OX Security Named a Sample Vendor in the Gartner® Hype Cycle™ for Secure Software Engineering, 2026

3 categories. 1 report. The conversation has caught up to the problem.

Gartner just published its Hype Cycle for Secure Software Engineering, 2026, and OX Security appears as a Sample Vendor in three distinct categories:

  • Agentic Coding Security

  • Application Security Posture Management (ASPM)

  • Software Supply Chain Security

We think it reflects something real about where application security is heading.

Why Three Categories Matter

The following reflects OX Security’s perspective and does not represent Gartner’s views.

For the past few years, we’ve been building around the thesis that the threat model for application security has fundamentally changed. AI-generated code, autonomous agents writing and deploying software, and supply chains that now include MCP servers and open-weight LLMs — these aren’t edge cases. They’re the new baseline.

The fact that Gartner is now mapping an entire Hype Cycle around these dynamics, and that three of its defined innovation categories align directly with what OX has been building, is the conversation catching up to the problem.

Agentic Coding Security: A Whole New Attack Surface

When code is written by an agent, not a developer, the assumptions behind traditional AppSec break. You can’t review what you didn’t write.

The attack surface isn’t just the code that comes out. It’s everything the agent touches along the way: the instructions it receives, the tools it calls, the way it executes, and the output it produces. Input, tools, execution, output. Four distinct layers, none of them covered by traditional scanners.

Security can’t sit at the end of a workflow that moves faster than any human reviewer. It has to be embedded across all four layers, automatically, in real time.

ASPM: The Connective Tissue

It’s not enough to have tools that find issues. Security teams are drowning in findings they can’t act on. ASPM is about taking all those signals — from scanning, from runtime, from pipeline telemetry — and turning them into something a human can actually use to make a decision.

That’s the core of what OX does.

Software Supply Chain Security: The Ground Floor

The code your agents write depends on packages. Those packages have vulnerabilities, some exploitable, most not. The MCP servers your agents call out to are third-party code you didn’t review. The model you’re using has a provenance you probably haven’t validated.

SSCS isn’t a feature — it’s a prerequisite.

One Chain, Not Three Problems

Three categories in one Hype Cycle isn’t about breadth for its own sake. It reflects the reality that these problems are connected.

If you’re a security or engineering leader trying to figure out where to focus, this report is worth reading.


Gartner, Hype Cycle for Secure Software Engineering, 2026, Aaron Harrison, 2 June 2026.

Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research and advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. GARTNER and HYPE CYCLE are registered trademarks and service marks of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved.

The post OX Security Named a Sample Vendor in the Gartner® Hype Cycle™ for Secure Software Engineering, 2026 appeared first on OX Security.
