No more typing reviews! Try our Samantha, our new voice AI agent.

Checkmarx One vs Nucleus Security comparison

Sponsored
 

Comparison Buyer's Guide

Executive SummaryUpdated on Feb 23, 2026

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Categories and Ranking

Qualys TotalCloud
Sponsored
Ranking in Vulnerability Management
11th
Average Rating
8.6
Reviews Sentiment
7.2
Number of Reviews
39
Ranking in other categories
Container Security (11th), Cloud Workload Protection Platforms (CWPP) (7th), Cloud Security Posture Management (CSPM) (8th), SaaS Security Posture Management (SSPM) (1st), Cloud-Native Application Protection Platforms (CNAPP) (6th)
Checkmarx One
Ranking in Vulnerability Management
15th
Average Rating
7.8
Reviews Sentiment
6.6
Number of Reviews
81
Ranking in other categories
Application Security Tools (2nd), Static Application Security Testing (SAST) (2nd), Container Security (14th), Static Code Analysis (2nd), API Security (4th), Dynamic Application Security Testing (DAST) (2nd), DevSecOps (2nd), Risk-Based Vulnerability Management (11th), Application Security Posture Management (ASPM) (3rd), AI Security (3rd)
Nucleus Security
Ranking in Vulnerability Management
40th
Average Rating
8.0
Reviews Sentiment
7.3
Number of Reviews
2
Ranking in other categories
Application Security Tools (28th), Risk-Based Vulnerability Management (14th), Continuous Threat Exposure Management (CTEM) (13th)
 

Featured Reviews

RO
IT Security Expert at Alior Bank S.A.
Unified risk scoring has improved our cloud visibility and simplifies remediation priorities
Qualys TotalCloud provides unified vulnerability and threat assessment across both IAS and SaaS. This solution provides a single prioritized view of risk, which helps reduce the work I would have to do. We are no longer based on CVSS; we are based on Qualys risk scoring, which is based on CVSS plus internal findings made by Qualys, and then assigns its own score. The TruRisk insight feature has found a small number of assets with high vulnerability scores, though I am cautious since some information is classified. Qualys TotalCloud has positively impacted our bank's performance, and we have definitely seen benefits after implementing this solution.
Shahzad Shahzad - PeerSpot reviewer
Senior Solution Architect | L3+ Systems & Cloud Engineer | SRE Specialist at Canada Cloud Solution
Enable secure development workflows while identifying opportunities for faster scans and improved AI guidance
Checkmarx One is a very strong platform, but there are several areas where it can improve to support modern DevSecOps workflows even better. For example, better real-time developer guidance is needed. The IDE plugin should offer richer AI-powered auto-fixes similar to SNYK Code or GitHub Copilot Security, as current guidance is good but not deeply contextual for large-scale enterprise codebases. This matters because it reduces developer friction and accelerates shift-left adoption. More transparency control over the correlation engines is another need. The correlation engine is powerful but not fully transparent. Users want to understand why vulnerabilities were correlated or de-prioritized, which helps AppSec teams trust the prioritization logic. Faster SAST scan and more language coverage is needed since SAST scan can still be slow for very large mono-repos and there is limited deep support for new language frameworks like Rust and Go, along with advanced coverage for serverless-specific frameworks. This matters because large organizations want sub-minute scans in CI/CD as cloud-native ecosystems evolve fast. A strong API security module is another area for enhancement. API security scanning could be improved with active testing, API discovery, full Swagger, OpenAPI, drift detection, and schema-based fuzzing. This is important as API attacks are one of the biggest AppSec risks in 2025. Checkmarx One is strong, but I see a few areas for improvement including faster SAST scanning for large mono-repos, deeper language framework support, more transparent correlation logic, and stronger API security that includes discovery and runtime context. The IDE plugin could offer more AI-assisted fixes, and the SBOM lifecycle tracking can evolve further. Enhancing integration with SIEM and SOAR would also make enterprise adoption smoother, and these improvements would help developers and AppSec teams move faster with more accuracy.
VK
manager at a computer software company with 201-500 employees
Unified vulnerability workflows have transformed how our teams prioritize and resolve critical risks
While the platform is incredibly powerful, the initial configuration curve of Nucleus Security can be a bit steep. When first setting up complex, multi-layered automation rules and asset groupings, the interface can feel a little overwhelming. Having more intuitive step-by-step visualized wizards or guided templates for building complex triage workflows would make the onboarding process much smoother for new team members. Dashboard customization and reporting would definitely be on my wish list. While the default dashboards are great for a general overview, it can take a bit of manual tweaking when building highly tailored workspace views for different engineering groups. Having a more flexible drag-and-drop widget system where individual teams can prioritize exactly what metrics they see first on their layout would be a huge quality of life update. On the reporting side, the data it generates is solid, but I would like to see more granular control over formatting within the platform itself. Sometimes leadership wants data tailored in very specific ways, and currently, we occasionally have to export the data and clean it up externally to meet those exact visual preferences.

