9 in 10 firms run software with known, exploitable vulnerabilities

Nearly nine in 10 organisations (87%) have at least one known exploitable vulnerability in deployed services, according to a report from Datadog.

The report points to a broader industry shift, with security risk increasing across the software delivery lifecycle.

As development accelerates, becomes more automated, and relies more heavily on third-party components, risk is increasingly shaped by the software supply chain and the tools used to build and deploy applications – not just the code that runs in production.

Findings show that 87% of organisations have at least one known exploitable vulnerability in deployed services, and 42% of services rely on libraries that are no longer actively maintained.

Also, services using end-of-life language versions face exploitable vulnerabilities in 50% of cases, compared to 31% for supported versions.

On the one hand, software is aging faster than teams can keep it up to date. The median software dependency is now 278 days out of date — 63 days further behind than last year.

At the same time, third-party software accelerates development but introduces risk when implicitly trusted.

Datadog researchers found that half of organisations adopt new library versions within 24 hours of release, increasing the risk of installing malicious or compromised software.
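The two metrics above (how far behind a pinned dependency sits, and whether a version was adopted before it had been public for a day) are easy to compute from a lock file plus registry release dates. The following is an added example, not code from the report or from Datadog; the registry metadata, lock file, package names and dates are all constructed, and "days out of date" is taken here as the gap between the pinned version's release date and the newest release date, since the report does not state its exact formula. A 24-hour cooling-off window is used as the adoption threshold the report mentions.

```python
from datetime import datetime, timedelta, timezone
from statistics import median

# Constructed registry metadata: package -> {version: release date (UTC)}.
# Names and dates are invented for this example.
RELEASES = {
    "example-http": {
        "1.0.0": datetime(2024, 1, 1, tzinfo=timezone.utc),
        "1.1.0": datetime(2024, 6, 1, tzinfo=timezone.utc),
    },
    "example-json": {
        "2.0.0": datetime(2023, 3, 15, tzinfo=timezone.utc),
        "2.1.0": datetime(2025, 1, 10, tzinfo=timezone.utc),
        "2.1.1": datetime(2025, 1, 14, 12, 0, tzinfo=timezone.utc),  # 12h old at NOW
    },
    "example-tls": {
        "0.9.0": datetime(2025, 1, 14, 18, 0, tzinfo=timezone.utc),  # 6h old at NOW
    },
}

# Constructed lock file: package -> version the service currently pins.
LOCKFILE = {"example-http": "1.0.0", "example-json": "2.0.0", "example-tls": "0.9.0"}

NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)   # constructed "install time"
COOLDOWN = timedelta(hours=24)                      # minimum age before adoption


def days_out_of_date(pkg, version, releases):
    """Days between the pinned version's release and the newest release of pkg.
    (Assumed definition; the report does not publish its formula.)"""
    latest = max(releases[pkg].values())
    return (latest - releases[pkg][version]).days


def staleness_report(lockfile, releases):
    """Per-package days out of date plus the median across the lock file."""
    per_pkg = {p: days_out_of_date(p, v, releases) for p, v in lockfile.items()}
    return per_pkg, median(per_pkg.values())


def too_fresh(lockfile, releases, now, cooldown):
    """Pinned versions released less than `cooldown` before `now`: versions adopted
    before the ecosystem has had time to notice a compromised or malicious release."""
    return sorted(p for p, v in lockfile.items() if now - releases[p][v] < cooldown)


def newest_cooled_version(pkg, releases, now, cooldown):
    """Newest version of pkg that has been public for at least `cooldown`,
    i.e. the upgrade target a cooling-off policy would allow; None if none qualifies."""
    candidates = [(d, v) for v, d in releases[pkg].items() if now - d >= cooldown]
    return max(candidates)[1] if candidates else None


if __name__ == "__main__":
    per_pkg, med = staleness_report(LOCKFILE, RELEASES)
    print("days out of date:", per_pkg, "median:", med)
    print("adopted inside cooldown:", too_fresh(LOCKFILE, RELEASES, NOW, COOLDOWN))
    for pkg in LOCKFILE:
        print(pkg, "-> allowed upgrade:", newest_cooled_version(pkg, RELEASES, NOW, COOLDOWN))
```

On the constructed data the median lag is 152 days, `example-tls` is flagged because its only version was adopted six hours after release, and the cooling-off rule would upgrade `example-json` to 2.1.0 rather than the twelve-hour-old 2.1.1. The same two checks can be fed from real registry metadata (npm, PyPI and crates.io all expose release timestamps) to track the report's two numbers for your own services.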

Further, only 4% pin all public GitHub Actions to a specific version using commit hashes, leaving CI/CD pipelines vulnerable to silent code changes.

As a result, build and deployment pipelines are increasingly exposed to silent changes in third-party code, making CI/CD systems a critical supply-chain risk.
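Whether a workflow pins its public actions to commit hashes rather than mutable tags or branches is a mechanical check. The following is an added example, not code from the report or from Datadog: it scans workflow text for `uses:` references and treats only a full 40-character commit SHA as pinned (a tag such as `v4` or a branch such as `main` can be moved to point at different code; a commit hash cannot). The sample workflow and the hash in it are constructed for the example; local actions (`./...`) and `docker://` images are skipped because this check is about hosted GitHub Actions.

```python
import re
from dataclasses import dataclass

# Constructed sample workflow (not from any real repository). The 40-hex hash below
# is made up; a real pin would reference a real commit, with the tag in a comment.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.2
      - uses: ./.github/actions/local-thing
      - name: Lint
        uses: some-org/lint-action@main
      - run: npm ci
"""

# A `uses:` key, optionally list-prefixed and quoted; capture up to whitespace or a comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
# Only a full commit SHA is immutable; abbreviated SHAs, tags and branches are not.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass(frozen=True)
class ActionRef:
    action: str   # e.g. "actions/checkout"
    ref: str      # e.g. "v4", "main" or a commit hash
    pinned: bool  # True only when ref is a full 40-hex commit SHA


def parse_uses(workflow_text):
    """Extract every hosted-action reference from workflow YAML text."""
    refs = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith("./") or target.startswith("docker://"):
            continue  # local actions and container images are outside this check
        action, _, ref = target.partition("@")
        refs.append(ActionRef(action, ref, bool(FULL_SHA_RE.match(ref))))
    return refs


def unpinned_actions(workflow_text):
    """Hosted actions referenced by a mutable tag or branch instead of a commit hash."""
    return [r for r in parse_uses(workflow_text) if not r.pinned]


def pin_coverage(workflow_text):
    """Fraction of hosted-action references that are hash-pinned (1.0 when there are none)."""
    refs = parse_uses(workflow_text)
    if not refs:
        return 1.0
    return sum(r.pinned for r in refs) / len(refs)


if __name__ == "__main__":
    for r in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"not hash-pinned: {r.action}@{r.ref}")
    print(f"pin coverage: {pin_coverage(SAMPLE_WORKFLOW):.0%}")
```

Run over every file under `.github/workflows/`, a coverage below 100% is exactly the condition the report's 4% figure counts against. Pinning by hash is only half the control: the hash should also be updated deliberately (for example by a dependency bot that opens a reviewed pull request) so that upgrades remain visible changes rather than silent ones.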

“The way software is built has fundamentally changed, but security practices haven’t kept up,” said Andrew Krug, head of security advocacy at Datadog.

“DevSecOps teams are caught between moving too slowly and moving too fast. Go slow, and outdated software accumulates known vulnerabilities. Go fast, and automation can introduce unvetted code,” said Krug. “The real challenge, though, isn’t speed – it’s clarity. As environments grow more complex, AI-assisted workflows help ensure top priorities get attention first.”

While vulnerability alerts continue to rise, the report also finds that most do not represent immediate business risk. Only 18% of vulnerabilities labeled “critical” remain critical once runtime context is applied.

“When almost everything is labeled ‘critical’, nothing is,” Krug added. “Teams get paged for noise while threats that pose real risk slip through. Without context, prioritisation becomes harder – leading to burnout, slower response times and accumulated risk. Teams need better visibility into what actually requires action.”

Yadi Narayana, CTO for APJ at Datadog, said that in A/NZ, regulatory pressure from APRA CPS 234 and the Essential Eight has significantly lifted governance maturity.

“Boards understand cyber risk, and structured change control is firmly embedded,” said Narayana. “The challenge now is execution. We still see Known Exploited Vulnerabilities in internet-facing and legacy systems because patch velocity can’t always keep pace with operational complexity.”

Narayana added that at the same time, cloud-native adoption is increasing reliance on open-source software and public package repositories, expanding the attack surface, often without equivalent controls across GitHub Actions and CI/CD pipelines.

“Add alert fatigue driven by severity-based prioritisation, and security teams are stretched thin,” he said. “The next phase of maturity is pairing strong governance with contextual observability – focusing on what’s truly exploitable and reducing real business risk, not just compliance exposure.”