Modernizing applications for the AI era
Five pillars for frictionless security
Application modernization is the act of bringing essential applications up to speed with contemporary security and build standards. Whether re-hosting an on-premises application in a public cloud as part of your digital transformation initiative, updating an application code base for migration to a supported operating system, or completely overhauling your application to take advantage of containerization’s scaling and resilience capabilities, application modernization brings innovation to legacy software.
The benefits of application modernization are many: improved performance and resilience, better user experience, and the big one — a secure application running in a secure environment. To achieve these benefits, collaboration among IT, security, and application development teams is critical. Cross-functional teams are best equipped to complete application modernization projects with optimal outcomes, and baking security into the solution from project initiation saves everyone costly, time-consuming review and remediation efforts when delivery deadlines are looming.
Simple, right?
The challenges of aligning teams
Actually, several issues can make application modernization efforts challenging, including competing priorities among IT, security, and developer teams. These priorities compete within the greater context of organizational and business requirements, which tend to favor innovation that brings new opportunities to the organization over the work of updating existing applications.
According to the survey conducted for the 2026 Cloudflare App Innovation Report, 79% of IT leaders claim their security and application teams are already aligned. I’ll counter that alignment is measured on a spectrum, and my experience tells me that the number of teams that are 100% perfectly in lockstep, with a “we-love-security-so-much-we-never-do-anything-without-them” attitude is actually a small fraction of that number. For most of us, the struggle to keep everyone aligned is real, especially when time is of the essence.
One thing is certain: When an organization decides to take on modernization, all parties want to do the work as fast as possible to preserve precious resources.
AI could help. AI-assisted development is quickly becoming the new normal in many enterprises, allowing coders to crank out code faster than ever. And while IT and security both have their own AI tools that help keep pace, increased velocity in output from application developers can significantly complicate coordination as existing processes strain with more aggressive shipping goals.
While some AI tools speed development, others complicate the modernization picture. The rapid integration of AI into every nook and cranny of the business environment expands the attack surface even further to include not only human and non-human identities (NHI) but also agents. In short, even the most straightforward application modernization project can bring complexity that makes it hard for a security organization to keep pace.
CISOs know that security is essential to any application modernization effort. Organizations that adopt security by design — from code to underlying infrastructure and security controls — have a distinct competitive advantage.
The term “competitive advantage” gets thrown around a bit. I’ll clarify: If your application is not architected for high availability and is prone to outages, you will lose — revenue, opportunities — when your system is down. However, if your application does not ensure the confidentiality or integrity of your customer’s data due to a failure of security controls, you will lose something even more important: customer trust. As it’s often said, trust is the hardest thing to earn and the easiest to lose. The days of tolerating insecure applications that fail to protect their users are over. If you want to lead your industry and demand premium pricing for your offering, secure, highly available technology is table stakes.
Old apps, fresh problems
Context is everything. Legacy applications running inside the four walls of a traditional data center (yes, they still exist!) will almost always need to be overhauled for hosting in a public cloud. End-of-life operating systems, vulnerability-laden libraries, and configurations that have seen a decade or more of tinkering cannot simply be isolated or firewalled off in the cloud. Additionally, modern applications interact with other systems and services via APIs, each of which represents a potential point of entry to a vulnerable system.
Then there is the issue of cost containment — no small matter when hosting in the cloud. A legacy architecture that can be built in a traditional data center with one-time capital expenditures and relatively minimal ongoing support costs can hit very differently when cloud calculus is applied. In fact, according to Cloudflare’s research, 52% of organizations attribute an expected budget increase to cloud changes.
The good news? The cloud makes it easy to take advantage of lower costs and modern solutions, such as containers, microservices, and object storage. And when cloud environments are configured optimally, they are relatively affordable.
The bad news? All of those awesome modern options, along with those APIs, also massively expand your attack surface.
Security and innovation are inseparable
When you’re moving a legacy application to the cloud, it’s easy to see how a collaboration among IT, security, and developer teams is critical. Each group brings their expertise and knowledge of existing standards — and that’s extremely important when setting the “rules of the road” for the new, modernized application. IT owns the house, application developers design its features, and security is there to make sure everything is built on a solid foundation.
As anyone who has undertaken a home renovation can attest, it’s best to have a clear plan that’s well understood by all parties from the start of your project, and know who is responsible for each piece of that plan. Legacy applications, much like houses, are full of surprises, especially when you start pulling them apart. Problems, hiccups, and gotchas are all but inevitable.
