CAST Highlight vs Checkmarx One comparison

The compared CAST and Checkmarx solutions aren't in the same category. CAST is ranked #18 in SCA , with an average rating of 7.5, and holds a 1.3% mindshare in the category. Checkmarx is ranked #2 in AS , with an average rating of 8.1, and holds a 8.8% mindshare. Additionally, 85% of CAST users are willing to recommend the solution, compared to 88% of Checkmarx users who would recommend it.

CAST Highlight

Read 7 CAST Highlight reviews

2,130 Views
980 Comparison Views

85% willing to recommend

Checkmarx One

Read 81 Checkmarx One reviews

22,245 Views
14,237 Comparison Views

88% willing to recommend

CAST Highlight

Checkmarx One

Comparison Buyer's Guide

Download the report

Executive Summary

We performed a comparison between CAST Highlight and Checkmarx One based on real PeerSpot user reviews.

Find out in this report how the two Software Composition Analysis (SCA) solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI.

To learn more, read our detailed CAST Highlight vs. Checkmarx One Report (Updated: September 2022).

Buyer's Guide

CAST Highlight vs. Checkmarx One

September 2022

Download the complete report

Helped 893,311 peers since 2012

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Categories and Ranking

CAST Highlight

Average Rating

7.8

Reviews Sentiment

7.1

Number of Reviews

Ranking in other categories

Software Composition Analysis (SCA) (18th)

Checkmarx One

Average Rating

7.8

Reviews Sentiment

6.6

Number of Reviews

Ranking in other categories

Application Security Tools (2nd), Static Application Security Testing (SAST) (2nd), Vulnerability Management (16th), Container Security (15th), Static Code Analysis (2nd), API Security (4th), Dynamic Application Security Testing (DAST) (2nd), DevSecOps (2nd), Risk-Based Vulnerability Management (10th), Application Security Posture Management (ASPM) (3rd), AI Security (1st)

Mindshare comparison

While both are Security Software solutions, they serve different purposes. CAST Highlight is designed for Software Composition Analysis (SCA) and holds a mindshare of 1.3%, up 0.9% compared to last year.
Checkmarx One, on the other hand, focuses on Application Security Tools, holds 8.8% mindshare, down 10.2% since last year.

Software Composition Analysis (SCA) Mindshare Distribution
Product	Mindshare (%)
CAST Highlight	1.3%
Snyk	10.9%
Black Duck SCA	9.9%
Other	77.9%

Software Composition Analysis (SCA)

Application Security Tools Mindshare Distribution
Product	Mindshare (%)
Checkmarx One	8.8%
SonarQube	13.6%
Snyk	5.1%
Other	72.5%

Application Security Tools

Featured Reviews

Jayanti Rode

Technical Associate Manager at Accenture

Identifies migration blockers and boosters while facing challenges with platform-specific roadblocks

The solution provides agnostic blockers for platforms as well as for containerization. Within that containerization, it offers generic blockers. However, my project might require it to provide Windows-specific blockers or Linux-specific blockers, as I often work with only one platform at a time. If I received categorization in containerization blockers, it would save time. Understanding only the OS-specific blockers means I would avoid resolving irrelevant issues, thus saving time. Initially, I receive a response from support, however, if there is involvement from R&D or other teams, it may take longer than expected. The support team is challenging when sharing source code. As this is a static code analysis tool, it sometimes requires source code for R&D. However, CAST clients may be restricted from sharing due to business logic and nondisclosure agreements. This creates a challenge, and I may have to share pseudo code or seek client approval, risking escalation.

Read full review

Shahzad Shahzad

Senior Solution Architect | L3+ Systems & Cloud Engineer | SRE Specialist at Canada Cloud Solution

Enable secure development workflows while identifying opportunities for faster scans and improved AI guidance

