Red Hat, the world’s leading provider of open source solutions, today releases data from its 2026 State of Cloud-Native Security Report, revealing that 97% of organisations reported at least one cloud-native security incident in the past year. These are not just sophisticated, one-off attacks, but rather often the result of “everyday lapses.”

Hybrid cloud security isn’t just getting harder – it’s reaching a breaking point. While security has always been a race without a finish line, Red Hat’s report reveals that many organisations are now trapped in a cycle of controlled chaos. To break free, teams must move beyond reactive firefighting and anchor their strategy in the foundational security practices and policies that turn security from a bottleneck into a baseline.

The most frequently reported incident types include:

• Misconfigured infrastructure or services (78%): The leading cause of exposure, often due to manual errors in complex environments.
• Known vulnerabilities: Workloads are being deployed with “known-bad” code, creating avoidable windows of risk.
• Unauthorised access: A persistent operational hurdle that frequently leads to sensitive data exposure.

These incidents carry a tangible business cost that extends far beyond the IT department. 74% of organisations have delayed or slowed application deployments in the last 12 months due to security concerns. Beyond delays, 92% of respondents experienced significant impacts ranging from increased time spent on remediation (52%) and reduced developer productivity (43%) to the loss of customer trust (32%). In short, security is no longer just a technical checkbox—it is a primary risk to business agility.

The maturity paradox: Confidence vs. strategy

One of the report’s most striking findings is the gap between perceived readiness and actual strategy. While 56% of organisations describe their day-to-day security posture as “highly proactive.” However, only 39% actually possess a mature, well-defined cloud-native security strategy.

This suggests that while teams aspire to be forward-looking, many are “improvising.” In fact, approximately 22% of organisations operate with no defined strategy at all. This lack of structure leads to inconsistent adoption of security guardrails, including:

•  Identity and Access Management (IAM): Roughly 75% adoption, as identity is widely recognised as a core control.
• Container image signing: Only about half of organisations have implemented this capability for software integrity.
• Runtime protection: Implementation remains patchy, leaving many teams to rely on default settings rather than intentional governance.

The data underscores that maturity pays off: organisations with a well-defined strategy are far more likely to adopt advanced guardrails and report 61% confidence in securing their software supply chain, compared to much lower confidence among less mature peers.

Shifting investment trends: Automation and the supply chain

Recognising these gaps, organisations are rebalancing their budgets for 2026. The focus is shifting from disparate point tools toward platform consolidation and building security directly into the software lifecycle.

Key investment priorities for the next 1–2 years include:

• DevSecOps automation: Over 60% of organisations plan to invest in automating security within CI/CD pipelines. The goal is to move from manual “gates” to “security as code” to reduce human error.
• Software supply chain security: 56% of organisations are prioritising this area. With supply chain attacks soaring, there is an urgent need to verify open source dependencies and container images through Software Bills of Materials (SBOMs) and provenance checks.
• Runtime protection: 54% of respondents intend to expand defences thatcan detect and block active threats, such as cryptojacking or rogue container behaviour, in real time.

Compliance is no longer a back-burner issue. 64% of organisations expect the EU Cyber Resilience Act (CRA) to be a primary driver of their 2026 investment decisions. This shifts security governance from a “nice-to-have” to a mandatory, board-level requirement.

The emerging risk frontier: AI and cloud security

In 2026, AI has become a double-edged sword for cloud-native teams. While 58% of organisations say AI adoption is now a core driver of their security planning, actual governance is lagging “dangerously behind” the pace of implementation.

The report reveals a near-universal anxiety regarding generative AI (gen AI) in cloud environments, with 96% of respondents expressing significant concerns. These fears aren’t just theoretical; they are centered on three specific risks:

•  Ubiquitous concern: 96% of respondents have worries about gen AI in their cloud environments.
• Top fears: These include exposure of sensitive data, shadow AI tools used without approval, and the integration of insecure third-party AI services.
• The governance gap: Despite these fears, 59% of organisations lack documented internal AI usage policies or governance frameworks.

Without clear rules, organisations risk AI-powered behaviors altering configurations or leaking proprietary code outside of normal processes, essentially amplifying existing identity and supply chain risks.

Data-based recommendations for 2026

The report concludes with a clear directive: the speed of cloud-native innovation has officially outpaced traditional security. To bridge the maturity paradox, organisations must move beyond ad-hoc firefighting and adopt a structured, platform-centric approach.

5 Critical Actions for 2026

1. Establish a formal strategy: Organisations must move beyond “ad-hoc firefighting” by creating a structured path from a reactive to a proactive posture.
2. Embed guardrails and automation: Security must be a secure-by-default part of the platform, executed by DevOps or platform engineering teams to scale without adding friction for developers.
3. Prioritise supply chain integrity: Implement mandatory image signing and dependency scanning. As one respondent noted, while everyone uses open source, “hardly anyone scans or signs their dependencies.” Being the exception is critical for resilience.
4. Close the feedback loop: Unify observability and security data so thatinsights from runtime threat detection are fed back into the development process to prioritise the most critical fixes.
5. Govern AI usage now: Organisations can’t wait for external regulations. They must convene cross-functional teams to develop guidelines on acceptable AI use and data handling immediately.

In 2026, security is no longer a bolted-on extra—it is a foundational component of cloud-native architecture. The organisations that succeed will be those thattreat security as a primary driver of business agility, rather than a cost center.

Read the full report to learn more.

Connect with Red Hat

• Learn more about Red Hat
• Get more news in the Red Hat newsroom
• Read the Red Hat blog
• Follow Red Hat on X
• Follow Red Hat on Instagram
• Watch Red Hat videos on YouTube 
• Follow Red Hat on LinkedIn

About Red Hat

Red Hat is the open hybrid cloud technology leader, delivering a trusted, consistent and comprehensive foundation for transformative IT innovation and AI applications. Its portfolio of cloud, developer, AI, Linux, automation and application platform technologies enables any application, anywhere—from the datacentre to the edge. As the world’s leading provider of enterprise open source software solutions, Red Hat invests in open ecosystems and communities to solve tomorrow’s IT challenges. Collaborating with partners and customers, Red Hat helps them build, connect, automate, secure and manage their IT environments, supported by consulting services and award-winning training and certification offerings.

Forward-Looking Statements

Except for the historical information and discussions contained herein, statements contained in this press release may constitute forward-looking statements within the meaning of the Private Securities Litigation Reform Act of 1995. Forward-looking statements are based on the company’s current assumptions regarding future business and financial performance.  These statements involve a number of risks, uncertainties and other factors that could cause actual results to differ materially. Any forward-looking statement in this press release speaks only as of the date on which it is made. Except as required by law, the company assumes no obligation to update or revise any forward-looking statements.

Red Hat, Red Hat Enterprise Linux, the Red Hat logo, and OpenShift are trademarks or registered trademarks of Red Hat, LLC. or its subsidiaries in the U.S. and other countries. Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries.