{"id":108738,"date":"2026-05-14T08:57:37","date_gmt":"2026-05-14T06:57:37","guid":{"rendered":"https:\/\/staging.checkmarx.com\/?p=108738"},"modified":"2026-05-14T08:57:39","modified_gmt":"2026-05-14T06:57:39","slug":"somethings-wrong-with-your-code-and-attackers-know-it","status":"publish","type":"post","link":"https:\/\/checkmarx.com\/blog\/somethings-wrong-with-your-code-and-attackers-know-it\/","title":{"rendered":"Something\u2019s Wrong With Your Code. And Attackers Know It."},"content":{"rendered":"<p>Picture this: you ask an AI to write a novel and it can deliver it in under an hour. And that\u2019s really impressive \u2013 until you read it closely. The plot drifts, key details contradict each other, some ideas vanish halfway through, while others appear out of nowhere.<\/p>\n\n\n\n<p>Now imagine handing that novel to a meticulous editor whose only job is to find every flaw. You\u2019re in trouble.<\/p>\n\n\n\n<p>That\u2019s the analogy <a href=\"https:\/\/www.youtube.com\/watch?v=_O1VTfWu8Xo\">Checkmarx CEO Sandeep Johri used in his recent conversation with the New York Stock Exchange (NYSE)<\/a>, and it captures what&#8217;s happening to modern codebases. AI is accelerating software creation at a staggering pace, but it\u2019s also introducing inconsistencies, blind spots, and unintended behavior just as quickly. And unlike a novel, your code doesn\u2019t get a friendly editor; it gets attackers actively searching for those gaps.<\/p>\n\n\n\n<p>According to Johri, the volume of AI-generated code is growing faster than the security programs designed to protect it. 
The result is that developers are no longer just building software, they\u2019re also responsible for securing a much larger and more complex codebase.<\/p>\n\n\n\n<p>And the stakes are rising.<\/p>\n\n\n\n<p>With systems like <a href=\"https:\/\/checkmarx.com\/blog\/checkmarx-application-security-guide-to-claude-mythos\/\">Anthropic\u2019s Claude Mythos<\/a> reportedly capable of autonomously discovering and exploiting vulnerabilities at unprecedented speed and scale, the imbalance is only getting worse.<\/p>\n\n\n\n<p>The question isn\u2019t whether your code has gaps; it\u2019s whether your security can keep up with how fast they\u2019re being created and how quickly someone else can find them.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-1\">More\u00a0Code,\u00a0More\u00a0Risk\u00a0<\/h2>\n\n\n\n<p>Johri\u2019s core point is straightforward: AI coding agents are producing more code \u2013 and more vulnerabilities. In fact, AI-generated code can contain two to three times the density of vulnerabilities compared to code written solely by humans, and the overall volume is growing fast.<\/p>\n\n\n\n<p>Before AI, developers had a deep understanding of the code they wrote. Now, a single prompt can generate hundreds of lines instantly. The code works, but the context behind it \u2013 the decisions, trade-offs, and potential risks \u2013 is often missing.<\/p>\n\n\n\n<p>Open source adds another layer. <strong>Roughly 70% of a typical enterprise application is made up of open-source components<\/strong>. Developers rely on it to move quickly, trusting that the code has been properly maintained and secured upstream. Sometimes that trust is well placed, but other times vulnerabilities or malicious code slip through.<\/p>\n\n\n\n<p>The result is a growing backlog of risk. 