Checkmarx One is a very strong platform, but there are several areas where it can improve to support modern DevSecOps workflows even better. For example, better real-time developer guidance is needed. The IDE plugin should offer richer AI-powered auto-fixes similar to SNYK Code or GitHub Copilot Security, as current guidance is good but not deeply contextual for large-scale enterprise codebases. This matters because it reduces developer friction and accelerates shift-left adoption. More transparency control over the correlation engines is another need. The correlation engine is powerful but not fully transparent. Users want to understand why vulnerabilities were correlated or de-prioritized, which helps AppSec teams trust the prioritization logic. Faster SAST scan and more language coverage is needed since SAST scan can still be slow for very large mono-repos and there is limited deep support for new language frameworks like Rust and Go, along with advanced coverage for serverless-specific frameworks. This matters because large organizations want sub-minute scans in CI/CD as cloud-native ecosystems evolve fast. A strong API security module is another area for enhancement. API security scanning could be improved with active testing, API discovery, full Swagger, OpenAPI, drift detection, and schema-based fuzzing. This is important as API attacks are one of the biggest AppSec risks in 2025. Checkmarx One is strong, but I see a few areas for improvement including faster SAST scanning for large mono-repos, deeper language framework support, more transparent correlation logic, and stronger API security that includes discovery and runtime context. The IDE plugin could offer more AI-assisted fixes, and the SBOM lifecycle tracking can evolve further. Enhancing integration with SIEM and SOAR would also make enterprise adoption smoother, and these improvements would help developers and AppSec teams move faster with more accuracy.

Read full review

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Pros

"The solution provides agnostic blockers for platforms as well as for containerization."

"In cloud migration, I use CAST highlight to identify blockers, which are the negative road patterns, and also the boosters, which are positive code patterns."

"It offers good performance."

"CAST Highlight is easy to use and has a good dashboard."

"The way it tells you which codebase is more ready for the cloud and which codebase is less ready is very valuable, and it works seamlessly with most languages."

"The most valuable features of the CAST Highlight are the interface and there are three notations that are very simple to understand and communicate with."

"The most valuable features of CAST Highlight are automation and speed."

"We've been using it for two years and found that it is really profitable to have the product in our arsenal."

More CAST Highlight pros

"The solution improved the efficiency of our code security reviews. It helps tremendously because it finds hundreds of potential problems sometimes."

"One of the most important tools in our building process."

"The solution communicates where to fix the issue for the purpose of less iterations."

"It provides a graphical view of any vulnerabilities."

"The solution has good performance, it is able to compute in 10 to 15 minutes."

"It's been a very positive experience overall."

"The features and technologies are very good. The flexibility and the roadmap have also been very good. They're at the forefront of delivering the additional capabilities that are required with cloud delivery, etc. Their ability to deliver what customers require and when they require is very important."

"The solution allows us to create custom rules for code checks."

More Checkmarx One pros

Cons

"The reports that describe the issues of concern are rather abstract and the issues should be more clearly described to the user."

"Technical support could be better."

"If I received categorization in containerization blockers, it would save time."

"It is a pretty costly tool. A lot of customers are resistant to using it."

"There's a bit of a learning curve at the outset."

"Its price should be better. It is a pretty costly tool. They have two products: CAST Highlight and CAST AIP. I would expect CAST Highlight to have the Help dashboard and the Engineering dashboard. These dashboards are currently a part of CAST AIP, and if these are made available in CAST Highlight, customers won't have to use two different products all the time."

"CAST Highlight could improve to allow us to comment and do a deep analysis by ourselves."

"CAST Highlight is an expensive solution. However, CAST Highlight is less expensive than the CAST AIP, but it remains too expensive and the professional services from CAST are also too expensive."

More CAST Highlight cons

"There are some downtimes when Checkmarx One is being upgraded to the latest version or some improvement is there."

"From an administrative standpoint, I would rate Checkmarx with a five out of ten."

"Checkmarx could improve the REST APIs by including automation."

"They should make it more container-friendly and optimized for the CI pipeline. They should make it a little less heavy. Right now, it requires a SQL database, and the way the tool works is that it has an engine and then it has an analysis database in which it stores the information. So, it is pretty heavy from that perspective because you have to have a full SQL Server. They're working on something called Checkmarx Light, which is a slim-down version. They haven't released it yet, but that's what we need. There should be something a little more slimmed down that can just run the analysis and output the results in a format that's readable as opposed to having a full, really big, and thick deployment with a full database server."

"Checkmarx could improve the REST APIs by including automation."

"The tool is currently quite static in terms of finding security vulnerabilities. It would be great if it was more dynamic and we had even more tools at our disposal to keep us safe."

"It provides us with quite a handful of false positive issues."

