2026 Edition

The AWASP Top Ten

Web application vulnerabilities ranked by real-world exploitation frequency — not theoretical risk. Drawn from breach reports, CVE data, and incident response findings.

  • 22,052 incidents analysed (DBIR)
  • 12,195 confirmed breaches
  • 245 CISA KEV additions
  • 8 primary data sources

A different kind of top ten

OWASP does important work. But its list is built on surveys and expert opinion. Ours is built on evidence.

OWASP

  • Survey-based ranking
  • Includes theoretical & rare vectors
  • Updated every few years
  • Broad, design-level categories
  • Limited incident correlation

AWASP

  • Ranked by confirmed exploitation frequency
  • Only confirmed in-the-wild exploits
  • Updated annually from live data sources
  • Specific, actionable vulnerability classes
  • Linked to real breach & CVE evidence

AWASP Top Ten — 2026

Ranked by confirmed exploitation frequency across breach reports, IR engagements, and public CVE data.

# Vulnerability OWASP Equivalent

Notable absences from AWASP

These OWASP categories don't appear in the AWASP Top Ten because the evidence doesn't support their inclusion as distinct, exploitable findings.


Methodology & Sources

Transparent about where the data comes from, how we used it, and where it runs out.

The OWASP Top 10 is built from testing data — what security scanners and pentesters find when they examine applications. That’s useful, but it tells you what’s discoverable, not what’s actually being exploited. We wanted to know what attackers are actually doing, so we went looking for exploitation data instead.

Sources we used
CISA Known Exploited Vulnerabilities Catalog
245 vulnerabilities added in 2025, filtered to web application vulnerabilities only
The US government’s definitive list of vulnerabilities confirmed to be actively exploited in the wild. We categorised additions by CWE type to identify which vulnerability classes appear most often.
Verizon Data Breach Investigations Report (DBIR) 2025
22,052 incidents, 12,195 confirmed breaches, 139 countries
The largest annual breach study. Tells us how attackers get in and what types of attacks hit web applications specifically — not what testers find, but what’s actually happening.
Mandiant M-Trends 2025
Incident response data from one of the largest breach investigation firms
Initial access vectors from real engagements, not simulated tests. Mandiant sees the aftermath of actual breaches, which gives different signal to penetration testing data.
Recorded Future 2025 Exploitation Reports
161 exploited CVEs tracked in H1 2025 with attribution data
Shows who is exploiting what — state-sponsored groups, ransomware operators, financially motivated attackers — and in what volumes. Attribution data helps distinguish mass exploitation from targeted campaigns.
SEC 8-K Cybersecurity Filings
Material cybersecurity incident disclosures mandatory for US public companies since December 2023
A ground-truth view of what’s actually hurting organisations badly enough to tell investors about. Biased toward large enterprises, but one of the few sources with real-world impact data.
Individual Breach Disclosures & Advisories
Specific high-profile incidents reviewed individually (Conduent, Prosper Marketplace, French retail chain compromises, and others)
Aggregated datasets miss the detail. Reading individual breach disclosures tells us the specific vulnerability class, affected component, and attacker method in ways that statistics don’t.
Scope
What we deliberately excluded

We filtered out anything that isn’t a web application vulnerability. CISA KEV is full of Use After Free bugs, buffer overflows, and kernel privilege escalations — those are real and serious, but they’re not web app security.

We kept the focus on vulnerabilities in things you access over HTTPS: login pages, APIs, web management interfaces, and web application frameworks.
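As an added illustration of the filtering and counting described under "Sources we used" and "Scope" (example code, not the site's own tooling or data): a Python function that takes records in the shape of the CISA KEV JSON feed, keeps only additions from a given year, drops memory-safety and kernel privilege-escalation CWEs, and ranks the remaining web-application classes by how often they were added. The sample records and CVE ids are constructed, the CWE-to-class mapping is an assumed one, and the feed's `dateAdded` and `cwes` fields are assumed to be present.

```python
import json
from collections import Counter

# Constructed sample in the shape of the CISA KEV JSON feed (assumption: each
# "vulnerabilities" entry carries "dateAdded" and a "cwes" list). CVE ids are placeholders.
SAMPLE_KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-EXAMPLE-1", "dateAdded": "2025-01-14", "cwes": ["CWE-89"]},
    {"cveID": "CVE-EXAMPLE-2", "dateAdded": "2025-02-03", "cwes": ["CWE-416"]},
    {"cveID": "CVE-EXAMPLE-3", "dateAdded": "2025-03-21", "cwes": ["CWE-287"]},
    {"cveID": "CVE-EXAMPLE-4", "dateAdded": "2025-04-02", "cwes": ["CWE-89"]},
    {"cveID": "CVE-EXAMPLE-5", "dateAdded": "2024-11-30", "cwes": ["CWE-89"]},
    {"cveID": "CVE-EXAMPLE-6", "dateAdded": "2025-05-09", "cwes": ["CWE-787"]},
    {"cveID": "CVE-EXAMPLE-7", "dateAdded": "2025-06-17", "cwes": ["CWE-22", "CWE-287"]},
    {"cveID": "CVE-EXAMPLE-8", "dateAdded": "2025-07-01", "cwes": []},
]})

# Web-application vulnerability classes that stay in scope (assumed mapping, CWE id -> label).
WEB_APP_CWES = {
    "CWE-89": "SQL Injection",
    "CWE-78": "OS Command Injection",
    "CWE-22": "Path Traversal",
    "CWE-287": "Improper Authentication",
    "CWE-502": "Insecure Deserialization",
    "CWE-918": "Server-Side Request Forgery",
}
# Memory-safety and privilege-management classes the methodology excludes as not web-app security.
EXCLUDED_CWES = {"CWE-416", "CWE-787", "CWE-119", "CWE-120", "CWE-269"}


def rank_web_app_cwes(kev_json, year):
    """Return (ranked, unclassified): ranked is [(cwe_id, label, count)] ordered by
    how often each web-app class was added in `year`; unclassified lists CVE ids that
    carried no in-scope CWE and need manual review rather than silent dropping."""
    counts = Counter()
    unclassified = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        if not entry["dateAdded"].startswith(f"{year}-"):
            continue  # only additions from the data period
        cwes = entry.get("cwes") or []
        if any(c in EXCLUDED_CWES for c in cwes):
            continue  # memory corruption / kernel privesc: real, but out of scope
        kept = [c for c in cwes if c in WEB_APP_CWES]
        if not kept:
            unclassified.append(entry["cveID"])
            continue
        for c in kept:  # a CVE tagged with two in-scope classes counts toward both
            counts[c] += 1
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(c, WEB_APP_CWES[c], n) for c, n in ranked], unclassified
```

Records with no recognised CWE are returned separately so that gaps in the feed's tagging show up in the review queue instead of vanishing from the ranking.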

vs OWASP
What makes this different from OWASP

OWASP’s data contributors are security testing vendors (Veracode, Contrast Security, HackerOne). Zero breach investigation firms — Mandiant, CrowdStrike, Palo Alto Unit 42 — contribute data to the OWASP Top 10.

OWASP uses incidence rate (percentage of apps with the vulnerability) rather than exploitation frequency. Two of their ten categories are chosen by community survey to compensate for things testing tools can’t find. Their own documentation says results are “largely limited to what the industry can test for in an automated fashion.”

None of that makes OWASP wrong or useless. It just means it answers a different question to ours.

Honest limitations

About this project

This site started as a thought experiment: what would the OWASP Top 10 look like if it was derived from breach data and confirmed exploitation, rather than from what security scanners and pentesters find? The answer, it turns out, looks quite different.

It was vibe coded in a handful of hours by Chris Wallis, founder of Intruder — a continuous exposure management platform. The research behind it is real; the site is a quick way to present it. Make of that what you will.

Not affiliated with OWASP. Data drawn from public breach disclosures, CVE records, and incident response reports.