
A new survey of more than 300 CISOs and AppSec executives reveals a fundamental context gap in modern AppSec tools, with 76 percent of security professionals lacking the real-time insight into production risks needed to understand how their applications actually behave in the wild.
The report from Rein Security finds that most AppSec tools scan pre-production and monitor at the perimeter, and that as applications continue to grow more distributed through microservices and AI-native components, these legacy scanning methods are failing to provide the runtime context needed for efficient security operations.
This leads to problems in a number of areas: 62 percent of respondents say they are blind to shadow or undocumented APIs; 73 percent of SCA users note a lack of visibility into whether flagged vulnerabilities are actually exploitable in production; and 72 percent of SAST/DAST users say they are challenged by an overwhelming number of false positives. This gap extends to emerging environments, too, with teams struggling to correlate Model Context Protocol (MCP) actions with execution outcomes (46 percent) and reporting blind spots around prompt injection chains or tool-chaining abuse (48 percent) in AI-native apps.
“AppSec teams are drowning in tools and effectively operating in a data and context vacuum, forced to chase theoretical vulnerabilities without clear evidence of how they behave in production environments,” says Matan Bar Efrat, CEO and co-founder at Rein Security. “This report highlights a breaking point in the industry: the majority of AppSec professionals want production-level context, a clear signal that our current reliance on static snapshots has created an unsustainable cycle of manual verification and operational noise.”
Respondents express a high willingness to replace current AppSec tools or adopt new solutions if they would address their biggest pain points. 93 percent are ready to replace or purchase new AI-native application protection; 88 percent are willing to replace API security solutions; and 81 percent are willing to pivot to new MCP protection tools. There are also several dominant tools that at least half of respondents would be willing to replace, including RASP (55 percent), SCA (52 percent) and SAST/DAST (49 percent). For 16 percent of respondents, their ultimate wish is to consolidate the AppSec toolchain into one platform.
You can get the full report on the Rein site.
