SECURITY
As AI drives a surge in software output, security teams are under mounting pressure to use runtime testing to catch risks in running applications.
With the volume of machine-generated code exploding across the modern enterprise, security teams are discovering that static code analysis is no longer enough. This disconnect highlights the urgent need to establish dynamic guardrails that protect applications as they operate, according to Joe Sullivan (pictured, left), board member at StackHawk Inc.
“The challenge with AI is that once you let the AI in the door, you still need to pay attention to what it’s doing,” he said. “It’s kind of like a toddler in the house. You can let them in, but you should have somebody following them around.”
Sullivan and Joni Klippert (right), founder and chief executive officer of StackHawk, spoke to theCUBE’s Dave Vellante at the RSAC 2026 Conference, during an exclusive broadcast on theCUBE, SiliconANGLE Media’s livestreaming studio. They discussed the impact of AI on software engineering and the evolving role of the chief information security officer. (* Disclosure below.)
As organizations embrace agentic workflows where machines prompt other machines, the associated security risks increase in equal proportion. This increase in output often leads to a “bottleneck of innovation” if security teams rely on traditional, static tools that cannot distinguish between reachable and unreachable vulnerabilities, Sullivan noted.
“In 2026, the bad guys are all jumping into using AI and they don’t have to get through a governance committee to turn it on,” Sullivan said. “The good guys, we have processes — we’ve got to manage risk. Even if the security team wants to deploy the coolest new AI solution, we’ve got to test it.”
Runtime testing provides a layer of protection by identifying exploitable risks as an application runs, rather than simply scanning dormant text. StackHawk’s scanner, HawkScan, is configured as code that can run on a developer’s local machine or within continuous integration and continuous delivery pipelines, Klippert explained. For broad adoption, however, such tools also need to integrate cleanly into developers’ workflows without adding complexity.
“We have to fit into [a software engineer’s] toolchain and make this incredibly low friction, because if they see, ‘I just introduced a new vulnerability,’ they will fix it,” Klippert said. “They want to write quality code, but they don’t want to become security engineers.”
The answer is not more tickets or after-the-fact review, but security tooling that runs alongside modern software delivery, according to Klippert. As AI assistants turbocharge code generation, enterprises need portable, automated runtime testing and discovery built into the development workflow to keep vulnerabilities from piling up, she added.
“When we started the business, we talked about a ratio of one AppSec professional to a hundred software engineers,” she explained. “Those hundred software engineers are now at least a thousand software engineers. This is a discipline we have to fund.”
Here’s the complete video interview, part of SiliconANGLE’s and theCUBE’s coverage of the RSAC 2026 Conference:
(* Disclosure: StackHawk sponsored this segment of theCUBE. Neither StackHawk nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)