"Unfortunately, Checkmarx doesn't do any automated backups which is quite inconvenient."

More Checkmarx One cons

Pricing and Cost Advice

"It is a pretty costly tool. A lot of customers are resistant to using it."

"CAST Highlight is an expensive solution. However, CAST Highlight is less expensive than the CAST AIP, but it remains too expensive and the professional services from CAST are also too expensive. The high price is part of the problem with the CAST solutions."

"CAST Highlight is an expensive solution."

"Basic support is included with the standard licensing feed but it can be upgraded for an additional cost."

"Its price is fair. It is in or around the right spot. Ultimately, if the price is wrong, customers won't commit, but they do tend to commit. It is neither too cheap nor too expensive."

"We got a special offer for a 30% reduction for three years, after our first year. I think for a real source-code scanning tool, you have to add a lot of money for Open Source Analysis, and AppSec Coach (160 Euro per user per year)."

"The solution's price is high and you pay based on the number of users."

"It is an expensive solution."

"Checkmarx is not a cheap scanning tool, but none of the security tools are cheap. Checkmarx is a powerful scanning tool, and it’s essential to have one of these products."

"It's relatively expensive."

"The pricing is competitive and provides a lower TCO (total cost of ownership) for achieving application security."

"The pricing was not very good. This is just a framework which shouldn’t cost so much."

More Checkmarx One pricing and cost advice

See which vendors are best for you

Use our free recommendation engine to learn which Software Composition Analysis (SCA) solutions are best for your needs.

See recommendations

893,311 professionals have used our research since 2012.

Top Industries

By visitors reading reviews

Financial Services Firm

15%

Computer Software Company

Government

Outsourcing Company

Financial Services Firm

17%

Manufacturing Company

Computer Software Company

Government

Company Size

By reviewers

Large Enterprise

Midsize Enterprise

Small Business

By reviewers
Company Size	Count
Small Business	2
Midsize Enterprise	1
Large Enterprise	5

By reviewers
Company Size	Count
Small Business	32
Midsize Enterprise	9
Large Enterprise	46

Questions from the Community

What is your experience regarding pricing and costs for CAST Highlight?

The pricing of CAST Highlight was not considered expensive or cheap, and no specific comment was made about the setup cost.

See all answers

What needs improvement with CAST Highlight?

See all answers

What is your primary use case for CAST Highlight?

For CAST, I use it in cloud migration roadmap and in open source safety issues. These are my two main use cases.

See all answers

What alternatives are there for Fortify WebInspect and Fortify SCA?

I would like to recommend Checkmarx. With Checkmarx, you are able to have an all in one solution for SAST and SCA as well. Veracode is only a cloud solution. Hope this helps.

See all answers

What is your experience regarding pricing and costs for Checkmarx?

Checkmarx One is a premium solution, so budget accordingly. Make sure you understand how licensing scales with additional applications and users. I advise negotiating multi-year contracts or bundle...

See all answers

What needs improvement with Checkmarx?

One way Checkmarx One could be improved is if it could automatically run scans every month after implementation. If it is possible to set it in the SAST portal to scan the repositories automaticall...

See all answers

Comparisons

Snyk vs CAST Highlight

Compared 15% of the time

Veracode vs CAST Highlight

Compared 14% of the time

SonarQube vs CAST Highlight

Compared 11% of the time

Black Duck SCA vs CAST Highlight

Compared 10% of the time

Sonatype Lifecycle vs CAST Highlight

Compared 6% of the time

More CAST Highlight Competitors

SonarQube vs Checkmarx One

Compared 37% of the time

Veracode vs Checkmarx One

Compared 3% of the time

Checkmarx SAST vs Checkmarx One

Compared 2% of the time

OpenText Core Application Security vs Checkmarx One

Compared 2% of the time

Fortify Software Security Center vs Checkmarx One

Compared 2% of the time

More Checkmarx One Competitors

Product Reports

Buyer's Guide

CAST Highlight

May 2026

Download CAST Highlight product report

Buyer's Guide

Checkmarx One

May 2026

Download Checkmarx One product report

Overview

CAST Highlight is a comprehensive platform that integrates with Azure DevOps, offering remote functionalities without direct codebase access. It quickly identifies cloud migration blockers and supports most programming languages with an easy setup.

