87% of Organizations Are Running Software With Known, Exploitable Vulnerabilities, Datadog Finds

Rhea-AI Summary

Datadog (NASDAQ: DDOG) released the State of DevSecOps Report 2026, finding 87% of organizations run services with at least one known exploitable vulnerability. The report highlights supply‑chain risk: median dependencies are 278 days out of date and only 4% of orgs pin GitHub Actions.

Datadog warns rapid adoption of libraries and noisy critical alerts create prioritization and pipeline‑security challenges for DevSecOps teams.

Positive

• 87% of organizations have exploitable vulnerabilities
• Median dependency age is 278 days out of date
• 50% of organizations adopt new library versions within 24 hours

Negative

• Only 4% of organizations pin public GitHub Actions
• Services using EOL language versions face vulnerabilities 50% of the time
• Only 18% of ‘critical’ alerts remain critical after runtime context

News Market Reaction – DDOG

+5.56%

31 alerts

+5.56% News Effect

+2.6% Peak Tracked

-4.8% Trough Tracked

+$2.18B Valuation Impact

$41.32B Market Cap

0.1x Rel. Volume

On the day this news was published, DDOG gained 5.56%, reflecting a notable positive market reaction. Argus tracked a peak move of +2.6% during that session. Argus tracked a trough of -4.8% from its starting point during tracking. Our momentum scanner triggered 31 alerts that day, indicating elevated trading interest and price volatility. This price movement added approximately $2.18B to the company's valuation, bringing the market cap to $41.32B at that time.

Data tracked by StockTitan Argus on the day of publication.

Key Figures

Orgs with exploitable vulns: 87% Unmaintained libraries use: 42% EOL language vuln rate: 50% +5 more

8 metrics

Orgs with exploitable vulns 87% Organizations with at least one known exploitable vulnerability in deployed services

Unmaintained libraries use 42% Services relying on libraries no longer actively maintained

EOL language vuln rate 50% Services using end-of-life language versions facing exploitable vulnerabilities

Supported language vuln rate 31% Services using supported language versions facing exploitable vulnerabilities

Rapid library adoption 50% Organizations adopting new library versions within 24 hours of release

Pinned GitHub Actions 4% Organizations pinning all public GitHub Actions to specific commit hashes

Median dependency age 278 days Median software dependency age in the report

Critical vulns after context 18% Vulnerabilities still labeled critical after applying runtime context

Market Reality Check

Price: $111.96 Vol: Volume 6,140,263 is below...

normal vol

$111.96 Last Close

Volume Volume 6,140,263 is below the 20-day average of 7,513,871 (relative volume 0.82). normal

Technical Shares at $110.33 are trading below the 200-day MA of $138.77, and about 45.3% under the 52-week high.

Peers on Argus

DDOG is up 5.65% while scanner peers show mixed moves (e.g., SNOW up 3.72%, ZM d...

1 Up 1 Down

DDOG is up 5.65% while scanner peers show mixed moves (e.g., SNOW up 3.72%, ZM down 5.35%). Combined with limited peer news, this suggests a stock-specific reaction rather than a broad software-sector move.

Historical Context

5 past events · Latest: Feb 24 (Positive)

Pattern 5 events

Date	Event	Sentiment	Move	Catalyst
Feb 24	Investor conference	Positive	+5.7%	Upcoming Morgan Stanley TMT conference presentation and webcast details.
Feb 18	AI conference event	Positive	-0.6%	Announcement of DASH 2026 AI and observability-focused conference.
Feb 10	Earnings results	Positive	+13.7%	Strong Q4 and FY 2025 revenue growth and margins with guidance.
Jan 20	Earnings date set	Neutral	+5.5%	Scheduling of Q4 and FY 2025 earnings release and call details.
Jan 20	Investor Day	Positive	+5.5%	Announcement of upcoming Investor Day with in‑person and virtual options.

Pattern Detected

Recent news with clearly positive fundamentals or investor-focused events has mostly aligned with positive price reactions; only one AI/event announcement saw a mild divergence.

Recent Company History

Over the past months, Datadog has combined strong fundamentals with active investor engagement. The Q4 and full-year 2025 results on Feb 10, 2026 showed robust growth and were followed by a 13.74% gain. Announcements around the earnings date and an Investor Day on Jan 20, 2026 each coincided with roughly 5.52% upside. Conference participation on Feb 24, 2026 also matched a 5.65% move. One AI-focused DASH 2026 announcement on Feb 18, 2026 saw a modest -0.64% reaction, a divergence from otherwise positive event-driven responses.

Market Pulse Summary

The stock moved +5.6% in the session following this news. A strong positive reaction aligns with Dat...