According to <a href=\"https:\/\/checkmarx.com\/report-future-of-appsec-2025\/\">Checkmarx\u2019s Future of Application Security report<\/a>, <strong>81% of organizations knowingly ship software with vulnerabilities they\u2019ve already identified<\/strong>. These aren\u2019t unknown threats or zero-days, they\u2019re known issues that get deprioritized in favor of speed.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-2\">Developers Are in the Crosshairs<\/h2>\n\n\n\n<p>Developers are at the center of this problem because that\u2019s where code begins. But most developers aren\u2019t security experts \u2013 and they shouldn\u2019t have to be. Their job and discipline is to build the functionality the business needs, and to build it fast. Security has historically been a separate discipline, applied after the fact, by a completely different team. But in the age of AI, later is really just too late.<\/p>\n\n\n\n<p>What\u2019s changed is the level of exposure. Because now developers aren\u2019t just introducing risk, they\u2019re being directly targeted. Attackers go after their package registries, plant malicious open-source dependencies, and compromise their credentials to gain access to codebases. The developer\u2019s entire workflow \u2013 the IDE, the coding assistant, the dependencies \u2013 has become the attack surface.<\/p>\n\n\n\n<p><a href=\"https:\/\/checkmarx.com\/blog\/checkmarx-application-security-guide-to-claude-mythos\/\">Anthropic\u2019s Claude Mythos<\/a> makes this shift even harder to ignore. When Mythos found a 27-year-old bug in OpenBSD and catalogued vulnerabilities across major open-source dependencies, it wasn\u2019t finding anything new. Those vulnerabilities were already there, sitting in production systems that developers had built on top of for years. 
What Mythos demonstrated is that finding and exploiting them is now fast, automatic, and cheap \u2013 <strong>roughly $1 per exploit in 10 to 15 minutes with no specialized expertise required.<\/strong><\/p>\n\n\n\n<p>And these vulnerabilities that developers unknowingly ship won\u2019t sit idle anymore. With AI, the window between disclosure and active exploitation has shrunk from roughly <strong>840 days in 2018 to about 1.6 days today<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img decoding=\"async\" width=\"922\" height=\"582\" src=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/image-3.png\" alt=\"\" class=\"wp-image-108779\" style=\"aspect-ratio:1.584205097981435;width:699px;height:auto\" srcset=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/image-3.png 922w, https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/image-3-300x189.png 300w, https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/image-3-768x485.png 768w, https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/image-3-400x252.png 400w\" sizes=\"(max-width: 922px) 100vw, 922px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-3\">AI Is Also Creating New Threats<\/h2>\n\n\n\n<p>AI development isn\u2019t just introducing more vulnerabilities; it\u2019s also introducing entirely new kinds of risk.<\/p>\n\n\n\n<p>Coding assistants can hallucinate package names that don\u2019t exist, and attackers are already registering those names to turn a simple mistake into a malicious dependency. Applications that pass user input into LLMs are now exposed to prompt injection, an entirely new attack vector with no real equivalent in traditional software. 
And as development becomes more agent-driven, with AI systems taking actions through MCP servers, the attack surface is expanding beyond what conventional security tools were designed to handle.<\/p>\n\n\n\n<p>Some coding tools are starting to layer in security features, but as Johri points out, they don\u2019t do it as exhaustively or with the full enterprise context of purpose-built AppSec platforms \u2013 and that includes Claude Code Security.<\/p>\n\n\n\n<p>As AI-driven development accelerates, closing this gap will require security tools built specifically for how software is being created today, not how it was built in the pre-AI era.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-4\">Security Has To Become Agentic Too<\/h2>\n\n\n\n<p>Johri\u2019s conclusion is simple: application security needs to become agentic. The human-in-the-loop model that\u2019s worked until now can\u2019t keep pace with the velocity of AI-generated code. Agents generating code need security tools that can be called automatically, integrated into the pipeline, and capable of acting on what they find rather than just flagging it for someone to review later.<\/p>\n\n\n\n<p>That urgency is reinforced by developments like Anthropic\u2019s Project Glasswing, a coalition of 40+ technology organizations built around using Mythos defensively. It\u2019s a clear signal that the industry sees what\u2019s coming \u2013 but a coalition isn\u2019t the same thing as a security program.<\/p>\n\n\n\n<p>What\u2019s really needed in this new age is a hybrid approach that combines AI\u2019s speed and scale with deterministic analysis that doesn\u2019t hallucinate. On its own, AI scanning produces findings that erode trust: it will flag an exception already caught upstream or describe a race condition in single-threaded code. 