CAST Highlight stands out with its user-friendly interface and dashboard, enabling efficient scanning for environment quality. Its automation and speed are particularly valued, making it distinct in the software analysis domain. While users encounter challenges with language-specific insights and expensive licensing, they benefit from its capability to assess code base states during mergers, acquisitions, and cloud migration planning. Technical support poses issues, and some users face hurdles with configuration customization and issue reporting clarity. Despite these challenges, CAST Highlight demonstrates effectiveness in identifying application service quality and ensuring legal, security, and IP compliance.

What features define CAST Highlight?

Seamless Integration: Works with Azure DevOps for enhanced functionality.
Remote Functionality: Operates without direct codebase access, offering flexibility.
Cloud Migration Assistance: Identifies blockers and boosters for cloud strategies.
Programming Language Support: Compatible with a wide range of languages.
Easy Setup: Simplifies the process for quick implementation.

What are the benefits of using CAST Highlight?

Speed and Automation: Delivers quick scans and automated processes for efficiency.
Application Quality Insights: Provides detailed assessments for application portfolios.
Enhanced Communication: Simple notations improve team communication.
Legal and Security Compliance: Ensures compliance insights are accessible.

CAST Highlight is adopted across industries for tasks such as assessing code during mergers, managing application portfolios, and planning cloud migrations. It facilitates open source safety checks and replatforming architectures, serving roles in firewall and storage management. Users rely on it for service quality verification and distinguishing applications from competitors.

CAST

Checkmarx One delivers robust security through seamless integration with SCM and CI/CD tools, ensuring reliable SAST and SCA. Primarily used by organizations for vulnerability detection, it supports cloud and on-premises deployment to enhance secure coding practices.

Checkmarx One provides organizations with comprehensive tools for secure software development, integrating effectively with CI/CD pipelines to scan thousands of applications. Its capabilities extend to identifying vulnerabilities in both code bases and third-party software. Enhancing workflow by supporting SCM solutions, it assists in maintaining secure coding standards and compliance. While excelling in various areas, it requires improvements in scan speed, reduction of false positives, and broader platform integration, particularly for COBOL and Swift. Its pricing model is noted as high, and demand exists for better tutorials and documentation.

What are the key features of Checkmarx One?

Comprehensive Integration: Seamlessly connects with SCM, CI/CD tools to streamline security workflows.
Accurate SAST and SCA: Precisely identifies vulnerabilities down to the exact line of code.
Custom Rules Configuration: Allows tailored security measures to match specific needs.
Quick Scanning: Provides fast analysis to speed up the development process.
Automated Code Remediation: Helps in efficiently fixing code vulnerabilities.

What benefits should users expect in reviews?

Improved Security: Enhances code safety, reducing vulnerabilities efficiently.
Effective False Positivity Management: Optimizes time spent on genuine issues.
Enhanced Development Processes: Integrates smoothly to boost secure coding initiatives.
Comprehensive Language Support: Facilitates scanning in multiple programming languages, accommodating diverse needs.

Industries implement Checkmarx One for secure coding compliance and vulnerability management across varying environments, choosing between cloud and on-premises deployment based on requirements. Its extensive language support and integration with DevSecOps practices make it a popular choice for organizations aiming to enhance software security.

Checkmarx

Sample Customers

Wells Fargo, Bank of NY Mellon, Northern Trust, Microsoft, Amazon, IBM, BMW, AT&T, US Army, US Air Force, US Navy, John Hancock, Marsh & McLennan, Ernst & Young, PwC, Volkswagen, Boston Consulting Group, London Stock Exchange, Telefonica, Saur France, Total Energies France, SNCF

YIT, Salesforce, Coca-Cola, SAP, U.S. Army, Liveperson, Playtech Case Study: Liveperson Implements Innovative Secure SDLC

Buyer's Guide

CAST Highlight vs. Checkmarx One

September 2022

Free Report: CAST Highlight vs. Checkmarx One

Find out what your peers are saying about CAST Highlight vs. Checkmarx One and other solutions. Updated: September 2022.

DOWNLOAD NOW

893,311 professionals have used our research since 2012.

See our CAST Highlight vs. Checkmarx One report.

We monitor all Software Composition Analysis (SCA) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.