85% Mandatory, 0% Requested: Why Application Security Training is Broken 

We’ve been saying for years that most application security training doesn’t actually help developers write secure code. But when we sat down with the latest data from Security Compass, Backslash Security, and Pynt, even we were surprised by what we found. Here’s the thing: 85% of organizations mandate AppSec training, yet in 0% of organizations did developers ask for it voluntarily.

THREE SURPRISING FINDINGS

Surprising Finding #1: Zero developers asked for this training. That’s not a typo. According to Security Compass (March 31, 2026), in zero percent of organizations did developers voluntarily request security training. Not one. Compliance and contracts are driving the mandate, but nobody is asking for the actual content.

Surprising Finding #2: Zero organizations have no AI plans. While 86% of organizations are already leveraging AI/ML significantly in their security strategy, the remaining 14% still have plans to adopt. That means 100% of organizations are either on AI or getting there. The question isn’t if, it’s whether your training will be ready.

Surprising Finding #3: The “defensive tax” costs over $1.2 million per year. We calculated this based on Backslash Security’s finding that 89% of AppSec teams spend at least 25% of their time chasing vulnerabilities. For a large enterprise, that’s more than a million dollars in engineering hours spent reacting instead of building.

KEY FINDINGS

Here are the numbers that define the current state of AppSec training, pulled directly from three independent research sources:

From Security Compass (March 31, 2026):

  • 85% of organizations mandate AppSec training
  • 57% say compliance is the primary driver, not skill-building
  • Developers’ #1 frustration: training content not delivered through dev or security tools
  • 86% are already leveraging AI/ML significantly in security strategy
  • 0% have no plans to integrate AI into security
  • 0% of organizations reported developers asking for training voluntarily
  • 75% plan to increase AppSec training budgets

From Backslash Security (March 30, 2026):

  • 58% of AppSec teams spend more than half their time chasing vulnerabilities
  • 89% spend at least 25% of time in “defensive tax” mode
  • 39% see growing friction between AppSec and dev teams due to tool gaps

From Pynt (April 9, 2026):

  • 25% of developers report being overwhelmed by vulnerability volume
  • 35% cite false positives as the top shift-left challenge
  • 47% have implemented shift-left security strategies
  • 50% of those who haven’t implemented shift-left have no plans to do so

WHAT THIS MEANS FOR DEVELOPERS, TEAMS, AND TECH LEADERS

For developers, this data confirms what you already feel: the current training model wasn’t built for you. It was built for compliance teams. When 25% of you report being overwhelmed by vulnerability volume, that’s not a skill gap, that’s a systems failure.

For tech leads and CTOs, the defensive tax is real money leaving your engineering budget. If your AppSec team is among the 89% spending at least a quarter of their time chasing vulnerabilities instead of enabling faster, safer shipping, you’re losing both velocity and morale.

For organizations scaling training, the message is clear: throwing more mandatory modules at the problem won’t work. In zero percent of organizations did developers ask for what you’re currently offering. Time to build something they’d actually want.

EXPERT QUOTE

“We’ve built an entire industry on security training that nobody asked for, delivered in ways that break developer flow, measured by completion certificates instead of actual secure coding skills,” said Leon I. Hicks, founder of Secure Coding Practices.

“The data shows 85% of organizations mandate training, but zero percent of developers requested it. That’s not a training problem, that’s a trust problem. Developers aren’t resisting security. They’re resisting training that feels irrelevant to their actual work. When you deliver hands-on, stack-specific bootcamps that solve real problems developers face every day, the dynamic changes completely.”

METHODOLOGY NOTE

The findings in this analysis are drawn from three independent surveys conducted between March 30 and April 9, 2026: Security Compass/Golfdale Consulting (150 software professionals across the US, Canada, and the UK), Backslash Security (300 AppSec professionals at US enterprises with 1,000+ employees), and Pynt (shift-left security adoption survey). All data is publicly available via the sources linked above.

READ THE COMPLETE ANALYSIS

We’ve published the full breakdown of these findings, including deeper analysis of why the defensive tax matters and how developer-centric training actually fixes the problem.

Read the complete analysis with full methodology on our blog → AppSec Training is Broken Because It Ignores the Developer

Explore hands-on secure coding bootcamps → Secure Coding Bootcamps for Teams