Without a rules-based SAST, SCA, and IaC layer to validate what the AI finds, you\u2019re just generating noise at scale.<\/p>\n\n\n\n<p>And timing is just as important. Security has to begin at the moment code is created, while context still exists. In AI-driven development, even a short delay means that context is gone. And when vulnerabilities are found later, developers have to revisit code they\u2019ve already moved past and no longer have the context for \u2013 and that retrace slows everything down and increases the chance risk will slip through.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-5\">Keeping Up With the Code<\/h2>\n\n\n\n<p>The takeaway here is that AI is accelerating how code is written, but security isn\u2019t keeping up. More code, less context, and faster exploitation are all converging at once \u2013 and with the recent Mythos announcement, that gap is widening.<\/p>\n\n\n\n<p>The good news is that slowing down development isn\u2019t the answer. The path forward is bringing security into the same flow as development for a more seamless experience: integrated, automated, and able to keep pace with how code is created.<\/p>\n\n\n\n<p>That\u2019s where agentic application security comes in. 
It needs to move beyond detection to help developers understand, prioritize, and remediate issues in real time, without adding friction or noise.<\/p>\n\n\n\n<p>Watch the full interview <a href=\"https:\/\/www.youtube.com\/watch?v=_O1VTfWu8Xo\">here<\/a>, or learn more about how <a href=\"https:\/\/checkmarx.com\/product\/checkmarx-one-assist\/\">Checkmarx One<\/a> is tackling this with <a href=\"https:\/\/checkmarx.com\/product\/developer-assist\/\">Developer Assist<\/a>, <a href=\"https:\/\/checkmarx.com\/product\/triage-and-remediation\/\">Triage Assist<\/a>, and <a href=\"https:\/\/checkmarx.com\/product\/triage-and-remediation\/\">Remediation Assist<\/a>.<\/p>\n\n\n<section class=\"dark-theme section-video light-theme-2\">\n    <div class=\"main-wrapper section-video__wrapper\">\n        <div class=\"left\">\n\t\t\t        <\/div>\n        <div class=\"right\">\n            <div class=\"video-container\">\n                <div class=\"show-video\">\n\t\t\t\t\t\t\t\t\t<iframe src=\"https:\/\/www.youtube.com\/embed\/_O1VTfWu8Xo?autoplay=1&#038;enablejsapi=1\" title=\"YouTube video player\" frameborder=\"0\" allow=\"autoplay\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>                <\/div>\n            <\/div>\n        <\/div>\n    <\/div>\n<\/section>","protected":false},"excerpt":{"rendered":"<p>Checkmarx CEO Sandeep Johri shares insights from a recent conversation with the New York Stock Exchange (NYSE) on how AI is reshaping modern 
codebases.<\/p>\n","protected":false},"author":11,"featured_media":108780,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":true,"footnotes":""},"categories":[85,84],"tags":[1272,142,87,395,403],"class_list":["post-108738","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-application-security-trends","category-blog","tag-agentic-ai","tag-application-security-testing","tag-appsec","tag-awareness","tag-leadership"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.1.1 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Something\u2019s Wrong With Your Code. And Attackers Know It.<\/title>\n<meta name=\"description\" content=\"AppSec needs to move beyond detection to help developers prioritize and remediate issues in real time, without adding friction or noise.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/checkmarx.com\/blog\/somethings-wrong-with-your-code-and-attackers-know-it\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Something\u2019s Wrong With Your Code. 
