
Checkmarx One vs Fortify Application Defender vs Veracode comparison

 

Comparison Buyer's Guide

Executive Summary

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Mindshare comparison

As of June 2025, in the Application Security Tools category, the mindshare of Checkmarx One is 10.0%, down from 14.5% compared to the previous year. The mindshare of Fortify Application Defender is 0.7%, down from 0.8% compared to the previous year. The mindshare of Veracode is 9.2%, down from 10.8% compared to the previous year. It is calculated based on PeerSpot user engagement data.
 

Featured Reviews

Syed Hasan - PeerSpot reviewer
Partner experiences excellent technical support and seamless initial setup
In my opinion, if we are able to extract or show the report, and because everything is going towards agent tech and GenAI, it would be beneficial if it could get integrated with our code base and do the fix automatically. It could suggest how the code base is written and automatically populate the source code with three different solution options to choose from. This would be really helpful.
Saroj-Patnaik - PeerSpot reviewer
Reliable solution with excellent machine learning algorithms but expensive and lacking support
I primarily use Fortify Application Defender to assess whether our products can defend against applications. Fortify Application Defender's most valuable features are machine learning algorithms, real-time remediation, and automatic vulnerability notifications. Fortify Application Defender gives…
David-Robertson - PeerSpot reviewer
Static scanning and software composition analysis are very helpful, but the usability needs improvement
Static scanning and software composition analysis are very helpful. My colleagues and I don't need to be experts on all of those ancillary things, so we can focus more on the business deliverables. They have a pretty good tool that allows me to run scans of my local integrated development environment. I can find a lot of those flaws a lot sooner than I would if I had to wait for these cloud-based scans. They've come out with some sort of automated fix feature. I haven't used it, but they gave us a demo of it, and that one looks promising. I don't know if it's ready for prime time yet.

Quotes from Members


Pros

"It gives the proper code flow of vulnerabilities and the number of occurrences."
"The main advantage of this solution is its centralized reporting functionality, which lets us track issues, then see and report on the priorities via a web portal."
"We were using HPE Security Fortify to scan code for security vulnerabilities, but it can scan only after a successful compile. If the code has dependencies or build errors, the scan fails. With Checkmarx, pre-compile scanning is seamless. This allows us to scan more code."
"Checkmarx has helped us deliver more secure products. We are able to do static code analysis with the tool before shipping our code to production. When the integration is in the pipeline, this tool gives us early notifications on code fixes."
"Apart from software scanning, software composition scanning is valuable."
"Helps us check vulnerabilities in our SAP Fiori application."
"Fewer false positive errors as compared to any other solution."
"The most valuable feature is the application tracking reporting."
"The product saves us cost and time."
"I find the configuration of rules in Fortify Application Defender useful. Its integration is also easy."
"The most valuable feature is that it analyzes data in real-time."
"The most valuable features of Fortify Application Defender are the code packages that are default."
"Fortify Application Defender's most valuable features are machine learning algorithms, real-time remediation, and automatic vulnerability notifications."
"The most valuable feature is the ability to automatically feed it rules when it's coupled with the WebInspect dynamic application scanning technology."
"The tool's most valuable feature is software composition analysis. This feature works well with my .NET applications, providing a better understanding of library vulnerabilities."
"Its ability to find security defects is valuable."
"I liked that I could easily find out where my errors were. Instead of going through the whole code and the scripts, it showed me where the errors were and gave me an idea of how to fix them."
"We use it to get our scan results and see where our software is vulnerable or not vulnerable."
"Good static analysis and dynamic analysis."
"One thing that I like about Veracode is that it is quite a good tool for dynamic application testing."
"There are quite a few features that are very reliable, like the newly launched Veracode Pipelines Scan, which is pretty awesome. It supports the synchronous pipeline pretty well. We've been using it out of the Jira plugin, and that is fantastic."
"It has given our management a view into issues with all of our product lines. We have three products and all of them were scanned. As a result, the project lead for each product has taken measures to improve things."
"With the pipeline scanner, it's easier for developers to scan their products, as they don't have to export anything from their computers. They can do everything with the command line on their computer."
"I contacted the solution's technical support during the automation part, and it went well, after which I never faced any issues."
 

