
A sneak peek at key findings from Sembi’s first-ever industry-wide survey | Kiuwan
The code your SAST and SCA tools were tuned to analyze is changing fast. With more than half of all code now AI-generated or AI-assisted, application security teams are facing a fundamentally different risk surface—more volume, more variability, and new vulnerability patterns that traditional analysis wasn’t designed to catch. The Sembi Software Quality Pulse Report, drawn from nearly 4,000 practitioners, shows exactly how the industry is—and isn’t—keeping up.
TL;DR
Security testing adoption is real, but fragmentation is limiting its effectiveness. AI-generated code is introducing new vulnerability patterns that SAST and SCA tools need to evolve to catch—and a false positive rate approaching 50% is eroding the trust teams need to act on findings quickly. The organizations closing the gap are those treating security analysis as a continuous, integrated discipline, not a point-in-time check.

The adoption of application security testing is real. SAST leads the pack as one of the most commonly used security testing methods, alongside API security testing and penetration testing. But the bigger story is the fragmentation beneath that adoption. No single security method dominates. Each approach is used by only a fraction of teams, and those tools rarely communicate with one another. Developers are left manually coordinating multiple testing methods—creating gaps, duplicated effort, and inconsistent enforcement.
The picture becomes clear: most organizations have some security testing in place, but they don’t have a unified security strategy. The result is coverage that’s real but incomplete, and a growing blind spot as systems grow more complex.

The most consequential finding for application security teams in 2026: respondents report that an average of 53% of their code is now AI-generated or AI-assisted. This changes the nature of what SAST and SCA tools need to analyze, and how.
AI-generated code can introduce insecure coding patterns, unfamiliar dependencies, and new open-source components that SCA tools need to track and evaluate. The volume of code is up, the unpredictability of what that code contains is up, and security analysis tools that can scale to AI-assisted development pipelines are no longer optional—they’re essential.

Another finding worth sitting with is that only 51% of detected security issues are true positives, meaning nearly half of what security tools are flagging is noise. That erosion of signal quality has real consequences: security teams are spending time chasing false alerts instead of remediating actual vulnerabilities, and confidence in tooling is declining.
For SAST and SCA tools, accuracy matters as much as coverage. High false positive rates don’t just waste time, they cause teams to deprioritize alerts, increasing the likelihood that real vulnerabilities get dismissed along with the false ones.

When security professionals ranked their top concerns for 2026, data breaches (38.8%), cloud misconfigurations (36.9%), and AI/LLM-specific threats (32%) led the list. These aren’t abstract risks; they are the concrete risk categories that SAST and SCA tools are positioned to help identify and remediate before they become incidents.
The organizations best positioned to address these priorities are those that have moved security analysis earlier into the SDLC, integrated their toolchains with CI/CD pipelines, and reduced manual overhead through intelligent automation.
The Sembi Software Quality Pulse Report covers the full state of application security—from SAST and SCA adoption trends to AI’s impact on the threat landscape, staffing challenges, and the convergence of QA and security. Download it for the complete data.
SAST is one of the most widely used security testing methods, but adoption is fragmented across the industry. No single approach dominates, tools rarely communicate with each other, and only 9% of security teams report fully integrated toolchains. The result is security coverage that exists on paper but leaves real gaps in practice.
With 53% of respondents’ code now AI-generated or AI-assisted, SAST and SCA tools are being asked to analyze a fundamentally different kind of codebase—one with higher volume, unfamiliar dependency patterns, and new vulnerability types. 12.9% of security professionals already report that AI code is introducing concerns that their current tools weren’t designed to catch. Scalability and AI-awareness are now table stakes for security analysis tooling.
The report found that only 51% of detected security issues are true positives, meaning nearly half of what tools flag is noise. High false positive rates don’t just waste time; they train teams to deprioritize alerts, which increases the risk that real vulnerabilities get ignored alongside the false ones. For SAST and SCA specifically, signal accuracy is as important as detection coverage.
The report found that 68% of professionals see strong value in aligning QA and security, and SAST and SCA sit at the center of that convergence. When security analysis is integrated into CI/CD pipelines and results are visible to both development and QA teams, organizations can make more informed release decisions and reduce the time from vulnerability discovery to remediation.
The data points to three priorities: reducing false positive rates to rebuild trust in tooling, integrating SAST and SCA findings into CI/CD pipelines for continuous feedback, and evolving analysis capabilities to handle AI-generated code. Teams that treat application security testing as a continuous, integrated discipline—rather than a point-in-time scan—are better positioned to address the top threats of 2026.