally changed, but security practices haven’t kept up,” said Andrew Krug, Head of Security Advocacy at Datadog. “DevSecOps teams are caught between moving too slowly and moving too fast. Go slow, and outdated software accumulates known vulnerabilities. Go fast, and automation can introduce unvetted code. The real challenge, though, isn’t speed – it’s clarity. As environments grow more complex, AI-assisted workflows help ensure top priorities get attention first.”

Alert Volume Is Obscuring Real Risk

While vulnerability alerts continue to rise, the report also finds that most do not represent immediate business risk. Only 18 per cent of vulnerabilities labeled “critical” remain critical once runtime context is applied.

“When almost everything is labeled ‘critical’, nothing is,” Krug added. “Teams get paged for noise while threats that pose real risk slip through. Without context, prioritisation becomes harder – leading to burnout, slower response times and accumulated risk. Teams need better visibility into what actually requires action.”

“In A/NZ, regulatory pressure from APRA CPS 234 and the Essential Eight has significantly lifted governance maturity. Boards understand cyber risk, and structured change control is firmly embedded,” said Yadi Narayana, CTO for APJ at Datadog. “The challenge now is execution. We still see Known Exploited Vulnerabilities in internet-facing and legacy systems because patch velocity can’t always keep pace with operational complexity.

“At the same time, cloud-native adoption is increasing reliance on open-source software and public package repositories, expanding the attack surface, often without equivalent controls across GitHub Actions and CI/CD pipelines. Add alert fatigue driven by severity-based prioritisation, and security teams are stretched thin. The next phase of maturity is pairing strong governance with contextual observability – focusing on what’s truly exploitable and reducing real business risk, not just compliance exposure.”

Read the full report, State of DevSecOps Report 2026, to see how these findings are shaping modern approaches to detecting, prioritising and remediating security risk.

— ENDS —

Report Methology

Datadog analyzed telemetry from tens of thousands of applications to assess security risk across modern software environments, along with additional datasets used for specific findings. The data is global in scope.

About Datadog

Datadog is the AI-powered observability and security platform for cloud applications. Our SaaS platform integrates and automates infrastructure monitoring, application performance monitoring, log management, user experience monitoring, cloud security and many other capabilities to provide unified, real-time observability and security for our customers’ entire technology stack. Datadog is used by organizations of all sizes and across a wide range of industries to enable digital transformation and cloud migration, drive collaboration among development, operations, security and business teams, accelerate time to market for applications, reduce time to problem resolution, secure applications and infrastructure, understand user behavior and track key business metrics.

Forward-Looking Statements

This press release may include certain “forward-looking statements” within the meaning of Section 27A of the Securities Act of 1933, as amended, or the Securities Act, and Section 21E of the Securities Exchange Act of 1934, as amended including statements on the benefits of new products and features. These forward-looking statements reflect our current views about our plans, intentions, expectations, strategies and prospects, which are based on the information currently available to us and on assumptions we have made. Actual results may differ materially from those described in the forward-looking statements and are subject to a variety of assumptions, uncertainties, risks and factors that are beyond our control, including those risks detailed under the caption “Risk Factors” and elsewhere in our Securities and Exchange Commission filings and reports, including the Annual Report on Form 10-K filed with the Securities and Exchange Commission on February 18, 2026, as well as future filings and reports by us. Except as required by law, we undertake no duty or obligation to update any forward-looking statements contained in this release as a result of new information, future events, changes in expectations or otherwise.

PR Archives: Latest, By Company, By Date