CrowdStrike's global outage. SolarWinds' supply chain breach. The Colonial Pipeline ransomware attack. These aren't isolated incidents—they're symptoms of a systemic crisis in how we build, deploy, and secure software. While headlines scream about AI transforming everything, the uncomfortable truth is that most engineering teams are drowning in technical debt, manual processes, and security vulnerabilities that should have been solved a decade ago.
But here's what's fascinating: the organizations getting this right aren't just avoiding disasters—they're unlocking millions in hidden value. They're shipping features 60% faster, cutting cloud costs by 15%, and reducing security incidents to near zero. The difference isn't talent or budget. It's knowing exactly where the gaps are and how to close them systematically.
This report exposes the reality of engineering maturity in 2025, based on candid responses from over 650 engineering leaders who completed the Engineering Excellence Maturity Assessment, developed by EngineeringX®, a community of hundreds of CTOs and Engineering VPs. What we found will surprise you: even organizations that think they're "DevOps mature" are missing fundamental practices that separate industry leaders from everyone else.
The five dimensions we measured: Developer Experience, DevOps Modernization, Optimization, Quality & Resilience, and Secure Software Development, reveal where the biggest opportunities lie. By examining this comprehensive data, this report aims to illuminate the adoption of engineering excellence best practices, identify common challenges, and highlight actionable areas for improvement as organizations continue their vital journey toward engineering excellence.
Developer experience is a cornerstone of success for today’s digital-first organizations and is essential to keeping developers happy and productive. Establishing a mature engineering practice hinges significantly on cultivating an exceptional developer experience by arming developers with the tools, capabilities, and resources they need to work quickly and efficiently. This involves optimizing every touchpoint in an engineer's workflow, from rapidly provisioning environments and providing readily discoverable documentation to streamlining planning processes and ensuring efficient code quality practices.
Effective planning and clear requirements are foundational to a positive developer experience. Engineers face frustration, rework, and a reduced sense of accomplishment when requirements are ambiguous or constantly shifting. A well-defined planning process, including precise acceptance criteria, minimizes friction, boosts confidence, and allows development teams to focus on building value rather than deciphering ill-defined goals.
However, many organizations struggle with this:
To mature your planning and requirements process, prioritize defining clear and consistent acceptance criteria for all features. Implement tools and practices that foster communication between product and engineering, reducing ambiguity and ensuring predictable scope.
Engineering teams need instant access to accurate information about the software and services they’re working on. That enables them to make more informed decisions and follow a consistent development methodology. However, they are also under pressure to deliver quickly, so engineering leaders must ensure these processes don’t create extra effort for developers. A comprehensive software catalog, effectively documenting metadata, ownership, and service status, is crucial for reducing friction and enabling engineers to focus on innovation.
This is a significant challenge across the industry:
To mature discoverability and documentation, implement an automated software catalog, ideally via an IDP. This centralizes metadata, ownership, and status, ensuring real-time accuracy without manual developer effort.
Organizations striving for optimal software delivery recognize the critical role of efficient developer environments. Delays in provisioning or inconsistencies across these setups directly impede productivity, slow iteration cycles, and introduce unnecessary friction into the development workflow. Streamlining how teams access and utilize pre-built, standardized environments is paramount for accelerating feature delivery and maintaining developer velocity.
Despite its value, challenges in environment provisioning persist across the industry:
To mature your development process, focus on providing developers with intuitive, self-service tools for rapid environment provisioning and consistent configurations. This frees them from manual setup overhead and lets them focus on value-added tasks. An effective approach is incorporating automated environment provisioning into Internal Developer Portals (IDPs).
Robust development processes and stringent coding hygiene are fundamental to a productive and satisfying developer experience. When code reviews become bottlenecks and commit sizes grow unwieldy, the entire development cycle slows, impacting efficiency and the ability to maintain high-quality software. Addressing these foundational elements is crucial for accelerating innovation and ensuring reliable releases.
Industry data reveals common challenges in this area:
.avif)
To mature development processes and hygiene, prioritize efficient code review workflows and encourage smaller, more frequent code commits. Implement automated checks and clear branching strategies to maintain code quality and accelerate integration without burdening developers.
