Agentic AI Is Accelerating How Software Gets Built and How It Gets Attacked. Most Enterprises Are Only Ready for One, According to Digital.ai’s 2026 AppSec Threat Report

New data finds 87% of monitored client-facing apps faced attacks in 2026 — up from 55% in 2022 — as AI permanently collapses the cost and expertise required to exploit them

iOS and Android attack rates have converged for the first time — closing a 21-point gap and invalidating a decade of platform-based security assumptions

RALEIGH, N.C.–(BUSINESS WIRE)–AI has created two simultaneous acceleration curves in enterprise software: one for building it and one for attacking it. For most software teams, publishing an app to the App Store or Google Play still feels like a product milestone. In 2026, it is a security exposure event.

Digital.ai’s 2026 Application Security Threat Report draws on real-time threat monitoring data from applications serving billions of consumers across financial services, healthcare, automotive, and telecommunications. The report finds that as AI tools accelerate application development and shipping, attackers are using the same capabilities to move faster, causing the window between app store publication and first hostile contact to disappear.

Another key finding cuts to the root cause: agentic AI has reset the economics of software attacks. The skill, time, and cost barriers that once limited sophisticated attacks have collapsed. Activities that once required specialized security expertise, custom tooling, and days of manual effort can now be accomplished through AI-assisted code inspection, exploit generation, and malware adaptation in a fraction of the time.

The five-year attack rate trajectory makes the correlation visible. The 55% → 57% → 65% → 82.7% → 87% climb — tracking closely alongside each major AI model release since 2022 — suggests the industry has crossed a threshold. The question now is not whether agentic AI-powered attacks will keep climbing; it is whether enterprises will invest in defending against them at the same pace.

The Attack Surface Enterprises Left Exposed

One enterprise customer monitoring their application in production observed hostile activity less than two hours after their app appeared in the store, a timeline consistent with what Digital.ai’s broader threat telemetry shows. The window between app publication and first hostile contact is now measured in hours, not days.

Mobile applications have become a primary attack surface in the enterprise portfolio — and the most exposed to the new attacker capabilities that AI has unlocked. The applications that enterprises distribute directly into the hands of billions of customers exist outside the enterprise firewall. They live on devices the security team does not control, in public marketplaces on the open internet. When an attacker compromises a mobile app, the app is not the destination; it is the entry point. Reverse engineering a mobile application gives an attacker a blueprint to the backend APIs, authentication logic, and server infrastructure that power it — the same infrastructure protecting customer data, transactions, and core business operations.

A companion finding puts a finer point on where the underinvestment is showing up.

The iOS Budget Assumption Has Expired

In 2023, iOS apps faced roughly half the attack rate of Android apps, a gap that justified significantly lower security investment on Apple’s platform. In 2026, iOS apps were attacked at an 86% rate, compared to 89% for Android. This gap, which once stood at 21 percentage points, has now effectively closed. iOS instrumentation attacks alone jumped 10 percentage points in a single year, as AI-assisted dynamic analysis tooling matured into a mainstream attacker capability.

iOS has always been harder to attack, but that difficulty is no longer the deciding factor in target selection. AI-assisted reverse engineering absorbs what complexity remains. Enterprise AppSec budget allocations that still reflect a 2-to-1 Android-to-iOS threat assumption are now misaligned with the data.

The Numbers That Matter

  • 87% of monitored mobile applications faced attacks in 2026, up from 55% in 2022 — a 58% climb that maps closely alongside every major AI model release since ChatGPT launched in November 2022
  • The reason: agentic AI has collapsed the cost and skill floor of attacking software. What once required a specialist team and weeks of work now takes an afternoon and an LLM subscription
  • Financial services apps hit a 2026 attack rate of 91% — the highest ever recorded for any vertical in the report’s history
  • Automotive apps reached 91% — statistically identical to financial services — as connected vehicle apps became primary control surfaces for assets worth tens of thousands of dollars
  • Medical device apps recorded the largest single-year jump of any named vertical — 8 percentage points, from 78% to 86%. A compromised medical device app raises possible consequences far beyond a typical data breach. It is a potential pathway to patient harm.
  • iOS apps were attacked at an 86% rate in 2026, compared to 89% for Android — closing a gap that once stood at 21 percentage points and invalidating the budget assumptions that gap justified
  • iOS instrumentation attacks jumped 10 percentage points in a single year. This is the sharpest single-year move recorded for any attack type on either platform and a direct signal that AppSec budgets still favoring Android over iOS are misaligned with the data

“The same AI your developers used to build your app this morning is being used to attack it this afternoon. That forces a question every AppSec team needs to answer: is the application built to defend itself from the moment it hits the store? Or is it waiting for the security team to notice it is being used as the entry point? In an environment where 87% of monitored apps are under attack, waiting is not a strategy,” said Derek Holt, CEO, Digital.ai. “The gap between where the attacks are and where the security investment is, is no longer acceptable.”

To read the full report, visit Digital.ai.

About the Report

The Digital.ai 2026 Application Security Threat Report is based on real-time threat telemetry collected from monitored applications serving billions of end users across financial services, healthcare, automotive, telecommunications, and other regulated industries globally. The data was collected across billions of application instances during Q4 2025.

Most published threat intelligence in application security describes server-side attacks, network activity, or post-incident forensics. This report describes something different — client-side and runtime attacks observed against applications running in production, in the wild, on devices and networks outside enterprise control. Digital.ai operates the largest application hardening telemetry footprint in the industry, with roots tracing to the original commercial application of anti-tampering technology developed at Purdue University in 2001. The dataset behind this report is not derivable from public sources, vendor surveys, or threat intelligence feeds.

About Digital.ai

Digital.ai enables the world’s most complex organizations to deliver trusted software at AI speed. By applying agentic AI across the critical stages of software delivery — from planning through security, testing, and delivery — Digital.ai helps enterprises remove bottlenecks, reduce risk, and improve the flow of software value to production. Its solutions integrate into existing environments, allowing organizations to transform to AI-first without disruption. Today, 53% of the Fortune 100 trust Digital.ai to make that happen.
