Application layer comes under threat

A new report from Contrast Security exposes a growing crisis at the application layer as adversaries use AI to easily launch previously sophisticated attacks at scale.

Recent reports from Verizon (DBIR 2025) and Google Mandiant (M-Trends 2025) confirm what many security leaders already suspect: components of the application layer are among the most targeted and least protected part of the modern enterprise.

This trend includes hackers’ heightened focus on cloud environments, which heavily depend on application-layer services and interfaces, such as critical components like cloud-based single sign-on (SSO) web portals that store centralized authority.

The report, built on 1.6 trillion runtime observations per day, the report provides a uniquely accurate picture of how applications and APIs are being targeted, and how defenders can regain control.

“We’re seeing a fundamental shift in how applications are being attacked,” says Jeff Williams, CTO and founder of Contrast Security. “AI is making it easier than ever for adversaries to launch targeted, viable attacks at scale, while traditional tools like WAFs, SAST, and EDR remain blind to what’s happening inside the application while it’s running. This report exposes that gap with hard data. It shows where the real threats are, how fast they’re moving, and why organizations need a new model for defense: one that starts with runtime visibility.”

On average, apps contain 30 serious vulnerabilities. AI-generated code is exacerbating the problem, and third-party libraries are accelerating the risk. Applications face an average of 17 new vulnerabilities per month, with developer teams remediating six per month, on average.

The report also finds that attackers exploit new vulnerabilities in just five days, but it takes 84 days on average to patch even the most critical flaws. Application attacks are also more prolific than ever before, with the average application targeted by attackers once every three minutes.

The average application is exposed to 81 confirmed, viable attacks each month that evade other defenses, primarily driven by untrusted deserialization, method tampering, OGNL injection, and similar attacks, which can vary by industry and technology stack.

To manage the growing risks, security teams are increasingly evolving their strategies to address the visibility gap at the application layer. This includes moving beyond traditional reactive defenses and adopting runtime protection models that can detect and stop attacks from within running applications.

The report also highlights how shared telemetry across SecOps, AppSec, and development teams helps organizations focus on the threats and vulnerabilities that pose the greatest real-world risk. This unified, contextual approach enables faster response, more targeted remediation, and reduced alert fatigue across security workflows.

You can get the full report from the Contrast site.

Image credit: Napong Rattanaraktiya/Dreamstime.com