AppSec Research & Data Studies
Original studies built on primary data we collected and analyzed ourselves. No vendor surveys, no sponsored content.
MCP Server Security Audit 2026
I analyzed 33 MCP servers using mcp-scan v0.4.3 and Cisco mcp-scanner v4.3.0. The YARA scanner flagged 27 patterns across 10 servers — but many detections reflect intended tool behavior, not actual vulnerabilities. Here's what pattern-based scanning catches and misses.
DevSecOps Statistics 2026
60+ DevSecOps statistics from industry reports and original research. Covers adoption rates, market growth, supply chain risks, vulnerability data, and breach costs. Every stat sourced.
Application Security Statistics 2026
50+ application security statistics from original research. AI code vulnerabilities, security header adoption, open-source tool health, and more.
AI-Generated Code Security Study 2026
I asked 6 LLMs to write Python and JavaScript code for common development tasks, then scanned the output with 5 open-source SAST tools. See which models produce the most secure code.
State of Open Source AppSec Tools 2026
I analyzed GitHub data for 64 open-source application security tools across 8 categories. See which projects have the most community traction, healthiest maintenance, and strongest adoption.
Security Headers Adoption Study 2026
I scanned 10,000+ websites to measure adoption rates of CSP, HSTS, and other security headers. See which headers are widely deployed and which remain rare.
CandyShop: Open-Source Security Tool Benchmark 2026
Real scan results from 12 open-source security tools tested against 6 intentionally vulnerable applications. Compare SAST, DAST, SCA, container, and IaC scanners with actual detection data and F-measure accuracy scores.
DAST Benchmark Project
Test your applications with multiple DAST tools and receive a comparative benchmark report to select the most suitable tool with confidence.