Report:

Magic Quadrant for Application Security Testing

Top Vendor Products for Application Security Testing in 2025

• Black Duck
• Checkmarx
• HCLSoftware
• OpenText
• Snyk
• Veracode

Application Security Testing Vendor Product Comparisons 2025

• Black Duck - Leader
  

  Pros:

  • AI code security assistants: Code Sight and Black Duck Assist receive strong reviews from developers and clients and show higher-than-median acceptance rates for automated remediation suggestions.
  • Application security posture management: Black Duck's Software Risk Manager ASPM solution provides a comprehensive view of application risk, policy enforcement, result normalization and compliance management. SRM ingests results from both Black Duck and third-party tools.
  • Binary analysis: Black Duck offers binary scanning, enabling detection of code snippets, partial libraries, containers and statically linked code that may be missed by manifest-based detection methods.

  Cons:

  • Complexity and fit: Black Duck's platform may be too complex or costly for small or midsize companies seeking only basic SCA or SAST functionality.
  • Software supply chain security: Black Duck lacks support for detecting insecure pipeline configurations and vulnerable pipeline plug-ins, validating artifact integrity, and other risks within the development tool ecosystem.
  • Pricing: Some customers report that Black Duck's pricing is complicated, which can be a barrier for smaller organizations and has been cited as a concern in pricing reviews.


• Checkmarx - Leader
  

  Pros:

  • Application security posture management: Checkmarx correlates and deduplicates findings from both its own tools and third-party sources, providing a unified view of risk and policy-driven workflows for streamlined security management.
  • Developer enablement: Checkmarx's AI Security Champion provides context-aware remediation guidance and automated code fix recommendations directly within developer IDEs. The AI Code Security Assistant (ACSA) provides real-time secure coding support by monitoring and prompting secure code assistants for secure code.
  • Software supply chain security: Checkmarx's Software Composition Analysis detects malicious and vulnerable open-source packages, including those for AI components. Its Repository Health solution identifies security misconfigurations in code repositories.

  Cons:

  • Limited AI risk detection: Checkmarx's AI risk detection is currently limited to known vulnerabilities in libraries used to build or integrate large language models (LLMs), and does not cover AI-specific issues like prompt injection or sensitive data disclosure. These capabilities are planned for release in 2026.
  • Missing capabilities: Checkmarx does not offer IAST or mobile binary scanning, and its dynamic testing lacks support for native mobile clients.
  • Pricing and packaging: Although an Essentials tier is available for smaller organizations, some customers report that Checkmarx's pricing and packaging can be difficult to understand, particularly due to additional costs for certain features or support options.


• HCLSoftware - Leader
  

  Pros:

  • ASPM advancements: AppScan's ASPM features include improved dashboarding, correlation, customizable reporting and updated compliance policies, as well as integration with AppScan SSCS for software supply chain security through a partnership with OX Security.
  • AI-driven analytics: The platform leverages IFA to reduce false positives and improve triage, and ICA to expand detection coverage, including dynamic understanding of unseen APIs. CodeSweep provides real-time IDE feedback and AI-powered autofix recommendations.
  • API security: AppScan provides robust, multilayered API security, with AI-driven continuous discovery, including shadow and "zombie" APIs via eBPF inspection and dynamic testing to enhance visibility and protection.

  Cons:

  • Business logic detection: AppScan has limited capability for detecting API business logic vulnerabilities, often requiring third-party tools for certain use cases.
  • On-premises tooling: HCLSoftware's software composition analysis (SCA) and container security offerings were not available for on-premises deployments until the release of AppScan 360º v2.0 (September 2025).
  • Pricing and support: Some customers cite pricing as a concern, especially for organizations with limited budgets or smaller teams. Customer support in some regions may not meet expectations for comprehensiveness.


