How Apiiro is driving the shift towards intelligent, AI-Ready application security.
The 2025 Gartner® Hype Cycle™ for Application Security confirms what many security leaders are already starting to see: application security is being redefined by the pressures brought on by AI coding assistants. Code is being written faster, often by machines. Risk is increasing, but resources are not. Issues with traditional tools and workflows — scanners, dashboards, long triage cycles — are amplified at this scale.
This year’s report surfaces a decisive and necessary shift: from fragmented tools to intelligent systems that connect risk signals, developer activity, and remediation in real time. Apiiro is proud to be recognized as a Sample Vendor. In our opinion, we are aligned with this direction across several transformational areas, including:
To us, inclusion in this Hype Cycle reflects Apiiro’s deep connection and commitment to the core problems enterprises need to solve to operate securely in an AI-native development environment.
Gartner presents a set of realities that security leaders must now confront:
“Gartner estimates that 60% to 80% of the code in new software projects originates from third parties, with most coming from open-source software (OSS) projects.”
“Through 2029, over 50% of successful cybersecurity attacks against AI agents will exploit access control issues, using direct or indirect prompt injection as an attack vector.”
“By 2026, at least 40% of organizations will default to their application security testing vendors for AI-based autoremediation of vulnerable code.”
— Gartner, Hype Cycle for Application Security, 2025
In short, in our view, the acceleration of AI tooling has made development faster, but it has also multiplied the number of risks that must be identified, triaged, and addressed. In many organizations, the remediation backlog now dwarfs available AppSec capacity.
Teams need a new AppSec operating model, one that is posture-led, automation-driven, and rooted in real context.
The 2025 Hype Cycle emphasizes a few key themes: the need for AI-based remediation, risk-based prioritization, and policy enforcement at scale, tied together by accurate, contextual understanding of software risk.
Our platform ingests signals from code, configurations, pipelines, and runtime to build a real-time Risk Graph. That graph powers:
Where many tools generate findings, Apiiro helps teams decide what matters and take action grounded in reachability, material risk, and context. That’s what the shift Gartner is describing ultimately demands: less noise, more precision, and scalable execution.
Gartner outlines a future where automation is a core aspect of code security. But remediation without context is dangerous.
Apiiro doesn’t blindly fix issues. Instead, our AutoFix AI agent provides the visibility, policy logic, and runtime correlation needed to decide when to fix, when to flag, and when to escalate, all embedded in developer workflows.
Modern software is an assembly of first- and third-party components, and the balance is shifting. Third-party code now accounts for the majority of what’s running in production, yet it remains the least visible and least governed. Gartner highlights SBOM and supply chain risk as central concerns, especially with growing OSS usage.
Apiiro delivers AutoGovern, which enforces policies, standards, and secure coding guardrails automatically. Governed OSS usage and real-time SBOM tracking are enriched with impact and exploitability context, so you can enforce policy, not just generate reports.
Gartner highlights the need for tools that help teams not just surface issues, but correlate and prioritize them based on business impact, exploitability, and change velocity.
Apiiro uses Deep Code Analysis (DCA) to analyze code changes, configurations, and runtime signals to build a live, connected view of application risk, allowing security teams to continuously assess posture, enforce policies proactively, and respond as systems evolve, without relying on fragmented tools or manual triage. We call this AutoManage.
Application security is now inseparable from software delivery. As developers adopt AI coding assistants and ship faster than ever, security must evolve to meet them where they work, with systems that prioritize real risk, reduce friction, and scale trust across the software lifecycle, starting in the design phase.
The 2025 Gartner report outlines the roadmap. We believe that Apiiro is helping customers get there faster.
Interested in learning more? You can download the complimentary report here.
Gartner, Hype Cycle for Application Security, 2025. Dionisio Zumerle. Published July 15, 2025.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally. Hype Cycle is a registered trademark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved.
Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.