To deliver a truly great developer experience, engineering leaders need to ensure there are opportunities for personal development and learning new skills. Investing in continuous learning keeps teams at the forefront of technology, prevents skill stagnation, and significantly boosts morale and retention.
However, many organizations face a gap in this area:
To mature learning and development initiatives, leaders should focus on establishing clear curricula and prescriptive learning paths. These programs, including internal training and external certifications, are crucial for effective upskilling and reskilling, ensuring engineers consistently grow their capabilities.
Streamlining the developer experience through better documentation, planning, and environment provisioning accelerates new developer onboarding. Equipping engineers with efficient tools and workflows cuts the time new hires take to reach full productivity. For every 1000 developers, organizations have an opportunity to realize the following savings:
Formula:
.avif)
DevOps modernization is not merely about adopting new tools; it's a strategic imperative to transform how software is built, delivered, and secured, laying the groundwork for a truly mature engineering practice. It encompasses streamlining critical processes—from build pipelines and deployment automation to advanced strategies and robust security—to drive efficiency, reduce risk, and accelerate the pace of innovation. Organizations can significantly improve their operational stability and developer productivity by addressing these foundational areas, thus establishing a mature engineering practice.
Standardized build processes are essential to maintain software quality and security while enabling developers to accelerate delivery through modern DevOps practices. These pipelines should include automated quality gates to prevent bad code from reaching production and reduce context switching for developers, ultimately contributing to a more efficient and reliable software delivery lifecycle.
Despite this importance, many organizations face significant hurdles:
To mature your build process, focus on establishing standardized, templated build pipelines that incorporate automated quality gates. These gates should intelligently run relevant tests and enforce policies to prevent non-compliant or faulty code from progressing, thereby improving quality and developer efficiency.
The deployment process is the critical nexus where development meets operations, fundamentally defining an organization's velocity and reliability in the journey towards DevOps modernization. An optimized deployment pipeline is essential for delivering software rapidly and consistently, ensuring that new features and fixes reach production safely and efficiently. This section explores various facets of modern deployment, from automation and strategies to rollbacks and security.
Standardized and automated deployment processes are cornerstones of effective DevOps modernization, directly optimizing the delivery cycle. When manual steps are minimized, organizations can accelerate releases, reduce human error, and free up valuable engineering time for innovation. Automating deployment steps allows for consistent, repeatable, and rapid software delivery, which is crucial for modern development velocity.
Despite this clear advantage, significant manual intervention persists:
.avif)
To mature deployment automation, focus on standardizing and templating all deployment pipelines. Prioritize automating every possible step—from code and infrastructure to database changes—to eliminate manual intervention and achieve consistent, rapid, and reliable releases.
Modern deployment strategies such as rolling, canary, and blue/green updates, GitOps, and feature flagging are foundational to engineering maturity. Implementing these practices enables organizations to control release risk, perform phased rollouts, and ensure stability in production, all of which are crucial for effective DevOps modernization. Yet many organizations have not yet incorporated these practices into their DevOps workflows.
The adoption of these strategies remains a challenge:
To mature deployment strategies, systematically adopt these modern, progressive delivery techniques. Establish clear processes for their implementation and management to reduce deployment risk, accelerate feedback loops, and decouple feature releases from code deployments.
Many organizations manage rollbacks manually or rely on subjective evidence following deployment failures. These methods introduce delays and variability into the recovery process, directly impacting Mean Time To Recovery (MTTR) and hindering overall DevOps modernization efforts. Implementing automated rollback capabilities offers a more consistent and efficient approach to mitigating the impact of failed deployments, enabling swifter resolution and improved operational stability.
The challenges are clear:
To mature your rollback process, prioritize implementing fully automated rollback capabilities for all critical deployments. Supplement automation with data-driven decision-making frameworks, leveraging objective metrics to trigger and validate rollbacks, thus ensuring rapid and reliable recovery.
Engineering leaders must also ensure their deployment processes adhere to security best practices and safeguard sensitive customer and enterprise data from exposure. Modern DevOps includes rigorously controlling access to secrets and personally identifiable information (PII) throughout the software delivery pipeline, preventing vulnerabilities that could lead to breaches or compliance failures.