• OpenText - Leader
  

  Pros:

  • Application security posture management: OpenText provides a unified view for correlating, deduplicating and prioritizing findings across its product line, with risk scoring and policy-driven governance. The platform can also ingest findings from third-party commercial or open-source tools through parser plug-ins or APIs.
  • AI risk detection: OpenText identifies and surfaces risks associated with AI components and services used within, or externally by, applications at runtime. Current capabilities include detection of prompt injection, excessive information disclosure and insecure input handling, with policies configurable to block or flag risky components.
  • Flexible deployment: OpenText offers one of the broadest portfolios in the industry, with broad language support and deployment options for on-premises, SaaS, private cloud and managed services.

  Cons:

  • Limited remediation automation: Automated remediation for SAST findings is mainly available through IDE plug-ins with varying language support. Pull request automation is supported for vulnerable open-source packages but does not detect breaking changes.
  • Missing capabilities: OpenText does not offer dedicated container security testing with container registry integrations, nor detects security misconfigurations in development pipelines or source-code management systems. Additionally, secrets detection capabilities lack status validation.
  • Pricing complexity: OpenText's broad deployment options and long market presence have resulted in a complex pricing model, which can complicate negotiations for buyers seeking the best licensing approach.


• Snyk - Leader
  

  Pros:

  • AI-powered remediation: Snyk provides remediation suggestions and human-in-the-loop fix automation with rollback capabilities within IDEs, pull requests, the Snyk web UI and via CLI for SAST, IaC, SCA and container findings.
  • Developer enablement: Snyk integrates with developer tools throughout the SDLC, offering feedback, remediation guidance and automated remediation within IDEs, SCM workflows, CI/CD pipelines and ticketing systems.
  • AI risk detection: Snyk identifies and surfaces known risks associated with open-source AI components used to build applications, and treats output from LLMs as untrusted inputs, ensuring added scrutiny during testing activities.

  Cons:

  • Supply chain security limitations: Snyk does not provide support for detecting insecure pipeline configurations, vulnerable pipeline plug-ins or development tool ecosystem risks.
  • Limited legacy language support: The platform is focused on modern programming languages, with limited support for legacy languages, which may be a concern for organizations with older codebases.
  • Limited reporting customization: Some users have noted that the platform's customization options are limited. Despite the new UI and reporting functions, reporting is still cited as a weak point by some customers, especially when customers have many projects or specific needs for customized metrics. Snyk announced early access, for Enterprise plan customers, to its tenant-level Snyk Analytics in July 2025, which introduced customizable dashboards.


• Veracode - Leader
  

  Pros:

  • Application security posture management: VRM ingests security findings from third-party tools and deduplicates and correlates them with Veracode AST findings to provide a unified view of risk. Findings are enriched with runtime context, threat intelligence and business criticality to assign risk scores to facilitate prioritized remediation.
  • AI-powered remediation: Veracode Fix provides human-in-the-loop remediation suggestions for SAST findings that developers can review and accept within IDEs, pull requests or in bulk via the CLI. Unlike many secure coding assistants, it was trained using Veracode's proprietary reference patches to avoid license and privacy risks.
  • Customer support: Veracode provides 24/5 global service coverage and offers dedicated customer success managers and program management consulting for an additional fee. U.S. clients can also pay for additional U.S.-based staff options and FedRAMP support.

  Cons:

  • SaaS-only offering: Veracode offers a SaaS-only product, which limits adoption in markets where organizations are unwilling or unable to expose their code to the cloud. While Veracode offers the use of customer-managed encryption keys, this option may not fully address all customer concerns.
  • Limited secrets status detection: Veracode can detect hardcoded secrets but cannot determine their status (for example, valid or revoked).
  • Limited AI risk detection: Veracode does detect the inclusion of generative AI components and their associated risks, but it does not provide AI-specific risk detection, such as excessive information disclosure or prompt injection.


