No more typing reviews! Try our Samantha, our new voice AI agent.

Black Duck SCA vs Xygeni comparison

 

Comparison Buyer's Guide

Executive SummaryUpdated on Mar 22, 2026

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Categories and Ranking

Black Duck SCA
Ranking in Software Composition Analysis (SCA)
3rd
Average Rating
7.6
Reviews Sentiment
6.2
Number of Reviews
23
Ranking in other categories
No ranking in other categories
Xygeni
Ranking in Software Composition Analysis (SCA)
15th
Average Rating
9.0
Reviews Sentiment
7.0
Number of Reviews
4
Ranking in other categories
Application Security Tools (23rd), Software Supply Chain Security (14th), Application Security Posture Management (ASPM) (13th)
 

Mindshare comparison

As of July 2026, in the Software Composition Analysis (SCA) category, the mindshare of Black Duck SCA is 9.1%, down from 17.6% compared to the previous year. The mindshare of Xygeni is 1.2%, up from 0.1% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Software Composition Analysis (SCA) Mindshare Distribution
ProductMindshare (%)
Black Duck SCA9.1%
Xygeni1.2%
Other89.7%
Software Composition Analysis (SCA)
 

Featured Reviews

SS
Project Lead at ABB
Compliance checks have improved while vulnerability coverage and SBOM accuracy still need work
I think Black Duck SCA needs to improve on the overall approach. I assume that the people who developed Black Duck SCA believe that users will use this tool for some time in a full-fledged way with all those features. However, the way it really works with product development or in a software development life cycle is that this is just one of the steps for checking whether something is license compliant, whether it has vulnerabilities, or whether the SBOM is generated. It is just one of those steps in the software development process. The expectation from the tool's perspective is that users have to go into the Black Duck SCA portal, look at each of those items, and if something is not correct, try to find it out and update or configure the right CPEs or PURLs or those kinds of things. In reality, most users would not have time for this because they would have done this as part of the build and would generate an SBOM as part of the build. The tool should be quite usable. If a feature works properly and correctly, then nobody will go back and try to spend time on that. For example, if I generate an SBOM and that SBOM has a particular CPE and there are multiple sources, the tool should produce those CPEs with vulnerabilities, put them into the SBOM, and allow me to move forward. If there are more bugs or more configuration requirements, the usage will come down. It is like a mobile application: if there is too much data that needs to be looked at, configured, and used, then the number of users would come down. The tool should be fast, usable, and accurate. Users should just be able to use it without needing to learn too much. The learning curve should be less when using a tool, and the usage should be easy with basic understanding. They should not need to go through complex processes and can assume that whatever data is given is correct. That is where the whole problem with Black Duck SCA lies. The documentation is not really on the mark. For example, if there is a functionality, such as wanting to see a CPE, the documentation should show how to get this via API or see it and how to configure that with examples. Most of the time the tool says it is all in the community, which is not ideal. The community is different from a conceptual view. The community is for bugs and issues that users want to report. However, people who are looking at the tool fresh and need to see functionality such as scan configuration need clear documentation. If I want to see the scan configurations and how to do it, there are videos, but there should be clear documentation with examples, such as how to configure for Docker using specific commands and methods. This example could be clear documentation and should not be redirected to the community every time. If there is a problem or those kinds of issues, they should go to the community and solutions will be found. However, for basic documentation on features being provided, I do not see that kind of clear documentation with clear examples.
AI
Business development manager at RSsecurity
Unified monitoring has reduced alert noise and provides accurate, proactive application security
Xygeni was highly effective for us, but there are areas where improvements could be made. More customization options for dashboards and reports would help teams tailor the platform to their specific metrics and workflows. I also occasionally encounter DevOps tools that are not yet supported natively. Expanded coverage for niche or emerging tools would make onboarding even smoother. These points, however, are minor compared to the overall value the platform delivers, especially given the strength of its AI-driven detection, remediation, and supply chain protection capabilities. It would also be an improvement for licensing with regard to on-premise variants. Perhaps we could have an on-premise option for standard subscription.

