87% of Organizations Still Running Software With Known Exploitable Bugs, Datadog Warns

Andrew Krug, Head of Security Advocacy, Datadog

Datadog has released its new State of DevSecOps Report 2026, revealing an industry‑wide rise in software supply chain risk. The study finds that 87% of organizations are running at least one known exploitable vulnerability in their production services, underscoring the widening gap between accelerating development pipelines and static security practices.

According to the report, security risk is increasingly shifting upstream. As teams adopt rapid, automated development workflows and depend more heavily on open-source components, vulnerabilities in dependencies, build tools, and CI/CD pipelines now shape risk as much as flaws in production code.

The research highlights several convergence points: 42% of services depend on libraries no longer actively maintained, while organizations using end‑of‑life programming languages face exploitable vulnerabilities in half of all deployments, a stark contrast to 31% for supported versions. Meanwhile, 50% of companies adopt new library releases within 24 hours, increasing exposure to potentially compromised software. Only 4% fully pin GitHub Actions to commit hashes, leaving pipelines open to silent upstream code changes.
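A small audit for the pinning gap described above, added here as an illustration (it is not code from Datadog or the report): it flags `uses:` references in a workflow file that are not pinned to a full 40-character commit SHA. The workflow, the `example-org` action names and the SHA are constructed placeholders.

```python
import re

# A `uses:` key on a step or on a reusable-workflow job.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")

# Constructed sample workflow; the action names and the SHA are placeholders.
SAMPLE = """\
name: ci
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/checkout@v4
      - uses: example-org/build@0123456789abcdef0123456789abcdef01234567 # v2.1.0
      - name: lint
        uses: ./.github/actions/lint
      - uses: example-org/deploy@main
      - uses: docker://alpine:3.20
"""

def classify(ref):
    """Return 'local', 'pinned' or 'mutable' for one `uses:` value."""
    if ref.startswith("./"):
        return "local"  # lives in the same repository and commit
    if ref.startswith("docker://"):
        # Only an image digest is immutable; tags can be re-pointed.
        return "pinned" if "@sha256:" in ref else "mutable"
    _, sep, version = ref.partition("@")
    # Tags, branches and abbreviated SHAs can all move or collide.
    if sep and FULL_SHA_RE.match(version):
        return "pinned"
    return "mutable"

def audit_workflow(text):
    """Return (line_number, reference) for every mutable reference."""
    findings = []
    for m in USES_RE.finditer(text):
        ref = m.group(1)
        if classify(ref) == "mutable":
            line_no = text.count("\n", 0, m.start(1)) + 1
            findings.append((line_no, ref))
    return findings

if __name__ == "__main__":
    for line_no, ref in audit_workflow(SAMPLE):
        print(f"line {line_no}: not pinned to a commit SHA: {ref}")
```

A check like this can run as a CI gate over `.github/workflows/`; keeping the human-readable version as a trailing comment next to the SHA preserves reviewability.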

“The way software is built has changed, but security practices haven’t kept up. Teams aren’t struggling with speed; they’re struggling with clarity.”

Andrew Krug, Head of Security Advocacy, Datadog

Security exposure is rising at both ends of the lifecycle. The median software dependency is now 278 days out of date, widening by more than two months year over year. At the same time, rapid adoption of third‑party code is pushing risk into build systems that many teams implicitly trust but seldom monitor. “DevSecOps teams are caught between moving too slowly and moving too fast,” Krug said. “Go slow, and outdated code piles up. Go fast, and automation pulls in unvetted software.”

Datadog also warns that rising alert volumes are obscuring real threats. Only 18% of vulnerabilities initially labeled “critical” remain critical when runtime context is applied, leaving teams overwhelmed by noise and fatigued by false urgency.

The full report examines how organizations can use contextual security, AI‑assisted workflows, and modern supply chain safeguards to prioritize true business risk.
