New Research from Rein Security Finds Most Security Teams Struggle to Detect AI Agent Misuse in Production
NEW YORK and TEL AVIV, Israel – Rein Security, a trusted application security company for leading enterprises, today released “The Great AppSec Reality Check: What Security Pros Really Think of Their Existing Tools” Based on a survey of more than 300 CISOs and AppSec executives, the report reveals a fundamental context gap in modern AppSec tools. Despite heavy investments in AppSec, over three-quarters of security professionals still do not have the real-time production insight necessary to validate risk and understand how their code actually behaves in real-world environments.
The Insight Gap: Security Without Production-Level Intelligence
According to the findings, the primary hurdle for modern security teams is no longer tool acquisition, but the persistent absence of real-time context. Most AppSec tools scan pre-production and monitor at the perimeter, but as applications continue to grow more distributed through microservices and AI-native components, these legacy scanning methods are failing to provide the runtime context needed for efficient security operations.
This gap cuts across the entire AppSec stack: 62% of respondents said they are blind to shadow or undocumented APIs; 73% of SCA users noted a lack of visibility into whether flagged vulnerabilities are actually exploitable in production; and 72% of SAST/DAST users said they are challenged by an overwhelming number of false positives. This gap extends to emerging environments, too, with teams struggling to correlate Model Context Protocol (MCP) actions with execution outcomes (46%) and reporting blind spots around prompt injection chains or tool-chaining abuse (48%) in AI-native apps. Without reliable, in-production data, teams waste resources on non-reachable vulnerabilities while undetected threats persist.
“AppSec teams are drowning in tools and effectively operating in a data and context vacuum, forced to chase theoretical vulnerabilities without clear evidence of how they behave in production environments,” said Matan Bar Efrat, CEO and co-founder at Rein Security. “This report highlights a breaking point in the industry: the majority of AppSec professionals want production-level context, a clear signal that our current reliance on static snapshots has created an unsustainable cycle of manual verification and operational noise.”
Why AppSec Struggles to Scale
The data confirms that while a gap in production-level insight exists at any size company, it becomes most visible at scale. As organizations grow, the volume of unvalidated alerts creates a bottleneck that traditional staffing and management models cannot overcome. Despite only 38% of small AppSec teams (1-10 members) that use SCA citing their biggest pain point is the inability to verify if vulnerabilities are exploitable in production, that figure jumps to 63% for mid-sized teams (11–50 members) and remains high at 58% for large teams (50 members or more).
Industry-Wide Willingness to Replace
Frustration with these visibility and scaling challenges is pushing the market toward a massive shift. Respondents expressed a high willingness to replace current AppSec tools or adopt new solutions if they would address their biggest pain points: 93% are ready to replace or purchase new AI-native application protection; 88% are willing to replace API security solutions; and 81% are willing to pivot to new MCP protection tools. There are also several dominant tools that at least half of respondents would be willing to replace, including RASP (55%), SCA (52%) and SAST/DAST (49%).
Other key findings include:
- Although 13% of respondents use agent-based deployment, most (87%) overwhelmingly prefer agentless, package-based or simple CI/CD-based deployment;
- For ASPM platform users, 68% struggle to prove posture and risk to leadership or auditors, 67% cite data gaps and missing telemetry that create blind spots, and 60% say issues are still ranked by theoretical severity instead of real exposure or exploitability; and
- For 16% of respondents, their ultimate wish is to consolidate the AppSec toolchain into one platform.
For more information and to access the full report, download it here.
Research Methodology
Rein Security surveyed 303 CISOs and AppSec executives at U.S. companies with 1,500+ employees (all with dedicated AppSec teams) across banking (12.5%), insurance (12.5%), fintech/insurtech (25%), and SaaS software (50%). The report was conducted online by an independent research firm, Global Surveyz Research, in October 2025.
About Rein Security
Rein Security is an application security company delivering a novel, patent pending technology with real-time, in-production visibility and protection. Trusted by leading Fortune 500 companies, Rein Security enables security teams to uncover which API, SCA and AI risks actually matter by correlating every request, response, resource, API and line of code in production. Backed by Giliot Capital and co-headquartered in Tel Aviv and New York City, the company was founded in 2024. For more information, please visit www.reinsec.io. To book a demo: https://reinsec.io/book-a-demo