• Contrast Security - Visionary
  

  Pros:

  • Interactive application security testing: Contrast Assess is one of the industry's most widely adopted IAST solutions, leveraging quality assurance or other forms of active testing (for example, DAST and load testing) to passively scan for security issues with minimal false positives.
  • Dynamic risk prioritization: Contrast Score provides contextual risk ratings for individual findings and applications and are dynamically adjusted to reflect real-time risk. Scores are informed by Contrast Graph (a digital twin of the application built using runtime telemetry, application metadata and threat intelligence feeds), enabling teams to better prioritize remediation efforts.
  • Remediation automation: Contrast AI SmartFix uses real-time context from Contrast Graph to generate application-specific vulnerability fixes, delivered through the Contrast MCP server for use with coding assistants like GitHub Copilot or as pull requests using GitHub Actions.

  Cons:

  • Missing capabilities: Contrast Security does not offer capabilities for DAST, secrets detection, container security, IaC scanning or security assessment of development infrastructure.
  • Limited ASPM: While Contrast correlates its own findings, integrates with developer workflow tools and leverages runtime telemetry for risk-based prioritization, it does not ingest third-party findings, resulting in fragmented visibility into an application's overall risk posture.
  • Customer support: Contrast Security offers 24/7 global customer support options. However, language support is relatively limited compared to other vendors. It covers North America, the U.K., the EU and APAC, with support for the English, French and Japanese languages.


• JFrog - Visionary
  

  Pros:

  • Policy enforcement and attestations: JFrog evaluates and enforces policies throughout the SDLC and can generate cryptographically signed attestations (for example, SLSA and SBOM) for release builds to help meet regulatory and compliance requirements.
  • Software supply chain security: The platform covers the entire SDLC, integrating tools such as JFrog Curation for preventive open-source risk protection and JFrog Xray (SCA) for detection within pipelines. JFrog Advanced Security extends supply chain protections to include scanning for secrets, contextual analysis and testing for IaC and pipeline risks.
  • Developer experience: JFrog embeds security into developer workflows through IDE extensions, CLI tools, SCM integrations and partnerships with AI coding assistants such as GitHub Copilot, enabling early detection and rapid remediation of issues.

  Cons:

  • Missing capabilities: JFrog does not include native solutions for DAST, IAST, dedicated API security testing or comprehensive ASPM, requiring organizations to look elsewhere for these capabilities.
  • Product packaging: Security features are bundled within the broader JFrog platform and are not available as stand-alone offerings, which may not suit organizations seeking best-of-breed or point solutions.
  • New product maturity: JFrog's SAST and IaC scanning solutions are relatively new and less mature than those of established competitors in this Magic Quadrant, with some customer feedback citing limited customization options and user experience concerns.


• Mend.io - Visionary
  

  Pros:

  • AI risk detection: Mend.io identifies and surfaces known risks related to internal and external AI components used by applications, as well as those specific to AI-enabled applications, such as misinformation and sensitive information disclosure. Mend AI Premium extends coverage to include automated red-teaming for conversational AI.
  • Triaging and prioritization: The correlation engine analyzes findings across SAST, SCA, container and infrastructure scans, enabling organizations to resolve related vulnerabilities through a single remediation action.
  • Automated remediation: Mend.io offers automated remediation capabilities for first-party code and third-party libraries through Mend SAST and Mend Renovate. The products deliver AI-powered fixes within developer IDEs or by generating pull requests.

  Cons:

  • Partner-dependent coverage: Mend.io does not provide native DAST and IAST, relying on OEM partners for these capabilities. Changes to partner agreements may require clients to manage additional tools and vendors.
  • Pricing: Some prospects cite challenges with perceived value for cost, especially when comparing Mend.io to point solutions or repository vendors.
  • Limited IaC functionality: While the platform supports IaC misconfiguration scanning, it lacks secrets detection and cannot identify configuration drift in production environments.


• Sonatype - Visionary
  

  Pros:

  • Software supply chain security: Sonatype integrates across the SDLC, offering core SCA, artifact and container scanning, and SAST via OpenText Fortify, with a focus on early risk prevention and supply chain security.
  • AI risk detection: The platform uses heuristics, metadata and SBOM analysis to identify AI and LLM components, enabling policies to block or flag risks such as untrusted models, noncompliant datasets or unclear licenses.
  • Policy-driven risk prioritization: Sonatype's policy engine applies business rules and metadata to prioritize findings, with the Sonatype Developer module factoring in fix complexity and reachability.

