
Digital Assets Security Has a Maturity Problem. Here's the Data.

By Hacken

Hacken's 2025 SSDLC Maturity Survey — Key Findings

Secure software delivery is no longer optional — it's what separates products users can trust from the ones that end up in post-mortems. In 2025, Hacken ran an SSDLC (Secure Software Development Life Cycle) maturity survey across our customers and partners to take an honest look at how blockchain teams are actually building software today.

The survey covered over 20 questions spanning five domains: governance, security by design, engineering controls, verification & testing, and operational resilience. Here's what the data revealed.


The foundations are solid. The gaps are dangerous.

Most teams showed strong habits where it's easiest to build them: 93% actively monitor production, 87% follow Agile principles, and over 80% have peer code reviews and MFA in place. That's genuinely encouraging.

But dig deeper, and a different picture emerges.

Around 30% of teams lack formal technical security training. General awareness training — phishing simulations, social engineering drills — doesn't equip developers to prevent smart contract exploits or catch code-level vulnerabilities. And no amount of external auditing compensates for a team that can't identify risks in its own code.

Then there's the audit gap. 71% of teams have run a security audit, but nearly half skip audits on subsequent upgrades. Risk concentrates in product updates: new features, dependency changes, permission modifications. A single unreviewed deployment can silently undo everything that was validated before it.

And perhaps most striking: only 50% of teams have a documented incident response plan, despite 93% actively monitoring their production environments. Detecting a breach and knowing what to do about it are two very different capabilities.

"Security is always a trade-off: perfect protection vs. time-to-market, risk appetite vs. business value. Not every control fits every context. But the gaps we identified here — regression testing, incident readiness, continuous assurance — these are the ones that hurt when ignored. I've experienced it firsthand: teams without regression tests reintroducing critical bugs, unprepared teams losing precious time while handling security incidents. The data confirms what practitioners already know: maturity isn't about doing everything. It's about knowing which risks you can take, and which ones will break you."

Grzegorz Trawiński, Offensive Security Services Director, Hacken

Testing is another weak point. Manual and unit tests are common (90% and 77% respectively), but fuzz testing sits at just 39% and invariant testing at 32%. These advanced methods are specifically designed to catch adversarial behaviors and edge cases that standard tests miss — exactly the scenarios that get exploited in production. Meanwhile, 1 in 5 teams still doesn't run regression tests at all, meaning every hotfix carries the risk of quietly reopening a vulnerability that was already patched.
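To make the distinction concrete, here is an added example (not code from the survey or from Hacken) built around a constructed toy token ledger. It reproduces a well-known class of accounting bug: both balances are read before either is written, so a transfer where sender and recipient are the same account overwrites the debit with the credit and mints value. A conventional unit test with two distinct accounts passes, a fuzzer driving random transfers against the invariant "total supply is conserved" finds the bug within a few steps, and the counterexample it returns is then pinned as a regression test so a later hotfix cannot silently reopen it. The class and function names (`BuggyLedger`, `FixedLedger`, `fuzz_invariant`, `regression_test`) are assumptions chosen for this illustration.

```python
import random

# Constructed toy ledger (illustration only, not any project's real code).
# Bug: both balances are read before either is written, so when
# sender == recipient the credit overwrites the debit and tokens are minted.
class BuggyLedger:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.total_supply = sum(balances.values())

    def transfer(self, sender, recipient, amount):
        sender_bal = self.balances[sender]
        recipient_bal = self.balances[recipient]
        if amount <= 0 or sender_bal < amount:
            return False
        self.balances[sender] = sender_bal - amount
        # Clobbers the debit above when sender == recipient.
        self.balances[recipient] = recipient_bal + amount
        return True


class FixedLedger(BuggyLedger):
    def transfer(self, sender, recipient, amount):
        if amount <= 0 or self.balances[sender] < amount:
            return False
        # Read-modify-write each account in turn, so aliasing cannot lose the debit.
        self.balances[sender] -= amount
        self.balances[recipient] += amount
        return True


def supply_conserved(ledger):
    """The invariant: transfers move value, they never create or destroy it."""
    return sum(ledger.balances.values()) == ledger.total_supply


def unit_test_transfer(ledger_cls):
    """A typical hand-written unit test: two distinct accounts, one happy path."""
    ledger = ledger_cls({"alice": 100, "bob": 0})
    assert ledger.transfer("alice", "bob", 40)
    return ledger.balances == {"alice": 60, "bob": 40}


def fuzz_invariant(ledger_cls, steps=200, seed=1):
    """Drive the ledger with random transfers and check the invariant after each.
    Returns the list of calls up to the first violation, or None if it held."""
    rng = random.Random(seed)  # fixed seed so any failure is reproducible
    accounts = ["alice", "bob", "carol"]
    ledger = ledger_cls({a: 1000 for a in accounts})
    history = []
    for _ in range(steps):
        call = (rng.choice(accounts), rng.choice(accounts), rng.randint(1, 50))
        ledger.transfer(*call)
        history.append(call)
        if not supply_conserved(ledger):
            return history  # counterexample: a replayable sequence of calls
    return None


def regression_test(ledger_cls, counterexample):
    """Replay a sequence the fuzzer once found; pinning it keeps the bug from returning."""
    accounts = ["alice", "bob", "carol"]
    ledger = ledger_cls({a: 1000 for a in accounts})
    for call in counterexample:
        ledger.transfer(*call)
    return supply_conserved(ledger)


if __name__ == "__main__":
    print("unit test, buggy ledger:", unit_test_transfer(BuggyLedger))  # True: bug unseen
    bad = fuzz_invariant(BuggyLedger)
    print("fuzz found a counterexample of", len(bad), "calls; breaking call:", bad[-1])
    print("fuzz, fixed ledger:", fuzz_invariant(FixedLedger))  # None: invariant held
    print("regression test on fixed ledger:", regression_test(FixedLedger, bad))
```

The point the example makes is the one the survey numbers hint at: the unit test is not wrong, it simply never exercises the aliased input, while the invariant states a property that must hold for every reachable state, so random exploration finds the violation without anyone having anticipated it. Keeping the returned counterexample as a fixed regression case is what turns a one-off finding into continuous assurance.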

And with 80% of respondents now using AI tools in their development process, a new risk surface is growing faster than the guidance to manage it: prompt leakage, code provenance questions, and security reviews being quietly bypassed.

Who made this possible

This report reflects ground-up insights from builders across the digital assets ecosystem who chose to share their practices openly. The following organizations opted in to be publicly recognized as contributors:

Protofire DAO, MaiCoin, Takadao, Junction, Cipherlabs, MST Blockchain, Strobe, FG Wallet, AeternaFi, Overtake, CycloneChain, SKY OPTION, daCAT, Sway, Astra Nova, Lumis.fi, OnChainWin, Flicker, Nonco, UFarm.Digital, Asseto, Smart Energy Provider Limited, Privily, AIBTC, WristKey Global Solutions.

Their openness is what makes industry-wide benchmarking possible.


Where to focus next

Teams that want to raise their maturity quickly should prioritize: incident response planning and tabletop exercises; formalizing security requirements and threat modeling before writing code; mandatory technical security training for developers; enforcing least privilege access with periodic reviews; automated regression testing for every update; adopting fuzz and invariant testing for critical code paths; and moving from one-off audits to release-driven assurance on every significant change.

"The key takeaway confirms Hacken's direction for 2026: moving from limited point-in-time security to continuous assurance, supported by structured training, sufficient testing, and cybersecurity embedded across the entire software lifecycle."

Yev Broshevan, CEO & Co-Founder, Hacken


Read the full report or add your voice to the 2026 data.

The complete findings, including domain-by-domain breakdowns and maturity benchmarks, are available to download here: Download the Full Report

We're now collecting data for the 2026 edition. The survey takes minutes, your insights inform public research used across the industry, and you can opt in to have your company featured in the final report. Take the Survey →