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"Vulnerability and threat detection and assessment of the criticality of the vulnerabilities exposed are most valuable."
"Once you have your vulnerabilities fixed and your patches pushed out using Qualys TotalCloud, then you are able to eliminate threats and cyber risk."
"The scalability is good as well. I would rate it ten out of ten."
"Qualys TotalCloud's most valuable feature is its agent versatility."
"The most valuable feature of Qualys TotalCloud is the visibility it provides."
"It is a cloud-native app that integrates with both IaaS and SaaS. It seamlessly integrates with other platforms."
"TotalCloud has been excellent in providing us with immediate access to all the products and features we need, such as CSPM, TruRisk Insights, and compliance reports, including CIS and HIPAA."
"The most valuable feature is extensibility."
"Compared to the solutions we used previously, Checkmarx has reduced our workload by almost 75%."
"The scalability of the solution is good."
"The user interface is excellent. It's very user friendly."
"After scanning, it shows in-depth code of where actual vulnerabilities are, which helps us to analyze them."
"The most valuable feature is the simple user interface."
"If you really are worried about your business, i.e. about your development sites or development environments, Checkmarx is a great solution."
"Checkmarx pinpoints the vulnerability in the code and also presents the flow of malicious input across the application."
"Checkmarx One has positively impacted the organization, and since replacing the previous tool, SAST and SCA scans are conducted in a couple of minutes instead of hours or days, saving time and increasing speed to market by reducing the timeline from three or four days to one day only."
"The best features that Nucleus Security offers in my experience are the unified integrations with all of the different vulnerability management platforms."
"Nucleus Security has fundamentally changed how we manage our vulnerability lifecycle and made our entire incident response process much more proactive, organized, and reliable."
 

Cons

"We would like to see Windows-based sensors available in Qualys, as this would make the platform more versatile and support a broader range of environments."
"Qualys TotalCloud's increasing complexity, due to the development and deployment of multiple solutions, is making the GUI difficult to navigate."
"In TotalCloud, I would suggest improvements in policy checks to cater to various inventory types like VPCs, subnets, S3 buckets, or IAMs. There is a lack of data segregation according to criticality or inventory."
"TotalCloud could improve the classification of vulnerabilities. Specifically, it could enhance the categorization of what aspects fall under patches resolved by OS or software updates and what pertains to configuration adjustments."
"I think Qualys TotalCloud needs to improve its handling of zero-day vulnerabilities and supply chain management because modern ransomware attacks not only target prime critical infrastructures but also the supply chain system."
"I would appreciate additional integration options to connect Qualys TotalCloud with our other vulnerability management tools."
"There is a lack of data segregation according to criticality or inventory."
"TotalCloud could improve its scanning of niche devices like Wi-Fi dongles and USB modems because they are often untested. It covers everything else, like laptops, mobile devices, and Bluetooth IoT devices. They can improve on the small IoT devices because hackers and testers use these."
"The default module that provides statistics is basic, and you need more elaborate information to do vulnerability management."
"The solution's user interface could be improved because it seems outdated."
"C, C++, VB and T-SQL are not supported by this product. Although, C and C++ were advertised as being supported."
"Checkmarx is not good because it has too many false positive issues."
"Checkmarx needs improvement in its Dynamic Application Security Testing (DAST) and API security features."
"The stability of Checkmarx could improve. We're having issues with it, and the scan reliability is sometimes impacted so we sometimes have to restart the services to allow scans out of the queue."
"Checkmarx could improve the solution reports and false positives. The false positives could be reduced. For example, we have alerts that are tagged as vulnerabilities but when you drill down they are not."
"Checkmarx One can be improved by reducing noise and improving false positive filtering."
"While the platform is incredibly powerful, the initial configuration curve of Nucleus Security can be a bit steep."
"Nucleus Security needs a better view into exposure management, as exposure management and attack path management are missing."
 

