Weekly AppSec Briefings
A curated newsletter of what changed in AppSec this week, why it matters, and what to do about it.

February 25, 2026
Claude Code Security Spooked Wall Street. The npm Worm Should Have.
Claude Code Security erased billions in market cap over capabilities that already existed. A self-spreading npm worm hit 50,000 downloads targeting AI coding tools. Russian actors used commercial AI to compromise hundreds of firewalls.

January 21, 2026
AI Coding Tools Systematically Ship Security Flaws Your Scanner Won't Find | Jan 15-21
Tenzai research proves all 5 major AI coding assistants generate critical business logic flaws. Prompt injection hits Google Gemini, Microsoft Copilot, Anthropic MCP. Europe launches GCVE vulnerability database.

December 3, 2025
98% of Companies Deploy AI Agents, 79% Have No Security Policy | Nov 27 - Dec 3
98% of enterprises deploy AI agents but 79% have no written security policies. Fragmented tooling creates 4-week MTTR for critical vulnerabilities. AI coding tools are becoming attack surfaces. $190M+ in funding validates automated remediation.

November 19, 2025
Attackers Automated 90% of Operations with Claude AI | Nov 15-19
Chinese state-sponsored actors automated 90% of cyberattack operations using Claude AI while 30,000 EU organizations face December NIS2 compliance deadlines. Seven zero-days under active exploitation demonstrate the ongoing response velocity gap.

November 12, 2025
50% of CISOs Report Security Burnout. GitHub Copilot Reports First CVE
50% of CISOs report burnout affecting breach preparedness while 80+ critical CVEs landed in one week. Operational capacity hits the wall as teams drown in alerts and patch volumes exceed human triage capacity.

SCA Remediation at Scale: Dependencies Are the Real Challenge

How to Reduce False Positives by 80%: A Triage Automation Framework

AWS Bundles 14 Security Vendors Into One Bill. What's Missing Tells the Real Story

The Pentagon Banned Anthropic and OpenAI Accepted the Same Terms Hours Later

Your AI Coding Assistant Has CI/CD Privileges and None of the Controls

87% Run Exploitable Code in Production, and 98% of "Critical" Alerts Downgrade at Runtime

So, You Want to Build a Resolution Platform

AI Code Security Fixes: Three Gaps You Can't Prompt Your Way Around

New Look, Bigger Mission: Pixee Just Grew Up

Pixee Wins 2026 DEVIES Award for AppSecOps

What Looking at 14,000 Security Reviews a Year Taught Me About the Future of AppSec

Pixee's Pledge to Open Source

The Battle of AI Wrappers vs. AI Systems

Why General Security Copilots Might Not Work in Enterprise AppSec

Time-to-Exploit Has Collapsed. Has Your Remediation Strategy?

Why AI Can't Audit Its Own Code: Replit's Research on Deterministic Security

CVE Had a Near-Death Experience. Europe's Response: Build Their Own.

92% of Security Teams Are Prioritizing Vulnerabilities Wrong (And the Data Proves It)

The $2.4 Million Blind Spot: Why Your Security Automation ROI Calculator Is Wrong

Google, Microsoft, Anthropic: Same Week, Same Attack, Same Blind Spot

Every Layer of Your Dev Stack Is Now an Attack Vector

78% of Security Alerts Go Uninvestigated: The Silent Risk Accumulation

Six Zero-Days, One Refusal: How npm Created Two-Tier JavaScript Security

When Half Your Security Leaders Are Too Burned Out to Protect You

What Security Leaders Learned in 2025 (And What They're Watching in 2026)

The Find but Never Fix Crisis: The Math Breaking AppSec Teams

Why You Shouldn't Buy a Security Product in Response to React2Shell

Why Purpose-Built Security Remediation Produces Higher Quality Fixes

The AppSec Maturity Model: Where Does Your Organization Fit?

User Spotlight: Stirling-PDF

User Spotlight: ResumeBoostAI

The Illusion of Progress: Why Prioritization Alone Won't Make Us Safer

Top 10 Things We Learned From Reading 35 AppSec Reports: Why Teams Are Drowning in Triage, Not Fixes

The AppSec Maturity Model: From Detection to Resolution

The Agentic AI Governance Gap: A Strategic Framework for 2026

The AI Remediation Imperative: Why Detection Isn't Enough for OWASP Agentic AI in 2026

Pixee’s Approach to Security Focused UX and Design

The $19M Paradox: Why Security Spending and Security Debt Both Keep Rising

The 2.74× Problem: New Data Shows AI Code Ships With Nearly 3× More Security Flaws

Q4 2025 Retrospective: 10 Stats That Defined the Quarter in AppSec

React2Shell: The Next Struts2-Style Bug Parade?

That Time Our Own Security Tools Came to the Rescue

Pixee announced winner of the 2023 Santander X Global Challenge

Pixee wins 2024 DEVIES Best Innovation in AppSecOps award

Machine-Speed Triage: The Three Intelligence Types Security Needs Now

Pixee CTO Arshan on The Daily Tech Talks Podcast

From Systems of Detection to Systems of Decision: AppSec's Next Frontier

Introducing Pixee for SCA

Managing Pixeebot Activity with the New User Dashboard

More Isn't Always Better, But AI Makes That Irrelevant

$1.88M/Year on Triage Labor: The Hidden Cost Your AppSec Team Won't Tell You

Just Fix It.

How to Secure the 77% of Code You Didn't Write

From 2,000 Alerts to 50 Fixes: The Triage Automation Playbook

How to Reduce Your Security Backlog: 4-Step Plan to Cut Vulnerabilities

Google CodeMender just validated autonomous patching. Enterprise readiness takes more.

From 'Block Everything' to 'Respond Fast': The CISO's New Playbook for AI Security

Breaking down the Node.js sandbox bypass CVE-2023-30587

8 Forces Making On-Premises AI Remediation Urgent Now

Enhancing Product Security through Developer-Security Team Collaboration

DefectDojo and Pixee Partner to Realize the Potential of DevSecOps

77% of Your Code Came From Somewhere Else. Now What?

8 Forces Pushing Enterprises Back to On-Premises AI Security

Beyond the Black Box: How Pixee Validates AI-Powered Vulnerability Triage

81% Ship Vulnerable Code. The Problem Isn't Negligence—It's Capacity.

Stay ahead of the curve
Get the latest AppSec insights, research, and product updates delivered straight to your inbox. No spam, just signal.