Analysis

The stock moved +5.6% in the session following this news. A strong positive reaction aligns with Datadog’s pattern of favorable responses to thought-leadership and data-rich releases, as seen around earnings and investor events with moves up to 13.74%. The report underscores widespread exploitable vulnerabilities, highlighting the relevance of DDOG’s security and observability platform. However, shares still trade below the $138.77 200‑day MA and about 45.3% under the 52‑week high, so investors have previously weighed macro and valuation factors alongside product and research news.

Key Terms

devsecops, software supply chain, ci/cd, github actions, +2 more

6 terms

devsecops technical

"The State of DevSecOps Report 2026 highlights a broader industry shift"

DevSecOps is the practice of building security checks into the whole software creation and delivery process instead of treating security as a separate step at the end. For investors, it matters because products that find and fix vulnerabilities earlier tend to ship faster, cost less to maintain, and carry lower risk of damaging breaches or regulatory fines — much like installing quality and safety checks on a car while it’s being assembled rather than after it leaves the factory.

software supply chain technical

"security risk increasingly moves upstream into the software supply chain"

The software supply chain is the network of code, tools, services and vendors that companies use to build, update and run their applications—like the chain of parts and suppliers that go into making a car. Investors care because problems anywhere in that chain—bugs, outages, or cyberattacks—can disrupt operations, increase costs, harm reputation and trigger regulatory or financial consequences that affect a company’s value.

ci/cd technical

"making CI/CD systems a critical supply-chain risk"

CI/CD stands for Continuous Integration and Continuous Delivery (or Deployment), a set of practices and tools that automate the building, testing and releasing of software so code changes reach users quickly and reliably. Think of it as an assembly line that checks each new part before it leaves the factory. For investors, CI/CD lowers the risk of costly bugs, speeds product improvements, reduces development costs, and makes a company’s road map and revenue more predictable.

github actions technical

"Only 4% of organizations pin all public GitHub Actions to a specific version"

GitHub Actions is a built-in automation system that lets software teams set up repeatable steps to build, test and deploy code whenever changes are made. For investors, it matters because it helps companies release features faster, reduce mistakes and outages, and lower operational costs—similar to an automated assembly line that speeds production and cuts errors, which can improve product reliability and the pace of growth.

runtime context technical

"Only 18% of vulnerabilities labeled “critical” remain critical once runtime context is applied"

Runtime context is the set of conditions and information a software program uses while it is running — including the data it’s processing, the system resources available, user permissions, and configuration settings. For investors, runtime context matters because it affects how reliably and securely a product or service behaves in real-world use, influencing operational risk, performance, compliance, and the cost and speed of scaling or fixing issues; think of it as the kitchen, ingredients and tools that determine how consistently a recipe turns out.

telemetry technical

"Datadog analyzed telemetry from tens of thousands of applications"

Telemetry is the automatic collection and transmission of measurements from remote devices, systems, or patients to a central system for monitoring and analysis—like a car sending engine, speed and location data back to a dashboard. For investors it matters because telemetry provides real-time evidence of product performance, safety and user behavior, helping assess revenue potential, operational risk, regulatory compliance and whether a product is meeting market demand.

AI-generated analysis. Not financial advice.

The State of DevSecOps Report 2026 highlights a broader industry shift as security risk increasingly moves upstream into the software supply chain

NEW YORK, Feb. 26, 2026 (GLOBE NEWSWIRE) -- Datadog, Inc. (NASDAQ: DDOG), the AI-powered observability and security platform for cloud applications, today released its latest State of DevSecOps Report, finding that nearly nine in 10 organizations (87%) have at least one known exploitable vulnerability in deployed services.

The report points to a broader industry shift, with security risk increasing across the software delivery lifecycle. As development accelerates, becomes more automated, and relies more heavily on third-party components, risk is increasingly shaped by the software supply chain and the tools used to build and deploy applications - not just the code that runs in production.

Key findings at a glance:

• 87% of organizations have at least one known exploitable vulnerability in deployed services
• 42% of services rely on libraries that are no longer actively maintained
• Services using end-of-life language versions face exploitable vulnerabilities in 50% of cases, compared to 31% for supported versions
• 50% of organizations adopt new library versions within 24 hours of release, increasing the risk of installing malicious or compromised software
• Only 4% of organizations pin all public GitHub Actions to a specific version using commit hashes, leaving CI/CD pipelines vulnerable to silent code changes
  
  

Security Risk Increasing at Both Ends of the Lifecycle

On one end, software is aging faster than teams can keep it up to date. The median software dependency is now 278 days out of date - 63 days further behind than last year.

