What the Software Quality Pulse Report Reveals About Security Posture in 2026


A sneak peek at key findings from Sembi's first-ever industry-wide survey

AI is generating more than half of all code. Release cycles are compressing. And application security teams are being asked to protect software they didn’t fully write, moving faster than ever before. The Sembi Software Quality Pulse Report—drawing on insights from nearly 4,000 QA engineers, security professionals, developers, and engineering leaders—reveals exactly how exposed that leaves most organizations.

TL;DR

Security teams are aware of their gaps but haven’t operationalized the proactive practices needed to close them. AI-generated code is expanding the attack surface faster than most protection strategies were designed to handle—and understaffed, reactive teams are absorbing the cost. Application hardening and obfuscation represent the kind of preventative, low-overhead defense the industry is recognizing it needs.

Security Is Aware of the Gaps—But Reactive by Default

Figure: How integrated security tools are with DevOps

Despite growing awareness of application security risks, the industry’s dominant posture remains reactive rather than preventative. Security tools are fragmented, coverage is inconsistent, and the proactive practices most likely to prevent exploitation—like threat modeling, obfuscation, and hardening—rank near the bottom of adoption lists.

  • Only 9% of security teams report fully integrated toolchains
  • Just 51% of detected security issues are true positives, with noise eroding trust in tooling
  • Only 24% of security teams consider themselves appropriately staffed

The cost of a reactive posture is well documented. IBM's recent Cost of a Data Breach report found that understaffed, reactive security teams incur an average of $1.76M more in breach costs than teams with mature, proactive practices. The data is clear: catching vulnerabilities before deployment is far cheaper than responding to them after.

AI-Generated Code Is Expanding the Attack Surface

Figure: Percentage of code that is AI generated

One of the most significant findings in this year’s report is also one of the most consequential for application security: respondents report that an average of 53% of their code is now AI-generated or AI-assisted. AI code generation is fast, but it introduces new risk patterns that traditional security processes weren’t designed to catch.

  • AI/LLM-specific threats rank among the top three security priorities for 2026
  • 12.9% of security professionals report that AI-generated code is creating new, unfamiliar security concerns
  • Traditional validation methods aren’t always equipped to detect AI-specific vulnerabilities

Figure: AI impact on security posture

For teams focused on application protection, AI-generated code means more code to analyze, more code that an existing obfuscation or hardening configuration may not cover, and more attack surface to harden. Applications built with AI-assisted development pipelines need protection strategies that are designed with that volume and variability in mind.

Obfuscation and Hardening Remain Underutilized Defenses

Figure: Security testing methods teams perform

The report’s findings on security testing fragmentation are telling: no single security method dominates, and most teams rely on a patchwork of approaches without a unified strategy. Threat modeling—one of the most proactive security practices available—ranks near the bottom in adoption.

Application obfuscation and hardening represent exactly the kind of proactive, layered defense that the industry is recognizing it needs, but hasn’t yet broadly operationalized. In an environment where 50% of breached organizations link incidents directly to understaffing and reactive postures, preventative application protection becomes an essential multiplier for stretched security teams.

DevSecOps Intent vs. DevSecOps Reality

Figure: How integrated QA tools are with DevOps

DevSecOps is the aspiration. Full integration is still rare. Most teams describe themselves as “partially” or “somewhat” integrated with DevOps pipelines, which in practice often means manual handoffs, delayed feedback, and security functioning as a late-stage gate rather than a continuous control.

Application hardening tools that fit natively into CI/CD pipelines—running automatically as part of build and release workflows—help close this gap without adding manual overhead to already stretched teams.
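One practical way to make hardening a continuous control rather than a late-stage gate is to add a post-build check that refuses to publish an artifact unless the hardening step actually ran on it. The script below is an added example, not code from the Sembi report or from PreEmptive's tooling. It assumes a hypothetical pipeline in which the hardening step writes a small JSON manifest holding the SHA-256 of the protected artifact, and in which the team maintains a denylist of internal identifiers that must never survive obfuscation; the artifacts, manifest format and identifier list are all constructed for the example.

```python
"""Post-build release gate: block publishing if hardening did not run.

Added example, not from the Sembi report or PreEmptive's tools. Assumes a
hypothetical pipeline layout where the hardening step writes a manifest
{"sha256": "<hex digest of protected artifact>"} and where the team keeps
a list of internal identifiers that should never appear in a shipped build.
All sample inputs are constructed inline.
"""
import hashlib
import json
import re

# Identifiers that must not appear in a shipped artifact (constructed list).
PROTECTED_IDENTIFIERS = [
    "LicenseValidator",
    "checkLicenseKey",
    "INTERNAL_API_SECRET_NAME",
]


def leaked_identifiers(artifact, protected=PROTECTED_IDENTIFIERS):
    """Return the protected identifiers still present in the artifact as whole words."""
    text = artifact.decode("utf-8", errors="ignore")
    return [name for name in protected if re.search(r"\b" + re.escape(name) + r"\b", text)]


def manifest_matches(artifact, manifest_json):
    """True if the manifest written by the hardening step names exactly this artifact."""
    manifest = json.loads(manifest_json)
    return manifest.get("sha256") == hashlib.sha256(artifact).hexdigest()


def release_gate(artifact, manifest_json):
    """Return (ok, reasons). ok is False when the artifact must not be published."""
    reasons = []
    if not manifest_matches(artifact, manifest_json):
        reasons.append("manifest hash mismatch: artifact rebuilt or modified after hardening")
    leaks = leaked_identifiers(artifact)
    if leaks:
        reasons.append("unobfuscated identifiers present: " + ", ".join(leaks))
    return (not reasons, reasons)


def make_manifest(artifact):
    """What the (hypothetical) hardening step writes next to the artifact it produced."""
    return json.dumps({"sha256": hashlib.sha256(artifact).hexdigest()})


# --- constructed sample artifacts -------------------------------------------
# An unprotected build: readable internal names survive.
UNPROTECTED = (
    b"class LicenseValidator { checkLicenseKey(k) "
    b"{ return k == INTERNAL_API_SECRET_NAME; } }"
)
# The same build after the hardening step renamed the symbols.
PROTECTED = b"class a { b(c) { return c == d; } }"


if __name__ == "__main__":
    ok, why = release_gate(PROTECTED, make_manifest(PROTECTED))
    print("protected build:", "PASS" if ok else "FAIL", why)
    # A manifest exists from an earlier hardened build, but the artifact was
    # rebuilt without the hardening step: both checks should fail.
    ok, why = release_gate(UNPROTECTED, make_manifest(PROTECTED))
    print("unprotected build:", "PASS" if ok else "FAIL", why)
```

The two checks are deliberately independent: the hash check catches a rebuild that skipped the hardening step, and the identifier scan catches a hardening run whose configuration silently excluded new code, which is the blind spot that grows as AI-generated code lands in the tree faster than protection rules are updated. Wire this in as the last step before the publish stage so a failing gate stops the release rather than leaving a note for a later review.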

Want the full picture?

The Sembi Software Quality Pulse Report is the first industry-wide look at the real state of software quality and security, drawn from nearly 4,000 practitioners. Download the full report for a complete view of the security landscape—including staffing data, AI adoption trends, and the growing convergence of QA and security.

Download the Sembi Software Quality Pulse Report today!


FAQ

What does the 2026 Software Quality Pulse Report say about application security posture?

The report found that despite growing awareness, most security teams remain reactive by default. Only 9% have fully integrated toolchains, only 24% feel appropriately staffed, and proactive practices like threat modeling and application hardening rank near the bottom of adoption. The gap between knowing what needs to change and having the infrastructure to change it is the defining challenge of 2026.

How does AI-generated code affect application security?

With respondents reporting that 53% of their code is now AI-generated or AI-assisted, the attack surface has expanded significantly. AI introduces new insecure coding patterns and vulnerability types that traditional security validation wasn't designed to catch. 12.9% of security professionals report that AI code is already creating unfamiliar security concerns, a number that will grow as AI adoption deepens.

Why is application obfuscation and hardening becoming more important?

As development velocity increases and AI generates more code faster, the window for pre-deployment security review narrows. Application obfuscation and hardening provide a layer of protection that persists after release—making reverse engineering, tampering, and exploitation significantly harder regardless of when in the SDLC they’re applied. For understaffed teams, it’s force multiplication.

How are QA and security converging in 2026, and what does that mean for AppSec teams?

The report found that 68% of professionals see strong value in aligning QA and security—and the data shows that teams with better integration across both functions have stronger release confidence and fewer vulnerability blind spots. For AppSec teams, that means security can no longer be a late-stage gate. Hardening and protection need to be embedded earlier in the development lifecycle, not bolted on at the end.

What’s the ROI of proactive application security over reactive security?

IBM’s Cost of a Data Breach research, cited in the report, found that understaffed, reactive teams incur an average of $1.76M more in breach costs than those with mature, proactive practices. Catching vulnerabilities before deployment—through hardening, static analysis, and CI/CD-integrated protection—is significantly cheaper than remediating them post-release.

© 2026 PreEmptive. All Rights Reserved