The State of the State of Application Exploits in Security Incidents
Partner: F5 Labs
Application security is often a fragmented picture, with different defenders seeing different parts of the “elephant.” This multi-source analysis stitches together findings from the Cyentia Research Library, Verizon DBIR, and IRIS Xtreme to provide a unified view of the frequency and role of application exploits in real-world incidents. We examine successful attacks that resulted in outages, data theft, or major financial loss to determine if application-layer defense is truly the primary battleground.
The data confirms that web application security issues are the leading incident pattern for the biggest losses. All told, 56% of the largest incidents of the last five years tie back to application-layer issues, accounting for 42% of all recorded financial losses in extreme events. The report also reveals a “254-day discovery gap”: the average time-to-discovery for app exploits is significantly higher than the 71-day average for other types of extreme events.
The analysis also highlights the prominence of state-affiliated threat actors. These actors were responsible for 57% of all known financial losses in major web application incidents over the last five years. By comparing tactical definitions across sources, we find that “Exploit Public-Facing Application” is consistently ranked as the #1 or #2 Initial Access technique. This research is an essential corrective for threat models that underestimate application-layer risk.
Key Findings
- Application Loss Dominance: Web application issues tie back to 56% of extreme incidents and 42% of all financial losses in the last five years.
- The 254-Day Detection Lag: Web application exploits take an average of 254 days to discover, far exceeding the 71-day average for other major incidents.
- State-Affiliated Tail Risk: 57% of all financial losses in major web app incidents are attributed to state-affiliated threat actors, though they cause only 20% of events.
- Initial Access Consensus: “Exploit Public-Facing Application” is either the #1 or #2 Initial Access technique for every source that reports on the MITRE ATT&CK framework.
- Credential Tactic Lead: Credential attacks involving web applications were the most common (46 incidents) and costly ($10 billion) tactic across extreme events.
- Incident Pattern Frequency: Web application attacks were the leading incident pattern among data breaches for six of the last eight years.
- “Tower of Babel” Effect: Because sources lack a shared attack lingo, only two types of application attacks, SQLi and XSS, were reported by at least three independent sources.

Multi-source analysis synthesizing data from the Cyentia Research Library (2,500+ reports), IRIS Xtreme, Verizon DBIR, and MITRE ATT&CK.