At the same time, third-party software accelerates development but introduces risk when implicitly trusted. Datadog researchers found that half of organizations (50%) adopt new library versions within 24 hours of release, and only 4% pin all public GitHub Actions to a specific version using commit hashes.

As a result, build and deployment pipelines are increasingly exposed to silent changes in third-party code, making CI/CD systems a critical supply-chain risk.

“The way software is built has fundamentally changed, but security practices haven’t kept up,” said Andrew Krug, Head of Security Advocacy at Datadog. “DevSecOps teams are caught between moving too slowly and moving too fast. Go slow, and outdated software accumulates known vulnerabilities. Go fast, and automation can introduce unvetted code. The real challenge, though, isn’t speed - it’s clarity. As environments grow more complex, AI-assisted workflows help ensure top priorities get attention first.”

Alert Volume Is Obscuring Real Risk

While vulnerability alerts continue to rise, the report also finds that most do not represent immediate business risk. Only 18% of vulnerabilities labeled “critical” remain critical once runtime context is applied.

“When almost everything is labeled ‘critical’, nothing is,” Krug added. “Teams get paged for noise while threats that pose real risk slip through. Without context, prioritization becomes harder - leading to burnout, slower response times and accumulated risk. Teams need better visibility into what actually requires action.”

Read the full report, State of DevSecOps Report 2026, to see how these findings are shaping modern approaches to detecting, prioritizing and remediating security risk.

Contact
press@datadoghq.com

Report Methodology

Datadog analyzed telemetry from tens of thousands of applications to assess security risk across modern software environments, along with additional datasets used for specific findings. The data is global in scope.

About Datadog

Datadog is the AI-powered observability and security platform for cloud applications. Our SaaS platform integrates and automates infrastructure monitoring, application performance monitoring, log management, user experience monitoring, cloud security and many other capabilities to provide unified, real-time observability and security for our customers' entire technology stack. Datadog is used by organizations of all sizes and across a wide range of industries to enable digital transformation and cloud migration, drive collaboration among development, operations, security and business teams, accelerate time to market for applications, reduce time to problem resolution, secure applications and infrastructure, understand user behavior and track key business metrics.

Forward-Looking Statements

This press release may include certain “forward-looking statements” within the meaning of Section 27A of the Securities Act of 1933, as amended, or the Securities Act, and Section 21E of the Securities Exchange Act of 1934, as amended including statements on the benefits of new products and features. These forward-looking statements reflect our current views about our plans, intentions, expectations, strategies and prospects, which are based on the information currently available to us and on assumptions we have made. Actual results may differ materially from those described in the forward-looking statements and are subject to a variety of assumptions, uncertainties, risks and factors that are beyond our control, including those risks detailed under the caption “Risk Factors” and elsewhere in our Securities and Exchange Commission filings and reports, including the Quarterly Report on Form 10-Q filed with the Securities and Exchange Commission on February 18, 2026, as well as future filings and reports by us. Except as required by law, we undertake no duty or obligation to update any forward-looking statements contained in this release as a result of new information, future events, changes in expectations or otherwise.

FAQ

What did Datadog report about exploitable vulnerabilities in deployed services (DDOG, Feb 26, 2026)?

Datadog found that 87% of organizations run at least one known exploitable vulnerability in deployed services. According to Datadog, this reflects rising supply‑chain and maintenance gaps as dependencies age and third‑party components proliferate.

How old are software dependencies on average according to Datadog's State of DevSecOps Report 2026 (DDOG)?

The report states the median software dependency is 278 days out of date, up 63 days year‑over‑year. According to Datadog, slower updates increase exposure to known vulnerabilities across deployment pipelines and production.

What proportion of organizations adopt new library versions quickly, per Datadog (DDOG)?

Datadog reports 50% of organizations adopt new library versions within 24 hours of release. According to Datadog, this rapid uptake can increase risk of installing malicious or compromised packages in CI/CD pipelines.

How prevalent is pinning GitHub Actions to specific versions, per Datadog's 2026 report (DDOG)?

Only 4% of organizations pin all public GitHub Actions to a commit hash, leaving pipelines vulnerable to silent changes. According to Datadog, lack of pinning heightens supply‑chain risk in build and deployment stages.

What did Datadog say about critical vulnerability alerts and runtime context (DDOG)?

Datadog found that only 18% of vulnerabilities labeled critical remain critical after applying runtime context. According to Datadog, alert noise hampers prioritization and can cause teams to miss threats that pose real business risk.

How do end‑of‑life language versions affect vulnerability risk, per Datadog (DDOG)?

Services using end‑of‑life language versions face exploitable vulnerabilities in 50% of cases versus 31% for supported versions. According to Datadog, EOL languages materially increase exposure to known, unpatched issues.