Arnica Wins the 2026 Cybersecurity Stars Award for Best AI Governance and Security Platform

The Hacker News just named Arnica the winner in the inaugural 2026 Cybersecurity Stars Awards AI Governance and Security category.

“Arnica has built a platform that addresses a real gap in application security: helping teams govern code written by AI agents like Copilot and Cursor before that code enters production. Rather than scanning after the fact, their approach brings security checks directly into the moment code is generated, which is a different way of thinking about the problem.”

The old model doesn’t fit the new world

Most AppSec tools were built for a world where humans wrote every line of code: scan the repo, find the vulnerabilities, file the tickets, try to meet your SLAs. That model only works when code production is slow enough for security to keep up, and even then, risks were piling up and leaving organizations vulnerable over time.

This model doesn’t work when AI agents are generating meaningful chunks of your codebase every day.

Google reports that 75% of their new code is now written by AI. S&P Global found that 42% of developers have abandoned security reviews entirely because of AI code volume. The tools haven’t caught up, so security teams are either drowning or hoping that they won’t have the next big Shai Hulud on their hands.

Security at every phase of the agentic lifecycle

If AI is generating code at every stage of development, security needs to be present at every stage too.

• ‍Before code is written: Agentic rules govern what your AI coding agents (Copilot, Cursor, Claude Code) are permitted to do. Risky patterns get blocked before a single line is generated. ‍
• As code is written: AI SAST runs on push and on PR, catching vulnerabilities at the moment of creation and applying developer-native workflows to ensure productive remediation without impeding feature releases. ‍
• After code is written: Routine scanning surfaces risk across your existing codebase, including everything your agents have already shipped. ‍
• Across the stack: A complete inventory of every MCP, skill, and agentic rule in your environment gives your security team the visibility they need, and the audit evidence regulators are starting to require.

We call this the Agentic Development Lifecycle (ADLC). Forrester formalized the category in their Q2 2026 Agentic Development Security Tools Landscape, the first tier-one analyst validation that this problem is real and distinct from traditional AppSec.

OWASP agrees. Their 2026 Top 10 for Agentic Applications catalogs agent goal hijacking, tool misuse, identity abuse, and memory poisoning as critical risks, and existing scanners weren't built to catch them.

AppSec isn’t going away, it’s evolving

We want to be clear: AppSec is very much alive, and the security problems it solves haven’t disappeared.

What has changed is the source of the code. The same vulnerabilities that AppSec has always cared about including injection flaws, insecure dependencies, access control gaps are now showing up in AI-generated code, often at higher volume and faster velocity than any team can manually review.

Arnica brings both together. You get the security coverage you need with developer-native workflows and developer feedback loops, plus governance over the agents writing your code at scale.

What's Next?

If you’re thinking about how to govern AI-generated code in your environment, whether the conversation starts with AppSec, agentic AI, or somewhere in between, then let’s talk.  

Sources:

• Google CEO says 75% of the company's code is AI-generated — Fast Company

• Survey Surfaces Emerging DevOps Bottlenecks in the AI Coding Era — DevOps.com

• AI project failure rates are on the rise: report — CIO Dive

‍