Pricing and Cost Advice

"It isn't cheap, but it's reasonable. It helps us to manage things with very few resources."
"Qualys TotalCloud offers cost-effective licensing flexibility."
"Qualys TotalCloud offers competitive pricing given its comprehensive suite of features, including integration, assessment, remediation, and detection capabilities, all within a single platform."
"The pricing for TotalCloud is attractive and competitive in the market. Given the features, especially the dashboard, I have no concerns regarding pricing."
"As a middle management member, I do not have direct pricing knowledge, but based on the knowledge from our meetings, its pricing is competitive."
"The pricing is comparable. It is built into our other product, so I cannot piecemeal it. It is a part of our subscription."
"While Qualys TotalCloud's pricing is currently acceptable, it is becoming increasingly expensive and may soon be considered overpriced."
"The cost is high, but it meets our organizational needs."
"We have a subscription license that is on a yearly basis, and it's a pretty competitive solution."
"It is not expensive, but sometimes, their pricing model or licensing model is not very clear. There are similar variables, such as projects or developers, and sometimes, it is a little bit confusing."
"For around 250 users or committers, the cost is approximately $500,000."
"The average deal size was usually anywhere between $120K to $175K on an annual basis, which could be divided across 12 months."
"I would rate the solution’s pricing an eight out of ten. The tool’s pricing is higher than others and it is for the license alone."
"The tool's pricing is fine."
"If you want more, you have to pay more. You have to pay for additional modules or functionalities."
"It is an expensive solution."
Information not available
report
Use our free recommendation engine to learn which Risk-Based Vulnerability Management solutions are best for your needs.
903,933 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Manufacturing Company
16%
Financial Services Firm
13%
Construction Company
8%
Comms Service Provider
7%
Financial Services Firm
16%
Manufacturing Company
9%
Computer Software Company
8%
Outsourcing Company
5%
Computer Software Company
13%
Financial Services Firm
13%
Construction Company
8%
Manufacturing Company
7%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
By reviewers
Company SizeCount
Small Business9
Midsize Enterprise5
Large Enterprise29
By reviewers
Company SizeCount
Small Business32
Midsize Enterprise9
Large Enterprise46
No data available
 

Questions from the Community

What needs improvement with Qualys TotalCloud?
Areas that need improvement in every solution include the remediation part. The remediation steps should be simple en...
What is your primary use case for Qualys TotalCloud?
Our use case involves the assets that we have under cloud, the assets exposed to the internet, and the internal appli...
What alternatives are there for Fortify WebInspect and Fortify SCA?
I would like to recommend Checkmarx. With Checkmarx, you are able to have an all in one solution for SAST and SCA as ...
What is the biggest difference between Veracode and Checkmarx?
According to my experience of using both the tools in different organizations Veracode is a Cloud-native, managed Ap...
What is your experience regarding pricing and costs for Checkmarx?
Checkmarx One is a premium solution, so budget accordingly. Make sure you understand how licensing scales with additi...
What is your experience regarding pricing and costs for Nucleus Security?
I have a good experience with that, so we don't have much problem dealing with pricing, setup, and licensing.
What needs improvement with Nucleus Security?
Nucleus Security needs a better view into exposure management, as exposure management and attack path management are ...
What is your primary use case for Nucleus Security?
My main use case for Nucleus Security is unifying the vulnerability management landscape, providing a single source o...
 

Also Known As

Qualys TotalCloud with FlexScan
No data available
No data available
 

Overview

 

Sample Customers

Information Not Available
YIT, Salesforce, Coca-Cola, SAP, U.S. Army, Liveperson, Playtech Case Study: Liveperson Implements Innovative Secure SDLC
Information Not Available
Find out what your peers are saying about Qualys, Horizon3.ai, Tenable and others in Risk-Based Vulnerability Management. Updated: June 2026.
903,933 professionals have used our research since 2012.