
Cycode Releases the 2025 State of ASPM Report: AppSec Tool Sprawl Fueling Budget Drain, Hindering Visibility and Widening Talent Gap, Cycode Report Warns

SAN FRANCISCO--(BUSINESS WIRE)--Cycode, a leader in Application Security Posture Management (ASPM), today released its second annual State of ASPM Report, revealing a critical disconnect between rising application security threats and organizations' ability to defend against them. The report, which builds on last year's groundbreaking inaugural study, uncovers a concerning trend of escalating tool sprawl, budget drains, and a widening talent gap impacting application security posture.

The research, based on an independent, vendor-agnostic survey of 700 CISOs, AppSec Directors, and DevSecOps managers across the US, UK, and Germany, reveals that an overwhelming majority (72%) of security leaders agree that the age of AI necessitates a complete reset of how organizations approach application security.

This urgency is reinforced by the fact that 93 billion lines of code were generated in the past year alone, driven in large part by GenAI. This explosion of code is clearly overwhelming security teams, with 73% of security leaders confirming that “code is everywhere.”

"IDC’s latest DevSecOps research highlights that insecure AI-generated code ranks among the top application security challenges for organizations in 2024, aligning with Cycode’s insights. This underscores the rising importance of code security as a cornerstone of application security strategies for 2025," said Katie Norton, Research Manager at IDC. "As development and threat environments grow more complex, strengthening code security is crucial to safeguarding innovation efforts."

According to Cycode, 59% of respondents say today’s attack surface is completely unmanageable, with GenAI emerging as the #1 blindspot, followed by the exponential growth in code. Given these challenges, it’s not surprising that 63% of respondents believe CISOs aren’t investing enough in code security.

In response, security budgets are projected to grow by an average of 50% over the next 12 months.

This reflects the true scale of the challenge ahead. But, as the report highlights, the average enterprise is already using 50 security tools, slightly more than was reported last year. This increasing tool sprawl is creating significant operational challenges, including an overall lack of visibility into security and risk posture, alert fatigue, and difficulties in fostering collaboration between security and development teams.

Other Key Findings Include:

  • Alarmingly, 90% of respondents from organizations with over 61 security tools report a lack of understanding as to where their security budget is being spent. This challenge is compounded by a massive talent gap in cybersecurity, which tool sprawl further exacerbates, leaving organizations struggling to effectively manage and secure their increasingly complex IT environments.
  • Over 4 in 5 (83%) of security professionals surveyed agree that having too many tools requires specialist skills, and that those skills are increasingly difficult to find due to the ongoing cybersecurity talent gap. This is of course compounded by the shortage of cyber professionals, which this year neared 4 million. It’s no wonder 65% of respondents said that balancing AppSec needs with the talent shortage is challenging.
  • Security professionals are increasingly aware of the perils of tool sprawl, with 88% confirming plans to consolidate their AppSec tools into a single platform within the next 12 months.

"The market is sending a clear signal: it's time to reset and rethink how we approach application security," said Lior Levy, Cycode's Co-founder and CEO. "Organizations are investing more in code security than ever before, yet challenges like tool sprawl and an unmanageable attack surface persist. We're at a critical inflection point and we don't believe organizations should have to choose between innovation and security. Cycode is uniquely positioned to address these issues with its Complete ASPM, delivering a unified, purpose-built solution for this new era."

Among those already using an ASPM platform, 90% report a significant improvement in their ability to understand and manage overall risk, enabling them to prioritize the most critical vulnerabilities. Furthermore, a remarkable 97% have seen a positive impact on collaboration between security and development teams.

The 2025 State of ASPM Report is available online and provides actionable insights for security leaders navigating the challenges of today’s fast-evolving application security landscape.

About Cycode

Cycode is the leading Application Security Posture Management (ASPM) company, providing Peace of Mind to its customers. Its Complete ASPM platform delivers safe code, faster. That means stopping code risks before they start, reducing the developer productivity tax and lowering the total cost of ownership.

The platform can replace existing application security testing tools or integrate with them while providing cyber resiliency through unmatched visibility, risk-driven prioritization and just-in-time remediation of code vulnerabilities at scale. Cycode’s Risk Intelligence Graph (RIG), the ‘brain’ behind the platform, provides traceability across the entire SDLC through natural language.

Backed by tier-one investors Insight Partners and YL Ventures, the Series B company has raised $80 million and boasts a number of the top global Fortune 100 customers in the world that are gaining immediate value.

Contacts

Media Contact:
Fabienne Dawson
Fabienne@cycode.com