However, many teams fall short in this critical area:
To mature deployment security, prioritize adopting a centralized secrets management solution, such as a Hardware Security Module (HSM) or dedicated secrets manager, across all deployment stages. Enforce policies to prevent sensitive data from being stored in plain text and integrate security checks into pipelines to maintain compliance and protect data integrity.
Modernizing DevOps streamlines build and deployment processes, significantly reducing manual steps and freeing up valuable engineering time. With 23% of developer time currently spent on manual build and deployment activities, addressing this manual intervention unlocks substantial efficiencies. For every 1000 developers, organizations have an opportunity to realize the following savings:
Formula:
.avif)
Establishing a truly mature engineering practice requires relentless optimization of resource utilization, encompassing systems, costs, and the invaluable effort of your developers. This strategic focus ensures that every investment in cloud infrastructure or engineering hours yields maximum efficiency and value. Organizations can eliminate waste, enhance performance, and drive sustainable growth by continually refining how resources are consumed.
Managing cloud costs is critical to effective optimization for mature engineering practices. As cloud adoption scales, gaining granular visibility into spending and automating cost reduction efforts becomes essential to maximizing resource utilization, controlling budgets, and ensuring financial efficiency across the organization.
However, many organizations struggle with this fundamental aspect of optimization:
To mature cloud cost optimization, implement automated tools that provide granular, real-time cost visibility down to projects, teams, and workloads. Prioritize automating cost reduction efforts through intelligent resource management and continuous optimization recommendations.
To mature cloud cost optimization, implement automated tools that provide granular, real-time cost visibility down to projects, teams, and workloads. Prioritize automating cost reduction efforts through intelligent resource management and continuous optimization recommendations.
To mature your metrics and insights, establish clear, actionable key performance indicators (KPIs) for your software delivery lifecycle. Implement automated tools for continuous data collection and analysis, and integrate this intelligence to drive decisions, define SLOs, and gate deployments for consistent performance optimization.
Optimizing cloud costs, with granular visibility and automated reduction efforts, unlocks significant financial benefits. This calculation illustrates the substantial savings organizations can achieve by adopting cloud optimization best practices, aligning with the 10-15% reduction in cloud spend seen by leading FinOps organizations. Organizations that use the cloud have an opportunity to realize the following savings:
Formula:
.avif)
At the heart of a mature engineering practice lies the unwavering commitment to software quality and operational resilience. This means rigorously testing applications, proactively building systems that withstand extreme conditions, and establishing robust processes to manage and learn from every incident. By prioritizing these foundational elements, organizations can ensure their software is not only reliable but also capable of enduring real-world challenges, ultimately building trust and driving business continuity.
Robust quality testing is paramount for establishing true software quality and resilience. Ensuring that code is thoroughly validated across environments, from unit tests to functional automation, is critical for catching defects early and preventing issues from reaching production. Without comprehensive testing, organizations risk compromising reliability and eroding user trust, directly impacting their ability to deliver high-quality, resilient systems.
Despite its importance, there are notable gaps in quality testing practices:
To mature quality testing, prioritize achieving high test and production environment parity. Invest in automating functional and unit tests, define clear test plans for all features, and integrate continuous verification into your deployment pipelines to ensure automated quality gates and faster feedback loops.
Modern engineering practices integrate chaos testing into their DevOps lifecycle for a truly resilient and high-quality system. This advanced practice allows teams to stress test their software in extreme conditions, such as seasonal spikes or emergency scenarios, ensuring it can handle unusual demand and maintain stability when unforeseen events occur. This proactive approach is fundamental to building robust, fault-tolerant systems.
However, the adoption of chaos testing remains limited:
Integrate dedicated chaos testing practices and tools into your SDLC to mature resilience testing. Proactively simulate failures and extreme conditions in controlled environments to identify weaknesses, validate system behavior under stress, and ensure your applications can gracefully recover from unexpected events.
