Black Hat USA 2025 Recap: Application Security

Application security dominated Black Hat 2025 with AI, ASPM, and business impact themes.

What You Missed on the Expo Floor

Key Moves in Application Security at Black Hat USA 2025:

  • Wallarm launched API Revenue Protection to quantify AppSec’s business impact.
  • Snyk debuted Secure at Inception for real-time AI code scanning.
  • AppViewX showcased certificate lifecycle automation for app environments.
  • Palo Alto introduced Cortex Cloud ASPM with open AppSec partner ecosystem.
  • Veracode announced new ASPM integrations with Wiz and Palo Alto.

Application security took center stage at Black Hat USA 2025, with vendors and researchers zeroing in on the evolving threat landscape driven by AI, software supply chain vulnerabilities, and the need for proactive posture management. From the expo floor to the briefing rooms, the conversation was clear: Application security is no longer just about scanning code; it’s about securing the entire lifecycle of modern, AI-powered software.

Our team was on the ground throughout the event—attending keynotes, sitting in on panel discussions, and speaking directly with solution providers and CISOs. The energy was palpable, and the urgency around securing applications in the age of agentic AI was front and center.

Here are some key themes from the show that stood out:

AI Is Reshaping Application Security—Fast

The rise of agentic AI and the Model Context Protocol (MCP) has introduced new attack surfaces that traditional AppSec tools weren’t built to handle. Vendors like Snyk and Cyera responded with offerings that scan AI-generated code in real time and monitor AI runtime behavior. Snyk’s Secure at Inception platform, for example, integrates directly into MCP workflows to detect vulnerabilities before code is even committed. Cyera’s AI Guardian suite adds runtime protection and asset inventory for AI systems, critical as enterprises adopt generative tools like ChatGPT Enterprise and Claude.

ASPM Is the New Must-Have

Application Security Posture Management (ASPM) was everywhere. Palo Alto expanded its Cortex Cloud with ASPM capabilities, integrating findings from partners like Snyk, GitLab, Veracode, and Checkmarx. The goal: Consolidate AppSec data into a single pane of glass for SOC teams. Veracode also announced new ASPM integrations with Wiz and Palo Alto, enabling broader visibility and prioritization across cloud-native environments.

Business Context Is Finally Part of AppSec

Wallarm made waves with its API Revenue Protection tool, which helps CISOs quantify the financial impact of API attacks. This shift toward business-aligned AppSec was echoed across the show floor. Vendors are moving beyond technical metrics to show how vulnerabilities affect revenue, customer trust, and operational resilience. It’s a welcome evolution for decision-makers who need to justify security investments in terms the board understands.

Supply Chain Risk Is Still a Top Concern

Software supply chain vulnerabilities remain a persistent threat. AppViewX addressed this with automated certificate lifecycle management, helping teams avoid expired certs and misconfigurations that can expose applications. Meanwhile, Veracode shared threat research on malicious packages targeting developers, highlighting the need for continuous monitoring and proactive defense across third-party dependencies.

What We Heard in the Hallways

“The fundamentals still matter. WAFs, bot management, and DDoS protection are still frontline defenses.”
—Daniel Skrba, Content Strategist, HAProxy Technologies

“AppSec isn’t just about code anymore. It’s about context, identity, and business impact.”
—Katy Gwilliam, Veracode

Why It Matters

Application security is evolving rapidly, and Black Hat USA 2025 made that clear. The shift toward ASPM, AI-aware scanning, and business-aligned metrics reflects a maturing discipline that’s ready to meet modern threats head-on. For BDMs and TDMs, the takeaway is simple: AppSec is no longer optional or siloed. It’s foundational to digital trust, operational continuity, and competitive advantage.

If your team hasn’t yet explored ASPM or AI runtime protection, now’s the time. The tools are here. The threats are real. And the business case has never been stronger. Check out our list of vetted application security vendors for how-tos and best practices.
