New research to help you take control of AI-driven development
Not all LLMs produce secure code equally. Comprehensive new benchmarking research reveals the security gaps across leading AI coding models — and a maturity model to help every enterprise respond.

Why this research matters
The LLM your team uses is a security decision
AI is accelerating software development at every stage — from human-written code, to AI-assisted vibe coding, to fully agentic systems making autonomous decisions in production codebases. And at every stage, enterprises face the same core problem: the code being generated may not be secure.
New research from Secure Code Warrior and RMIT University presents the first comprehensive benchmarks on how often leading LLMs produce insecure code, giving security leaders the data they need to make informed decisions about AI adoption.
- Significant variation across models. Secure output rates ranged from approximately 32% to nearly 65% — meaning the choice of model directly determines your baseline risk exposure.
- Same task, very different outcomes. Models were evaluated against identical development problems. The gap in security behavior is not theoretical — it shows up in the code your teams are shipping today.
- Material implications for enterprise AI governance. As agentic systems gain autonomy, understanding which AI did what — and how securely — becomes foundational to compliance and incident response.
The maturity model
Understand where your organization stands — and what to do next
Alongside the benchmarking data, the research aligns with Secure Code Warrior’s AI Software Governance Maturity Model: a clear framework for assessing your organization's current posture and the specific gaps creating the most AI risk exposure.
The model spans the full arc of the AI development transition and maps where most organizations have blind spots. It gives security leaders an actionable view of the gaps — and the steps to close them.
Maturity stages
Ad hoc → Aware → Defined → Managed → Leading
Three pillars
- Observe — Visibility into AI contributions and risk signals at the commit level
- Govern — Guardrails on what AI can and can't touch in your codebase
- Learn — Developer capability that evolves at every stage of the transition
Secure AI-driven development before it ships
See developer risk, enforce policy, and prevent vulnerabilities across your software development lifecycle.