However mature their practices, experience has proven that engineering teams must always be prepared for the unexpected. If something can go wrong, then it will. As such, it’s essential to equip them with the tools and processes to resolve incidents quickly and learn from them. This preparedness is fundamental to maintaining system quality and resilience, minimizing downtime, and fostering continuous improvement.
Despite this necessity, gaps persist in incident management:
To mature incident management, establish a formal process with clear roles and responsibilities, supported by integrated tools for rapid detection, communication, and resolution. Crucially, cultivate a culture of blameless post-mortems to learn from every incident and systematically enhance system resilience.
Prioritizing software quality and operational resilience is key to minimizing disruptions and maintaining business continuity. Proactive testing, resilient systems, and strong incident management significantly reduce outage impact. For every 1000 developers, organizations have an opportunity to realize the following savings:
Formula:
Establishing a truly mature engineering practice requires security to be an intrinsic part of every development phase, not an afterthought. Secure software development involves integrating robust security and governance policies early, maintaining comprehensive visibility into software components through tools like SBOMs, and ensuring developers are trained in best practices. This holistic approach builds resilience against threats, minimizes vulnerabilities, and safeguards critical assets throughout the software lifecycle.
Mature engineering practices recognize that shift-left is not about pushing additional work onto developers, but empowering them to build secure software by default. To succeed in secure software development, engineering leaders must reduce the toil of secure software delivery by integrating security and governance seamlessly into every lifecycle stage. This proactive approach ensures compliance and minimizes vulnerabilities from inception to deployment.
However, organizations often face significant gaps in this critical area:
To mature integrated security and governance, establish clear security best practices. Automate security scanning and policy enforcement within the CI/CD pipeline, and ensure that high-severity issues are identified, prioritized, and remediated swiftly before release.
Understanding the precise composition of your software is no longer optional for robust, secure software development and a mature engineering practice. A Software Bill of Materials (SBOM) provides critical transparency into every application component, dependency, and vulnerability. This granular visibility is essential for proactive risk management and building more secure systems.
However, the adoption of SBOM generation is still limited:
To mature your SBOM practice, establish processes for automated SBOM generation for all software artifacts across the development lifecycle. Integrate SBOMs with vulnerability management tools to enhance risk identification and ensure compliance with evolving industry standards and regulatory mandates.
For a truly mature engineering practice, security training for developers is indispensable. Even with advanced tools and automated checks, human awareness of security best practices remains a critical line of defense. Equipping engineers with up-to-date knowledge on secure coding, common vulnerabilities, and threat landscapes empowers them to build secure software from the ground up, reducing risks and improving overall software quality.
However, the consistency of such training varies:
To mature security training, establish a continuous and formalized curriculum for developers covering current security best practices, secure coding principles, and common vulnerabilities. Regular training, workshops, and access to security resources can significantly elevate the security posture of your development teams.
Integrating security early and automating scans reduces developer toil. While security toil is just the tip of the iceberg for integrated security, its reduction offers significant productivity gains. This calculation focuses solely on these productivity gains, not the vast savings possible from preventing breaches or brand damage. For every 1000 developers, organizations have an opportunity to realize the following productivity savings:
Formula:
.avif)
Today’s engineering teams carry a significant burden of responsibility as they strive to balance rapid innovation alongside improved software security and resilience. Mature engineering practices, underpinned by end-to-end pipeline automation, are essential to their ability to build, test, and deploy their software faster and with greater confidence.
However, the findings of this report highlight that many organizations remain in the early stages of their journey to engineering excellence across key dimensions. While there is a widespread adoption of best practices, adherence to them is often inconsistent, used in only isolated use cases or pipeline stages. This fragmented approach leads to inefficiencies and a lack of consistency in how organizations approach Developer Experience, DevOps Modernization, Optimization, Quality & Resilience, and Secure Software Development.
To accelerate their journey toward engineering excellence, leaders must move beyond traditional, siloed approaches and embrace a more unified approach to software delivery. Adopting a platform-centric strategy that seamlessly integrates the tools and capabilities developers need across these critical areas will set engineering leaders on the surest path to success.
We invite you to take the Engineering Excellence Assessment to assess your organization's progress in these vital aspects of engineering maturity and more.