And Attackers Know It.\" \/>\n<meta property=\"og:description\" content=\"AppSec needs to move beyond detection to help developers prioritize and remediate issues in real time, without adding friction or noise.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/checkmarx.com\/blog\/somethings-wrong-with-your-code-and-attackers-know-it\/\" \/>\n<meta property=\"og:site_name\" content=\"Checkmarx\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\" \/>\n<meta property=\"article:published_time\" content=\"2026-05-14T06:57:37+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-05-14T06:57:39+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/Copy-of-Blog-Banner-1-_5_-1024x512.webp\" \/>\n\t<meta property=\"og:image:width\" content=\"1024\" \/>\n\t<meta property=\"og:image:height\" content=\"512\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/webp\" \/>\n<meta name=\"author\" content=\"Checkmarx Team\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@checkmarx\" \/>\n<meta name=\"twitter:site\" content=\"@checkmarx\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Checkmarx Team\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/checkmarx.com\/blog\/somethings-wrong-with-your-code-and-attackers-know-it\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/checkmarx.com\/blog\/somethings-wrong-with-your-code-and-attackers-know-it\/\"},\"author\":{\"name\":\"Checkmarx Team\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/person\/25482b0b490209da942049e2c8b0d3aa\"},\"headline\":\"Something\u2019s Wrong With Your Code. And Attackers Know It.\",\"datePublished\":\"2026-05-14T06:57:37+00:00\",\"dateModified\":\"2026-05-14T06:57:39+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/checkmarx.com\/blog\/somethings-wrong-with-your-code-and-attackers-know-it\/\"},\"wordCount\":1246,\"publisher\":{\"@id\":\"https:\/\/checkmarx.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/blog\/somethings-wrong-with-your-code-and-attackers-know-it\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/Copy-of-Blog-Banner-1-_5_.webp\",\"keywords\":[\"Agentic AI\",\"Application Security Testing\",\"AppSec\",\"Awareness\",\"Leadership\"],\"articleSection\":[\"Application Security Trends &amp; Insights\",\"Blog\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/checkmarx.com\/blog\/somethings-wrong-with-your-code-and-attackers-know-it\/\",\"url\":\"https:\/\/checkmarx.com\/blog\/somethings-wrong-with-your-code-and-attackers-know-it\/\",\"name\":\"Something\u2019s Wrong With Your Code. 
And Attackers Know It.\",\"isPartOf\":{\"@id\":\"https:\/\/checkmarx.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/checkmarx.com\/blog\/somethings-wrong-with-your-code-and-attackers-know-it\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/blog\/somethings-wrong-with-your-code-and-attackers-know-it\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/Copy-of-Blog-Banner-1-_5_.webp\",\"datePublished\":\"2026-05-14T06:57:37+00:00\",\"dateModified\":\"2026-05-14T06:57:39+00:00\",\"description\":\"AppSec needs to move beyond detection to help developers prioritize and remediate issues in real time, without adding friction or noise.\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/checkmarx.com\/blog\/somethings-wrong-with-your-code-and-attackers-know-it\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/blog\/somethings-wrong-with-your-code-and-attackers-know-it\/#primaryimage\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/Copy-of-Blog-Banner-1-_5_.webp\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/Copy-of-Blog-Banner-1-_5_.webp\",\"width\":2560,\"height\":1280,\"caption\":\"AI risk and modern code\"},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/checkmarx.com\/#website\",\"url\":\"https:\/\/checkmarx.com\/\",\"name\":\"Checkmarx\",\"description\":\"The world runs on code. 
We secure it.\",\"publisher\":{\"@id\":\"https:\/\/checkmarx.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/checkmarx.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/checkmarx.com\/#organization\",\"name\":\"Checkmarx\",\"url\":\"https:\/\/checkmarx.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"width\":1,\"height\":1,\"caption\":\"Checkmarx\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\",\"https:\/\/x.com\/checkmarx\",\"https:\/\/www.youtube.com\/user\/CheckmarxResearchLab\",\"https:\/\/www.linkedin.com\/company\/checkmarx\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/person\/25482b0b490209da942049e2c8b0d3aa\",\"name\":\"Checkmarx Team\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/06\/cropped-cx_favicon-150x150.webp\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/06\/cropped-cx_favicon-150x150.webp\",\"caption\":\"Checkmarx Team\"},\"url\":\"https:\/\/checkmarx.com\/author\/checkmarx-team\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Something\u2019s Wrong With Your Code. 
And Attackers Know It.","description":"AppSec needs to move beyond detection to help developers prioritize and remediate issues in real time, without adding friction or noise.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/checkmarx.com\/blog\/somethings-wrong-with-your-code-and-attackers-know-it\/","og_locale":"en_US","og_type":"article","og_title":"Something\u2019s Wrong With Your Code. And Attackers Know It.","og_description":"AppSec needs to move beyond detection to help developers prioritize and remediate issues in real time, without adding friction or noise.","og_url":"https:\/\/checkmarx.com\/blog\/somethings-wrong-with-your-code-and-attackers-know-it\/","og_site_name":"Checkmarx","article_publisher":"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis","article_published_time":"2026-05-14T06:57:37+00:00","article_modified_time":"2026-05-14T06:57:39+00:00","og_image":[{"width":1024,"height":512,"url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/Copy-of-Blog-Banner-1-_5_-1024x512.webp","type":"image\/webp"}],"author":"Checkmarx Team","twitter_card":"summary_large_image","twitter_creator":"@checkmarx","twitter_site":"@checkmarx","twitter_misc":{"Written by":"Checkmarx Team","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/checkmarx.com\/blog\/somethings-wrong-with-your-code-and-attackers-know-it\/#article","isPartOf":{"@id":"https:\/\/checkmarx.com\/blog\/somethings-wrong-with-your-code-and-attackers-know-it\/"},"author":{"name":"Checkmarx Team","@id":"https:\/\/checkmarx.com\/#\/schema\/person\/25482b0b490209da942049e2c8b0d3aa"},"headline":"Something\u2019s Wrong With Your Code. 
