Contrast Security releases Software Under Siege 2025, exposing what traditional reports miss about application-layer threats

Following the heels of the DBIR and Mandiant M-Trends, Contrast’s new report reveals what’s really happening inside the application layer and why it’s a top target for attackers in 2025.

Pleasanton, CA – July 17, 2025 – Contrast Security, the global leader in Application Detection and Response (ADR), today released Software Under Siege 2025: The Contrast Application Threat Report, exposing the growing crisis at the application layer as adversaries use AI to easily launch previously sophisticated attacks at scale.

Recent reports from Verizon (DBIR 2025) and Google Mandiant (M-Trends 2025) confirm what many security leaders already suspect: components of the application layer are among the most targeted and least protected parts of the modern enterprise.  This trend includes hackers’ heightened focus on cloud environments, which heavily depend on application-layer services and interfaces, such as critical components like cloud-based single sign-on (SSO) web portals that store centralized authority.

But those reports raised an even bigger question:

What’s actually happening inside the applications we build and run every day?

The Software Under Siege 2025 report from Contrast Security provides the missing context, offering a detailed, data-driven view into the vulnerabilities, exploit patterns, and attacker behaviors that SOC and AppSec teams need to understand now. Built on 1.6 trillion runtime observations per day, the report provides a uniquely accurate picture of how applications and APIs are being targeted, and how defenders can regain control.

“We’re seeing a fundamental shift in how applications are being attacked,” said Jeff Williams, CTO and Founder of Contrast Security. “AI is making it easier than ever for adversaries to launch targeted, viable attacks at scale, while traditional tools like WAFs, SAST, and EDR remain blind to what’s happening inside the application while it’s running. This report exposes that gap with hard data. It shows where the real threats are, how fast they’re moving, and why organizations need a new model for defense: one that starts with runtime visibility.”

The report confirms that applications and APIs are the modern battleground of choice for attackers. Key findings include:

• Why attackers are winning: On average, apps contain 30 serious vulnerabilities. AI-generated code is exacerbating the problem, and third-party libraries are accelerating the risk.
  
  
• Why defenders can’t keep up: 
  • Applications face an average of 17 new vulnerabilities per month, with developer teams remediating 6 per month, on average. 
  • Attackers exploit new vulnerabilities in just 5 days, but it takes 84 days on average to patch even the most critical flaws.
  • Application attacks are more prolific than ever before, with the average application targeted by attackers once every 3 minutes.
  • The average application is exposed to 81 confirmed, viable attacks each month that evade other defenses, primarily driven by untrusted deserialization, method tampering, OGNL injection, and similar attacks, which can vary by industry and technology stack.
  • A small number of attack techniques, harder to execute before AI, account for the lion’s share of risk.
    
    
• Why traditional tools fall short: WAFs and EDRs lack the runtime context to detect the growing threats. Many SOCs are flying blind.
  
  
• The new “best practice”: A small number of attack techniques account for the majority of risk. Focusing on what’s exploitable now enables teams to regain control.
  

To manage the growing risks, security teams are increasingly evolving their strategies to address the visibility gap at the application layer. That includes moving beyond traditional reactive defenses and adopting runtime protection models that can detect and stop attacks from within running applications.

The report also highlights how shared telemetry across SecOps, AppSec, and development teams helps organizations focus on the threats and vulnerabilities that pose the greatest real-world risk. This unified, contextual approach enables faster response, more targeted remediation, and reduced alert fatigue across security workflows.

Organizations adopting these practices are better positioned to improve their resilience against the rising tide of AI-assisted application-layer threats. 

To download the full report, visit https://www.contrastsecurity.com/software-under-siege-2025-report.

Methodology

The report combines proprietary data from the Contrast Runtime Security Platform with additional data from trusted third parties to help security leaders understand the scope and nature of application-layer threats.

Contrast’s data is collected from real-world running applications and application programming interfaces (APIs), using a lightweight sensor that allows full visibility into the complete runtime context. This “inside-out” approach provides continuous visibility into how applications behave and are targeted in real-world production environments.

About Contrast Security

Contrast Security is the global leader in Application Detection and Response (ADR), empowering organizations to see and stop attacks on applications and APIs in real time. Contrast embeds patented threat sensors directly into the software, delivering unmatched visibility and protection. With continuous, real-time defense, Contrast uncovers hidden application-layer risks that traditional solutions miss. Contrast’s powerful Runtime Security technology equips developers, AppSec teams and SecOps with one platform that proactively protects and defends applications and APIs against evolving threats.

Media Contact:

Jake Milstein

206 718 9602

Jake.Milstein@contrastsecurity.com