The shape of vulnerabilities to come: more subtle, context-dependent errors
We surveyed 241 developers about how AI-assisted coding is reshaping software delivery, and where it leaves security gaps that impact businesses.
20% find vulnerabilities in AI-assisted code post-deployment, always or often
Only 9% say vulnerability testing keeps pace with development
76% of developers now use AI coding tools constantly
The risk shift: from more bugs to more subtle, context-dependent ones

The numbers
20% discover vulnerabilities in AI-assisted code post-deployment, always or often
31% don't have enough time to review AI-generated code before it ships
9% say vulnerability testing keeps pace with development completely
What we found: AI didn't create the validation gap. It widened it.
Adoption is widespread. Output is up. Pre-release validation is not.
The result is more code, more endpoints, and more findings reaching production. Production is where the cost of discovery is highest for security teams, MSSPs, and the CISOs who have to defend the result.
More code, more entry points
More than 3/4 of developers use AI tools constantly. More endpoints, integrations, and logic paths reach production before anyone validates them.
Half of teams see post-deploy vulnerabilities
About half of teams find vulnerabilities in AI-assisted code at least sometimes after it ships, when fixes are more complex and exposure is higher.
Testing rarely keeps up
Only 9% report that vulnerability testing keeps pace completely. 45% say it sometimes or frequently falls behind. The validation window keeps shrinking.
The shift: speed is the vulnerability
AI accelerates code generation. Validation does not scale at the same rate. The gap between them is where risk accumulates, and where attackers find purchase.
The validation window is compressing
AI increases the volume of code and the speed at which it moves through the pipeline. Pre-release reviews happen, but rarely to the depth required to catch what matters.
The pressure to ship is up
Nearly 40% of developers report increased expectations to deliver more code since adopting AI tools. Teams sometimes release before fully exploring vulnerabilities.
The cost of late discovery is highest
For security teams, MSSPs, and consultants, the challenge is no longer just finding vulnerabilities - it's finding them fast enough to matter, with proof a stakeholder will accept.
AI-assisted code tends to reduce simple bugs but increase subtle logic and security misconfigurations, and often spreads the same vulnerability patterns across multiple parts of a system.
Survey respondent, Internal Security Team
The new vulnerability shape: more subtle, context-dependent errors
Static analysis and surface-level review aren't enough. The vulnerabilities that matter now are the ones that only fail under real-world interaction - across workflows, APIs, and integrations.
What's visible isn't the problem. Context is.
Catching issues that surface only when systems interact requires validation that confirms exploitability under real conditions, not just detection that flags potential issues.
Vulnerability categories that came up most often in open-ended responses
→ Logic errors only visible at runtime
→ Insecure configurations
→ Cross-system integration gaps
→ Supply-chain and dependency issues
→ Authentication and session handling
AI tools have shifted our focus from catching manual syntax errors to auditing for "hallucinated" insecure library versions and logic flaws where the AI suggests technically functional but architecturally insecure configurations.
Survey respondent
How Pentest-Tools.com fits
AI-assisted coding doesn't just produce more code. It produces a larger deployed attack surface, faster than anyone can validate it. That's the layer we work on.
We test running systems: deployed applications, exposed services, networks, and the dependencies they bring in. It's the layer attackers actually reach, and the layer where validation evidence actually comes from. This is the gap Adversarial Exposure Validation addresses, turning "we detected something" into "we confirmed it can be exploited."
We won't claim that's a complete answer to the validation gap that the survey describes. But it's part of one.
Get the full survey results
Includes all 241 responses and the qualitative themes that came through in the open-ended question, and highlights what teams reporting better outcomes are doing differently.