Capping the field at around twenty providers is no longer enough to analyze the AST (application security testing) market.
Gartner has concluded as much. It considers that this market has grown too large to fit within the scope of its Magic Quadrant, which imposes that limit. It has therefore “zoomed in” on a sub-segment: software supply chain security.
Its evaluation focused on three functional components: SCA, SBOM, and threat intelligence. Several other building blocks were not required for inclusion in this Magic Quadrant, among them:
- Integration into source code managers and build tools
- Protection against third-party AI components (LLMs and MCP servers)
- Analysis of extensions in IDEs
- Governance of the security posture of delivery pipelines
- Lifecycle management of SBOMs
18 providers, 8 “leaders”
Two axes determine the positioning of the providers. One, called “execution,” reflects the ability to meet demand (customer experience, pricing, quality of products and services…). The other, called “vision,” reflects strategy (geographic reach, industry focus, innovation…).
The situation on the “execution” axis:
| Rank | Vendor |
|------|--------|
| 1 | JFrog |
| 2 | Sonatype |
| 3 | Checkmarx |
| 4 | Black Duck |
| 5 | Chainguard |
| 6 | Cycode |
| 7 | Apiiro |
| 8 | OX Security |
| 9 | ReversingLabs |
| 10 | Endor Labs |
| 11 | GitHub |
| 12 | Lineaje |
| 13 | RapidFort |
| 14 | Mend.io |
| 15 | Arnica |
| 16 | FOSSA |
| 17 | ActiveState |
| 18 | Veracode |
On the “vision” axis:
| Rank | Vendor |
|------|--------|
| 1 | Chainguard |
| 2 | JFrog |
| 3 | Black Duck |
| 4 | Checkmarx |
| 5 | Apiiro |
| 6 | OX Security |
| 7 | Endor Labs |
| 8 | Cycode |
| 9 | ReversingLabs |
| 10 | Lineaje |
| 11 | Sonatype |
| 12 | Mend.io |
| 13 | RapidFort |
| 14 | GitHub |
| 15 | Arnica |
| 16 | ActiveState |
| 17 | Veracode |
| 18 | FOSSA |
Of the 18 ranked providers, eight sit in the “Leaders” square: Apiiro, Black Duck, Chainguard, Checkmarx, Cycode, JFrog, OX Security, and Sonatype.
Apiiro, not easy to get started with
With Apiiro, Gartner appreciates the integration of SCA into a graph-based model, which helps prioritize vulnerabilities by exploitability and impact. It also notes favorably what the Guardian Agent contributes to detection and remediation across IDEs, CI/CD, and coding agents. More broadly, Apiiro has managed to adapt its governance capabilities to AI-assisted development.
Compared with competing solutions, Apiiro’s platform is more complex to onboard, especially when responsibility for different parts of the software development lifecycle falls to different teams. Organizations with straightforward SDLC infrastructures or limited AI adoption should also take note: the cost and effort of the solution may not justify the return.
Governance-focused, Black Duck risks alienating developers
Gartner notes the quality of Black Duck’s security bulletins. It also highlights its position in regulated environments, including enforceable SBOMs, license compliance management, and vulnerability disclosure workflows. Its single SCA engine also covers use cases beyond cloud-native (firmware, embedded systems, software distributed only as binaries).
Centered on governance and thus quite structured, Black Duck’s workflows may not suit teams that want to give developers more flexibility. Watch the onboarding effort, and be aware that the comprehensiveness of analyses can lead to longer scan times, larger data volumes, and greater process complexity.
Chainguard faces a risk of lock-in
Chainguard’s approach is to deliver libraries and images (containers, VMs) that are secure by default and rebuilt from source. Gartner sees this upstream protection as a strength, especially since the artifacts it produces can be consumed through standard formats.
The flip side: this model offers limited flexibility for consuming arbitrary dependencies and raises a lock-in risk. Moreover, Chainguard shows limited capabilities for inspection and remediation within IDEs.
Checkmarx, to be calibrated carefully
Unlike Chainguard, Checkmarx integrates deeply into IDEs, with AI-assisted remediation. It centralizes governance of multiple security engines, promoting signal normalization and consistent policy enforcement. Gartner also appreciates its ability to correlate vulnerabilities with the code context.
Whether by subscription or by usage, Checkmarx’s pricing is higher than the average for this segment. The granularity of its policy controls requires careful tuning to match the tolerated level of risk. Onboarding also deserves attention, since Checkmarx primarily targets large enterprise use cases.
With Cycode, time to action can be longer
Cycode distinguishes itself by its focus on threats specific to AI components and agentic coding. Gartner notes that it has adapted its offering to recent attack patterns (such as Shai-Hulud), notably by providing runtime protection for pipelines.
In terms of both customer footprint and dedicated staff, Cycode remains a small player in this segment. It also lacks certifications such as FedRAMP. Moreover, deploying its solution can be slow for organizations with legacy or highly customized build environments. Alert volumes are another point to watch.
JFrog, more expensive than average
Gartner values JFrog’s policy-as-code approach, which automates collection and proof of compliance by attaching security attestations to software packages. Its regional SLAs are another strength, as is the overall level of automation (for example, vendor substitution), which helps sustain the cadence of development workflows.
On pricing, the comment is the same as for Checkmarx: higher than average. This comes with a tendency to adjust public pricing and discounts year after year, at odds with the overall dynamic of the market. Gartner also notes that IDE support is limited to Visual Studio Code environments, and that security controls for agentic skills have only recently left the PoC stage.
OX Security, issues with reporting
Gartner commends OX VibeSec, which integrates directly into code-generation workflows. It also values its capabilities for managing the security posture of pipelines, including a proprietary SBOM extension. Another plus: its subscription pricing is lower than that of most other vendors ranked in this Magic Quadrant.
OX Security does not hold FedRAMP certification, nor does it offer binary analysis (a capability that is becoming an important differentiator alongside SBOM). Some clients have reported issues with reporting and alerts, notably limited histories and a lack of customization options.
Functional gaps at Sonatype
Sonatype stands out for the degree of unification of its tools and for a remediation approach that combines deterministic rules with GenAI. It also offers an interactive Guide that gives developers feedback on security, quality, and license compliance. Support is another strong point.
Sonatype holds no FedRAMP certification either, and its shift toward usage-based pricing can create some confusion. It also lacks features such as pipeline security posture management, securing developer workspaces, and secret detection.