Threat Detection & DefensePress Release

Datadog Study: 87% of Organisations Are Running Software with Known, Exploitable Vulnerabilities

Highlighting a Broader Industry Shift as Security Risk Increasingly Moves Upstream into the Software Supply Chain  

Datadog, Inc., the Artificial Intelligence (AI)-powered observability and security platform for cloud applications, recently  released its latest State of DevSecOps Report. The Datadog study found that nearly nine in 10 organisations (87 per cent) have at least one known exploitable vulnerability in deployed services.

The report points to a broader industry shift, with security risk increasing across the software delivery lifecycle. As development accelerates, becomes more automated, and relies more heavily on third-party components, risk is increasingly shaped by the software supply chain and the tools used to build and deploy applications—not just the code that runs in production.

Key Findings of the Datadog Study at a Glance

  • 87 per cent of organisations have at least one known exploitable vulnerability in deployed services
  • 42 per cent of services rely on libraries that are no longer actively maintained
  • Services using end-of-life language versions face exploitable vulnerabilities in 50 per cent of cases, compared to 31 per cent for supported versions
  • 50 per cent of organisations adopt new library versions within 24 hours of release, increasing the risk of installing malicious or compromised software
  • Only 4 per cent of organisations pin all public GitHub Actions to a specific version using commit hashes, leaving CI/CD pipelines vulnerable to silent code changes

Security Risk Increasing at Both Ends of the Lifecycle

On one end, software is aging faster than teams can keep it up to date. The median software dependency is now 278 days out of date—63 days further behind than last year.

At the same time, third-party software accelerates development but introduces risk when implicitly trusted. Datadog researchers found that half of organisations (50 per cent) adopt new library versions within 24 hours of release, and only 4 per cent pin all public GitHub Actions to a specific version using commit hashes.

As a result, build and deployment pipelines are increasingly exposed to silent changes in third-party code, making CI/CD systems a critical supply-chain risk.

“The way software is built has fundamentally changed, but security practices haven’t kept up,” said Andrew Krug, Head of Security Advocacy at Datadog. “DevSecOps teams are caught between moving too slowly and moving too fast. Go slow, and outdated software accumulates known vulnerabilities. Go fast, and automation can introduce unvetted code. The real challenge, though, isn’t speed—it’s clarity. As environments grow more complex, AI-assisted workflows help ensure top priorities get attention first.”

Alert Volume Is Obscuring Real Risk

While vulnerability alerts continue to rise, the report also finds that most do not represent immediate business risk. Only 18 per cent of vulnerabilities labeled “critical” remain critical once runtime context is applied.

“When almost everything is labeled ‘critical’, nothing is,” Krug added. “Teams get paged for noise while threats that pose real risk slip through. Without context, prioritisation becomes harder – leading to burnout, slower response times and accumulated risk. Teams need better visibility into what actually requires action.”

“Across ASEAN, digital transformation is accelerating, but execution is uneven. While awareness of vulnerability risk is rising, known exploited vulnerabilities are still routinely found in internet-facing systems, legacy infrastructure, and fast-moving cloud environments,” said Yadi Narayana, CTO for APJ at Datadog. “Rapid growth in e-commerce, fintech, and super-app ecosystems has created complex hybrid estates powered by containers, open-source software, and automated pipelines – often without full visibility or consistently enforced controls.

“Meanwhile, overstretched security teams battle skills shortages and alert fatigue, prioritising by severity scores rather than real-world exploitability. The organisations that will build lasting resilience are those that move beyond compliance and tool sprawl to focus on contextual, exploitability-driven risk reduction across their entire digital estate.”

Read the full Datadog report, State of DevSecOps Report 2026, to see how these findings are shaping modern approaches to detecting, prioritising and remediating security risk.

CSA Editorial

Launched in Jan 2018, in partnership with Cyber Security Malaysia (an agency under MOSTI). CSA is a news and content platform focusing on key issues in cybersecurity in the region. CSA is targeted to serve the needs of cybersecurity professionals, IT professionals, Risk professionals and C-Levels who have an obligation to understand the impact of cyber threats.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *