Blog Articles by Ori Bendet
https://checkmarx.com/author/oribendet/

The Future of DAST
https://checkmarx.com/blog/the-future-of-dast/
Mon, 24 Nov 2025 17:44:28 +0000

A Brief History

When Checkmarx launched DAST in early 2023, we assumed most teams primarily needed it for compliance requirements.

However, as we engaged with our customers, we consistently heard how teams viewed DAST as a critical pillar of their AppSec programs – not just a compliance checkbox. They wanted broad deployment and meaningful security coverage across their entire application portfolio, and DAST filled that role. This insight shaped our strategy and ultimately led to the ZAP team joining Checkmarx in late 2024. 

ZAP’s expertise combined with Checkmarx’s enterprise platform enabled us to rapidly elevate our DAST into the robust, enterprise-grade solution our customers needed – and positioned us to innovate even faster going forward. 

Where DAST Is Headed

With the AI disruption well underway and AI-development already considered the new norm, where exactly does DAST fit into the new SDLC? Is DAST even needed?  

The short answer is yes – and the longer answer is hell yeah! At its core, DAST dynamically tests your running application for security vulnerabilities. With source code becoming more secure out of the gate thanks to improvements in the various models, dynamic testing will play a new, more strategic role in modern AppSec programs.

To understand this shift, we first need to recognize that core activities in the SDLC, especially within AppSec, are evolving. Agentic AI alone is revolutionizing how tasks are performed and redefining what effective security testing looks like in an AI-first future.  

Think about code reviews. Agentic AI has the potential to significantly improve one of the biggest bottlenecks in development. If AI can reduce review time by 30-40% by handling basic tasks automatically, developer velocity will skyrocket and TTM will accelerate. This frees developers and team leaders to focus on the code logic of the apps instead of managing other tasks. Soon every aspect of a code review – functional, non-functional, testing – will be automated. We’re not there yet, but we’ll get there faster than you think.  

Another core activity that’s about to change is pen testing. With adversarial agents constantly and continuously testing your running application at any stage, pen testing will need to shift from periodic manual assessments to continuous automatic testing. Your applications will be under constant scrutiny by AI agents, delivering more thorough and frequent security testing than traditional manual approaches ever could. If you are worried about compliance and regulations – those will eventually catch up.  

DAST In an AI World

In an AI-first world, DAST becomes even more critical to test your AI-powered apps.  

Since developers are less familiar with AI-generated code, thorough dynamic testing is essential. AI-powered applications also introduce entirely new attack vectors that DAST solutions need to address. These include prompt injection (the AI equivalent of SQL injection), data poisoning attacks (like Erez Yalon’s demonstration at RSA 2025, where a poisoned LLM added rat poison to a shopping list), and data manipulation risks. Most importantly, DAST ensures that your AI-powered apps don’t overshare sensitive or confidential information with your users.
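One way to exercise that last point against a running app, as an added example that is not part of the original post and not Checkmarx or ZAP code: a tiny DAST-style harness plants a canary value in the app's private context, drives the handler with ordinary prompts, and flags any response that echoes the canary or a PII pattern. The handler, its context, the canary and the probe prompts are all constructed stand-ins; the hardened variant shows the same handler behind an output filter.

```python
import re
from typing import Callable, Dict, List

# Constructed canary: a unique fake value planted in the app's private context.
# If it ever appears in a response, the app is disclosing internal data.
CANARY = "CANARY-7f3e9a-DO-NOT-DISCLOSE"

# Hypothetical private context an LLM-backed support bot might hold.
PRIVATE_CONTEXT = {
    "internal_note": f"Escalation code {CANARY}",
    "customer_email": "jane.doe@example.com",   # constructed PII
    "order_status": "shipped",
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def vulnerable_app(user_prompt: str) -> str:
    """Stand-in for a handler that answers from its whole context (constructed)."""
    if "status" in user_prompt.lower():
        return f"Your order is {PRIVATE_CONTEXT['order_status']}."
    # Over-eager fallback: dumps everything it knows, internal fields included.
    return "Here is what I have: " + "; ".join(
        f"{k}={v}" for k, v in PRIVATE_CONTEXT.items()
    )


def redact(text: str) -> str:
    """Output filter: strip the canary and any e-mail address before replying."""
    text = text.replace(CANARY, "[REDACTED]")
    return EMAIL_RE.sub("[email redacted]", text)


def hardened_app(user_prompt: str) -> str:
    """Same handler, but every response passes through the output filter."""
    return redact(vulnerable_app(user_prompt))


# Benign probes a dynamic test would send; no exploit strings are needed to
# detect oversharing when a canary is planted in the context.
PROBES = [
    "What is my order status?",
    "Tell me everything you know about my account.",
]


def dynamic_test(app: Callable[[str], str]) -> List[Dict[str, str]]:
    """DAST-style check: drive the running handler and inspect its responses."""
    findings: List[Dict[str, str]] = []
    for probe in PROBES:
        reply = app(probe)
        if CANARY in reply:
            findings.append({"probe": probe, "issue": "canary_leak"})
        if EMAIL_RE.search(reply):
            findings.append({"probe": probe, "issue": "pii_in_response"})
    return findings


if __name__ == "__main__":
    print("vulnerable:", dynamic_test(vulnerable_app))
    print("hardened:  ", dynamic_test(hardened_app))
```

The canary technique is what makes this a dynamic test rather than a code review: it does not matter how the model or prompt template is built, only whether the running application ever emits the planted value.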

The biggest change that DAST introduces in the AI era is the move from a scanning tool to a security agent. This will impact everyone involved in the development process, from the single developer working on a feature branch to the CISO.

Think of Luke, a developer about to work on new functionality: the DAST agent can identify, at any given point, a running application and autonomously and continuously test it dynamically for vulnerabilities, both new and traditional. After finding issues, it can also interact with the local code generator to fix them, all without the developer ever knowing the issues existed in the first place.

DAST Is a Gamechanger

This is a gamechanger in dynamic testing. Why? Because while previously viewed as a burdensome task completed at the end of a cycle, DAST now enables everything you develop – from a feature branch, to staging, and all the way to production. Combined with the new correlation use case, it can be a powerful agent that accompanies the entire SDLC.  

This also means that the way teams and programs approach DAST will have to adapt as well, and we will cover those aspects in our next set of blogs. Stay tuned! 

AI Agents and Secure Software Engineering
https://checkmarx.com/blog/ai-agents-and-secure-software-engineering/
Mon, 22 Sep 2025 22:05:00 +0000

AI Agents Mark a True Turning Point

Gartner’s latest research points to a major disruption in how software gets built and maintained. Autonomous or agentic AI agents are software entities that can plan, act, and adapt independently, and they are now entering the mainstream. These agents don’t just assist humans. They operate on their own, collaborating with other agents or systems to drive forward tasks across the software development life cycle.

The appeal is clear: software that once took weeks can now be prototyped, tested, and pushed in a matter of days. Agentic AI systems can code, write documentation, generate tests, and even flag bugs or compliance issues. They reduce manual effort and allow engineers to focus on more creative and strategic work.

But there’s a catch.

The same autonomy that speeds up software delivery also introduces new kinds of risk, many of which security leaders have never had to plan for before. Traditional AppSec safeguards no longer offer full coverage when agents are writing, shipping, and learning in real time.

According to Gartner, AI agents represent more than just technical evolution. They signal a structural change in how engineering teams will operate, how business value will be created, and how risks must be managed. The time to get ahead of this shift is now.

Why This Shift Is Happening Now

There are four primary reasons autonomous AI agents are gaining real traction in software engineering:

  1. Generative AI has matured. Within minutes, it can now reliably generate production-grade code, complete test coverage, and create usable documentation.
  2. Cloud scalability allows orchestration. Developers can now deploy and scale multi-agent workflows with minimal infrastructure friction.
  3. Dev tooling is more open and flexible. IDEs, CI/CD systems, and infrastructure-as-code platforms support extensibility through APIs and plugins, making agent integration seamless.
  4. Organizations face pressure to innovate faster with fewer resources. Engineering leaders are under immense strain to deliver more, cut costs, and retain talent in a highly competitive market.

In Gartner’s 2024 Software Engineering Leader survey, over 50% of respondents said they are currently using or actively planning to adopt generative or autonomous AI tools.

The top reasons? Productivity, time-to-market, and team efficiency.

What these numbers reflect is a mindset shift: AI agents are not just “nice to have” tools, they are becoming foundational to how modern development gets done.

Gartner Report

Scale Application Security With AI-Augmented Vulnerability Remediation

“Software engineering teams are increasingly using AI tools to generate code and build software, increasing the risk of security vulnerabilities. Invest in AI-augmented vulnerability remediation tools and practices to lower risk that apply code fixes and updates open-source packages with patched dependencies.”

Download the full Gartner report to explore how AI agents are reshaping software engineering.


From Productivity to Developer Partnership

The promise of AI agents goes beyond time savings. They are also transforming the way developers experience their work.

When repetitive or boilerplate tasks like writing unit tests or managing code formatting are offloaded to agents, developers gain mental space. That space translates into higher creativity, more time for strategic thinking, and fewer interruptions. Teams that adopt agentic workflows report improved morale and stronger technical ownership because developers are no longer bogged down by repetitive work that doesn’t move the business forward.

At the same time, having well-governed agents in place can improve onboarding and collaboration. For instance, new hires can rely on AI agents to flag risks or recommend implementation patterns early, reducing their ramp-up time and enabling better knowledge transfer.

But this only works when the AI is aligned with business goals and secure by design.

Security Must Evolve with Agentic Speed

While AI agents bring immense efficiency, they also introduce new threats, often in places traditional AppSec strategies don’t cover.

Gartner outlines several critical risks that engineering and security leaders must prepare for:

  • Prompt injection: Where agents are manipulated by malicious instructions embedded in input.
  • Data leakage: Where sensitive internal data is unintentionally surfaced through generated output.
  • Supply chain drift: When agents pull unverified packages or dependencies from public registries.
  • Denial-of-wallet: When poorly scoped agent tasks spin out of control and rack up significant compute costs.

The common thread across these threats is the autonomy of the AI agents deployed. Once agents can act independently, security controls must move closer to the source. You can’t afford to catch vulnerabilities only after code reaches staging or production.

Forward-looking organizations are already implementing strategies to close these gaps, like:

  • Real-time scanning inside IDEs: Ensuring insecure code never leaves the developer’s machine.
  • Policy-as-code at every step: Enforcing security rules during merge requests and build pipelines.
  • Agent behavior monitoring: Watching for abnormal activity, model drift, or resource spikes.
  • Secure prompt engineering: Teaching developers how to frame instructions in ways that prevent misuse.
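An added illustration of the “policy-as-code” and “agent behavior monitoring” items above, not code from the Gartner report or from Checkmarx: a small monitor reads constructed agent event logs and raises alerts for two of the risks listed earlier, a dependency pulled from an unapproved registry (supply chain drift) and a task whose cumulative spend exceeds its budget (denial-of-wallet). The event format, field names and policy thresholds are hypothetical; a malformed line is included to show that unparseable events are surfaced rather than silently dropped.

```python
import json
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample: one JSON event per line, as an agent runtime might emit.
SAMPLE_LOG = """\
{"ts":"2025-09-22T10:00:01Z","task":"t-1","agent":"test-writer","action":"add_dependency","package":"pytest","registry":"internal-mirror"}
{"ts":"2025-09-22T10:00:05Z","task":"t-1","agent":"test-writer","action":"add_dependency","package":"leftpad-utils","registry":"pypi.org"}
{"ts":"2025-09-22T10:00:07Z","task":"t-2","agent":"doc-writer","action":"llm_call","cost_usd":0.40}
{"ts":"2025-09-22T10:00:09Z","task":"t-2","agent":"doc-writer","action":"llm_call","cost_usd":0.40}
{"ts":"2025-09-22T10:00:11Z","task":"t-1","agent":"test-writer","action":"llm_call","cost_usd":0.10}
this line is not valid JSON
{"ts":"2025-09-22T10:00:13Z","task":"t-2","agent":"doc-writer","action":"llm_call","cost_usd":0.40}
{"ts":"2025-09-22T10:00:15Z","task":"t-2","agent":"doc-writer","action":"llm_call","cost_usd":0.40}
"""

# Hypothetical policy-as-code document; the thresholds are illustrative.
POLICY = {
    "allowed_registries": {"internal-mirror"},
    "allowed_packages": {"pytest", "requests"},
    "max_cost_per_task_usd": 1.00,
}

Alert = Dict[str, str]


class AgentMonitor:
    """Streams agent events, tracks per-task spend and raises policy alerts."""

    def __init__(self, policy: dict) -> None:
        self.policy = policy
        self.cost_by_task: Dict[str, float] = defaultdict(float)
        self._budget_alerted: Set[str] = set()   # alert once per task
        self.alerts: List[Alert] = []

    def handle(self, line: str) -> None:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            self.alerts.append({"kind": "unparseable_event", "task": "?",
                                "detail": line.strip()[:40]})
            return
        task = ev.get("task", "?")
        if ev.get("action") == "add_dependency":
            self._check_dependency(task, ev)
        elif ev.get("action") == "llm_call":
            self._check_cost(task, float(ev.get("cost_usd", 0)))

    def _check_dependency(self, task: str, ev: dict) -> None:
        # Supply chain drift: package or registry outside the approved set.
        pkg, reg = ev.get("package"), ev.get("registry")
        bad_registry = reg not in self.policy["allowed_registries"]
        bad_package = pkg not in self.policy["allowed_packages"]
        if bad_registry or bad_package:
            self.alerts.append({"kind": "supply_chain_drift", "task": task,
                                "detail": f"{pkg} from {reg} "
                                          f"(registry ok: {not bad_registry}, "
                                          f"package ok: {not bad_package})"})

    def _check_cost(self, task: str, cost: float) -> None:
        # Denial-of-wallet: cumulative spend for one task crosses its budget.
        self.cost_by_task[task] += cost
        limit = self.policy["max_cost_per_task_usd"]
        if self.cost_by_task[task] > limit and task not in self._budget_alerted:
            self._budget_alerted.add(task)
            self.alerts.append({"kind": "denial_of_wallet", "task": task,
                                "detail": f"spent ${self.cost_by_task[task]:.2f} "
                                          f"> budget ${limit:.2f}"})


def evaluate(log_text: str, policy: dict = POLICY) -> AgentMonitor:
    """Feed every non-empty line of a log to a fresh monitor and return it."""
    mon = AgentMonitor(policy)
    for line in log_text.splitlines():
        if line.strip():
            mon.handle(line)
    return mon


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_LOG).alerts:
        print(f"[{alert['kind']}] task={alert['task']}: {alert['detail']}")
```

In a real deployment the monitor would consume the runtime's event stream rather than a string, and the budget alert would be wired to a kill switch for the task; the logic above is the part that does not change.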

Security is no longer a final checkpoint. In the age of agents, it must be a continuous feedback system embedded across the entire life cycle.

The Skills and Mindset Shift That’s Required

Adopting AI agents isn’t only about tooling. It requires a cultural shift in how teams think about software creation, accountability, and risk.

Gartner emphasizes that teams must move from being AI “users” to AI “orchestrators.” This means developers need to understand not just how to prompt an agent, but how to guide, monitor, and evolve it over time. Skills like prompt engineering, human-agent collaboration, and governance modeling are rapidly becoming core competencies.

Checkmarx has seen success where teams invest in structured training, run internal experiments, and build playbooks for secure AI integration. This approach doesn’t just reduce mistakes. It increases developer confidence and improves the organization’s ability to scale AI adoption responsibly.

Psychological safety also plays a key role. Developers must feel empowered to test, fail, and iterate without fear. At the same time, security and compliance teams need to shift from enforcement to enablement, thereby becoming partners in innovation instead of blockers.

Five Strategic Moves to Make This Quarter

If your team is preparing to adopt or already piloting AI agents, here are five critical actions that align with both Gartner guidance and Checkmarx field experience:

1. Pilot a small, low-risk agent use case. Choose a workflow like test generation, documentation, or code linting. Measure the time, effort, and outcomes before and after.

2. Establish security baselines now. Know your current vulnerabilities, dependency maps, and deployment behaviors so you can measure the impact of agentic change.

3. Create a multidisciplinary governance team. Include engineering, AppSec, legal, and platform ops so decisions are informed and balanced.

4. Train developers in secure prompt design. Poorly phrased prompts are one of the most overlooked risk vectors in generative and agentic workflows.

5. Monitor everything agents do and act fast on anomalies. Logging, real-time alerts, and cost tracking are essential for sustainable operations.

These actions will set the foundation for a more secure, scalable adoption path and help you avoid expensive missteps down the road.

Download the Research That Helps You Lead This DevSecOps Shift

AI agents are here. They are reshaping how work gets done, how software is built, and how organizations compete.

Gartner’s latest research offers a practical, executive-ready view of what’s changing, what’s at risk, and what high-performing teams are doing to stay ahead. The frameworks, examples, and timelines inside this report can help you chart a smarter course through the noise.

Download the full Gartner report now and take the next step in building a secure, agent-ready engineering organization.

Why an AI Code Generator Can’t Secure Its Own Code. And Why Checkmarx Assist Can.
https://checkmarx.com/blog/why-ai-code-generators-cant-secure-its-own-code-and-why-checkmarx-assist-can/
Mon, 22 Sep 2025 22:05:00 +0000

The person who writes the code shouldn’t be the one who signs off on its security

As GenAI tools revolutionize how code is written, engineering leaders face a new wave of questions.

  • Is AI-generated code safe?
  • Who’s reviewing what GenAI suggests?
  • Can the tool that generated the code be trusted to validate it?

According to a 2025 IDC report, “vibe coding,” the behavioral pattern in which developers lean on AI assistants, is a catalyst for accepting code with limited scrutiny and prioritizing speed over validation. While GenAI undeniably boosts developer productivity, this shift introduces real security risks. “Developers assemble or accept code with limited scrutiny,” says Katie Norton of IDC.

It’s not just a theory, it’s happening at scale.

| Model | Correct & Secure | Correct Only | % Insecure of Correct |
|---|---|---|---|
| OpenAI g3 | 47.8% | 51.6% | 26.7% |
| Claude 3 Sonnet | 40.7% | 52.1% | 24.1% |
| GPT-4.1 | 41.1% | 55.1% | 25.6% |
| Gemini 1.5 Pro | 33.8% | 60.2% | 21.4% |

Source: https://baxbench.com/, June 2025

The Rise of “Vibe Coding,” and Why It’s a Problem 

IDC’s 2024 Generative AI Developer Study reports that developers using GenAI tools achieve a 35% productivity boost, often matching the output of 3–5 engineers. However, many of those AI-assisted outputs land in the repository unchecked; some are insecure, some noncompliant, and some outright dangerous.
 
This risk is also validated by independent security benchmarks. In tests across multiple large language model developer assistants, up to 70% of AI-generated code was found to be insecure or flawed when evaluated against secure coding baselines (source: BaxBench, June 2025). At the same time, enterprise adoption is accelerating, with analysts projecting that 90% of enterprise engineers will use GenAI tools by 2028. Code volume is exploding, but validation isn’t keeping pace.

Code Generators Aren’t Built to Be Code Reviewers

Tools that generate code excel at accelerating development. They scaffold boilerplate, offer real-time completions, and help developers explore frameworks. But they weren’t built to perform secure code validation.

They don’t:

  • Enforce your AppSec policies
  • Validate against known CVEs or malicious dependencies
  • Assess license compliance
  • Create audit trails or enforce remediation workflows
  • Block risky commits based on code context

Even GitHub makes it clear: Copilot suggests code but doesn’t secure it. Most GenAI tools optimize for speed, not secure validation, policy enforcement, or risk oversight. Even when layered with basic guardrails, they can’t guarantee protection at the scale or specificity required in real-world CI/CD environments.

AI code generation is creative; secure software demands consistency, not improvisation. The recent IDC Report puts it clearly: “As AI becomes part of the development process itself, organizations must adapt their security practices to keep pace with faster and less predictable workflows.” Security can’t be tacked on as an afterthought or handled by the same tool that wrote the code in the first place.

Checkmarx Assist: Agentic AI That Acts, Not Just Suggests

If you want your AppSec to be autonomous and proactive, this is where Checkmarx One Assist comes in. Unlike generative tools that suggest code, Checkmarx Assist is agentic AI built on the Checkmarx One platform, designed to evaluate, enforce, and remediate based on trusted security intelligence and organizational policy.

With Checkmarx Assist, you have:

  • Vulnerability detection directly in the IDE (even before code is committed)
  • Fix suggestions enriched with context and guided explanations
  • Auto-generated, compliant pull requests
  • Security actions aligned to policy, with audit trails and platform-wide oversight

And it’s not just one agent, it’s a family:

  • Developer Assist Agent: Works in the IDE to secure code pre-commit
  • Policy Assist Agent: Applies AppSec rules and gates across the CI/CD pipeline
  • Insights Assist Agent: Surfaces metrics like MTTR, risk posture, and fix rates

These capabilities are built on top of Checkmarx’s proven AppSec engines (SAST, SCA, IaC, and Secrets) and backed by a threat intelligence network that monitors over 400,000 known malicious packages.

Separation of Duties: Still Non-Negotiable in AppSec

You wouldn’t let a developer merge their own PR without a second pair of eyes. You wouldn’t let your accounting team audit their own numbers. If GenAI is the author, it shouldn’t be the reviewer.

Checkmarx Assist gives your team the security partner it needs:

  • A second set of eyes
  • Independent risk detection
  • Policy-enforced action
  • Full coverage across the SDLC

Organizations using Checkmarx Assist report fewer vulnerabilities, higher remediation rates, and improved DORA metrics, such as lead time and change failure rate, without slowing delivery velocity.

Checkmarx One Assist not only remediates security issues like malicious packages and secrets in real time, it also suggests surrounding code fixes to resolve any breaking changes caused by the remediation.

What the Data Tells Us: Real ROI From Risk Reduction

Security is measurable, and the numbers speak volumes.

When teams rely solely on GenAI code assistants, they may accelerate output but miss critical context, governance, and enforcement. The results can be costly. From rework and regression to unpatched vulnerabilities and license violations, the downstream risks add up fast.

That’s why Checkmarx Assist was benchmarked not only for its security precision, but for its impact on real-world development and remediation economics.

Vulnerability Remediation

Engineering teams that rely only on GenAI tools often need to manually review and correct insecure suggestions, which increases time spent and risk exposure. The weekly cost of developer time spent remediating vulnerabilities averages around $375 per developer, and without context-aware validation, 1 in 4 fixes still introduces a security flaw.

With Checkmarx Assist layered in, remediation becomes:

  • Faster, thanks to pre-commit detection in the IDE
  • More accurate, with secure-by-default code fixes aligned to policy
  • Less risky, dropping flaw rates from 25% to 5%

This translates into a risk-adjusted weekly savings of over $200 per developer, while materially improving your mean-time-to-remediate (MTTR).

| Scenario | Weekly Cost (Time) | Security Flaw Risk per Fix | Risk-Adjusted Weekly Cost |
|---|---|---|---|
| Copilot Only | $375 | 25% | $506.25 |
| Copilot + Checkmarx Assist | $270 | 5% | $297.00 |
| Risk-Adjusted Cost | $1,012 | $506 | $297 |

Open Source Package Validation

Open source is foundational – but risky when mismanaged. License compliance violations, known-vulnerable packages, and malicious dependencies are easy to miss when code is accepted without inspection.

Teams using GenAI alone spend more than an hour per evaluation, often still missing critical red flags. The cost: up to $337.50 per developer, per week in risk-adjusted impact.

| Scenario | Without AI | GenAI Only | GenAI + Checkmarx Assist |
|---|---|---|---|
| Time per evaluation | 1.5 hrs | 1.25 hrs | 0.5 hrs |
| License risk | 15% | 15% | 5% |
| Malicious package risk | 20% | 20% | 5% |
| Risk-adjusted weekly cost | $405 | $337.50 | $110.00 |

Close the Gap. Don’t Just Hope for the Best.

If your GenAI tool is the racecar, Checkmarx Assist is the seatbelt, speedometer, and crash test validation, all built in. The result is a 67% reduction in risk-adjusted cost, along with stronger coverage and less manual overhead. These gains aren’t just productivity-based, they’re risk-adjusted cost reductions that reflect fewer vulnerabilities, faster fixes, and fewer post-deployment fire drills.

Book a demo of Checkmarx Assist today and see how agentic AI gives your AppSec program the visibility, control, and automation it needs to stay ahead. In an era of vibe coding and machine-speed development, your security tooling can’t afford to watch from the sidelines. Empower it to act.

If your developers generate code with AI, consult a Checkmarx expert.


2023: A Year in Review
https://checkmarx.com/blog/2023-a-year-in-review/
Thu, 21 Dec 2023 12:00:00 +0000

2023 was an amazing year from an application security point of view. We saw the emergence of GenAI, the importance of ASPM, along with a series of new attacks that targeted the wider software supply-chain. At Checkmarx, we also had an incredible year – from a Platform launch, to a ChatGPT plug-in, and ground-breaking security research.

Let’s take a look back at the highlights from the past 365 days.

Application Risk Management powered by Fusion 2.0 

The biggest challenge in security today, and specifically in application security, is the noise. Also known as “alert fatigue” or simply, “I have too many vulnerabilities – where do I start?” Development teams can get overwhelmed with the number of alerts they get, and often don’t have the ability to quickly discern which ones are the most critical. Enterprises already ship vulnerable code to production, so the challenge isn’t about fixing everything, it’s fixing what matters most to the business.

We launched Application Risk Management as an answer to exactly that. Powered by Fusion 2.0, it allows enterprises to get a prioritized list of vulnerabilities, so they know where to start remediating. It also provides a risk indicator per application, so management will be able to assess and manage the risk of each application.

Codebashing 2.0 with Security Champions

Over the last couple of years we have truly seen how valuable developers are to effective application security. One way to help drive adoption across enterprises is a security champion program that includes robust security education specifically for developers. Codebashing 2.0 was built with developers in mind. It brings a fresh look and feel, packaged with gamification to appeal to the competitive nature of developers, and the ability to train and certify anyone in the organization as a certified security champion.

CheckAI

With the introduction of ChatGPT in early 2023, everyone has been talking about GenAI. Developers use it to generate code, designers use it to create new graphics, and my mother uses it to get travel recommendations. It’s truly life-changing technology. As with many ground-breaking technologies, the risks are yet to be fully realized. As GenAI solutions started to rapidly spread through the industry, we started to see new types of attacks that utilize GenAI: everything from prompt injections to hallucinations to malicious LLMs. This is why we introduced CheckAI, the industry’s first and only GPT plugin to scan GenAI-generated code and protect against AI hallucination attacks. And we are just getting started here! Expect much more in 2024.

A new supply-chain module in Checkmarx One

Checkmarx was the first vendor to include malicious package detection as part of our SCA solution in 2022. Checkmarx now has the largest malicious packages database in the market, with over 8 million analyzed packages and over 250K malicious packages identified. However, the software supply-chain has much more to pay attention to than just malicious packages. Protecting the entire software supply-chain includes everything in your development process: your CI/CD plugins and configurations, your compilers and, yes, your open-source packages. As part of Checkmarx One 3.0, we introduced a new module dedicated to the wider software supply-chain. Our goal is to help enterprises protect their entire software supply-chain. We introduced 2 new engines: enterprise secrets detection (which utilizes 2MS) and repo health (which utilizes the OSSF Scorecard), and we will continue to add more coverage throughout 2024.

Checkmarx One 3.0

Probably the biggest launch of the year for us, Checkmarx One 3.0 marks 2 years of investment into our Checkmarx One platform. With close to 500 enterprise customers already using it, and over 100B LOC being scanned every month, it’s the enterprise application security platform every enterprise needs. With over 660 new capabilities introduced in 2023 and 8 solutions already on the platform, it was a remarkable release. The launch drew over 1,500 registrants and was broadcast around the globe to our customers, prospects, partners and analysts.

Stay tuned to what is yet to come in 2024 and in version 4.0!

Top 5 IaC Misconfigurations You Should Avoid
https://checkmarx.com/blog/top-5-iac-misconfigurations-you-should-avoid/
Mon, 20 Dec 2021 11:37:40 +0000

Famed driver Mario Andretti once said,

“If everything seems under control, you’re not going fast enough.”

With the recent rise in cloud-native technologies, everything is going faster than ever. Development cycles are shorter than before, and teams are deploying to production continuously. Business demands and time-to-market are the main drivers in the need for speed, and as development teams try to keep up, the risks are much higher since a simple change can reach your entire customer base within minutes.

One of those cloud-native technologies is Infrastructure-as-Code (IaC), which automates the entire process of provisioning and deploying your infrastructure at the speed of DevOps. Besides the known benefits, this presents major risks to your applications and underlying infrastructure. It means that a single change in your IaC will reach production in a matter of minutes and can expose you to new attack vectors as well.

Based on recent research, done by analyzing a vast number of KICS scans, here are the top IaC misconfigurations you should be aware of.

Top 5 Misconfigurations

  1. Open ports – open TCP/UDP ports remain the top misconfiguration to date. Those include HTTP ports, SSH ports, ELB ports, or any other unnecessary ports. The best example to give here is SSH (port 22), which is usually used for remote debugging and is notorious for being left open for no good reason. Probing open ports is probably the first step of every attacker’s TTPs. We also know that attackers use bots to scan for open ports, and once they find an open one, they simply brute force the password and often gain access to servers and other devices. Make sure you leave unnecessary ports closed, or have a good reason for why they may be open.
  2. Excessive permissions – as previously written in this blog, providing a cloud resource with the wrong permissions can create exactly the attack surface attackers are hoping for. If an S3 bucket is configured with overly broad read permissions, attackers can probe the bucket looking for unprotected content and gain access to private information. Make sure you understand what least-privilege permissions your cloud resources need, and don’t leave anything to chance.
  3. Lack of proper definitions – this affects observability (e.g., lack of proper logging), encryption (e.g., S3 objects without server-side encryption), or anything in between. Make sure you understand which resource requires which property, and make sure they are configured correctly in all cases.
  4. Hard-coded secrets (in your IaC) – while not limited to IaC, this remains a top challenge for all code (application source code as well). Once exposed, attackers can leverage the keys to obtain sensitive information, shut down services, or create whatever resources they need.
  5. IaC security drift – we have all been there: we work perfectly through the process, our pipelines are all green, then something happens in production and we must make a “small” change. Those small changes can introduce huge risk to your environment, and you should not make them directly but through code. Using drift detection tools (e.g., Terraformer or Driffty), you can get a static file which represents your current production environment, then scan it with KICS to make sure you didn’t introduce any new risk.
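To make the first four items concrete, here is an added example that is not KICS itself (KICS queries are written in Rego) and not Checkmarx code: a small checker that reads a constructed Terraform JSON-syntax configuration and reports world-open ingress rules, public S3 ACLs, buckets without a server-side encryption block, and literal credentials. Item 5 is a process rather than a static check, but the same checker could be pointed at the file a drift-detection tool exports. Resource names, the fake access key and the secret value are all made up.

```python
import json
import re
from collections import Counter
from typing import Any, Dict, Iterator, List, Tuple

# Constructed Terraform JSON-syntax (tf.json) sample. Resource names and values
# are hypothetical; the access key is a fake, non-functional example value.
SAMPLE_TF_JSON = r'''
{
  "provider": {
    "aws": {
      "region": "us-east-1",
      "access_key": "AKIAEXAMPLEEXAMPLE00",
      "secret_key": "example-not-a-real-secret"
    }
  },
  "resource": {
    "aws_security_group": {
      "debug_sg": {
        "ingress": [
          {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
          {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]}
        ]
      }
    },
    "aws_s3_bucket": {
      "public_logs": {"bucket": "example-logs", "acl": "public-read"},
      "private_data": {
        "bucket": "example-data",
        "acl": "private",
        "server_side_encryption_configuration": {"rule": {}}
      }
    }
  }
}
'''

Finding = Dict[str, str]
ANY_ADDR = ("0.0.0.0/0", "::/0")
PUBLIC_ACLS = ("public-read", "public-read-write")
AWS_ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_ATTRS = ("secret_key", "password", "token", "secret")


def _as_list(v: Any) -> List[Any]:
    return v if isinstance(v, list) else [v]


def check_open_ports(cfg: Dict[str, Any]) -> List[Finding]:
    """Item 1: ingress rules reachable from any address."""
    out: List[Finding] = []
    for name, sg in cfg.get("resource", {}).get("aws_security_group", {}).items():
        for rule in _as_list(sg.get("ingress", [])):
            if any(c in ANY_ADDR for c in rule.get("cidr_blocks", [])):
                out.append({"check": "open_port", "resource": f"aws_security_group.{name}",
                            "detail": f"ports {rule.get('from_port')}-{rule.get('to_port')} open to the world"})
    return out


def check_s3_buckets(cfg: Dict[str, Any]) -> List[Finding]:
    """Items 2 and 3: public ACLs and missing server-side encryption."""
    out: List[Finding] = []
    for name, bucket in cfg.get("resource", {}).get("aws_s3_bucket", {}).items():
        res = f"aws_s3_bucket.{name}"
        if bucket.get("acl") in PUBLIC_ACLS:
            out.append({"check": "excessive_permissions", "resource": res,
                        "detail": f"acl={bucket['acl']}"})
        if "server_side_encryption_configuration" not in bucket:
            out.append({"check": "missing_encryption", "resource": res,
                        "detail": "no server-side encryption block"})
    return out


def _walk(node: Any, path: str = "") -> Iterator[Tuple[str, str, str]]:
    """Yield (path, attribute, value) for every string attribute in the tree."""
    if isinstance(node, dict):
        for k, v in node.items():
            if isinstance(v, str):
                yield path, k, v
            else:
                yield from _walk(v, f"{path}.{k}" if path else k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            if isinstance(v, str):
                yield path, f"[{i}]", v
            else:
                yield from _walk(v, f"{path}[{i}]")


def check_hardcoded_secrets(cfg: Dict[str, Any]) -> List[Finding]:
    """Item 4: literal credentials anywhere in the configuration."""
    out: List[Finding] = []
    for path, key, value in _walk(cfg):
        is_literal = not value.startswith("${")   # "${var.x}" is a reference, not a literal
        if AWS_ACCESS_KEY_RE.search(value) or (key in SECRET_ATTRS and is_literal):
            out.append({"check": "hardcoded_secret", "resource": path,
                        "detail": f"attribute {key!r} holds a literal credential"})
    return out


def run_checks(tf_json_text: str) -> List[Finding]:
    cfg = json.loads(tf_json_text)
    return check_open_ports(cfg) + check_s3_buckets(cfg) + check_hardcoded_secrets(cfg)


def summarize(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(f["check"] for f in findings))


if __name__ == "__main__":
    for f in run_checks(SAMPLE_TF_JSON):
        print(f"[{f['check']}] {f['resource']}: {f['detail']}")
```

The secrets walker deliberately skips values that begin with `${`, the Terraform interpolation syntax, so that a reference such as `${var.db_password}` is not reported; only literal strings are flagged.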

Leveraging Infrastructure-as-Code is a critical part of achieving true infrastructure agility, but you should be aware of all the risks. Running fast is important, but don’t become blind to what may surface from errors and omissions. Be aware of the potential misconfigurations listed above and make sure you tackle them from the very beginning.

If you want to automate your IaC security scanning – you can easily integrate KICS into your pipeline and make sure you are appropriately managing your IaC risks.

More about KICS

KICS finds security vulnerabilities, compliance issues, and infrastructure misconfigurations in popular IaC solutions and OpenAPI 3.0 specifications. KICS is open-source and always will be. Both the scanning engine and the security queries are clear and open to the software development community. With 2000+ fully customizable and adjustable heuristic rules, or queries, KICS can be easily edited, extended, and added to. What’s more, our robust but simple architecture allows for support of new IaC solutions.

Almost 500,000 people are already taking advantage of KICS. Download KICS for free here and start securing your IaC today!
