Pixee

Computer and Network Security

Baltimore, MD 8,963 followers

The agentic security engineering platform securing your code from design to remediation with automated triage and fix.

About us

Your security tools find vulnerabilities. Some even suggest fixes. None of them triage 10 scanners, cut 95% of the noise, and write fixes your developers actually merge.

We created the agentic security engineering platform. It consists of AI agents that span your entire SDLC to prevent, triage, and fix vulnerabilities automatically. Not assistants. Not suggestions. These are agents that learn your codebase, your policies, your conventions, and take action.

Our customers, which include some of the largest regulated enterprises in financial services, technology, and beyond, strip false positives down to real risks through exploitability analysis across every scanner they run. When a finding is real, our agents write the fix using context-aware patches that match your code conventions. The result is a 76% first-time merge rate with no human editing.

As AI writes more of the world's code, the volume of vulnerable code increases. The detection tools find more. The backlogs grow. The remediation gap widens. Agentic Security Engineering isn't optional anymore, and Pixee is the only platform building it end-to-end.

Founded by the co-founder and Chief Scientist of Contrast Security and its former Chief Strategy Officer. This is a security company built by AppSec veterans creating the resolution platform they spent twenty years wishing existed.

Website
https://pixee.ai
Industry
Computer and Network Security
Company size
11-50 employees
Headquarters
Baltimore, MD
Type
Privately Held
Founded
2022

Updates

  • When Daniel Miessler sat down with Arshan Dabirsiaghi, he asked a really important question: "Why would a developer ever trust an automated security fix?" Historically they don't. Merge rates are around 20% on AI fixes. Devs ignore those PRs because they've earned the right to ignore them. The fix doesn't match the codebase conventions. It changes a function signature three other files depend on. It "works" in the sense that the scanner stops yelling, and breaks in the sense that the next person on call inherits the cleanup. Or, and perhaps most importantly, the PR they are being asked to merge is a false positive in the first place. Here's Arshan's answer on how Pixee tackles that last point in order to increase the merge rate 4x.

  • Security spending is up. Confidence is down. That's what the 2026 IANS CISO Budget Benchmark survey shows (n=300+ CISOs). Some takeaways:
    ↳ 85% got budget increases this year
    ↳ 88% expect more budget next year
    ↳ 53% are spending over $5M annually
    And 56% still say it isn't enough to increase security. The bottleneck isn't budget. It's tool sprawl. It's complexity. It's that 82% of "critical" alerts turn out to be false positives once you factor in runtime context. Here are 10 slides summarizing the report in terms of what CISOs are betting on for 2026. #Cybersecurity #AppSec

  • On May 1st, 60 CISOs published a MythosReady framework, including leaders from Google, Netflix, Cloudflare, and Wells Fargo. It's useful, substantive, and has a huge gap. None of them addresses what happens when the tools they recommend generate findings at 71-88% false positive rates. The math:
    ↳ Engineers spend 6.1 hours per week triaging alerts
    ↳ 72% of that time is wasted on noise
    ↳ Mean time to remediate sits at 252 days
    ↳ Marimo: disclosure to working exploit in 9 hours, 41 minutes
    Anton Chuvakin calls this the Patch Sound Barrier. Every org has a maximum remediation velocity. AI-driven discovery has permanently exceeded it. More scanning at those false positive rates does not shrink the backlog. It grows the triage queue. What actually closes the gap is two capabilities shipping together:
    ↳ Triage automation that filters the 71-88% of alerts that are not exploitable
    ↳ Remediation automation that generates fixes developers actually merge
    Visibility without resolution is surveillance, not security.

  • We read 30 whitepapers released in the last two months across cybersecurity. Some takeaways from the data 👇:
    🎯 82% of "critical" vulns aren't actually critical once runtime context is applied (Datadog, State of DevSecOps 2026)
    ⏱️ CVE disclosure → active exploitation: 63 days → 5 days, year-over-year (Mondoo, State of Vulnerabilities 2026)
    The detection machine is working: 141.3M findings processed by Veracode in 2025. The remediation machine isn't: 80%+ of orgs carry security debt older than 12 months. What's in the rest of the carousel:
    ✅ 7 more findings
    ✅ 3 contradictions worth knowing
    ✅ Where AppSec budget is actually going

  • We're grateful for all the CISOs, AppSec Leads, and security engineers who traded notes with us this week at Health-ISAC's summit in Tampa. Lt. Col. Robert Darling's keynote on the 9/11 PEOC especially stuck out. He highlighted how resilience isn't built in the moment of crisis but through regular correct practice and preparation. The overall "Conditioning for Success" theme really resonates with our approach to AppSec, and Surag P. and Girish Nair were happy to trade notes with fellow practitioners throughout the week. Big thanks to the @Health-ISAC team.

  • "AI-enabled software vulnerability discovery." That's the reason Oracle gave this week for moving Critical Patch Updates from quarterly to monthly. First major enterprise vendor we've seen put it in writing — "AI is finding things our internal SDLC missed." Same week:
    — 40,000 cPanel servers compromised before the patch shipped. "Sorry" ransomware. Exploitation live since March.
    — White House officials drafting a 3-day federal patch rule.
    — Mandiant: mean time to exploit hit -7 days. Exploited for a week before disclosure.

  • Every system Mythos broke had passed its audits. Red team. Pen test. The reports came back clean. That's not a defensive failure. The audits were calibrated for a different economy of attack. What used to take a top-tier offensive team weeks now runs in hours at a unit cost defenders can't replicate inside their own programs. This is a new architecture problem, requiring us to rethink the foundations of our AppSec programs. That's what Adam Schaal is unpacking at our IANS Technology Spotlight. He's covering the architectural choices, the real cost of running AI on production codebases, and presenting a clear-eyed framework for the build vs. buy call every AppSec leader has to make next. #IANSResearch #AppSec

  • 85% of your SCA alerts can't hurt you. We can prove it. Per finding. With evidence your auditors will accept. Here's a common example: your scanner flags a CVE in a transitive dependency. CVSS says 6.9. But exploiting it requires three specific conditions, and your codebase meets zero of them. The tool flags it anyway. That's the gap Pixee's SCA product closes. We generate codebase-aware exploitability analysis on every finding, paired with context-aware remediation that merges at 76% across 100K+ PRs when fixes are warranted.
