Rapid Response, Custom Control: The Power of Programmability
If there’s one thing this year’s State of Application Strategy Report makes clear, it’s that programmability of the data plane is no longer a luxury; it’s essential for modern application delivery and security.
Gone are the days when static, pre-configured systems could handle the evolving needs of applications. The data shows that organizations are embracing programmable data planes to address everything from inbound request handling to outbound traffic modifications—and they want to use familiar languages to do it.
Let’s break it down.
What is data-plane programmability?
First let’s make sure we’re all talking about the same thing.
Data-plane programmability is the ability to customize and control how network traffic is processed, inspected, and secured in real time, enabling rapid adaptation to new threats, dynamic routing, and enhanced application delivery through custom logic and automation.
For example, data-plane programmability can be used to inject HTTP headers that enable observability (traces) to scan for malicious content, and to identify “bad bots.” Given a robust enough implementation, data-plane programmability can act as a custom service and orchestration tool to route requests to the right place based on the content of the request.
There are literally no limitations to what you can do with data-plane programmability, so we asked about common use cases and capabilities to find out what the industry thinks is important.
Programmability: Priorities and pain points
We asked organizations to rate the importance of various programmable features for inbound and outbound traffic. Here’s what they told us:
Respondents ranked mitigating zero-day attacks as the most important capability of data-plane programmability, with service chaining and header injection close behind.
The most important programmable features for inbound traffic were:
- Mitigating zero-day threats (51%)
- Service chaining (40%)
- Header injection (33%)
- Dynamic app/API routing (31%)
Organizations clearly prioritize security and control at the edge—ensuring threats are mitigated and traffic is routed dynamically for performance and protection.
On the outbound side, the top features included:
- Data loss prevention (DLP) (38%)
- Header injection (37%)
- Protocol translation (35%)
- Service chaining (30%)
Data protection takes center stage here, with DLP leading the way. As applications increasingly rely on external services and APIs, ensuring sensitive data isn’t exposed or mishandled is mission critical.
The data makes one thing abundantly clear: data-plane programmability is a critical tool in the security toolchest.
Mitigating zero-day threats is a top priority for inbound traffic and data loss prevention the top priority for outbound traffic. Neither is a surprise. After all, zero-day vulnerabilities are some of the most dangerous because they are unknown until actively exploited, and data leaks are bigly expensive and can leave an organization with a tarnished reputation for years.
Here’s the problem: emerging technologies like AI and machine learning are exciting but introduce new risks. AI models, for instance, can be targeted with prompt injection attacks, adversarial examples, and data manipulation—threats that traditional security measures weren’t designed to catch.
That’s where data-plane programmability becomes a game-changer. With a programmable data plane, organizations can:
- Rapidly deploy custom security mitigations the moment a threat is identified.
- Adapt on-the-fly to secure novel traffic patterns introduced by AI-driven services, without waiting for a vendor update.
This flexibility means organizations can confidently adopt emerging technologies without fear of being blindsided by new vulnerabilities. When a zero-day exploit emerges, programmable data planes allow security teams to write, test, and deploy custom mitigations in hours—not weeks.
The ability to quickly respond to evolving threats is what enables early adopters to stay ahead of attackers and unlock the benefits of innovation while maintaining security. Organizations that embrace programmability are positioned to lead—not follow—when it comes to adopting the latest technology.
The languages that matter
What’s a programmable data plane without the right tools? We asked organizations about their top two language choices for programmability, and here’s what we found:
- Python (62.77%) is the dominant choice, known for its simplicity and vast libraries.
- Java (48.25%) and JavaScript/Node.js (24.71%) follow closely, reflecting the need for scalable and real-time capabilities.
- Go (23.71%) and Rust (10.35%) are gaining traction, especially in performance-critical environments.
Interestingly, Lua (11.69%) remains a niche but relevant choice, likely for its lightweight nature in embedded environments.
What’s interesting here is that Python is very much aligned with operations while Java and JavaScript are far more likely to fall in the DevOps realm. Which demonstrates that data-plane programmability bridges a gap between the two, especially in environments in which code is released frequently (say, daily or more) and developers are just as likely to be involved with production problems as operations.
The future of programmable data planes
The demand for programmability is no longer theoretical—it’s here, and it’s growing. The data shows a clear trend toward customization and control, with organizations prioritizing flexibility and security at every layer of their stack.
With Python and Java leading the charge and a strong focus on security-driven use cases, the programmable data plane is evolving to become a key enabler for modern application delivery and protection.
The question isn’t whether your organization should adopt programmability—it’s how fast you can use it and what value you can unlock once you do.