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"The installation is very easy."
"The solution works well on Mac products."
"We didn't have a central inventory to quickly identify issues or determine how many products were affected. Now under Black Duck, it's all consolidated. You search for a component and immediately see which products use it."
"It highlights what the developers have done, and it shows the impact from an intellectual property point of view."
"Black Duck's ability to identify dependencies very accurately has been most valuable in identifying and mitigating risks."
"The solution is stable."
"The tool is giving a range for a given open-source component in a version and provides a list of vulnerabilities based on the sources with a lot of information."
"The most valuable feature for me in Black Duck is its ability to scan binary files effectively."
"Since using Xygeni, the time to review vulnerabilities has decreased."
"The visibility of our open-source supply chain dependencies and real-time detection of vulnerabilities have been invaluable."
"The best Xygeni feature is the ability to filter what is truly important, which really helps me focus on the key vulnerabilities in the software that I am building."
"Xygeni provides a comprehensive and developer-friendly approach to securing the entire software supply chain."
 

Cons

"The initial setup of Black Duck is complex. It's not very straightforward. You need a lot of support and hand-holding from the Black Duck team itself for it to be deployed successfully across the organization."
"Due to the fact that, with our software developer life cycle, we don't need to scan our source code every day or every week. For that reason, we find the cost is too high. We might only actually use it five to ten times a year, which makes it expensive."
"The tool's documentation and support are areas of concern where improvements are required."
"I would like to see improvements in Black Duck's reporting capabilities."
"We have been having some issues with the latest releases where we are not able to scan our applications with the help of Black Duck."
"The initial setup is complex."
"The documentation is quite scattered."
"You have to upload the code to the Black Duck cloud system. You have to give the code, which is a drawback."
"Xygeni could be improved if on-premise options were available starting from the starter packages, not only the enterprise models."
"Xygeni was highly effective for us, but there are areas where improvements could be made."
"Xygeni can be more automated."
"There should be more configuration options that make it easier to target the issues that are more important in your organization's context."
 

Pricing and Cost Advice

"The pricing is a little high."
"The price charged by Black Duck is exorbitant."
"The price is quite high because the behavior of the software during the scan is similar to competing products."
"Depending on the use case, the cost could range from $10,000 USD to $70,000 USD."
"The price is low. It's not an expensive solution."
"I rate the product's price one on a scale of one to ten, where one is a high price, and ten is a low price."
"Black Duck is more suitable if you require a lot of licensing compliance. For smaller organizations, WhiteSource is better because its pricing policies are not really suitable for huge organizations."
"It is expensive."
Information not available
report
Use our free recommendation engine to learn which Software Composition Analysis (SCA) solutions are best for your needs.
902,894 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Financial Services Firm
16%
Manufacturing Company
16%
Computer Software Company
11%
University
5%
Comms Service Provider
22%
Outsourcing Company
11%
Security Firm
11%
Construction Company
10%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
By reviewers
Company SizeCount
Small Business6
Large Enterprise17
No data available
 

Questions from the Community

How does WhiteSource compare with Black Duck?
We researched Black Duck but ultimately chose WhiteSource when looking for an application security tool. WhiteSource is a software solution that enables agile open source security and license compl...
What needs improvement with Black Duck?
I think Black Duck SCA needs to improve on the overall approach. I assume that the people who developed Black Duck SCA believe that users will use this tool for some time in a full-fledged way with...
What is your primary use case for Black Duck?
The primary use cases are compliance and scanning in terms of license compliance and trying to identify snippets, particularly if there are any snippets being identified that are coming from open s...
What is your experience regarding pricing and costs for Xygeni?
The pricing is reasonable. Xygeni provided me with the pricing list that is already public on the web, so it is very clear.
What needs improvement with Xygeni?
Xygeni can be more automated. The team is currently working on auto-remediation pipelines, which could be really helpful. There is probably room for improvement, but for me, it is one of the best t...
What is your primary use case for Xygeni?
I use Xygeni to perform SAST and SCA analysis, and to gain better understanding of how my deployment pipelines are configured. Xygeni helps me understand what I am deploying and the level of integr...
 

Comparisons

 

Also Known As

Blackduck Hub, Black Duck Protex, Black Duck Security Checker
No data available
 

Interactive Demo

Demo not available
 

Overview

 

Sample Customers

Samsung, Siemens, ScienceLogic, BryterCX, Dynatrace
BKool, Onum, Napptive, Fintonic, Adaion, Metricool, Arexdata, ...
Find out what your peers are saying about Black Duck SCA vs. Xygeni and other solutions. Updated: June 2026.
902,894 professionals have used our research since 2012.