Checkmarx One vs NAVEX One vs Veracode comparison

 

Comparison Buyer's Guide

Executive Summary

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Mindshare comparison

Checkmarx One: Application Security Tools
NAVEX One: GRC
Veracode: Application Security Tools
 

Featured Reviews

Syed Hasan - PeerSpot reviewer
Partner experiences excellent technical support and seamless initial setup
In my opinion, if we are able to extract or show the report, and because everything is going towards agent tech and GenAI, it would be beneficial if it could get integrated with our code base and do the fix automatically. It could suggest how the code base is written and automatically populate the source code with three different solution options to choose from. This would be really helpful.
EV
Useful for risk assessment and has customization capability
The tool helps us with security incidents, policies, business continuity, disaster recovery, and internal audits. The feature I like the most is its customization capability. It acts like a blank canvas where you can construct forms and workflows according to your needs. You can configure and customize a lot yourself, whether starting from scratch or using some out-of-the-box options. The solution has impacted our operations by helping us manage and prioritize environmental risks. It also assists in establishing ownership of risks and enables us to mitigate or mediate existing risks. Additionally, it facilitates tracking risks throughout their entire lifecycle.
Sajal Sharma - PeerSpot reviewer
Offers shift-left security strategy and helps us with the latest security configurations, OWASP standards, and SAST standards
Its robustness is the main benefit to the organization. As it gets upgraded with time, it also improves the coverage – security configuration coverages and vulnerability coverages. It also updates itself with the latest known vulnerabilities that are uploaded to the NVD, OWASP, or other databases. So it gets upgraded itself with that. And so with each upgrade, it gets better and better. The solution offers the ability to prevent vulnerable code from going into production. It provides us with a report containing multiple remediations and mitigations for each vulnerability. For example, if it finds a cross-site scripting vulnerability, it will also include references like CWE and CVE records, instructions on how to fix it, and the specific line of code or module where the vulnerability is present. This helps us fix the issues accordingly. I'm a penetration tester and DevSecOps engineer. I evaluate the findings, mark false positives, and manually exploit vulnerabilities if they exist. If we need further clarification, we raise a ticket with the Veracode team and get consultancy from them. We are a software development team. If we find a vulnerability, I exploit it and come back with the best possible mitigation, and the dev team fixes it. If we use Veracode Fix, it might use third-party implementations or make changes we aren't aware of. We need to be very aware of what our application is using internally. It should be known to us. As per my experience, the solution's policy reporting ensures compliance with industry standards. It comes with multiple features. I get the most out of it, and it's good. The solution provides visibility into application status at every phase of development, like static analysis, dynamic analysis, software composition, and manual penetration tests, throughout the SDLC. We have a pipeline that I maintain. I use the Veracode API account and have integrated it with AWS and our Jenkins pipeline.
We use Snyk for SCA and Veracode for SAST scanning. At the earliest stage of the build, the SAST scan runs along with the JS and PHP files. It provides us with reports, which are then handed over to the other tools we depend on. If I validate the report or check the Veracode dashboard and find vulnerabilities, I mark them as false positives or existing issues. We work on multiple projects, but the one I'm handling these days only uses Veracode for SAST. It's been about one and a half years since I've been working with Veracode and this project. It is quite impressive. There are some things Veracode cannot find, like code obfuscations inside the code and some insecure randoms. Sometimes, it misses those flaws. But overall, if I compare it with other tools, it is better. I will definitely recommend that others use this tool. We run the scan before each deployment. If the dev team builds a new module or something, we scan it along with all the files. If we find anything, we get it fixed. That's how it works. Veracode is quite important to the organization's shift-left security strategy because we make a scan for each deployment. Sometimes, if I think we need to perform a shift-left, I just make a scan before deployment and check for any misconfiguration or vulnerability in the code.
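The review above describes a gating loop that is common to any SAST tool in a pipeline: scan on every deployment, triage findings as false positives or already-known issues, and fail the build only on new high-severity flaws. The script below is an added example of that policy logic written for a Jenkins stage; it is not Veracode's or Checkmarx's code, and the finding schema, severity names, triage labels and sample findings are all constructed for illustration rather than taken from either vendor's report format.

```python
"""Build gate for SAST findings, modelled on the triage loop in the review
above: scan on every deployment, mark false positives or known existing
issues in the dashboard, and keep new high-severity flaws out of production.

Added example, not Veracode's or Checkmarx's code. The finding schema,
severity names and triage labels are constructed for illustration and are
not either vendor's report format.
"""
import hashlib
import sys
from collections import Counter

# Constructed ordinal scale; only the ordering matters to the policy.
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3, "Very High": 4}

# Triage states a reviewer may set after manually verifying a finding.
# Anything else (including None) counts as untriaged.
ACCEPTED_TRIAGE = {"false_positive", "mitigated_by_design"}

# Constructed sample scan output: one row per flaw, with CWE id, severity,
# location, and the triage state previously set on the dashboard.
SAMPLE_FINDINGS = [
    {"cwe": 79,  "severity": "High",      "file": "web/search.php", "line": 42,  "triage": None},
    {"cwe": 89,  "severity": "Very High", "file": "api/users.js",   "line": 118, "triage": None},
    {"cwe": 330, "severity": "Medium",    "file": "lib/token.js",   "line": 7,   "triage": "false_positive"},
    {"cwe": 79,  "severity": "High",      "file": "web/legacy.php", "line": 9,   "triage": "mitigated_by_design"},
    {"cwe": 22,  "severity": "Low",       "file": "web/upload.php", "line": 55,  "triage": None},
]


def fingerprint(finding: dict) -> str:
    """Stable identity for a flaw so it is recognised across scans.
    Hashing CWE + file + line keeps the example short; a production
    baseline would also tolerate small line-number drift between commits."""
    key = f"{finding['cwe']}:{finding['file']}:{finding['line']}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def evaluate_policy(findings: list, baseline: set, min_severity: str = "High"):
    """Return (passed, blocking_findings, summary).

    A finding blocks the build only when all three hold:
      1. it is at or above min_severity,
      2. it carries no accepted triage state, and
      3. its fingerprint is not in the baseline of issues already known
         from an earlier scan (the reviewer's "existing issues").
    Existing issues are counted but do not fail the build, so a gate can
    be introduced on a legacy code base without blocking every deployment.
    """
    threshold = SEVERITY_RANK[min_severity]
    blocking = []
    summary = Counter(new=0, existing=0, triaged=0, below_threshold=0)
    for f in findings:
        if f.get("triage") in ACCEPTED_TRIAGE:
            summary["triaged"] += 1
        elif SEVERITY_RANK[f["severity"]] < threshold:
            summary["below_threshold"] += 1
        elif fingerprint(f) in baseline:
            summary["existing"] += 1
        else:
            summary["new"] += 1
            blocking.append(f)
    return (not blocking, blocking, dict(summary))


def blocking_by_cwe(blocking: list) -> dict:
    """Count blocking findings per CWE for the pipeline log."""
    return dict(Counter(f["cwe"] for f in blocking))


if __name__ == "__main__":
    # Pretend the CWE-79 flaw in web/search.php was already accepted as a
    # known issue after the last scan; everything else is evaluated fresh.
    baseline = {fingerprint(SAMPLE_FINDINGS[0])}
    passed, blocking, summary = evaluate_policy(SAMPLE_FINDINGS, baseline)
    print("summary:", summary)
    for f in blocking:
        print(f"BLOCK CWE-{f['cwe']} {f['severity']} at {f['file']}:{f['line']}")
    print("by CWE:", blocking_by_cwe(blocking))
    # A non-zero exit fails the Jenkins stage that invoked this script.
    sys.exit(0 if passed else 1)
```

Run against the sample data the script blocks only the new CWE-89 finding: the CWE-79 flaw in search.php is in the baseline, the two triaged rows are skipped, and the Low finding is under the threshold. The baseline set would normally be persisted between scans (for example as a file in the job workspace) and refreshed whenever a reviewer accepts a finding as an existing issue.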

Quotes from Members


Pros

"The most valuable features of Checkmarx are the SCA module and the code-checking module. Additionally, the solutions are explanatory and helpful."
"Vulnerability details is valuable."
"The main thing we find valuable about Checkmarx is the ease of use. It's easy to initiate scans and triage defects."
"The administration in Checkmarx is very good."
"The most valuable features of Checkmarx are its integration with multiple SCM solutions and CICD tools, its ability to scale according to user licenses, and the quick scanning process."
"Checkmarx offers many valuable features, including Static Application Security Testing (SAST), Software Composition Analysis (SCA), Infrastructure as Code (IAC), Supply Chain Security, and API Security."
"We use the solution for dynamic application testing."
"It allows for SAST scanning of uncompiled code. Further, it natively integrates with all key repos formats (Git, TFS, SVN, Perforce, etc)."
"The tool helps us with security incidents, policies, business continuity, disaster recovery, and internal audits. The feature I like the most is its customization capability. It acts like a blank canvas where you can construct forms and workflows according to your needs. You can configure and customize a lot yourself, whether starting from scratch or using some out-of-the-box options."
"The best feature is definitely the detailed reports. It provides code-related queries in the order of high, medium, and low depending on what we need to do. Veracode is user-friendly as well."
"One thing that I like about Veracode is that it is quite a good tool for dynamic application testing."
"The visibility into application status helps reduce risk exposure for our software. Today, any findings provided by the DAST are reviewed by the developers and we have internal processes in place to correct those findings before there can be a release. So it absolutely does prevent us from releasing weak code."
"The source composition analysis component is great because it gives our developers some comfort in using new libraries."
"The coding standards in our development group have improved. From scanning our code we've learned the patterns and techniques to make our code more secure. An example would be SQL injection. We have mitigated all the SQL injection in our applications."
"The dependency graph visualization provides the ability to see nested dependencies within libraries for pinpointing vulnerabilities."
"The most valuable feature is the security and vulnerability parts of the solution. It shows medium to high vulnerabilities so we can find them, then upgrade our model before it is too late. It is useful because it automates security. Also, it makes things more efficient. So, there is no need for the security team to scan every time. The application team can update it whenever possible in development."
"Tech support is outstanding. Best in class. Absolutely. They bend over backwards to help us. We'll come up with questions and within minutes, we'll get answers. It's amazing. It's truly amazing."
 

Cons

"Checkmarx needs improvement in its Dynamic Application Security Testing (DAST) and API security features."
"We can run only one project at a time."
"If it is a very large code base then we have a problem where we cannot scan it."
"We would like to be able to run scans from our local system, rather than having to always connect to the product server, which is a longer process."
"Checkmarx is not good because it has too many false positive issues."
"Checkmarx reports many false positives that we need to manually segregate and mark “Not exploitable”."
"Checkmarx needs to be more scalable for large enterprise companies."
"Checkmarx could improve the REST APIs by including automation."
"We think there's room for improvement, especially with customizing NAVEX One. Their development on the roadmap can be slow."
"If you schedule two parallel scans under the same project, one of them will be a failure."
"There is also a size limit of 100 MB so we cannot upload files that are larger than that. That could be improved. Also, the duration of the scan is a bit too long."
"The negative that I found is that it has a subscription-based model."
"I would also like to see some improvement in the speed. That is really the only complaint, but in all reality we have a massive Java application that needs to be scanned. Our developers are saying, "It takes 72 hours to scan it." That is probably the nature of the beast, and I'm actually pretty accepting of that time frame, but since it's a complaint that I get, faster is always better. I don't necessarily think that the speed is bad as it is, just that faster would be better."
"It would be ideal if it was able to demonstrate higher levels of cybersecurity certifications like becoming FedRAMP compliant or working in those areas."
"There are few languages that take time for scanning. It covers the majority of languages from C to Scala, but it doesn't support certain languages and the newer versions of certain languages. For example, it doesn't support SAP and new JavaScript frameworks such as Node.js and React JS. They can include support for these. If you go to their website, you can see the list of languages that are currently supported. The false-positive rates are also something they can work on."
"The runtime code analysis could be improved so that we can see every element in one place."
"It would be better if we had a channel for direct communication with the engineering team to speed up the process of providing feedback."
 

Pricing and Cost Advice

"The license has a vague language around P1 issues and the associated support. Make sure to review these in order to align them with your organizational policies."
"The pricing is competitive and provides a lower TCO (total cost of ownership) for achieving application security."
"Its price is fair. It is in or around the right spot. Ultimately, if the price is wrong, customers won't commit, but they do tend to commit. It is neither too cheap nor too expensive."
"The number of users and coverage for languages will have an impact on the cost of the license."
"I believe pricing is better compared to other commercial tools."
"Be cautious of the one-year subscription date. Once it expires, your price will go up."
"The tool's pricing is fine."
"The solution's price is high and you pay based on the number of users."
"NAVEX One's pricing comes in the middle range when compared to other products."
"It is an expensive solution, but it's the best solution available on the market. If you want something at the top, you have to pay a bit more than the average."
"The pricing of the product depends upon the number of codes or the number of applications."
"I think licensing needs to be changed or updated so that it works with adjustments. Pricing is expensive compared to the amount of scanning we perform."
"The product’s price is a bit higher compared to other solutions."
"The pricing for Veracode is high, making it difficult for beginners to afford."
"It can be expensive to do this, so I would just make sure that you're getting the proper number of licenses. Do your analysis. Make sure you know exactly what it is you need, going in."
"The pricing is reasonable compared to other tools."
"Licensing cost is on a yearly basis and there are no additional costs, the pricing is straightforward."

Top Industries

By visitors reading reviews

Checkmarx One: Financial Services Firm 21%, Computer Software Company 14%, Manufacturing Company 10%, Government 6%
NAVEX One: Financial Services Firm 14%, Retailer 10%, Healthcare Company 9%, Computer Software Company 8%
Veracode: Computer Software Company 16%, Financial Services Firm 16%, Manufacturing Company 8%, Insurance Company 6%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
No data available
 

Questions from the Community

What alternatives are there for Fortify WebInspect and Fortify SCA?
I would like to recommend Checkmarx. With Checkmarx, you are able to have an all in one solution for SAST and SCA as ...
What do you like most about Checkmarx?
Compared to the solutions we used previously, Checkmarx has reduced our workload by almost 75%.
What is your experience regarding pricing and costs for Checkmarx?
The pricing is relatively expensive due to the product's quality and performance, but it is worth it.
What is your experience regarding pricing and costs for NAVEX One?
NAVEX One's pricing comes in the middle range when compared to other products.
What needs improvement with NAVEX One?
We think there's room for improvement, especially with customizing NAVEX One. Their development on the roadmap can be...
What is your primary use case for NAVEX One?
We use the solution to conduct risk assessments on our environment.
Which gives you more for your money - SonarQube or Veracode?
SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. Son...
What do you like most about Veracode?
The SAST and DAST modules are great.
What is your experience regarding pricing and costs for Veracode?
The product’s price is a bit higher compared to other solutions. However, the tool provides good vulnerability and da...
 

Also Known As

Checkmarx One: No data available
NAVEX One: Lockpath Keylight
Veracode: Crashtest Security, Veracode Detect
 

Sample Customers

Checkmarx One: YIT, Salesforce, Coca-Cola, SAP, U.S. Army, Liveperson, Playtech (case study: Liveperson Implements Innovative Secure SDLC)
NAVEX One: Claims Recovery Financial Services (CRFS), Surescript, The University of Chicago
Veracode: Manhattan Associates, Azalea Health, Sabre, QAD, Floor & Decor, Prophecy International, SchoolCNXT, Keap, Rekner, Cox Automotive, Automation Anywhere, State of Missouri and others.
Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Application Security Tools. Updated: July 2025.