
Securing the Agentic SDLC

In this episode of Resilient Cyber, I sit down with Katie Norton, Research Manager for DevSecOps and Software Supply Chain Security at IDC, to unpack what application security looks like as AI moves from copilot to autonomous teammate across the software development lifecycle.

We dig into AI’s accelerating impact on AppSec and the SDLC, the productivity-versus-risk equation now that agentic coding tools are landing pull requests with minimal human review, and the so-called “Vulnpocalypse” – the explosion of CVEs, AI-generated code, and the widening gap between vulnerability discovery and remediation capacity. We explore whether legacy AppSec tooling categories like SAST, DAST, SCA, and ASPM can keep pace, or whether they’re being fundamentally reinvented for an agentic world.

Katie also shares her perspective on the rise of autonomous pen testing and offensive security agents, what it means when attackers operate at machine speed while defenders are still triaging tickets, and how practitioners, CISOs, and security leaders should be rethinking team structure, skills, and governance for an agentic SDLC.





Prefer to Listen?

Apple Podcasts

Spotify



Key Takeaways:

  • AI is breaking the AppSec workload equation. Agentic coding tools have dramatically increased code velocity and volume, exposing the limits of human-paced security review and forcing organizations to rethink how AppSec scales.

  • The “Vulnpocalypse” is real, but uneven. The gap between vulnerability discovery and remediation capacity is widening fast, and the organizations feeling it most are those still relying on legacy triage and ticketing models built for a pre-AI world.

  • Legacy AppSec categories are being reinvented, not just extended. SAST, DAST, SCA, and ASPM weren’t designed for a world where AI agents author, review, and deploy code – and the tooling landscape is starting to reflect that reality.

  • Autonomous offense is outpacing autonomous defense. With tools like XBOW, Project Naptime, and Project VAIL pushing the boundaries of agentic pen testing, defenders need to take the asymmetry seriously and invest accordingly.

  • The agentic SDLC demands new governance, not just new tools. From AI-generated dependencies and hallucinated packages to MCP server integrity, supply chain risk is evolving – and the organizations that thrive will be the ones building governance models, skills, and team structures purpose-built for this era.