Decisions made about how to work through application modernization challenges directly inform outcomes, and leadership teams must prioritize a security-by-design approach. Security teams should not be expected to scramble to perform rushed security reviews after development teams have already made architectural decisions. Likewise, application development teams must work within existing standards to ensure system supportability and resilience, so IT also must be embedded in the decision-making process from inception. It’s a team sport, remember?
Benefits of aligning security and modernization
In Cloudflare’s research, 14% of survey respondents say their application modernization efforts are behind schedule. That’s troublesome when 90% of organizations report experiencing a security incident in the last year. Many of these organizations admit they are still bogged down by reactive security, spending the bulk of time and resources responding to alerts, and fighting common threats like bot attacks and fraud.
By contrast, 13% of respondents say that they’re ahead of schedule when it comes to their application modernization efforts. This group also reports greater innovation velocity, a more flexible, streamlined decision-making culture, and more meaningful AI adoption. The difference? A security-by-design approach and tight alignment among stakeholder teams. This alignment can be particularly important for larger organizations (with more than 2,500 employees) and at technology organizations, which are more likely to experience fractured decision-making without focused coordination efforts.
Misalignment carries serious consequences. Organizations that struggle to align security, IT, and application priorities face distinct disadvantages that put them behind competitors, particularly in adopting AI. Without a unified approach and agreement among management on prioritization, these misaligned organizations feel far less prepared for AI development, with just over 10% reporting their existing infrastructure and talent as “entirely sufficient.”
Yet, adopting a security-by-design approach and delivering on app modernization projects reaps near-immediate and long-term benefits. According to the 2026 Cloudflare App Innovation Report, 95% of leading organizations (those that are ahead of schedule with modernization) feel they are better positioned to use AI when they have high internal alignment — and they tend to have higher rates of AI adoption.
Accelerate modernization with security by design
Technology leaders who embrace the following five strategic pillars position their organizations to maximize returns on their application modernization projects.
1. Instill a security-first mindset.
Reduce friction by ensuring everyone knows that security is not optional. Within the developer team, adopt a DevSecOps approach, integrating security by design into development pipelines, rather than positioning security as a separate approval gate.
The rewards of this security-first mindset are substantial. Organizations that align their app modernization and security efforts view themselves as being ahead of their industry with regard to AI development. In fact, organizations that find this alignment “very easy”
are nearly four times more likely to be much more developed in their AI use than those who find it “difficult,” according to Cloudflare research.
2. Understand technology and business priorities.
Work with peer C-suite members to establish priorities, and better manage resources and expectations. Proactive alignment might include annual planning exercises, the formation of cross-functional teams, sharing project management resources, and shared metrics.
3. Take a best practices approach.
Many large enterprises have standard build practices, code standards, and review processes. Security personnel should be up to speed on those standards and practices, and work within the larger team's frameworks.
4. Ensure security tooling is appropriate for the modernized application.
Tooling should be appropriate to the new application's platform. Ideally tools don’t stop at providing parity with legacy controls, but improve security posture.
5. Test controls before going live.
Leverage live and / or synthetic pen testing and red teaming tools to test controls before apps go live. AI-powered coding tools will help prevent vulnerabilities in the code base and configuration management tools will ensure standard configs are in place. But there's nothing like a live-fire exercise to confirm your controls perform as expected before deploying to production.
Ensuring security isn’t an afterthought
Organizations that instill security as a core design principle not only reduce risk but also accelerate their ability to innovate, deploy AI capabilities, and maintain stakeholder trust in an increasingly complex threat landscape. The stakes are too high for security to be an afterthought in the modernization journey.
Cloudflare can help your organization align application modernization with security by implementing security by design. With Cloudflare, app development, delivery, and security are integrated into one platform, so you can establish a DevSecOps model that accelerates innovation while controlling risks.
This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.
Dive deeper into this topic.
Learn more about the value of modernizing applications and discover what leading organizations are doing to remain successful in the 2026 Cloudflare App Innovation Report.
Author
Liz Morton — @liz-morton-543b014
Field CISO, Cloudflare
Key takeaways
After reading this article you will be able to understand:
Silos are the biggest risk to modernization speed
Why security and innovation are inseparable
5 strategic pillars for implementing security by design