Datadog flags rising DevSecOps risk from ageing code
Datadog reports that 87 per cent of organisations are running deployed services with at least one known exploitable vulnerability, as software teams struggle to keep applications patched and up to date.
The finding comes from Datadog's State of DevSecOps Report 2026, which draws on telemetry from tens of thousands of applications, alongside additional datasets for specific measures. The dataset is global in scope.
The report suggests security risk is spreading across the software delivery lifecycle, driven by faster release cycles, increased automation, and heavier reliance on third-party components. It also places greater emphasis on supply chain exposures in build and deployment tools, not only weaknesses in production code.
Ageing dependencies
A central theme is a widening gap between how quickly software changes and how well teams keep dependencies current. The median software dependency is now 278 days out of date, 63 days further behind than last year.
The analysis also found that 42 per cent of services rely on libraries that are no longer actively maintained. This creates a structural patching problem, as inactive projects can lag on fixes or stop shipping security updates altogether.
Programming language choices also factor in. Services using end-of-life language versions have exploitable vulnerabilities in 50 per cent of cases, compared with 31 per cent for supported versions. The figures point to a material increase in exposure when teams run language versions that no longer receive upstream security maintenance.
Supply chain risk
The report also highlights risks created by how quickly organisations adopt third-party updates. Half of organisations adopt new library versions within 24 hours of release, which can leave little time for internal review and testing of new releases and their transitive dependencies.
Build pipeline configuration is another area of concern. Only 4 per cent of organisations pin all public GitHub Actions to a specific version using commit hashes. Without pinning, workflows can pull in third-party changes without a clear change event in the organisation's own repository.
This is framed as a supply chain issue inside CI/CD systems, not just application runtimes, with a particular focus on the risk of "silent changes" in third-party code used in build and deployment pipelines.
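The pinning check the report describes can be automated. The following is an added example, not code from Datadog or the report: it scans a GitHub Actions workflow file and lists every third-party `uses:` reference that is not pinned to a full commit SHA. The workflow text and the SHA in it are constructed for the example; the regular expressions and the choice to skip local (`./`) and `docker://` references are this example's own assumptions about what counts as a third-party action.

```python
import re

# Constructed sample workflow for this example; the commit SHA below is made up.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b  # hypothetical SHA
      - uses: some-org/some-action@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: npm ci && npm test
"""

# Matches a `uses:` step line and captures the action reference (up to whitespace,
# a quote or a trailing comment). A regex is used so the check runs without PyYAML.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")

# A full commit SHA: 40 hex chars (SHA-1) or 64 (SHA-256). Tags and branches fail this.
HEX_SHA_RE = re.compile(r"[0-9a-f]{40}|[0-9a-f]{64}")


def is_pinned(ref: str) -> bool:
    """True only when the part after '@' is a full commit SHA."""
    if "@" not in ref:
        return False
    _, version = ref.rsplit("@", 1)
    return HEX_SHA_RE.fullmatch(version) is not None


def find_unpinned(workflow_text: str) -> list[str]:
    """Return third-party action references that are not pinned to a commit SHA."""
    unpinned = []
    for line in workflow_text.splitlines():
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        # Local composite actions and Docker images are out of scope for this check:
        # the former live in the repository, the latter are pinned by image digest, not commit.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if not is_pinned(ref):
            unpinned.append(ref)
    return unpinned


if __name__ == "__main__":
    for ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"unpinned action: {ref}")
```

A tag such as `@v4` is mutable upstream, so the check treats it the same as a branch name; pinning to a SHA makes any change to the action show up as a diff in the organisation's own repository, which is the "clear change event" the report refers to. Teams that pin by SHA usually keep the human-readable version in a trailing comment and let a dependency-update bot propose bumps, so the pin does not itself become an ageing dependency.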
Alert fatigue
The findings also examine how security teams triage risks. Only 18 per cent of vulnerabilities labelled "critical" remain critical once runtime context is applied. That suggests severity labels alone can inflate the apparent urgency of large volumes of findings when issues are not reachable or exploitable in the running environment.
Andrew Krug, Datadog's Head of Security Advocacy, said the gap between software delivery practices and security approaches is widening.
"The way software is built has fundamentally changed, but security practices haven't kept up," Krug said.
"DevSecOps teams are caught between moving too slowly and moving too fast. Go slow, and outdated software accumulates known vulnerabilities. Go fast, and automation can introduce unvetted code. The real challenge, though, isn't speed: it's clarity. As environments grow more complex, AI-assisted workflows help ensure top priorities get attention first," he said.
Krug also linked alert volume to operational impacts. "When almost everything is labeled 'critical', nothing is," he said. "Teams get paged for noise while threats that pose real risk slip through. Without context, prioritisation becomes harder, leading to burnout, slower response times and accumulated risk. Teams need better visibility into what actually requires action."
A/NZ governance
In Australia and New Zealand, the report's themes intersect with a regulatory environment that has pushed cyber governance deeper into board oversight and change control. Yadi Narayana, Datadog's CTO for APJ, pointed to APRA CPS 234 and the Essential Eight as drivers of governance maturity, while describing implementation as the pressure point.
"In A/NZ, regulatory pressure from APRA CPS 234 and the Essential Eight has significantly lifted governance maturity. Boards understand cyber risk, and structured change control is firmly embedded," Narayana said.
"The challenge now is execution. We still see Known Exploited Vulnerabilities in internet-facing and legacy systems because patch velocity can't always keep pace with operational complexity," he said.
Narayana added that cloud-native adoption has increased reliance on open-source software and public package repositories, expanding the attack surface without always being matched by controls across GitHub Actions and CI/CD pipelines. "Add alert fatigue driven by severity-based prioritisation, and security teams are stretched thin. The next phase of maturity is pairing strong governance with contextual observability, focusing on what's truly exploitable and reducing real business risk, not just compliance exposure," he said.
Datadog's report is intended to inform how organisations detect, prioritise and remediate software risk as supply chain dependencies and automated delivery pipelines play a larger role in modern application delivery.