Datadog releases State of DevSecOps Report 2026

Datadog released the State of DevSecOps Report 2026, framing it around a broader industry shift in which security risk increasingly moved upstream into the software supply chain, a development the report said affected how organizations addressed vulnerabilities.

The report said security risk increased across the software delivery lifecycle as development accelerated, became more automated, and relied more on third-party components. It argued that those factors extended risk beyond the code that ran in production to the tools and components used to build and deploy applications.

The report found that 87% of organizations had at least one known exploitable vulnerability in deployed services, that 42% of services relied on libraries no longer actively maintained, that services using end-of-life language versions faced exploitable vulnerabilities in 50% of cases versus 31% for supported versions, and that only 18% of vulnerabilities labeled “critical” remained critical once runtime context was applied.

Datadog said the median software dependency was 278 days out of date, 63 days further behind than the prior year. Researchers reported that 50% of organizations adopted new library versions within 24 hours and that only 4% pinned all public GitHub Actions to a specific commit hash. The report said build and deployment pipelines were increasingly exposed to silent changes in third-party code, making Continuous Integration and Continuous Deployment (CI/CD) systems a supply-chain risk. Datadog analyzed telemetry from tens of thousands of applications and used additional datasets; the data was global in scope.

“The way software is built has fundamentally changed, but security practices haven’t kept up,” said Andrew Krug, Head of Security Advocacy at Datadog. “When almost everything is labeled ‘critical’, nothing is,” Krug added. “Teams get paged for noise while threats that pose real risk slip through. Without context, prioritization becomes harder - leading to burnout, slower response times and accumulated risk. Teams need better visibility into what actually requires action.”

The press release said it may include certain “forward-looking statements” and that actual results may differ materially from those described in such statements.