  Cons:

  • Missing capabilities: Sonatype does not offer native DAST, IAST or IaC, and its SAST is only available through its partnership with OpenText, which may require managing additional vendors.
  • ASPM solution: The platform lacks a dedicated ASPM tool, though it uses available data from SSCS, open-source and SBOM features to inform risk decisions.
  • SAST transition: Sonatype is moving away from its own SAST engine in favor of the OpenText partnership, narrowing its direct coverage in this area.


• Data Theorem - Challenger
  

  Pros:

  • Mobile and API security: Mobile Secure provides comprehensive mobile app testing, including App Store Blocker Protection to help prevent app store rejection or removal. It also inventories back-end web services and APIs for testing with API Secure, which covers API-specific risks such as broken object-level access.
  • Reachability analysis: Code Secure's SAST+ leverages DAST to validate the exploitability of static findings, while Code Canary confirms reachability and exploitability at runtime.
  • Single-page application (SPA) support: Web Secure offers agentless dynamic runtime analysis for SPAs built on cloud-native and serverless architectures (Lambda) and provides a suite of hacker toolkits for testing critical applications.

  Cons:

  • Software supply chain limitations: Data Theorem lacks dedicated features for detecting security risks in development toolchains, verifying artifact integrity at each stage and evaluating the security of CI/CD pipelines. Data Theorem released new features to address this caution after the submission deadline for inclusion in this research.
  • Remediation automation: Data Theorem does not offer automated remediation capabilities, requiring developers to manually implement recommended fixes rather than leveraging integrated, automated workflows such as those available in other platforms.
  • Pricing: Some customers cite pricing as a concern, with cost being a top reason for not selecting Data Theorem as their AST provider.


• GitHub - Challenger
  

  Pros:

  • Developer-native integration: GitHub's security offerings, including SAST, SCA and secret scanning, are natively integrated into its platform and developer workflow, surfacing alerts directly within pull requests for early triage and remediation.
  • AI-powered remediation: Copilot Autofix, one of the most widely adopted AI code security assistants, leverages AI to suggest secure code fixes for vulnerabilities detected by CodeQL, providing actionable guidance directly within pull requests.
  • Developer enablement: GitHub's integrated source code management and CI/CD tools embed security features — such as dependency review and secrets scanning — directly into pull requests and related workflows. This integration enhances the developer experience and promotes shift-left security by enabling earlier detection and remediation of vulnerabilities.

  Cons:

  • Missing capabilities: GitHub lacks proprietary solutions for DAST, IAST and comprehensive API and container security testing or discovery. Open-source vulnerability reachability analysis is also not currently available.
  • Limited AI risk detection: GitHub's detection of AI-related risk is limited to AI-specific libraries installed using a supported package manager. It does not include testing for AI-specific vulnerabilities, such as prompt injection or sensitive information disclosure.
  • Limited mobile support: GitHub offers mobile testing support with CodeQL (SAST) and Dependabot (SCA) for Swift (iOS) and Kotlin (Android), but it does not provide dynamic testing and does not include mobile-specific policy definition and evaluation.


• GitLab - Challenger
  

  Pros:

  • Unified DevSecOps platform: GitLab offers a comprehensive, AI-native DevSecOps platform that natively integrates a broad spectrum of security capabilities, including SAST, SCA, DAST, secrets detection, API security, fuzz testing, container scanning and IaC, directly into the software development life cycle.
  • Custom Compliance Frameworks: In 2024, GitLab introduced Custom Compliance Frameworks. This feature allows compliance managers to tailor and automate specific compliance requirements (e.g., SOC 2, ISO 27001, NIST frameworks and the CIS GitLab Benchmark) to different codebases directly within the platform.
  • Software supply chain security: GitLab has full visibility and traceability into the software delivery pipeline, from code commit to applications running in production.