And Attackers Know It.","datePublished":"2026-05-14T06:57:37+00:00","dateModified":"2026-05-14T06:57:39+00:00","mainEntityOfPage":{"@id":"https:\/\/checkmarx.com\/blog\/somethings-wrong-with-your-code-and-attackers-know-it\/"},"wordCount":1246,"publisher":{"@id":"https:\/\/checkmarx.com\/#organization"},"image":{"@id":"https:\/\/checkmarx.com\/blog\/somethings-wrong-with-your-code-and-attackers-know-it\/#primaryimage"},"thumbnailUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/Copy-of-Blog-Banner-1-_5_.webp","keywords":["Agentic AI","Application Security Testing","AppSec","Awareness","Leadership"],"articleSection":["Application Security Trends &amp; Insights","Blog"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/checkmarx.com\/blog\/somethings-wrong-with-your-code-and-attackers-know-it\/","url":"https:\/\/checkmarx.com\/blog\/somethings-wrong-with-your-code-and-attackers-know-it\/","name":"Something\u2019s Wrong With Your Code. And Attackers Know It.","isPartOf":{"@id":"https:\/\/checkmarx.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/checkmarx.com\/blog\/somethings-wrong-with-your-code-and-attackers-know-it\/#primaryimage"},"image":{"@id":"https:\/\/checkmarx.com\/blog\/somethings-wrong-with-your-code-and-attackers-know-it\/#primaryimage"},"thumbnailUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/Copy-of-Blog-Banner-1-_5_.webp","datePublished":"2026-05-14T06:57:37+00:00","dateModified":"2026-05-14T06:57:39+00:00","description":"AppSec needs to move beyond detection to help developers prioritize and remediate issues in real time, without adding friction or 
noise.","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/checkmarx.com\/blog\/somethings-wrong-with-your-code-and-attackers-know-it\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/blog\/somethings-wrong-with-your-code-and-attackers-know-it\/#primaryimage","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/Copy-of-Blog-Banner-1-_5_.webp","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/Copy-of-Blog-Banner-1-_5_.webp","width":2560,"height":1280,"caption":"AI risk and modern code"},{"@type":"WebSite","@id":"https:\/\/checkmarx.com\/#website","url":"https:\/\/checkmarx.com\/","name":"Checkmarx","description":"The world runs on code. We secure it.","publisher":{"@id":"https:\/\/checkmarx.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/checkmarx.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/checkmarx.com\/#organization","name":"Checkmarx","url":"https:\/\/checkmarx.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg","width":1,"height":1,"caption":"Checkmarx"},"image":{"@id":"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis","https:\/\/x.com\/checkmarx","https:\/\/www.youtube.com\/user\/CheckmarxResearchLab","https:\/\/www.linkedin.com\/company\/checkmarx"]},{"@type":"Person","@id":"https:\/\/checkmarx.com\/#\/schema\/person\/25482b0b490209da942049e2c8b0d3aa","name":"Checkmarx 
Team","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/#\/schema\/person\/image\/","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/06\/cropped-cx_favicon-150x150.webp","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/06\/cropped-cx_favicon-150x150.webp","caption":"Checkmarx Team"},"url":"https:\/\/checkmarx.com\/author\/checkmarx-team\/"}]}},"_links":{"self":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/posts\/108738","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/comments?post=108738"}],"version-history":[{"count":0,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/posts\/108738\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media\/108780"}],"wp:attachment":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media?parent=108738"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/categories?post=108738"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/tags?post=108738"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}