According to Gartner’s 2025 study, spending on managing technical debt accounts for an average of 40% of the IT budget of large French enterprises—a substantial resource diverted away from innovation. Generative AI has transformed modernization possibilities: whereas rebuilding a COBOL system could take years of tedious manual work, AI code assistants now enable the analysis, documentation, and migration of legacy code at unprecedented speed. According to IDC France (2025), 72% of CIOs have included reducing technical debt among their priorities for 2026, up from 51% in 2023.
The global market for code quality, application security analysis, and modernization tools is estimated at $18.6 billion in 2025 with a growth rate of 16.4% (MarketsandMarkets, 2025). This benchmark covers the full spectrum of solutions available in the French market: from static code analysis that measures and manages debt on a daily basis, to mainframe system modernization tools, to containerizing legacy applications, securing the software supply chain, and low-code platforms that accelerate application redesigns.
What is application modernization?
Application modernization refers to the set of approaches used to improve the quality, maintainability, security, and adaptability of an organization’s application heritage. It spans a broad spectrum: progressively refactoring existing code to reduce technical debt, migrating entirely to cloud-native architectures, containerizing applications, securing the software supply chain, and remaking software via low-code platforms.
Technical debt, a concept introduced by Ward Cunningham in 1992, denotes the future cost generated by suboptimal development decisions made today: duplicated code, ill-suited architecture, insufficient tests, missing documentation, obsolete dependencies. Like financial debt, it accrues interest if left unmanaged: new features become longer and more expensive to implement, and the risk of failure or security vulnerabilities increases. CAST Research Labs (2025) estimates that the average technical debt of a large French organization exceeds €3.6 million per $1 billion of revenue.
Application modernization is structured around six complementary approaches, often referred to as the six R model of cloud migration:
- Retain: keep the application as-is for stable, non-priority systems—valid for systems whose migration cost exceeds the expected value
- Retire: decommission obsolete applications without real business value—often 20 to 30% of a large organization’s application estate according to Gartner
- Rehost (lift-and-shift): migrate the application as-is to cloud infrastructure without changing the code—a quick approach but it does not resolve the underlying debt
- Replatform (lift-tinker-and-shift): minor optimizations to leverage the cloud (managed databases, cloud load balancers) without architectural overhaul
- Refactor/Re-architect (refactor): rewrite or deeply restructure the application to adopt a cloud-native architecture (microservices, serverless, containers)—more expensive but yields the greatest long-term value
- Replace: substitute the application with a SaaS solution or a low-code platform—ideal for standard business applications whose differentiating value is limited
The major transformation of 2025-2026 is the advent of generative AI across the entire modernization cycle: automated analysis of legacy code to understand its operation, automated generation of unit tests, refactoring suggestions, COBOL-to-Java translations, automatic documentation, and vulnerability detection. According to GitHub (2025), developers using GitHub Copilot complete their tasks 55% faster than without AI assistance—with a direct impact on the pace at which technical debt is absorbed.
Trends and market developments in 2026
Trend 1 – Generative AI is revolutionizing development assistance and code refactoring
The arrival of AI code assistants—led by GitHub Copilot, followed by Cursor, Amazon CodeWhisperer, JetBrains AI, and Google Gemini Code Assist—has transformed developer productivity. These tools go beyond code autocompletion: they write complete functions from natural language descriptions, generate unit tests, explain legacy code in plain language, and suggest refactorings. According to GitHub (2025), more than one million developers use GitHub Copilot, and enterprises report a 30 to 55% reduction in time spent on repetitive coding tasks.
Beyond writing assistance, generative AI is reshaping the refactoring of legacy code: specialists like Bito, Tabnine, and JetBrains’ AI modules can analyze COBOL, PL/SQL, or FORTRAN codebases spanning millions of lines, generate missing documentation, propose translations to modern languages (Java, Python, Go), and identify critical dependencies. OpenText Fortify and CAST have integrated generative AI capabilities into their analysis tools to reduce the time required to assess the impact of changes in a complex system by 70%.
Generative AI use cases in application modernization in 2026:
- Automatic generation of unit tests: creating test suites automatically from existing code—critical for securing refactoring by ensuring behavior is preserved
- Documentation of legacy code: automatic generation of comments, function descriptions, and architecture diagrams from undocumented code—prerequisite for any migration
- Suggestion and execution of refactorings: identifying code smells (duplication, tight coupling, overlong functions) and generating refactored code—GitHub Autofix, SonarQube AI
- Assisted language migration: translating COBOL to Java, PL/SQL to Python, VB6 to C#—accelerates migrations by 3 to 5x according to IBM studies (2025)
- Automated code review: analyzing pull requests to detect quality issues, potential bugs, and security flaws before merging—GitHub Copilot Code Review, SonarQube PR analysis
Trend 2 – Software supply chain security becomes a regulatory priority
Cyberattacks targeting the software supply chain—SolarWinds in 2020, Log4Shell in 2021, XZ Utils in 2024—have reshaped the perception of risk associated with open-source components and third-party dependencies embedded in applications. By 2026, 95% of applications contain open-source components (Sonatype, 2025), many with known vulnerabilities. Regulations NIS2, DORA, and the forthcoming European Cyber Resilience Act require organizations to document and manage these dependencies through an SBOM (Software Bill of Materials)—the software equivalent of a bill of ingredients.
The Software Composition Analysis (SCA) market—tools that analyze an application’s open-source dependencies to detect vulnerabilities and licensing issues—grows at 23% annually (Gartner, 2025). Leaders include Sonatype (Nexus), Snyk, Black Duck, and JFrog Xray. According to Sonatype (2025), organizations using an SCA tool detect open-source vulnerabilities four times faster and reduce exposure to critical CVEs by 65% compared with organizations without dedicated tooling.
Components of software supply chain security in 2026:
- SBOM (Software Bill of Materials): exhaustive inventory of all software components in an application (open source, third-party, proprietary) with their versions—required by NIS2 and the Cyber Resilience Act
- SCA (Software Composition Analysis): automated analysis of open-source dependencies to detect vulnerabilities (CVE), non-compliant licenses, and obsolete components
- SAST (Static Application Security Testing): static analysis of source code to detect security vulnerabilities (SQL injection, XSS, OWASP Top 10) before execution—integrated into CI/CD pipelines
- Artifact signing and attestation: cryptographic signing of container images and binaries to ensure integrity of the supply chain (Sigstore, cosign)
- Secrets analysis in code (secrets scanning): detection of API keys, passwords, and credentials committed to Git repositories—GitHub Secret Scanning, GitGuardian, TruffleSecurity
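To make the SBOM and SCA items above concrete, here is an added example (not code from the original article or from any vendor named in it) that audits a CycloneDX-style SBOM against an advisory feed and a licence policy. The SBOM, the advisory ids, the component names and the denied-licence list are all constructed for illustration.

```python
import json

# Constructed CycloneDX-style SBOM: every component below is made up.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-logging", "version": "2.14.1",
     "purl": "pkg:maven/org.example/example-logging@2.14.1",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "example-parser", "version": "1.4.0",
     "purl": "pkg:npm/example-parser@1.4.0",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "example-reporting", "version": "3.2.0",
     "purl": "pkg:maven/org.example/example-reporting@3.2.0",
     "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
    {"type": "library", "name": "example-legacy-codec", "version": "1.0-beta",
     "purl": "pkg:maven/org.example/example-legacy-codec@1.0-beta"}
  ]
}
"""

# Constructed advisory feed; the ids are placeholders, not real CVE numbers.
# A component is affected when introduced <= version < fixed.
ADVISORIES = [
    {"id": "EXAMPLE-ADVISORY-0001",
     "package": "pkg:maven/org.example/example-logging",
     "introduced": "2.0", "fixed": "2.17.1"},
    {"id": "EXAMPLE-ADVISORY-0002",
     "package": "pkg:npm/example-parser",
     "introduced": "1.0.0", "fixed": "1.4.0"},
]

# Assumed organisational licence policy (hypothetical).
DENIED_LICENSES = {"AGPL-3.0-only"}


def parse_version(text):
    """Return a tuple of ints for dotted numeric versions, else None."""
    parts = text.split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def _pad(a, b):
    """Right-pad two version tuples with zeros so 2.0 compares like 2.0.0."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)), b + (0,) * (width - len(b))


def in_range(version, introduced, fixed):
    """True when introduced <= version < fixed."""
    v, lo = _pad(version, introduced)
    if v < lo:
        return False
    v, hi = _pad(version, fixed)
    return v < hi


def package_key(purl):
    """Strip subpath, qualifiers and version from a package URL."""
    for sep in ("#", "?", "@"):
        purl = purl.split(sep, 1)[0]
    return purl


def audit_sbom(sbom, advisories, denied_licenses):
    """Return (component, kind, detail) findings for one SBOM document."""
    findings = []
    for comp in sbom.get("components", []):
        name = comp.get("name", "<unnamed>")
        raw_version = comp.get("version", "")
        version = parse_version(raw_version)
        key = package_key(comp.get("purl", ""))
        if version is None:
            # Without a comparable version no advisory can be ruled out.
            findings.append((name, "unresolved-version", raw_version))
        else:
            for adv in advisories:
                if adv["package"] == key and in_range(
                        version, parse_version(adv["introduced"]),
                        parse_version(adv["fixed"])):
                    findings.append((name, "vulnerable", adv["id"]))
        ids = [e.get("license", {}).get("id") for e in comp.get("licenses", [])]
        ids = [i for i in ids if i]
        if not ids:
            findings.append((name, "unknown-license", ""))
        findings.extend((name, "denied-license", i)
                        for i in ids if i in denied_licenses)
    return findings


if __name__ == "__main__":
    for finding in audit_sbom(json.loads(SBOM_JSON), ADVISORIES, DENIED_LICENSES):
        print(finding)
```

The component with the non-numeric version is reported rather than silently passed: an SBOM entry that cannot be compared against an advisory range is a gap in the inventory, not a clean result.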
Trend 3 – Containerization accelerates modernization of legacy applications
Containerization—packaging an application and its dependencies in a Docker or OCI container—has become the natural first step for many modernization projects. Rather than fully refactoring an application before migrating, containerization allows you to migrate to the cloud first, then optimize incrementally. This approach significantly reduces risk and shortens the time-to-value. According to the CNCF (Cloud Native Computing Foundation, 2025), 93% of organizations use containers in production, and Kubernetes has become the de facto standard for orchestration.
Tools such as Red Hat Konveyor (open source, developed under CNCF), AWS App2Container, and Azure Migrate automate discovery and containerization of on-premise applications, reducing analysis that took weeks to mere days. They examine the source code, identify dependencies, generate Dockerfiles and Kubernetes manifests, and evaluate the cloud readiness of each application. The AI integrated into these tools helps forecast migration challenges and generate cost and effort estimates.
Steps of modernization through containerization:
- Assessing the application estate: mapping existing apps, cloud readiness scoring, identifying dependencies between apps—tools like CAST Highlight, AWS Migration Evaluator
- Automated containerization: generating Dockerfiles from existing source, identifying configurations and secrets to externalize—Red Hat Konveyor, AWS App2Container
- Lift-and-shift to Kubernetes: deploying containers into a managed Kubernetes cluster (EKS, AKS, GKE, OpenShift) with cloud managed services (databases, messaging)
- Progressive refactoring into microservices: gradually breaking the monolith into autonomous microservices—prioritizing components with the highest demand for scalability
Trend 4 – “Vibe coding” and development agents redefine software creation
The term “vibe coding”, introduced by Andrej Karpathy (former AI lead at Tesla) in 2025, describes a rising practice where the developer describes the desired behavior in natural language and the AI generates, tests, and fixes the code with minimal human intervention. This mode of development, enabled by agents such as GitHub Copilot Workspace, Cursor Agent, Devin, and Replit Agent, enables non-developers to create functional applications and allows seasoned developers to boost their productivity dramatically.
For application modernization projects, these agents are especially relevant for large-scale refactoring: analyzing a COBOL codebase of millions of lines, generating documentation, proposing a modern target architecture, and producing migration code. Companies like IBM have announced using AI agents to accelerate migration of their own mainframe systems, achieving results that are 5 to 10 times faster than manual approaches. This capability reshapes the cost–benefit calculus of modernization projects once deemed out of reach.
AI development agents ecosystem in 2026:
- GitHub Copilot Workspace: agent that performs complex development tasks (creating a feature, fixing a bug, refactoring a module) within the GitHub environment
- Cursor Agent: AI-first development environment that enables large-scale codebase modifications via natural language instructions
- Devin (Cognition AI): the first “SWE-agent” (Software Engineering Agent) capable of autonomously executing complete development tasks
- Amazon CodeWhisperer + Q Developer: AWS AI development assistant integrated into IDEs with code transformation capabilities (e.g., Java 8 to Java 17)
How to choose an application modernization solution
Criterion 1 – Coverage of the heritage’s languages and technologies
The first criterion is the solution’s ability to analyze and manage the languages and technologies present in the organization’s application estate. The portfolios of large French organizations are extremely heterogeneous: Java and JavaScript for new applications; COBOL and PL/SQL for mainframe systems in banks and insurers; .NET and VB6 in the industrial mid-market; PHP and Python in newer web apps. A solution that covers 30 languages is more valuable than a more specialized platform with deeper support for only five languages. COBOL coverage is a particularly critical criterion for banking, insurance, and the public sector.
Key languages and technologies to validate according to organizational profile:
- Java / Kotlin (JVM): essential for organizations with enterprise Java apps—all major tools prioritize coverage here
- JavaScript / TypeScript: ubiquitous in modern web apps and APIs—critical coverage for Node.js and React stacks
- COBOL / PL/SQL / JCL: critical for banks, insurers, and public sector mainframes—covered by CAST, OpenText COBOL, IBM Wazi
- .NET / C# / VB6: prevalent in industrial SMEs and Windows apps—migration to .NET 8+ or to Azure-native
- Python / PHP / Ruby: web apps and data science—growing coverage in SAST tools such as SonarQube and Snyk
- Terraform / YAML / JSON (IaC): infrastructure-as-code file analysis—covered by SonarQube, Checkov, tfsec
Criterion 2 – Measuring and quantifying technical debt
Reducing technical debt first requires measuring it. The most mature tools offer debt quantification in man-days of remediation or directly in financial cost—a more meaningful metric for executives. CAST Highlight is recognized for its ability to express debt in euros, correlating the volume of problematic code with the daily cost of a senior developer. SonarQube quantifies debt in remediation hours and computes a debt ratio (remediation time / estimated development time) to compare projects. This quantification underpins the business case for any modernization program.
Key metrics for measuring technical debt:
- Technical Debt Ratio (SonarQube): remediation time versus development time ratio—below 5% is healthy; above 20% is critical
- Debt Index (CAST Highlight): 0–10 score measuring the code’s structural health (complexity, coupling, robustness, performance, security)—comparable across projects and vendors
- Cyclomatic Complexity: code complexity measure—beyond a threshold, functions become hard to understand and maintain
- Coverage (test coverage): percentage of code executed by automated tests—below 60% signals high risk during refactoring
- Duplications: percentage of duplicated code—each duplication multiplies maintenance during bug fixes
Criterion 3 – Integration into DevSecOps pipelines
A code quality or application security tool only delivers operational value if it is integrated into development pipelines. A technical debt report produced quarterly by a dedicated quality team will have far less impact than automated analysis run at every commit and every pull request, with a Quality Gate that blocks non-compliant deployments. The shift-left principle—detecting issues as early as possible in the development cycle, ideally inside the developer’s IDE—remains the foundation of an effective quality strategy.
Essential DevSecOps integrations to validate:
- IDE plugins (VS Code, IntelliJ, Eclipse): real-time feedback in the IDE before commit—SonarLint (SonarQube), GitHub Copilot, Snyk IDE Extension
- Pull Request analysis: automatic quality and security report posted as a PR comment (GitHub/GitLab/Bitbucket)—so that merge decisions are informed
- Quality Gates in CI/CD: automatic pipeline blocking if quality thresholds aren’t met—strengthens the quality culture without relying on individual discipline
- Integration with ticketing tools (Jira, GitHub Issues): automatic ticket creation for detected issues—closing the loop between detection and remediation
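The Technical Debt Ratio, coverage and cyclomatic complexity metrics from Criterion 2 and the Quality Gate described above can be combined into one pipeline check, sketched here as an added example (not SonarQube's implementation and not code from the original article). The 5% and 60% thresholds are the article's; the complexity limit of 10, the sample source and the sample metrics are assumptions constructed for illustration, and Python is used as the analyzed language only to keep the example self-contained.

```python
import ast

# Gate thresholds: the first two come from the article's metric list; the
# complexity limit of 10 is an assumed value (the article names no number).
GATE = {"max_debt_ratio_pct": 5.0, "min_coverage_pct": 60.0, "max_complexity": 10}

# Constructed sample of "new code" submitted in a pull request.
SAMPLE_SOURCE = '''
def parse_record(line):
    if not line:
        return None
    fields = line.split(";")
    if len(fields) < 3 or fields[0] == "":
        return None
    return fields

def route_payment(payment):
    if payment["amount"] <= 0:
        raise ValueError("amount")
    for rule in payment["rules"]:
        if rule == "sepa" and payment["currency"] == "EUR":
            return "sepa"
        elif rule == "swift" or rule == "target2":
            return "wire"
        elif rule == "card":
            return "card"
        elif rule == "cheque":
            return "manual"
    while payment["retries"] > 0:
        payment["retries"] -= 1
        if payment["retries"] == 1:
            return "retry"
    return "reject" if payment["strict"] else "manual"
'''

# Constructed metrics as a CI job would collect them for the new code.
SAMPLE_METRICS = {"remediation_minutes": 2700, "development_minutes": 36000,
                  "coverage_pct": 54.0}

_BRANCHES = (ast.If, ast.For, ast.AsyncFor, ast.While, ast.ExceptHandler, ast.IfExp)


def cyclomatic_complexity(func_node):
    """Simplified McCabe count: 1 + decision points (nested defs included)."""
    score = 1
    for node in ast.walk(func_node):
        if isinstance(node, _BRANCHES):
            score += 1
        elif isinstance(node, ast.BoolOp):        # each extra and/or operand
            score += len(node.values) - 1
        elif isinstance(node, ast.comprehension):  # loop plus its filters
            score += 1 + len(node.ifs)
    return score


def function_complexities(source):
    """Map every function name in the source to its complexity score."""
    tree = ast.parse(source)
    return {n.name: cyclomatic_complexity(n) for n in ast.walk(tree)
            if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef))}


def technical_debt_ratio(remediation_minutes, development_minutes):
    """Remediation time over estimated development time, in percent."""
    if development_minutes <= 0:
        raise ValueError("development time must be positive")
    return 100.0 * remediation_minutes / development_minutes


def debt_rating(ratio_pct):
    """Article thresholds: below 5% healthy, above 20% critical.
    The label for the band in between is an assumption."""
    if ratio_pct < 5.0:
        return "healthy"
    return "critical" if ratio_pct > 20.0 else "watch"


def evaluate_gate(metrics, source, gate=GATE):
    """Return the failed conditions; an empty list means the gate passes."""
    failures = []
    ratio = technical_debt_ratio(metrics["remediation_minutes"],
                                 metrics["development_minutes"])
    if ratio > gate["max_debt_ratio_pct"]:
        failures.append(("debt_ratio_pct", ratio))
    if metrics["coverage_pct"] < gate["min_coverage_pct"]:
        failures.append(("coverage_pct", metrics["coverage_pct"]))
    for name, score in sorted(function_complexities(source).items()):
        if score > gate["max_complexity"]:
            failures.append(("complexity:" + name, score))
    return failures


if __name__ == "__main__":
    failed = evaluate_gate(SAMPLE_METRICS, SAMPLE_SOURCE)
    for condition, value in failed:
        print("gate condition failed:", condition, value)
    raise SystemExit(1 if failed else 0)  # non-zero exit blocks the pipeline
```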
Criterion 4 – Modernization strategy: progressive vs. complete rewrite
The most defining decision in a modernization program is choosing between a progressive approach—incrementally reducing debt while keeping systems in production—and a complete rewrite—replacing the existing system with a modernized application. A full rewrite (a “big bang migration”) is generally discouraged for critical systems: risks are high, costs are often underestimated, and timelines frequently overrun. The progressive approach, typically structured around the “strangler pattern” (gradually replacing legacy functionality with modern microservices), is the standard reference. Tool choice should align with the chosen strategy.
Factors guiding towards a progressive approach or a rewrite:
- Progressive (incremental) recommended if: the system is in production-critical operation, business requirements are evolving quickly, automated tests are insufficient, budget is constrained
- Complete rewrite feasible if: the system is so obsolete that maintenance costs exceed the rewrite, the codebase is incomprehensible, legacy skills are diminishing
- Replacement with SaaS/low-code is appropriate if: the differentiating value of the system is low (standard processes), mature SaaS solutions exist, the organization wants to reduce maintenance burden
Criterion 5 – Governance and DevSecOps culture
Code quality and application security tools only deliver value if the organization builds a culture that supports them. A perfectly deployed SonarQube with Quality Gates that are routinely bypassed under pressure does not improve code quality. The key is to empower development teams to own quality—the “You build it, you own it” principle—rather than delegating quality to a central QA team. Teams must be trained to understand quality metrics, interpret debt reports, and autonomously prioritize remediation.
Governance elements of an application modernization program:
- Definition of Quality Gates: minimum quality thresholds (test coverage, duplication, security rating) that each component must meet—defined at the organizational level and automatically enforced across all projects
- Technical debt dashboard: consolidated debt view by application, by team, and by business domain—visible to IT leadership and business managers
- Dedicated remediation budget: allocation of a percentage of development time to reducing technical debt (typically 20–30%)—without this budget, debt grows
- DevSecOps training and certification: skills uplift for security and quality practices—SonarQube, Snyk, GitHub Advanced Security certifications
Key market players
The French market for application modernization in 2026 is organized around five major families: SAST and code quality tools (SonarQube), AI development assistants and DevOps platforms (GitHub Copilot/GHEC), application asset analysis and mainframe modernization platforms (CAST Highlight, OpenText), containerization and cloud-native tools (Red Hat OpenShift/Konveyor), software supply chain security (Sonatype, Black Duck), observability and production quality (Dynatrace) and low-code platforms (OutSystems, Mendix).
Benchmark players analyzed in this study:
- SonarQube (Sonar) – Standard for static code analysis and DevSecOps quality, 30+ languages, 500,000+ instances
- GitHub Copilot / GitHub Enterprise Cloud – AI coding assistant + enterprise DevOps platform
- CAST Highlight – Asset analysis, debt quantified in euros
- OpenText (formerly Micro Focus) COBOL – COBOL/mainframe modernization, progressive migration
- Red Hat OpenShift / Konveyor – Containerization and migration of legacy applications to cloud
- Sonatype (Nexus / SBOM) – Software supply chain security, SCA and SBOM, open-source vulnerability management
- Black Duck (Synopsys) – Unified AppSec suite (SCA + SAST + DAST), Gartner reference
- Dynatrace Software Intelligence – Observability, release quality, continuous testing
- OutSystems / Mendix – Enterprise low-code platforms for rapid modernization of legacy apps
SonarQube (Sonar)
Global standard for static code analysis and DevSecOps quality—SAST, technical debt, 30+ languages, 500,000+ instances worldwide, CI/CD-integrated Quality Gates
SonarQube is an open-source solution developed by the French company Sonar (formerly SonarSource), founded in Geneva in 2007 with headquarters in Austin and Paris. With over 500,000 instances deployed globally and hundreds of millions of code analyses performed, SonarQube is the de facto standard for static code analysis in organizations with DevOps pipelines. The solution analyzes source code in more than 30 programming languages—Java, JavaScript, TypeScript, Python, C#, COBOL, PHP, Go, Terraform, and more—to detect bugs, security vulnerabilities (OWASP Top 10) and code smells indicative of technical debt, and quantifies remediation effort in man-hours.
SonarQube operates on the principle of “Clean as You Code”: rather than attempting to fix all legacy debt at once—a daunting task—the platform asks teams to maintain a high quality standard for new code and progressively absorb existing debt. Quality Gates set minimum quality thresholds that block deployment if the new code introduces issues, creating a ceiling on quality deterioration. In 2025, Sonar enhanced its platform with AI capabilities via SonarQube AI Code Assurance—a module dedicated to assessing and certifying code generated by AI assistants.
Key features:
- Multilanguage Static Analysis (SAST): detection of bugs, OWASP Top 10 vulnerabilities, code smells across 30+ languages—rule base continually updated by Sonar research
- Technical debt quantification: measurement in remediation hours and days, Technical Debt Ratio, historical debt evolution—foundation for modernization business cases
- Configurable Quality Gates: minimum quality thresholds by project—automated pipeline blocking if new code falls short
- SonarLint (IDE plugin): real-time feedback in VS Code, IntelliJ, Eclipse, Visual Studio before commit—maximizing shift-left and on-the-fly corrections
- AI Code Assurance: detection and handling of code generated by AI assistants (GitHub Copilot, ChatGPT)—ensures AI code meets the same standards as human code
- Universal DevSecOps integration: native plugins for GitHub Actions, GitLab CI, Jenkins, Azure DevOps, Bitbucket Pipelines—automated analysis on every PR with no extra setup
SonarQube is used in virtually every organization with active development teams in France. French references include Orange, La Poste, Crédit Agricole, and numerous IT services firms, which rely on it for their development teams. Sonar has offices in Paris (France-Switzerland) and leverages a broad ecosystem of integration partners in France. The Community Edition is free as open source; Developer, Enterprise, and DataCenter editions are paid with advanced features.
GitHub Copilot / GitHub Enterprise Cloud
Premier enterprise DevOps platform and leading AI coding assistant—GitHub Copilot GPT-4o, Autofix, CI/CD Actions, Advanced Security, 1M+ developers
GitHub is the world’s most-used software development platform, with more than 100 million developers and 420 million repositories hosted. Acquired by Microsoft in 2018 for $7.5 billion, it accelerated the integration of AI with the launch of GitHub Copilot in 2022—an AI code assistant based on GPT-4o now used by more than a million developers and over 37,000 organizations worldwide. Copilot has evolved beyond autocompletion to GitHub Copilot Workspace (an agent that can plan and execute complex development tasks) and Copilot Code Review (automated code review of pull requests), turning it into an enterprise-grade augmented software engineering platform.
For modernization projects, GitHub Enterprise Cloud (GHEC) offers a set of security and governance features tailored to large organizations: GitHub Advanced Security (SAST, secrets scanning, SCA integrated), Copilot Autofix (automatic remediation of vulnerabilities detected by Advanced Security), GitHub Actions (native CI/CD with 20,000+ actions in the marketplace), and GitHub Codespaces (standardized cloud development environments). Integrating these services into a single platform greatly reduces tooling complexity in the DevSecOps chain.
Key features:
- GitHub Copilot (AI assistance): code generation from descriptions, contextual smart completion, code explanation, automated unit test generation—GPT-4o built-in
- Copilot Workspace (development agent): AI agent that plans, codes, and executes complete development tasks (bug fixes, new features) within GitHub
- GitHub Advanced Security (SAST + SCA + Secrets): vulnerability detection in code (CodeQL SAST), vulnerable dependencies (Dependabot), and secrets exposure—natively integrated into GitHub
- Copilot Autofix: automated generation of fixes for vulnerabilities detected by Advanced Security—reduces security remediation time by about 60%
- GitHub Actions (CI/CD): native GitHub CI/CD with 20,000+ actions available—de facto standard for modern DevOps pipelines
- Codespaces (cloud development): standardized development environments in the browser or in VS Code—onboarding in minutes
GitHub is used by essentially all modern development teams in France. Hundreds of French organizations, from startups to CAC 40 giants, host their code on GitHub Enterprise Cloud. Its integration with Microsoft Azure (CI/CD to Azure, Azure Active Directory for IAM) reinforces its adoption in Microsoft-centric organizations. Its partner ecosystem includes all major players in DevOps and application security.
CAST Highlight
Asset analysis and quantified technical debt in euros—5 million lines of code analyzed per hour, 40+ languages, AI Cloud Readiness scoring
CAST is a French company founded in Paris in 1990, a pioneer in structural code analysis and automated measurement of software quality. Its CAST Highlight platform is the reference for large organizations’ asset analysis at scale: it can analyze 5 million lines of code per hour across more than 40 languages, producing a dashboard of application health (structural quality, security, robustness, performance, scalability, size) for each application in the estate. Unlike code-quality tools like SonarQube (which analyze code line-by-line), CAST specializes in high-level architectural analysis—making it particularly suited to CIOs who want a consolidated view of a portfolio comprising dozens or hundreds of applications.
The differentiator for CAST Highlight is its ability to express debt in euros—mapping the volume of problematic code to the cost of a senior developer’s daily rate. This metric is more meaningful to executive leadership than a purely technical score. Its Cloud Readiness Scoring automatically evaluates how easily each application can be migrated to the cloud, identifying cloud blockers (incompatible technologies) and estimating migration effort. This makes CAST Highlight the tool of choice for CIOs and CTOs who must build the modernization business case and prioritize applications for action.
Key features:
- Asset analysis (5M LOC/hour): analyzing the entire application estate in hours—providing a consolidated view of each app’s health with multi-dimensional scoring
- Debt quantified in euros: translating problematic code volume into financial cost—tangible metric for executives and modernization business cases
- Cloud Readiness Scoring (AI): automated scoring of cloud migration ease for each application—identifying cloud blockers, estimating effort, and prioritizing
- Open source analysis (SCA integrated): inventory of open-source components, CVE vulnerabilities, license risk—contributing to SBOM generation
- Sector benchmarking: comparing quality indicators against industry-aggregated data to contextualize competitive position
- Progress tracking: time-based dashboards for debt and quality evolution—measuring modernization program effectiveness
CAST is particularly prevalent in France in the banking, insurance, manufacturing, and public sector where the largest and most complex application portfolios reside. Organizations such as BNP Paribas, Société Générale, Airbus and French ministries rely on CAST to guide their modernization strategy. CAST maintains offices in Paris and works with specialized software-quality partner integrators.
OpenText (ex-Micro Focus) COBOL
Specialist in COBOL modernization and mainframe systems—Micro Focus COBOL, Visual COBOL, Enterprise Server, progressive migration to Java and cloud for regulated industries
Micro Focus is a British company founded in 1976, a pioneer of COBOL on microcomputers and a leading specialist in modernizing mainframe systems. Acquired by OpenText in 2023 for $6 billion, it now operates under the OpenText Cybersecurity & Analytics division while maintaining a dedicated COBOL/mainframe modernization position. Its Visual COBOL and Enterprise Server suite enables organizations to develop, test, debug, and deploy COBOL applications on modern environments—Linux, Windows, Docker—without maintaining a physical IBM Z mainframe license, dramatically reducing mainframe licensing costs.
The COBOL problem is especially acute in France: banks, insurers, tax administrations and pension funds manage critical COBOL systems that can comprise tens of millions of lines of code. These systems handle critical financial transactions (transfers, pension calculations, tax filings) and cannot stop. The shrinking pool of expert COBOL developers makes it urgent to migrate these systems to more sustainable technologies. OpenText advocates a progressive modernization approach: reuse existing COBOL code by running it in modern environments while gradually refactoring toward Java or microservices.
Key features:
- Visual COBOL (modern development): modern COBOL IDE integrated with Visual Studio / VS Code, including debugging, refactoring, unit testing, and documentation generation—boosting COBOL developer productivity
- Enterprise Server (runtime off-mainframe): execute COBOL and JCL on Linux/Docker/Kubernetes without IBM Z mainframe licenses—substantial reduction in MIPS licensing costs
- COBOL analysis and program mapping: structural analysis of COBOL bases to understand program dependencies, data structures, and processing flows—prerequisite for any migration
- COBOL-to-Java migration (AI-assisted): translation tools assisted by AI to preserve business logic—accelerated by 2025 AI capabilities
- Automated regression testing: automatic generation of regression tests from existing COBOL programs—a safety net before any migration
- IBM Z integration (coexistence): connectivity with existing IBM Z environments for a gradual transition—both environments coexisting during migration
OpenText Micro Focus COBOL is present in many French financial institutions, insurance companies, and public administrations that manage sizeable COBOL assets. Its clients include mutual banks, health insurance funds, and French pension organizations whose critical systems have relied on COBOL for decades. OpenText maintains a presence in France and a network of specialists focused on mainframe modernization.
Red Hat OpenShift / Konveyor
Enterprise Kubernetes platform + CNCF open-source tool for modernization and cloud migration—Konveyor analyzes and automates containerization of legacy applications
Red Hat (IBM) offers a unique combination for cloud-oriented modernization: OpenShift, the world’s most deployed enterprise Kubernetes platform, and Konveyor, an open-source project created by Red Hat and now integrated into the CNCF, which helps organizations analyze, prepare, and execute migration of their applications to cloud-native environments and Kubernetes. This combination enables a modernization continuum: Konveyor assesses the estate and automates containerization, OpenShift provides the target runtime platform.
Konveyor comprises several complementary tools. Tackle analyzes the source code of Java, .NET, and other applications to assess migration-to-Kubernetes readiness and identify incompatibilities (“migration issues”). It generates detailed reports with modification recommendations and automatically estimates migration effort. Move2Kube automates the generation of Kubernetes artifacts from multiple sources: Cloud Foundry, Docker Compose, Helm—reducing weeks of manual configuration to mere hours. In 2025, the Konveyor ecosystem gained generative AI capabilities that automatically generate remediation for migration issues.
Key features:
- Konveyor Tackle (migration readiness analysis): analyzes Java and .NET apps to identify cloud/Kubernetes incompatibilities, scores migration effort, and generates detailed reports
- Konveyor Move2Kube (Kubernetes artifacts generation): automated transformation from Cloud Foundry, Docker Compose, Helm to Kubernetes manifests—reducing weeks of manual configuration to hours
- Konveyor AI (automated fixes): automatically generates code changes needed to remediate migration issues—accelerating pre-migration remediation
- OpenShift (target platform): Kubernetes-based enterprise platform with enhanced security, operators, monitoring, and CI/CD pipelines—stable production platform for containerized apps
- OpenShift Dev Spaces (cloud IDE): standardized cloud development environments integrated with OpenShift—onboarding developers within minutes for modernization projects
- Hybrid deployment (on-prem + cloud): OpenShift runs on any infrastructure—on-premises, AWS, Azure, GCP, OVHcloud—without refactoring containerized apps
Red Hat OpenShift is widely adopted in France in regulated sectors and large organizations with DevOps teams. Organizations such as Orange, Société Générale, Airbus, and French administrations use OpenShift as their production platform. Konveyor is adopted by modernization teams preparing migrations to OpenShift or to managed Kubernetes.
Sonatype (Nexus / SBOM)
Leader in software supply chain security—Nexus Repository, automatic SBOM, SCA across 100M+ components, zero-day open-source vulnerability detection
Sonatype is a US-based company founded in 2008, creator of the Apache Maven project and a global leader in Software Supply Chain Security. Its platform covers the entire lifecycle of software components: artifact storage and distribution (Nexus Repository), governance of open-source component quality (Nexus Lifecycle), and real-time protection against new threats (Sonatype Advanced Security). Sonatype claims to have analyzed over 100 million components and discovered more than 70,000 open-source vulnerabilities not yet listed in CVE, thanks to its security researchers (Sonatype Research).
Its value proposition directly supports NIS2, DORA, and the upcoming Cyber Resilience Act through the automatic generation of SBOMs (Software Bills of Materials), which list all software components with their versions and licenses. Sonatype generates SBOMs in standard formats (SPDX, CycloneDX) and keeps them up to date with every build. Its Sonatype AI (Ossa) engine predicts vulnerabilities before they are officially referenced, a capability particularly valuable in the zero-day era. In 2025, the XZ Utils attack, a backdoor inserted into an open-source library used by millions of Linux systems, dramatically demonstrated the importance of this monitoring.
Key features:
- Nexus Repository (artifact management): private repository for all software artifacts (Maven, npm, PyPI, Docker, NuGet, etc.) with proxies to public registries—full control of components entering the organization
- Nexus Lifecycle (SCA in CI/CD): analysis of open-source dependencies at every stage of the CI/CD pipeline—automatic blocking if a vulnerable component is introduced, configurable vulnerability policies
- SBOM generation (SPDX / CycloneDX): automatic Software Bill of Materials generation at each build in standard formats—compliance with NIS2, DORA, and Cyber Resilience Act
- Sonatype Advanced Security (zero-day): detection of vulnerabilities not yet listed in official CVEs via Sonatype Research—protection 40 to 90 days before official publication
- Open-source license auditing: detection and management of license risks (GPL copyleft, licenses incompatible with commercial use)—critical for commercial software distributions
- Universal DevSecOps integration: native plugins for major CI/CD tools (Jenkins, GitHub Actions, GitLab CI, Azure DevOps)—shift-left of open-source security
Sonatype is adopted by thousands of global organizations, notably in sectors with high security obligations such as finance, defense, energy, and technology. In France, its presence is growing as NIS2 requirements mandate traceability of software components. French references include major industrial groups, financial institutions, and critical-importance operators.
Black Duck (Synopsys)
Unified application security suite SCA + SAST + DAST—Gartner’s AppSec reference, 2,500+ enterprise customers, SBOM, Black Duck AI for AI component risk
Black Duck is a major player in application security, spun out as an independent company in October 2024 after the carve-out of Synopsys’ Software Integrity group (renamed after acquisition). Historically known as Black Duck Software (acquired by Synopsys in 2017 for $565 million, later spun off in 2024), the portfolio now spans the full spectrum of AppSec: SCA for open-source dependencies, SAST via Coverity for proprietary code analysis, and DAST with Black Duck DAST for runtime testing. This tri-dimensional coverage—rare on the market—positions Black Duck as a unified AppSec platform rather than a single-purpose tool. Black Duck claims more than 2,500 enterprise customers across finance, defense, automotive, and semiconductors.
A key differentiator for Black Duck SCA is the depth of its open-source knowledge base and the vulnerabilities linked to components. Its Black Duck KnowledgeBase lists more than 8 million open-source components with vulnerabilities, licenses, and origins—powered by a dedicated security research team. In 2025, Black Duck launched Black Duck AI—a module that analyzes risk introduced by AI components (ML models, AI frameworks, datasets) in response to AI Act requirements. Its capability to detect code snippets copied from open source embedded in proprietary code—without an explicit dependency—remains a market-unique feature especially valuable for license compliance audits.
Key features:
- Black Duck SCA (Software Composition Analysis): open-source dependency analysis with an 8M+ component KnowledgeBase—CVE vulnerabilities, licensing non-compliance, origins, and obsolete components
- Detection of copied code snippets: identification of open-source fragments embedded directly into proprietary code without declared dependencies—unique for license audits
- Coverity (SAST): static analysis of proprietary code to detect security vulnerabilities (CWE Top 25, OWASP Top 10), quality defects, and concurrency issues—an automotive and aerospace industry reference
- Black Duck DAST: dynamic security testing on running applications—identifying vulnerabilities not visible in static analysis
- SBOM generation (SPDX / CycloneDX): complete SBOM production from SCA and snippet detection—compliance with NIS2, Cyber Resilience Act, and AI Act
- Black Duck AI (AI component risk): AI component risk analysis (ML models, frameworks, datasets)—launched in 2025 in response to AI Act requirements
- CI/CD and IDE integration: native plugins for Jenkins, GitHub Actions, GitLab CI, Azure DevOps and major IDEs—shift-left of AppSec within development pipelines
Black Duck is especially adopted in the automotive, aerospace, defense, semiconductor, and financial services sectors—industries where open-source license compliance is a major legal and financial concern and where application security requirements are highest. In France, references include Airbus, Renault, Thales, and major banking institutions. Black Duck is classified as a Leader in Gartner’s Magic Quadrant for Application Security Testing, alongside Veracode and Checkmarx.
Dynatrace Software Intelligence
Observability + software quality + continuous testing—unified—causal Davis AI, automated release validation, runtime vulnerability management, deployment intelligence
Dynatrace, featured in the IT automation benchmark as a leader in AIOps, also plays a pivotal role in application modernization through its Software Intelligence capabilities—an integrated set of features for development and SRE teams to ensure release quality and security. Its coverage is unique: rather than waiting for post-deployment problems (traditional APM), Dynatrace measures quality
Its runtime vulnerability management (RASP) capability is particularly relevant for modernization: instead of solely analyzing code statically, Dynatrace detects vulnerabilities that are actually active in production—prioritizing patches based on what is exploitable in the real environment. During the Log4Shell migration in 2021, Dynatrace helped clients know in minutes which applications were genuinely vulnerable, rather than spending weeks analyzing every app containing the vulnerability. Its Grail data lakehouse unifies metrics, logs, traces, and security events for cross-cutting analysis.
Key features:
- Automated release validation (Davis): automated comparison of performance indicators before and after deployment—automatic detection of regressions and blocking of deployments if degradation is detected
- Runtime vulnerabilities (RASP): detection of vulnerabilities actively exploited in production—not just in code—prioritizing patches based on real-world exploitability
- Code-level insights: precise identification of the code line responsible for a performance degradation—eliminating tedious manual debugging
- Embedded load testing: execution and analysis of load tests directly in the Dynatrace pipeline—pre-production scalability issue detection
- SBOM and runtime dependencies: automatic inventory of all active software components in production, SBOM generation from observability data—complementary to static SCA
- Full-stack observability (OneAgent): automated instrumentation of the entire stack—from applications to containers, microservices, and cloud infrastructure—full context for troubleshooting
Dynatrace Software Intelligence is adopted by development and SRE teams of cloud-native, high-release-velocity organizations. French organizations such as Orange, Renault Digital, and Europ Assistance rely on Dynatrace to ensure release quality. The platform is particularly valuable in environments with frequent deployments (multiple times per day) and where regressions have immediate commercial impact.
OutSystems / Mendix
Enterprise low-code platforms for rapid modernization of legacy applications—10x development speed, enterprise governance, integrated generative AI
Enterprise low-code platforms represent a strategic alternative to traditional modernization approaches for business applications with mid-range differentiating value. Rather than refactoring a complex legacy app into existing languages and frameworks, these platforms enable you to rebuild 5 to 10 times faster using a visual and model-driven approach. The two leaders in the space are OutSystems (Portuguese, founded 2001, valued at $9.5B in 2021) and Mendix (Dutch, founded 2005, acquired by Siemens in 2018 for $730M), both with a strong presence in France.
These platforms specifically target business applications—customer portals, HR apps, workflows, operational tools—where the logic is complex but where the organization does not gain competitive advantage by building the app in traditional code. Business teams can be more closely involved in design, delivery cycles are dramatically shorter (weeks rather than months), and maintenance is more accessible. In 2025, OutSystems integrated Mentor (generative AI) to generate modules from natural language descriptions. Mendix launched Maia, its built-in AI assistant that suggests data models, generates interfaces, and proposes business logic.
Key features (OutSystems):
- Visual development (Service Studio): visual modeling of data, processes, and interfaces—automated code generation of Java/JavaScript in the background
- Mentor AI (generative): generation of modules and screens from natural language descriptions—further accelerating app creation
- Enterprise governance: centralized control of developed applications, lifecycle management, dependencies, and teams—essential to avoid low-code debt
Key features (Mendix):
- Studio Pro (full-stack development): visual modeling of data, pages, microflows, and APIs—native collaboration between developers and business teams
- Siemens integration (Industry 4.0): native connectivity with Siemens ecosystem (MindSphere, Teamcenter)—a decisive advantage for industrial organizations
- Mendix Cloud (Siemens Cloud): dedicated hosting on Siemens infrastructure with enterprise governance—European sovereign option
OutSystems has a strong footprint in France’s financial services, insurance, healthcare, and public sector with references such as Decathlon, BRED Banque Populaire, and Sopra Banking Software. Mendix is particularly strong in industrial and manufacturing sectors thanks to Siemens’ backing, with references such as Airbus, BASF, and ABB in Europe.
Comparison table of solutions
Comparative synthesis of the main application modernization solutions active in the French market in 2026.
| Solution | Positioning | Best For | Scope | AI & Analysis | Key Differentiator |
| --- | --- | --- | --- | --- | --- |
| SonarQube (Sonar) | Static code quality and DevSecOps reference | Dev teams, DevSecOps, CI/CD pipelines | SAST, code quality, technical debt, 30+ languages | AI-suggested corrections, CleanCode AI | De facto standard SAST, 500k+ instances, universal CI/CD integration |
| GitHub Copilot / GHEC | AI development assistance + enterprise code governance | Modern development teams, enterprise DevOps | AI coding, PR reviews, code security, Actions CI/CD | Copilot GPT-4o, Autofix, Copilot Workspace | Most adopted AI assistant (1M+ users), unified GitHub ecosystem |
| CAST Highlight | Asset analysis, quantified technical debt | CIOs, CTOs, legacy audits, modernization business cases | Application mapping, risk, debt, cloud readiness | AI Cloud Readiness scoring, auto risk analysis | Only tool quantifying debt in euros, 5M+ LOC/hour, 40+ languages |
| MicroFocus (OpenText) COBOL | COBOL/mainframe modernization, progressive migration | Banks, insurers, public sector with mainframe | COBOL to Java/cloud, refactoring, mainframe testing | AI COBOL analysis, program mapping | Historic COBOL modernization leader, 50+ years of mainframe expertise |
| Red Hat OpenShift / Konveyor | Containerization and cloud migration for legacy apps | Organizations migrating to Kubernetes/cloud | Containerization, refactoring, Kubernetes, migration | Konveyor AI analyzes migration readiness | Konveyor open-source (CNCF), native Kubernetes migration, Red Hat ecosystem |
| Sonatype (Nexus / SBOM) | Software supply chain security, SCA and SBOM | DevSecOps, compliance, DORA/NIS2 supply chain | SCA for open source, SBOM, vulnerability management, licenses | AI-based vulnerability detection, auto policy enforcement | Leader in SCA, automatic SBOM generation, 100M+ components analyzed |
| Dynatrace Software Intelligence | Full-stack observability + continuous testing + release intelligence | SRE, DevOps, advanced cloud-native teams | APM, code analysis, automated testing, release quality | Davis AI, automated regression testing, release gating | Automated release gating, observability plus quality in a single tool |
| Black Duck | SCA + SAST + DAST unified, comprehensive AppSec | Large enterprises, regulated sectors, finance, industry | Open-source SCA, SBOM, vulnerability management, licenses | AI vulnerability detection, Black Duck AI risk scoring, AI BOM | Complete AppSec suite (SCA+SAST+DAST), 2,500+ customers, Gartner Leader |
FAQ
What is the difference between technical debt and technological obsolescence?
Technical debt refers to internal quality problems in code—duplication, excessive complexity, insufficient tests, tight coupling—that slow development and increase risk. It can affect newer applications if they were built under pressure without proper quality care. Technological obsolescence concerns the choice of language, framework, or architecture—an application can be perfectly written in COBOL (no debt) yet still be technologically obsolete if COBOL cannot integrate modern cloud services. A modernization program should address both dimensions distinctly.
What is an SBOM and why has it become mandatory in Europe?
An SBOM (Software Bill of Materials) is an exhaustive inventory of all software components: open-source libraries, third-party dependencies, frameworks, and their respective versions. It is akin to a bill of ingredients for a medication. In Europe, the Cyber Resilience Act (being transposed) and the NIS2 directive make SBOM production and maintenance mandatory for software manufacturers and operators of critical infrastructures. It enables a quick answer to: “Are we exposed to vulnerability X?”—a task that previously required days of manual research.
How should one prioritize applications to modernize in a large application portfolio?
Prioritization should combine four dimensions: business value—the impact on revenue, customer service, or compliance; technical risk—the debt level, incident frequency, obsolete dependencies; estimated modernization cost—via tools like CAST Highlight that assess complexity and Cloud Readiness Score; and resource availability—internal skills and the number of concurrent applications in modernization. High business value, high technical risk, and reasonable modernization cost make for strong candidate applications.
Can generative AI really migrate COBOL to Java?
Yes, but with important caveats. Generative AI—including IBM watsonx Code Assistant for Z and GitHub Copilot—can accelerate COBOL-to-Java migration by 3 to 5x by generating an initial Java version and documenting business logic. However, the generated code is not production-ready on its own: it requires thorough review by experienced developers, exhaustive behavioral validation (regression testing is critical), and performance optimization. Migration of COBOL remains a complex project—AI makes it more approachable, not trivial.
What is the difference between SonarQube and GitHub Advanced Security?
SonarQube is a tool focused on continuous code quality: deep SAST analysis, debt measurement, code smells, duplication, test coverage—available across any code repository (GitHub, GitLab, Bitbucket, Azure DevOps). It covers more than 30 languages with substantial depth. GitHub Advanced Security (GHAS) is integrated natively into GitHub and covers three dimensions: SAST (CodeQL), secrets scanning, and SCA (Dependabot). Its advantage lies in seamless integration with the GitHub experience, with Autofix AI to automatically remediate issues. The two are complementary: many organizations use GHAS for security and SonarQube for quality.
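The exposure question from the SBOM answer above ("Are we exposed to vulnerability X?") can be answered mechanically once an SBOM exists. The Python below is an added example, not code from any vendor named on this page; the SBOM content, component names, versions, and the advisory range are constructed sample data laid out in CycloneDX JSON form, and the version comparison assumes plain dotted numeric versions.

```python
import json

# Constructed CycloneDX-style SBOM (JSON). All names and versions are sample data.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "app", "name": "billing-portal", "version": "4.2.0"}},
  "components": [
    {"bom-ref": "web", "name": "web-framework", "version": "6.1.2",
     "purl": "pkg:maven/com.example/web-framework@6.1.2"},
    {"bom-ref": "xml", "name": "xml-parser", "version": "2.3.1",
     "purl": "pkg:maven/com.example/xml-parser@2.3.1"},
    {"bom-ref": "log", "name": "log-lib", "version": "1.9.0",
     "purl": "pkg:maven/com.example/log-lib@1.9.0"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["web", "log"]},
    {"ref": "web", "dependsOn": ["xml"]}
  ]
}
"""

def version_key(version):
    """Numeric tuple for dotted versions; non-numeric parts compare as 0 (simplification)."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def walk(components):
    """Yield components, including ones nested under another component."""
    for comp in components or []:
        yield comp
        yield from walk(comp.get("components"))

def dependency_paths(sbom, target_ref):
    """Return every path of bom-refs from the root application to target_ref."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    paths, stack = [], [[root]]
    while stack:
        path = stack.pop()
        if path[-1] == target_ref:
            paths.append(path)
            continue
        for child in graph.get(path[-1], []):
            if child not in path:  # guard against cycles in the graph
                stack.append(path + [child])
    return paths

def find_exposure(sbom, purl_name, introduced, fixed):
    """List components matching purl_name with introduced <= version < fixed."""
    hits = []
    for comp in walk(sbom.get("components")):
        if comp.get("purl", "").split("@")[0] != purl_name:
            continue
        if version_key(introduced) <= version_key(comp["version"]) < version_key(fixed):
            hits.append({"component": f'{comp["name"]}@{comp["version"]}',
                         "paths": dependency_paths(sbom, comp.get("bom-ref"))})
    return hits

if __name__ == "__main__":
    sbom = json.loads(SBOM_JSON)
    # Hypothetical advisory: xml-parser affected from 2.0.0 up to, not including, 2.3.2.
    for hit in find_exposure(sbom, "pkg:maven/com.example/xml-parser", "2.0.0", "2.3.2"):
        print(hit["component"], "reached via", hit["paths"])
```

The dependency path matters as much as the match itself: here the affected parser is not a direct dependency of the application, so the fix has to go through the framework that pulls it in.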