  Cons:

  • Limited DAST and IAST offerings: GitLab's DAST does not integrate with popular test automation tools such as Selenium or Postman. Additionally, GitLab does not offer IAST capabilities.
  • Limited AI risk detection: GitLab's detection of AI-related risk is limited to known vulnerabilities within libraries and SDKs used to interact with LLMs. It does not include testing for AI-specific vulnerabilities, such as prompt injection or sensitive information disclosure.
  • AST product packaging: All AST offerings are now exclusively part of GitLab's Ultimate edition, requiring the adoption of GitLab for both CI/CD and SCM to use its AST solution.


• Apiiro - Niche Player
  

  Pros:

  • Risk-based prioritization: Apiiro's Risk Graph aggregates findings from multiple sources and enhances them with business criticality, sensitive data presence and exploitability context to assign actionable risk scores.
  • Deep Code Analysis (DCA): Apiiro's DCA technology continuously scans code repositories to build comprehensive inventories of applications and their architectures, including internal or external AI models and services.
  • SDLC integration: Apiiro embeds security into development workflows by adding remediation guidance into pull request comments and tickets. DCA's material change detection triggers automated threat modeling by Apiiro's AI AppSec agent.

  Cons:

  • Missing capabilities: Apiiro's core solution does not include native DAST, IAST or container security scanning capabilities. Customers requiring these capabilities must obtain them from another provider, but can ingest their findings into Apiiro.
  • UI complexity: Some Gartner Peer Insights reviews indicated difficulty with UI filters, the need to configure multiple policies for workflow automation and challenges with managing high volumes of data.
  • Customer support: Support staff is heavily concentrated in North America, with limited presence and native language options in EMEA. This may present challenges for multinational organizations operating across diverse time zones and languages.


• Cycode - Niche Player
  

  Pros:

  • Pipeline security: Cycode's Cimon product monitors pipeline executions to protect against supply chain attacks and automate SLSA attestations.
  • Posture management and reporting: Cycode's ASPM capabilities include comprehensive dashboards for visibility, prioritization, remediation and compliance against frameworks such as CIS Benchmarks, SOC 2 Type II, ISO 27001 and NIST SSDF, using normalized risk scoring based on technical and business context.
  • Risk Intelligence Graph: Cycode's hybrid data architecture maps relationships between code, assets, developers, pipelines and findings, enabling complex queries, risk correlation and real-time visibility across the entire SDLC.

  Cons:

  • Missing capabilities: Cycode offers DAST and API security only through partnerships with other providers, requiring clients to manage additional vendors for these functions.
  • Automated remediation gaps: While Cycode provides AI-generated fixes, it lacks the ability to detect and prevent breaking changes for open-source software (OSS) library fixes and cannot recommend alternative libraries or automate license/operational risk remediation.
  • User experience: Cycode's user interface and API can feel unintuitive, with some Gartner Peer Insights reviewers citing challenges in navigation and integration.


• Semgrep - Niche Player
  

  Pros:

  • Detection rule customization: Semgrep allows users to create custom SAST rules with a flexible YAML-based syntax to detect specific code patterns or vulnerabilities and enforce coding standards.
  • AI-powered remediation assistance: Semgrep Assistant leverages its "Memories" and AI to automate triage and provide custom, step-by-step remediation guidance based on Semgrep rules and code context. Additionally, the platform can integrate with AI-enabled coding tools such as Cursor to ensure secure code generation and enhance developer support.
  • Ecosystem and community: Semgrep offers a large library of predefined and community-contributed rules that can be copied, modified or extended, enabling users to tailor detection to their specific needs.

  Cons:

  • Missing capabilities: Semgrep does not offer solutions for DAST, IAST, container security, dedicated API security testing or ASPM, requiring organizations to look elsewhere for these capabilities.
  • Supply chain security limitations: Semgrep does not provide support for detecting insecure pipeline configurations, vulnerable pipeline plug-ins or development tool ecosystem risks.
  • UI and reporting: Some users report challenges with the user interface and find exported reports lacking in presentation quality.

Reference

• Gartner, Magic Quadrant for Application Security Testing, 06-Oct-2025, ID G00795930

View Market Definition
View Vendor Movements