Red Hat finds cloud security incidents hit 97% of firms
Red Hat has published its 2026 State of Cloud-Native Security Report, which found that 97% of organisations experienced at least one cloud-native security incident in the past year.
The findings point to routine operational weaknesses rather than rare, highly specialised attacks. Misconfigured infrastructure or services were the most commonly reported incident type at 78%, while known vulnerabilities and unauthorised access also ranked among the main causes of exposure.
That suggests many cloud-native security problems still stem from basic execution failures in complex environments. Manual errors, inconsistent controls and weak governance appear to drive a large share of incidents across hybrid and multi-cloud estates.
The effects extend beyond security teams. Over the past 12 months, 74% of organisations delayed or slowed application deployments due to security concerns, while 92% reported significant downstream effects, including increased remediation time, reduced developer productivity, and loss of customer trust.
In the survey, 52% said remediation demands had increased, 43% reported lower developer productivity, and 32% said incidents had damaged customer trust. The findings show how security issues can drag on software delivery and operational planning rather than remain an isolated technical function.
Maturity gap
A central theme in the report is the gap between how prepared organisations believe they are and how structured their security programmes actually are. While 56% of respondents described their day-to-day security posture as highly proactive, only 39% reported having a mature, well-defined cloud-native security strategy.
About 22% reported having no defined strategy at all. That lack of formal planning was linked to uneven adoption of basic controls, including identity and access management, container image signing and runtime protection.
Identity and access management had roughly 75% adoption, making it one of the more established controls in cloud-native environments. By contrast, only about half of organisations had implemented container image signing, while runtime protection remained inconsistent, with many teams relying on default settings instead of deliberately defined policies.
The report argues that those differences matter. Organisations with a well-defined strategy were far more likely to adopt stronger guardrails and reported 61% confidence in securing their software supply chain, notably higher than less mature peers.
Budget shifts
Spending plans are shifting as companies try to close those gaps. Many organisations are moving away from fragmented point products and instead prioritising tighter integration of security into software development and platform operations.
More than 60% of respondents said they plan to invest in DevSecOps automation over the next one to two years to embed security checks into CI/CD pipelines. Another 56% identified software supply chain security as a priority, while 54% said they intended to expand runtime protection to improve detection and blocking of active threats.
That emphasis reflects growing concern over software provenance and dependency risk in cloud-native systems, where open-source components and container images are widely used throughout development pipelines. Organisations are increasingly looking at software bills of materials and provenance checks as part of that response.
Regulation is also shaping priorities. Some 64% of organisations said they expect the EU Cyber Resilience Act to be a primary factor in investment decisions, indicating that compliance requirements are influencing board-level choices on security budgets and governance.
AI concerns
The report also highlights a sharp rise in concern about artificial intelligence within cloud environments. It found that 58% of organisations now see AI adoption as a core driver of security planning, but governance has not kept pace with implementation.
Almost all respondents (96%) expressed significant concerns about generative AI in cloud settings. The main worries were the exposure of sensitive data, the use of unapproved shadow AI tools, and the integration of insecure third-party AI services.
Despite those concerns, 59% said they do not have documented internal AI usage policies or governance frameworks. That leaves many organisations trying to manage a rapidly expanding set of tools and workflows without agreed-upon rules for acceptable use, data handling, or oversight.
The report warns that this could amplify existing weaknesses in identity management and software supply chains. If AI systems alter configurations, handle code or connect to external services without clear guardrails, they may create new routes for data leakage and operational error.
Operational response
Red Hat's findings point to a more formal operating model for cloud-native security. The report recommends establishing a defined strategy, embedding guardrails and automation into platforms, prioritising supply chain integrity, feeding runtime insights back into development and introducing AI governance without waiting for external mandates.
It also identifies image signing and dependency scanning as important priorities for organisations seeking stronger assurance over the software they deploy. The widespread use of open-source software has not always been matched by consistent verification practices, leaving avoidable gaps in resilience.
For many companies, the immediate challenge is less about buying another tool and more about reducing inconsistency across engineering, security and platform teams. The data suggests the organisations making the most progress are those that treat cloud-native security as an operational discipline built into everyday workflows rather than a separate layer applied after development.
With high incident rates, deployment schedules affected, and AI adding a new governance burden, the report presents a picture of organisations under pressure to tighten basic controls while adapting to a more complex threat and compliance landscape.