Picture this: you ask an AI to write a novel and it can deliver it in under an hour. And that’s really impressive – until you read it closely. The plot drifts, key details contradict each other, some ideas vanish halfway through, while others appear out of nowhere. Now imagine handing that novel to a meticulous editor whose only job is to find every flaw. You’re in trouble.

That’s the analogy Checkmarx CEO Sandeep Johri used in his recent conversation with the New York Stock Exchange (NYSE), and it captures what’s happening to modern codebases. AI is accelerating software creation at a staggering pace, but it’s also introducing inconsistencies, blind spots, and unintended behavior just as quickly. And unlike a novel, your code doesn’t get a friendly editor; it gets attackers actively searching for those gaps.

According to Johri, the volume of AI-generated code is growing faster than the security programs designed to protect it. The result is that developers are no longer just building software, they’re also responsible for securing a much larger and more complex codebase. And the stakes are rising. With systems like Anthropic’s Claude Mythos reportedly capable of autonomously discovering and exploiting vulnerabilities at unprecedented speed and scale, the imbalance is only getting worse. The question isn’t whether your code has gaps; it’s whether your security can keep up with how fast they’re being created and how quickly someone else can find them.

More Code, More Risk

Johri’s core point is straightforward: AI coding agents are producing more code – and more vulnerabilities. In fact, AI-generated code can contain two to three times the density of vulnerabilities compared to code written solely by humans, and the overall volume is growing fast. Before AI, developers had a deep understanding of the code they wrote. Now, a single prompt can generate hundreds of lines instantly.
The code works, but the context behind it – the decisions, trade-offs, and potential risks – is often missing.

Open source adds another layer. Roughly 70% of a typical enterprise application is made up of open-source components. Developers rely on it to move quickly, trusting that the code has been properly maintained and secured upstream. Sometimes that trust is well placed, but other times vulnerabilities or malicious code slip through.

The result is a growing backlog of risk. According to Checkmarx’s Future of Application Security report, 81% of organizations knowingly ship software with vulnerabilities they’ve already identified. These aren’t unknown threats or zero-days; they’re known issues that get deprioritized in favor of speed.

Developers Are in the Crosshairs

Developers are at the center of this problem because that’s where code begins. But most developers aren’t security experts – and they shouldn’t have to be. Their job is to build the functionality the business needs, and to build it fast. Security has historically been a separate discipline, applied after the fact by a completely different team. But in the age of AI, later is simply too late.

What’s changed is the level of exposure. Developers aren’t just introducing risk; they’re being directly targeted. Attackers go after their package registries, plant malicious open-source dependencies, and compromise their credentials to gain access to codebases. The developer’s entire workflow – the IDE, the coding assistant, the dependencies – has become the attack surface.

Anthropic’s Claude Mythos makes this shift even harder to ignore. When Mythos found a 27-year-old bug in OpenBSD and catalogued vulnerabilities across major open-source dependencies, it wasn’t finding anything new. Those vulnerabilities were already there, sitting in production systems that developers had built on top of for years.
What Mythos demonstrated is that finding and exploiting them is now fast, automatic, and cheap – roughly $1 per exploit in 10 to 15 minutes with no specialized expertise required. And the vulnerabilities that developers unknowingly ship won’t sit idle anymore. With AI, the window between disclosure and active exploitation has shrunk, from roughly 840 days in 2018 to about 1.6 days today.

AI Is Also Creating New Threats

AI development isn’t just introducing more vulnerabilities; it’s also introducing entirely new kinds of risk. Coding assistants can hallucinate package names that don’t exist, and attackers are already registering those names to turn a simple mistake into a malicious dependency. Applications that pass user input into LLMs are now exposed to prompt injection, an entirely new attack vector with no real equivalent in traditional software. And as development becomes more agent-driven, with AI systems taking actions through MCP servers, the attack surface is expanding beyond what conventional security tools were designed to handle.

Some coding tools are starting to layer in security features, but as Johri points out, they don’t do it as exhaustively or with the full enterprise context of purpose-built AppSec platforms – and that includes Claude Code Security. As AI-driven development accelerates, closing this gap will require security tools built specifically for how software is being created today, not how it was built in the pre-AI era.

Security Has To Become Agentic Too

Johri’s conclusion is simple: application security needs to become agentic. The human-in-the-loop model that’s worked until now can’t keep pace with the velocity of AI-generated code. Agents generating code need security tools that can be called automatically, integrated into the pipeline, and capable of acting on what they find rather than just flagging it for someone to review later.
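A deterministic pre-install gate for the hallucinated-package risk described earlier, and the kind of automatable pipeline check the section above calls for, as an added example that is not Checkmarx’s code: it parses a requirements file and flags every name absent from an approved index, separating near-misses of real packages (likely typosquats) from names that resemble nothing (likely hallucinations). The index and the requirements text are constructed for the example; a real gate would consult the registry or an internal allowlist.

```python
import re
from difflib import SequenceMatcher

# Constructed stand-in for a registry index / approved-package list.
# A real check would query the registry or the organisation's allowlist.
KNOWN_PACKAGES = {"requests", "numpy", "pyyaml", "cryptography", "flask"}

# Constructed sample of what a coding assistant might emit: three real names,
# one typo of a real name, and one plausible-sounding name that does not exist.
SAMPLE_REQUIREMENTS = """\
requests>=2.31
numpy==1.26.4
PyYAML
requestz>=2.0        # one letter off a real package
flask-ai-agent-tools # invented name, nothing like it in the index
"""

def normalize(name: str) -> str:
    """PEP 503 name normalisation: lower-case, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirements(text: str) -> list:
    """Return the bare project names from requirements.txt-style text."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line or line.startswith("-"):    # skip blanks and pip options
            continue
        match = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if match:
            names.append(match.group(1))
    return names

def check_requirements(text: str, known=KNOWN_PACKAGES, threshold=0.8) -> list:
    """Return (raw_name, reason) for each dependency missing from the known set."""
    findings = []
    for raw in parse_requirements(text):
        name = normalize(raw)
        if name in known:
            continue
        # Closest known name by similarity ratio; near-misses suggest typosquats.
        best, score = max(
            ((k, SequenceMatcher(None, name, k).ratio()) for k in known),
            key=lambda pair: pair[1],
        )
        if score >= threshold:
            findings.append((raw, f"unknown; resembles '{best}' (possible typosquat)"))
        else:
            findings.append((raw, "unknown; not in index (possible hallucinated name)"))
    return findings
```

Wire `check_requirements` into the install step so a non-empty result fails the build before `pip install` runs.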
That urgency is reinforced by developments like Anthropic’s Project Glasswing, a coalition of 40+ technology organizations built around using Mythos defensively. It’s a clear signal that the industry sees what’s coming – but a coalition isn’t the same thing as a security program.

What’s really needed in this new age is a hybrid approach that combines AI’s speed and scale with deterministic analysis that doesn’t hallucinate. On its own, AI scanning produces findings that erode trust: it will flag an exception that is already caught upstream, or describe a race condition in single-threaded code. Without a rules-based SAST, SCA, and IaC layer to validate what the AI finds, you’re just generating noise at scale.

And timing is just as important. Security has to begin at the moment code is created, while context still exists. In AI-driven development, even a short delay means that context is gone. And when vulnerabilities are found later, developers have to revisit code they’ve already moved past and no longer have the context for – and that retrace slows everything down and increases the chance risk will slip through.

Keeping Up With the Code

The takeaway here is that AI is accelerating how code is written, but security isn’t keeping up. More code, less context, and faster exploitation are all converging at once – and with the recent Mythos announcement, that gap is widening. The good news is that slowing down development isn’t the answer. The path forward is bringing security into the same flow as development: integrated, automated, and able to keep pace with how code is created. That’s where agentic application security comes in. It needs to move beyond detection to help developers understand, prioritize, and remediate issues in real time, without adding friction or noise. Watch the full interview here, or learn more about how Checkmarx One is tackling this with Developer Assist, Triage Assist, and Remediation Assist.