Magic Quadrant for Application Security Testing

How does Gartner define the Application Security Testing market in 2025?

Gartner defines the application security testing (AST) market as consisting of providers of products that enable organizations to assess applications for the presence and management of risk. These products identify risk by evaluating source code, performing runtime tests and inspecting supply chain components. AST products can be integrated throughout development workflows for continuous assessment or be used to perform ad hoc evaluations. They enable organizations to manage application risks by providing an integrated set of capabilities for risk identification, prioritization and triage, policy evaluation and enforcement, and remediation assistance. Market offerings are available in on-premises, SaaS and hybrid delivery models. Organizations leverage AST products to assess applications for the presence of security vulnerabilities and other risks (e.g., legal and operational) throughout their life cycle.

Key Facts for Magic Quadrant for Application Security Testing in 2025

Publication Date: 06-Oct-2025

Document ID: G00795930

Coverage: Global

Authors: Jason Gross, Mark Horvath, Giles Williams, Shailendra Upadhyay, Dionisio Zumerle, Aaron Lord

Core Purpose: This Magic Quadrant evaluates application security testing (AST) vendors to help cybersecurity leaders identify and manage risk within applications by integrating and automating AST throughout software life cycles. It addresses how artificial intelligence, modern application designs, and increased software supply chain risks are expanding the AST market scope.

How was the Application Security Testing market evolved in 2025?

The AST market is projected to reach $5.1 billion in 2025, continuing rapid expansion from $3.4 billion in 2023

Growth is fueled by regulatory mandates, high-profile breaches, accelerated development, and expanding attack surfaces from modern architectures

AI adoption is accelerating code development while introducing new vulnerability classes and increasing remediation burden

66% of organizations using AI tools in SDLC report little to no improvement in code security

48% of AI-generated code contains vulnerabilities according to Georgetown University study

Shift-left integration and automation throughout SDLC is now an expectation, not a differentiator

Organizations face signal-to-noise challenges with overlapping findings from multiple security tools

Significant M&A activity continues with vendors expanding portfolios through acquisitions

Strong demand has allowed vendors to sustain higher pricing

Market sees influx of vendors addressing software supply chain security and ASPM

15 vendors evaluated: 6 Leaders, 4 Challengers, 4 Visionaries, 1 Niche Player

What product features are required to be included in this year's evaluation?

Static AST (SAST): Assesses, using a variety of analytical techniques, an application's source, bytecode or binary code for security vulnerabilities, typically during the programming and/or testing phases of the software development life cycle (SDLC).

Software composition analysis (SCA): Identifies third-party components, open-source or commercial, included in the development of an application. In addition to dependency details, provides information regarding known vulnerabilities, potential licensing concerns, operational risks, and malicious package identification.

Policy evaluation: Evaluates assessment results and applications against predefined, or customer-defined criteria for the introduction, or acceptable duration of risk presence.

Prioritization and triage: Recommends and allows for the adjustment of remediation priorities based on publicly available and proprietary information related to scanned artifacts, scan findings and risk considerations.

Posture and performance reporting: Provides measurements at the application and application portfolio level to quantify and measure adherence to expectations for introducing and addressing risk.

Software bill of materials (SBOM) life cycle management: Supports the ingestion, creation, and sharing of SBOMs for the purposes of identifying and communicating an inventory of third-party components, commercial or open-source, contained within an application and the risks therein.

Developer education: Includes just-in-time training and/or remediation guidance for individual scan findings as well on-demand training material for secure software development.

What are the common features of top products in the Application Security Testing space?

Dynamic AST (DAST): Externally probes applications in their running (i.e., dynamic) state during the testing and operational phases of the SDLC. DAST simulates attacks against an application, appraises the application's reactions and identifies the presence of vulnerabilities.

Interactive AST (IAST): Instruments, via the injection of a software-based sensor, an application to be tested. When the application is run (e.g., during functional testing), the sensor monitors and records multiple aspects of application activity, such as data and control flow. The tool then analyzes the information gathered to identify vulnerabilities.

Secrets detection: Specialized testing capabilities for the identification of exposed secrets (e.g., credentials, tokens, API keys, etc.) within code, configuration files or other artifacts.

API security testing: Specialized testing capabilities, including support for protocols used by APIs, payload analysis and checks for vulnerabilities unique to APIs. The ability to discover APIs in both development and production environments, as well as the ability to ingest recorded traffic or API definitions to support the testing of an API are common features.

Container security testing: Examination of container images, or a fully instantiated container prior to deployment, for the presence of security issues. Container security tools typically address both configuration hardening and vulnerability assessment tasks. Tools may also scan for the presence of secrets, such as hard-coded credentials or authentication keys.

Infrastructure-as-code (IaC) scanning: Review of IaC directives supporting the dynamic creation, provisioning and configuration of software-defined compute (SDC), network and storage infrastructure.

Unified visibility and correlation: Supports third-party tool assessment ingestion to include cloud and infrastructure vulnerabilities and misconfigurations, deduplication and correlation of findings.

Security workflow orchestration: Policy-based configuration and initiation of security tests, controls and workflows for risk detection and response throughout an application's life cycle.

