Is the Delphi security crisis real? Or was it?
Delphi runs core banking, hospital systems, and government registries, yet most AppSec vendors have ignored it for years. With the EU Cyber Resilience Act and NIS2 now demanding SBOMs and vulnerability testing regardless of language, here's how new dedicated SCA and SAST solutions finally bring Delphi into modern security workflows.
Open any 2026 "top programming languages" list and you see the same names: Python, JavaScript, TypeScript, Go, Rust. Scroll a bit and you'll find Delphi, sitting around 2.5% of respondents in the Stack Overflow Developer Survey 2025.
2.5% of professional developers naming Delphi is a global community that reaches millions when extrapolated to the full developer population (GitHub's Octoverse 2025 counted over 180 million developers on GitHub alone). Delphi code runs core banking back-ends, hospital information systems, ERP suites, industrial control software, and government registries. A lot of it has been in production for 15, 20, 25 years. A lot of it is still shipping new features weekly.
But most vendors still don’t support Delphi.
The tooling gap
Go to Delphi-Praxis, one of the most active international Delphi forums, and search for "SBOM." You'll find threads where developers ask: "Is there any tool available to create an SBOM for a Delphi application or DLL?". For years, there weren't any — at least not dedicated ones.
The modern AppSec market grew up around web and cloud stacks, where SCA vendors index npm, PyPI, Maven Central, NuGet, and Crates. The parsers speak JavaScript, Python, Java, C#, and Go; you rarely see Delphi, Pascal, Scala, or Perl. The commercial logic is understandable, but in 2026 compliance beats it.
The EU Cyber Resilience Act, NIS2, and sector-specific rules in finance and healthcare now demand the same thing from every vendor regardless of language: a software bill of materials, evidence of vulnerability testing, traceability of third-party components. An auditor asking for an SBOM of a core banking system does not care if it's written in Delphi.
RAD Studio 13 Florence
Embarcadero is treating Delphi the way it should be treated, and RAD Studio 13 Florence (released September 10, 2025 and already updated to 13.1) is the clearest proof in years. It's the first full 64-bit RAD Studio IDE, and it ships a long-requested ternary operator for the Delphi language, a native C++23 toolchain based on Clang 20, an AI Component Pack (SmartCore) for wiring OpenAI, Claude, Gemini and Ollama into Delphi apps, and, in 13.1, a native Windows on Arm compiler generating Arm64EC binaries.
Delphi is a language with an active vendor, an active roadmap, and developers who will keep shipping new code on top of the VCL and FireMonkey codebases for the foreseeable future.
DerScanner Delphi SCA
On January 9, 2026, DerScanner — Embarcadero's official technology partner for application security — announced Software Composition Analysis for Delphi, the first dedicated SCA solution built specifically for the Delphi ecosystem. It produces automated SBOMs in standard machine-readable formats and identifies third-party and open-source components used inside Delphi projects — the same workflow mature npm or Maven users have had for a decade, now available for Delphi.
Combined with native SAST built on a parser that understands the Delphi language, code quality analysis, and SBOM generation aligned with the EU Cyber Resilience Act, this closes the last major gap in the Delphi security stack.
Meeting Delphi teams where they are
In February 2026, DerScanner and Konto d.o.o. Požega, a long-standing Embarcadero distributor serving Europe's Adriatic region, announced a partnership focused specifically on helping Delphi development teams meet CRA, NIS2 and sector-specific compliance requirements.
The same logic is now extending across Europe. DerScanner is available to Czech Delphi teams through Code Secure s.r.o., a Czech Embarcadero reseller that has been distributing Delphi, C++Builder, and RAD Studio for years. In the Benelux, Dutch Embarcadero distributor Barnsten now offers DerScanner to its Delphi customer base — the same developers who already buy their RAD Studio licenses, components, and training through Barnsten.
What this means for security leaders
If you're responsible for the security of a portfolio that includes Delphi applications, three things are worth doing this quarter:
- Stop excluding Delphi from your AppSec scope on the grounds that "no tool supports it." That statement is no longer true, and it will not hold up in a CRA or NIS2 audit.
- Generate an SBOM for at least one production Delphi application. The exercise alone will usually surface third-party components nobody on the current team remembers adding, and that inventory is what auditors and regulators now expect by default.
- Include your Delphi teams in the same SAST and SCA workflows you already apply to web and cloud services. The compliance frameworks don't distinguish by language; the tooling shouldn't either.

