Analysis of the Application Security Market Report for 2026

Author: Kateryna Ivanenko, Invicti & Mend.io Brand Manager

This article analyzes the Application Security Market Report for 2026, including its survey results and current industry trends.

It is worth noting that the original publication from Latio is based mainly on data from companies in the USA, but in this article we will discuss what conclusions we can draw for other regions: Ukraine, Moldova, the South Caucasus, and Central Asia.

Security Team Survey

Top 6 Desired Features of Application Security Tools
  1. Convenience for developers
  2. Low number of false positives
  3. Integrations
  4. Maximum coverage in vulnerability detection
  5. Remediation assistance
  6. Reporting

It would seem that the most important criterion for AppSec tools should be the quality of vulnerability detection, but respondents put convenience for developers in first place. This is particularly noticeable in the marketing of static application security testing (SAST) products, with almost every one of them claiming to be “developer-friendly.”

This makes sense, since developers are the ones who fix vulnerabilities after they are discovered. The more conveniently security is built into their processes (including integrations, for example with ticketing systems) and the more detailed the information about a problem (AI-based fix suggestions, for example, are becoming popular), the faster the problem will be fixed. If a tool delays this, its value for maintaining a high level of application security is significantly reduced.

The Most Common Application Security Tools

Figure: “I expect my application security tool to provide” (Application Security Market Report 2026)

The above survey results are based on respondents from the United States, but the picture is clearly different in the regions I mentioned.

As practice and analytics show, most companies use or are looking for SAST or DAST tools. It is “or”, not “and”, because the myth that these scanners are interchangeable is still very common in those countries.

It is recommended to combine them (if the specifics of the company allow it). SAST finds vulnerabilities at the early stages of development and avoids release delays caused by security problems detected later, while DAST finds vulnerabilities specific to the running state of the program, which a scanner that analyzes only the source code technically cannot detect.

For example, the report mentions the Invicti DAST platform as an innovator and leader, which seamlessly integrates with the Mend.io solution, which also offers SAST and SCA among its modules. This way, you can centralize all vulnerabilities in one console.

Application security priorities

Figure: “What's your top 2026 application security concern” (Application Security Market Report 2026)

Of course, the risks of AI-generated code come first. Such assistants are widely used around the world, so this is also relevant for the above-mentioned regions.

We have an article on our blog about common vulnerabilities in AI-generated code; you can read it here.

In second place in the report are supply-chain attacks with malware. Unfortunately, in the above-mentioned countries, this is not given enough attention. For example, SCA tools can find malicious packages, which allows you to reduce these risks.

As for obtaining a budget, the situation in the mentioned regions is clearly more critical than among respondents from the USA: because of lower legislative requirements for application security and lower market maturity, this area may not receive enough attention from management.

The Trend of Transition of Tools on the Market to Platforms

Threats are growing over the years, and the number of application security tools is only increasing. If you use at least the basic set of SAST + DAST + SCA, it is not very convenient to log into a separate console each time to run scans and manage results. Another headache is the consolidation of all reports.

Application security vendors have noticed this and have started to massively expand their portfolios in recent years to further unify these products into a single platform for easy use. Almost every player in the AppSec market in the above-mentioned regions now offers more than one class of solutions.

But many teams, for one reason or another, use tools from different vendors. In this case the problem does not go away. To solve this, a class of solutions called Application Security Posture Management (ASPM) has emerged; one example is Invicti ASPM.

These products work as orchestrators: they integrate AppSec scanners for centralized vulnerability management, scan launching, and consolidated reporting.

Although the initial idea is to integrate different tools, the term ASPM can be somewhat misleading. Some vendors position ASPM as a single console for exclusively their own tools, which distorts the perception of this class of solutions.

In addition to integrating commercial tools, some products offer well-known open-source scanners “built into” the platform. This helps to close gaps in areas where budgets have not yet been allocated, maintaining a higher level of security than would otherwise be possible.

Some even take this strategy as a basis, allocating the budget primarily to ASPM. This may seem counterintuitive, but the logic here is as follows: open-source scanners are not always very “user-friendly”, which makes them difficult to use. And again, there is a problem of a large number of different consoles. However, if you run and analyze the results in ASPM, as well as configure policies there that are not available in the above-mentioned tools, the convenience of the processes increases rapidly, allowing you to find a balance between the allocated budget and security coverage.

Development of DAST and API Security

Dynamic application security testing (DAST, black-box testing) began as collecting the structure of the site, sending payloads, and analyzing the response.

However, with the spread of microservices and attacks on them, this class of solutions also began to cover API testing based on the provided specifications. The most popular type is still the RESTful API. Over time, functionality for discovering APIs also appeared, which helped develop the field of attack surface management.

Not so long ago, AI-based pentesting capabilities appeared; the report’s survey noted them as the most desired AI feature in AppSec. In the mentioned countries, I often see polar opposite opinions about AI: either seeing an increase in efficiency (mainly in private companies), or being too scared of the threats that AI poses.

Software Supply Chain Security

Supply-chain attacks have become increasingly common in recent years, which makes the corresponding offerings even more relevant in the markets I mentioned.

For example, SCA (Software Composition Analysis) tools generate a list of the libraries used in an application and then check them for vulnerabilities and licensing risks. Given modern threats, the popularity of such tools is gradually growing, but it remains noticeably lower than in the US.

One of the important features of this class of solutions is reachability analysis, which checks whether an attacker can actually exploit the library (based on information about whether a vulnerable function is called).
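The reachability check described above, as an added example that is not taken from the report or from any vendor's product: it builds a call graph with Python's `ast` module and reports whether a vulnerable library function can be reached from an entry point. The `yamlite` package, its `unsafe_load` function and the sample application are constructed for illustration.

```python
import ast

# Constructed sample app; "yamlite" and its functions are hypothetical.
APP_SOURCE = '''
import yamlite
from yamlite import unsafe_load as load_cfg
def read_config(path):
    return yamlite.safe_load(open(path).read())
def legacy_import(blob):
    return load_cfg(blob)
def handle_request(path):
    return read_config(path)
def main():
    handle_request("app.yml")
'''

def build_call_graph(source):
    """Map each top-level function to the qualified names it calls."""
    tree = ast.parse(source)
    aliases = {}  # local name -> imported module or module.symbol
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            prefix = f"{node.module}." if isinstance(node, ast.ImportFrom) else ""
            for a in node.names:
                aliases[a.asname or a.name] = prefix + a.name
    graph = {}
    for fn in (n for n in tree.body if isinstance(n, ast.FunctionDef)):
        calls = set()
        for call in (n for n in ast.walk(fn) if isinstance(n, ast.Call)):
            f = call.func
            if isinstance(f, ast.Name):        # load_cfg(...)
                calls.add(aliases.get(f.id, f.id))
            elif isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
                calls.add(f"{aliases.get(f.value.id, f.value.id)}.{f.attr}")
        graph[fn.name] = calls
    return graph

def reachable_path(graph, entry, vulnerable):
    """Return the call path from entry to the vulnerable symbol, or None."""
    stack, seen = [[entry]], set()
    while stack:
        path = stack.pop()
        for callee in sorted(graph.get(path[-1], ())):
            if callee == vulnerable:
                return path + [callee]
            if callee in graph and callee not in seen:
                seen.add(callee)
                stack.append(path + [callee])
    return None
```

In this sample, `yamlite.unsafe_load` is imported but not reachable from `main`; only `legacy_import` calls it, so the result depends on which entry points are actually exposed.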

Because updating dependencies manually is tedious, dedicated tools have appeared to automate this process, such as Mend Renovate.

Protecting AI models in applications

AI-based chatbots are increasingly used in applications, which creates new risks for us. The above-mentioned regions are not too concerned about this yet, although conversations are ongoing, but solutions to provide protection are already present on the market.

This includes detecting AI components in the application, analyzing the security of the model’s behavior (the so-called red teaming), checking internal instructions (system prompts) and configurations. An example of such functionality is Mend AI Premium.

Conclusion: We Have Room to Grow

Compared to the US, the market of Ukraine, Moldova, the South Caucasus, and Central Asia is less mature in terms of application security, despite the growth of modern threats.

As mentioned above, our regulatory requirements differ. In addition, popular AppSec vendors are mainly concentrated in the US, so they built market awareness of cybersecurity there much earlier than in the above-mentioned regions.

However, the full-scale war in Ukraine gave an impetus in this direction due to an increase in cyberattacks, which highlighted the already existing need.

Thus, we have a lot of room for development, which will be encouraged by stricter regulatory standards and modern threats.

If you would like to test Invicti (DAST, IAST), Invicti ASPM or Mend.io (SAST, SCA, container security, dependency updates and AI component protection) for free, please leave your contact details below, and our manager will contact you.