Cons

"The statistics module has a function that allows you to show some statistics, but I think it's limited. Maybe it needs more information."
"We have received some feedback from our customers who are receiving a large number of false positives."
"The pricing can get a bit expensive, depending on the company's size."
"We would like to be able to run scans from our local system, rather than having to always connect to the product server, which is a longer process."
"Checkmarx could improve the speed of the scans."
"Its pricing model can be improved. Sometimes, it is a little complex to understand its pricing model."
"Integration into the SDLC (i.e. support for last version of SonarQube) could be added."
"The plugins for the development environment have room for improvement, such as for Android Studio and Xcode."
"Fortify Application Defender could improve by supporting more code languages, such as GRAAS and Groovy."
"I encountered many false positives for Python applications."
"Fortify Application Defender gives a lot of false positives."
"Support for older compilers/IDEs is lacking."
"The licensing can be a little complex."
"The biggest complaint that I have heard concerns additional platform support because right now, it only supports applications that are written in .NET and Java."
"The false positive rate should be lower."
"The workbench is a little bit complex when you first start using it."
"The sandbox could use some improvement; when creating a sandbox, it requires us to put the application name in twice, which seems unnecessary."
"There needs to be better API integration to the development team's pipeline, which is something that is missing and needs to be improved."
"The one thing I'd like to be able to do is schedule dynamic scans. Today we're kicking those off manually, but I believe that it's something they have on their roadmap."
"It needs more timely support for newer languages and framework versions."
"It would be better if we had a channel for direct communication with the engineering team to speed up the process of providing feedback."
"Improving sorting through findings reports to filter by only what is critically relevant will help developers focus on issues."
"Maybe the pipeline scanning doesn't support enough languages. It might support Java and Python only, so that could be improved."
"Veracode can be slow at times and has room for improvement, which may cause delays in our products and prolonged static scans."
 

Pricing and Cost Advice

"The pricing is competitive and provides a lower TCO (total cost of ownership) for achieving application security."
"The price of Checkmarx could be reduced to match their competitors, it is expensive."
"The pricing was not very good. This is just a framework which shouldn’t cost so much."
"The number of users and coverage for languages will have an impact on the cost of the license."
"Before implementing the product I would evaluate if it is really necessary to scan so many different languages and frameworks. If not, I think there must be a cheaper solution for scanning Java-only applications (which are 90% of our applications)."
"I would rate the solution’s pricing an eight out of ten. The tool’s pricing is higher than others and it is for the license alone."
"If you want more, you have to pay more. You have to pay for additional modules or functionalities."
"The interface used to create custom rules comes at an additional cost."
"I rate the solution's pricing a five out of ten. It comes as an annual cloud subscription. The tool's pricing is around 50 lakhs."
"Fortify Application Defender is very expensive."
"The licensing is very complex, it's project based and can range from $10,000 to $200,000+ depending on the project type and size."
"The base licensing cost for the SaaS platform is about $900 USD per application, per year."
"The price of this solution could be less expensive."
"The product’s price is much higher than other tools."
"I believe the price is fair according to market standards."
"The pricing for Veracode is high, making it difficult for beginners to afford."
"The pricing is a little on the high side but since we combine our product into one suite, it is easy to do and works well for us."
"It is pricey. There is a lot of value in the product, but it is a costly tool."
"The pricing is fair. You get a lot out of the product."
"Aside from the standard licensing fees, we also have to pay for a competent Success Manager."
"It has good, fair licensing. If the price could depend on the scope of its scanning or the languages supported, then that would be better."
"The licensing and prices were upfront and clear. They stand behind everything that is said during the commercial phase and during the onboarding phase. Even the most irrelevant "that can be done" was delivered, no matter how important the request was."
858,649 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Checkmarx One: Financial Services Firm 21%, Computer Software Company 14%, Manufacturing Company 10%, Government 6%
Fortify Application Defender: Financial Services Firm 20%, Manufacturing Company 16%, Computer Software Company 13%, Government 10%
Veracode: Computer Software Company 17%, Financial Services Firm 16%, Manufacturing Company 8%, Insurance Company 6%
 

Company Size

By reviewers (chart): Large Enterprise, Midsize Enterprise, Small Business
 

Questions from the Community

What alternatives are there for Fortify WebInspect and Fortify SCA?
I would like to recommend Checkmarx. With Checkmarx, you are able to have an all in one solution for SAST and SCA as ...
What do you like most about Checkmarx?
Compared to the solutions we used previously, Checkmarx has reduced our workload by almost 75%.
What is your experience regarding pricing and costs for Checkmarx?
The pricing is relatively expensive due to the product's quality and performance, but it is worth it.
What do you like most about Fortify Application Defender?
I find the configuration of rules in Fortify Application Defender useful. Its integration is also easy.
What needs improvement with Fortify Application Defender?
The product should integrate industry-standard code review tools internally with its system. This would streamline th...
What is your primary use case for Fortify Application Defender?
We use the solution for fast code review. It is integrated into our DevOps pipeline.
Which gives you more for your money - SonarQube or Veracode?
SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. Son...
What do you like most about Veracode?
The SAST and DAST modules are great.
What is your experience regarding pricing and costs for Veracode?
The product’s price is a bit higher compared to other solutions. However, the tool provides good vulnerability and da...
 

Also Known As

Checkmarx One: No data available
Fortify Application Defender: HPE Fortify Application Defender, Micro Focus Fortify Application Defender
Veracode: Crashtest Security, Veracode Detect
 


Sample Customers

Checkmarx One: YIT, Salesforce, Coca-Cola, SAP, U.S. Army, Liveperson, Playtech Case Study: Liveperson Implements Innovative Secure SDLC
Fortify Application Defender: ServiceMaster, Saltworks, SAP
Veracode: Manhattan Associates, Azalea Health, Sabre, QAD, Floor & Decor, Prophecy International, SchoolCNXT, Keap, Rekner, Cox Automotive, Automation Anywhere, State of Missouri and others.
Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Application Security Tools. Updated: June 2025.