Datadog Report Finds 87% of Firms Face Exploitable Vulnerabilities, Median Dependency Age 278 Days

Datadog's State of DevSecOps Report 2026 reveals 87% of organizations run software with at least one known exploitable vulnerability, with 42% relying on unmaintained libraries and a median dependency age now at 278 days. Only 4% of firms pin GitHub Actions to specific commits, exposing CI/CD pipelines to supply-chain risks.

1. Key Report Findings

The report indicates that 87% of organizations have known exploitable vulnerabilities in deployed services, 42% rely on unmaintained libraries, and the median software dependency is 278 days out of date. Services using end-of-life language versions face vulnerabilities in 50% of cases, compared to 31% for supported versions.

2. Supply-Chain Risk Drivers

Rapid adoption of new library versions, often within 24 hours of release, can introduce malicious or compromised code, while only 4% of firms pin public GitHub Actions to specific commit hashes. This combination of aging dependencies and fast-paced development pipelines elevates software supply-chain risk across both build and deployment stages.
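
Commit-hash pinning of the kind the report measures can be checked mechanically. The following is an added example, not code from Datadog or the report: it scans workflow text for `uses:` references and flags any that are not pinned to a full 40-character commit SHA. The sample workflow, the `example-org` action names and the SHA in it are constructed for illustration.

```python
import re

# Matches a step's (or reusable workflow's) "uses:" value, with or without the list dash.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def classify(ref):
    """Classify one 'uses:' value by how its code is selected at run time."""
    if ref.startswith("./"):
        return "local"  # action stored in the same repository
    if ref.startswith("docker://"):
        return "docker-digest" if "@sha256:" in ref else "docker-tag"
    _, sep, version = ref.partition("@")
    if not sep:
        return "no-ref"
    return "pinned" if FULL_SHA_RE.match(version) else "mutable"

def audit(workflow_text):
    """Return (line_number, ref, classification) for every 'uses:' line."""
    findings = []
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match:
            findings.append((number, match.group(1), classify(match.group(1))))
    return findings

def unpinned(workflow_text):
    """Findings whose code can change without any edit to the workflow file."""
    return [f for f in audit(workflow_text) if f[2] in ("mutable", "docker-tag", "no-ref")]

# Constructed sample workflow (not taken from the report).
SAMPLE = """\
name: build
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/setup-tool@0123456789abcdef0123456789abcdef01234567 # v1.2.0
      - name: lint
        uses: example-org/lint-action@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
"""

if __name__ == "__main__":
    for number, ref, kind in audit(SAMPLE):
        print(f"line {number}: {ref} -> {kind}")
```

A tag such as `v4` or a branch such as `main` is reported as mutable because whoever controls the action's repository can move it to different code; a full commit SHA cannot be moved.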

3. Strategic Implications for Datadog

Heightened security risks across the software delivery lifecycle underscore increased demand for continuous observability and real-time risk prioritization. Datadog's AI-powered security platform is positioned to help organizations automate vulnerability detection and contextualize alerts to reduce noise and focus remediation efforts on critical threats.