Pipeline security: Inventories and assesses security controls within development pipelines as well as the infrastructure and systems they both pull from and run from.

Secure coding assistants: Resources that help developers, often through the use of AI, avoid the creation of insecure code or that provide suggestions for the automated remediation and/or mitigation of security bugs within existing code.

Scope Exclusions

Products focused exclusively on embedded systems or specialized hardware testing

Solutions that only address a single geographic region without broader market presence

Vendors that do not support common development languages (Java, Python, C#, PHP, JavaScript) for SAST

Solutions that cannot integrate with developer workflows for automated testing

Products that do not support SBOM ingestion and generation in standard formats

Vendors lacking both SAST and SCA mandatory capabilities

Organizations below the revenue thresholds specified in market performance criteria

Inclusion Criteria

Vendors must, among other requirements:

Provide a dedicated AST solution that is generally available (GA) as of 1 January 2025

Satisfy each of the technical capabilities relevant to Gartner clients

Provide support for all mandatory features identified in the Market Definition

Generated at least $100 million in annual revenue in calendar year 2024, OR at least $55 million with 20% from multiple regions, OR at least $10 million with 100% year-over-year growth

Must support automated vulnerability identification tests within developer workflows

SAST offerings must identify security flaws in common development languages (Java, Python, C#, PHP, JavaScript)

SCA offerings must identify OSS libraries with vulnerabilities, undesirable licenses, malicious packages, and outdated components

Must be able to ingest and generate SBOMs in commonly accepted formats (SPDX, CycloneDx, SWID)

Ability to Execute — Relative Weighting

Product or Service - High

Overall Viability - High

Sales Execution/Pricing - Medium

Market Responsiveness/Record - Medium

Marketing Execution - Medium

Customer Experience - High

Operations - NotRated

Completeness of Vision — Relative Weighting

Market Understanding - High

Marketing Strategy - High

Sales Strategy - Medium

Offering (Product) Strategy - High

Business Model - NotRated

Vertical/Industry Strategy - NotRated

Innovation - High

Geographic Strategy - High

FAQs

Q: What does this research cover?

A: This research evaluates 15 vendors in the application security testing market across their ability to execute and completeness of vision. It covers AST products that identify risk through source code evaluation, runtime tests, and supply chain component inspection. The evaluation includes mandatory features (SAST, SCA, ASPM, SBOM management, developer enablement) and common features (DAST, IAST, secrets detection, API security, container security, IaC scanning). It addresses how vendors are adapting to AI-driven development, modern architectures, and software supply chain risks.

Q: Who should use this research?

A: Cybersecurity leaders and application security teams should use this research to evaluate and select AST vendors based on their specific requirements. It helps organizations understand vendor strengths and cautions across different AST capabilities including SAST, DAST, IAST, SCA, ASPM, and emerging areas like AI risk detection and automated remediation. The research is particularly valuable for organizations looking to integrate security testing throughout their SDLC, address software supply chain risks, manage the security challenges of AI-generated code, and reduce signal-to-noise in their security programs. It provides guidance on vendor positioning, market trends, and selection criteria to support informed purchasing decisions.

Q: What are the mandatory features of vendors included in this market?

A: Mandatory features for vendors in the AST market include: (1) Static AST (SAST) for analyzing source code, bytecode, or binary code for security vulnerabilities; (2) Software Composition Analysis (SCA) for identifying third-party components and their associated risks including vulnerabilities, licensing concerns, and malicious packages; (3) Policy evaluation capabilities to assess results against predefined criteria; (4) Prioritization and triage features for risk-based remediation; (5) Posture and performance reporting at application and portfolio levels; (6) SBOM life cycle management for creating, ingesting, and sharing software bills of materials; and (7) Developer education including just-in-time training and remediation guidance. These capabilities must support automation within developer workflows and cover common programming languages.

Q: What are some reasons for not being included in this report?

Failure to provide a generally available dedicated AST solution as of January 1, 2025
Not meeting minimum revenue thresholds ($100M, or $55M with geographic diversity, or $10M with 100% YoY growth)
Lack of support for mandatory technical capabilities including SAST and SCA
Insufficient support for common development languages in SAST offerings
Inability to integrate automated vulnerability testing within developer workflows
No support for SBOM ingestion and generation in standard formats (SPDX, CycloneDx, SWID)
Missing mandatory features such as policy evaluation, prioritization/triage, or reporting capabilities
Focus exclusively on embedded systems or niche markets without broad language support (e.g., Onapsis)
Corporate restructuring that results in the vendor no longer meeting inclusion criteria (e.g., Synopsys divestiture creating Black Duck as separate entity)

Q: What differentiates Ability to Execute vs. Completeness of Vision?

A: Ability to Execute evaluates current capabilities and market performance, focusing on product quality, viability, sales effectiveness, customer experience, and market responsiveness. It assesses how well vendors deliver and support their current AST offerings. Completeness of Vision evaluates strategic positioning and future direction, focusing on market understanding, innovation, offering strategy, and geographic reach. It assesses how well vendors understand evolving customer needs and translate them into differentiated products and services that address future market requirements.

Report: