Pricing is steep at some vendors, complex at others, and sometimes both. Over the years, this overall assessment has become a fixture of Gartner’s Magic Quadrant for Application Security Testing.
The latest edition does not depart from that trend. Among the “leaders” in particular, four of the six are flagged on pricing: Black Duck, Checkmarx, HCLSoftware and OpenText.
Gartner had already called out Checkmarx and OpenText on this point in the previous edition, published in May 2023. It had done the same with another “leader” at the time, Synopsys. Synopsys has since disappeared from the chart because it sold its application security testing (AST) business to Clearlake Capital and Francisco Partners. Black Duck emerged from that deal, taking over the intellectual property, customers, leadership team and sales staff.
From one edition of this Magic Quadrant to the next, the functional inclusion criteria have changed little. As in 2023, only SAST (static analysis) and SCA (software composition analysis) were deemed indispensable for vulnerability identification. DAST (dynamic analysis) and IAST (interactive analysis) remained optional, as did container, API and IaC analysis. For application security posture management, integration with third‑party tools was not mandatory. For software supply chain management, governance of development pipelines and of the systems underlying them was likewise optional; only lifecycle management of SBOMs was mandatory.
On the “ability to execute” axis, which reflects market responsiveness, the 16 vendors are positioned as follows (the change column gives the movement in rank since the 2023 edition):
| Rank | Vendor | Change vs. 2023 |
| --- | --- | --- |
| 1 | Black Duck | = |
| 2 | Checkmarx | +2 |
| 3 | Veracode | −1 |
| 4 | Snyk | +3 |
| 5 | OpenText | = |
| 6 | GitHub | +2 |
| 7 | GitLab | −4 |
| 8 | HCLSoftware | −2 |
| 9 | Data Theorem | new entrant |
| 10 | JFrog | new entrant |
| 11 | Sonatype | = |
| 12 | Contrast Security | −3 |
| 13 | Semgrep | new entrant |
| 14 | Mend.io | −2 |
| 15 | Cycode | new entrant |
| 16 | Apiiro | new entrant |
On the “completeness of vision” axis, which reflects strategy (vertical and horizontal markets, geographic reach, go-to-market, product), the standings are as follows:
| Rank | Vendor | Change vs. 2023 |
| --- | --- | --- |
| 1 | Checkmarx | +3 |
| 2 | HCLSoftware | +7 |
| 3 | Snyk | +4 |
| 4 | Black Duck | −3 |
| 5 | OpenText | −3 |
| 6 | Sonatype | +5 |
| 7 | Contrast Security | −4 |
| 8 | Mend.io | −2 |
| 9 | Veracode | −4 |
| 10 | JFrog | new entrant |
| 11 | GitLab | −3 |
| 12 | Semgrep | new entrant |
| 13 | Cycode | new entrant |
| 14 | GitHub | −4 |
| 15 | Apiiro | new entrant |
| 16 | Data Theorem | new entrant |
Apart from Synopsys, for the reasons noted above, one other vendor left the Magic Quadrant: Onapsis, for insufficient coverage of programming languages.
Black Duck: room to improve on software supply chain security
Black Duck stands out positively for code security, with its Code Sight IDE plug-in (SAST and SCA), recently fitted with an AI assistant. Application security posture management is another strength (comprehensive risk view, compliance management, ingestion of findings from third‑party tooling). Its binary analysis can also prove more precise than manifest-based detection, since it examines what was actually built rather than what a dependency file declares.
The market views Black Duck’s pricing as complex. The offering can also be expensive for SMBs (fewer than 1,000 employees in Gartner’s taxonomy) that only want SCA or SAST. There is room for improvement in software supply chain security, with limited support for detecting insecure pipeline configurations and for validating artifact integrity, among other capabilities.
Checkmarx: limited on AI component security
Checkmarx also stands out for application security posture management (a unified view, correlation with third-party tools). Gartner values the assistance given to developers through the SAST AI Security Champion, which automates remediation inside IDEs. It also welcomes the supply chain capabilities, in particular the handling of open-source packages and the identification of misconfigurations in code repositories.
However, Checkmarx lacks an IAST component and does not cover binary analysis of mobile applications. Its AI risk detection is limited to vulnerabilities in the libraries used to develop or integrate LLMs; it does not cover prompt injection or leakage of sensitive data. Pricing can be difficult to understand, as can the packaging options and support levels.
HCLSoftware: weaknesses in support
HCLSoftware stands out for its progress in security posture management (enhanced dashboards, correlation, reporting, and software supply chain management through a partnership with OX Security). Another strength is its analytics engines, used to reduce false positives and broaden detection, including understanding the dynamic behavior of APIs; its API security in particular is considered robust.
HCLSoftware has been slow to make some components available on-premises (SCA and container security have been deployable on-prem only since September 2025). Its offering is also limited in detecting business-logic-level API behavior, which often requires third-party tools. Pricing can be prohibitive for small teams, and support in some geographic regions may not be comprehensive.
OpenText: could do better on automated remediation
OpenText also stands out positively for application security posture management. It scores well on risk management for AI components and services (detection of prompt injection, disclosure of sensitive information, and handling of insecure inputs). Gartner also appreciates the variety of deployment options (on-prem, SaaS, private cloud, managed) and the extensive language support.
It lacks a native container security testing capability, as well as detection of misconfigurations in development pipelines and source code management systems. Gartner notes limitations in automated remediation (uneven language support in IDEs, no detection of breaking changes at the pull-request level). There is also pricing complexity tied to the diversity of deployment options and to OpenText’s long history in this market.
Snyk: watch the focus on modern languages
Unlike OpenText, Snyk stands out for AI-assisted remediation spanning SAST, SCA, IaC and containers, delivered through IDEs, pull requests, the web UI and the CLI. Gartner appreciates the overall quality of its integration across the software development lifecycle, ticketing tools included. Detection of AI component risks, including risks in LLM outputs, is another plus.
On the software supply chain side, Snyk’s offering has limits (no detection of insecure pipeline configurations or of vulnerable plug-ins). There are also caveats on language support, which focuses on “modern” languages, and on report customization, which customers perceive as a weakness.
Veracode: no on‑prem option
Veracode also scores well on security posture management, notably through its integration of threat intelligence. Other strengths include AI-enabled remediation (for SAST, in IDEs, pull requests or via the CLI) and robust support, for both the core offering and the optional extensions.
Veracode is SaaS-only, which may be a hurdle for organizations that want to keep their code in-house, even with the customer-managed key option. Risk detection for AI components is still incomplete (no coverage for prompt injection or sensitive-data leakage), as is secret validation: the product does not tell you whether a detected secret is still valid.