No more typing reviews! Try our Samantha, our new voice AI agent.

Checkmarx One vs PortSwigger Burp Suite Enterprise Edition comparison

Sponsored
 

Comparison Buyer's Guide

Executive SummaryUpdated on Oct 9, 2024

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Categories and Ranking

Qualys TotalCloud
Sponsored
Ranking in Vulnerability Management
11th
Average Rating
8.6
Reviews Sentiment
7.3
Number of Reviews
39
Ranking in other categories
Container Security (11th), Cloud Workload Protection Platforms (CWPP) (7th), Cloud Security Posture Management (CSPM) (8th), SaaS Security Posture Management (SSPM) (1st), Cloud-Native Application Protection Platforms (CNAPP) (6th)
Checkmarx One
Ranking in Vulnerability Management
15th
Average Rating
7.8
Reviews Sentiment
6.6
Number of Reviews
81
Ranking in other categories
Application Security Tools (2nd), Static Application Security Testing (SAST) (2nd), Container Security (14th), Static Code Analysis (2nd), API Security (4th), Dynamic Application Security Testing (DAST) (2nd), DevSecOps (2nd), Risk-Based Vulnerability Management (11th), Application Security Posture Management (ASPM) (3rd), AI Security (3rd)
PortSwigger Burp Suite Ente...
Ranking in Vulnerability Management
41st
Average Rating
8.0
Reviews Sentiment
7.2
Number of Reviews
12
Ranking in other categories
Dynamic Application Security Testing (DAST) (8th)
 

Featured Reviews

RO
IT Security Expert at Alior Bank S.A.
Unified risk scoring has improved our cloud visibility and simplifies remediation priorities
Qualys TotalCloud provides unified vulnerability and threat assessment across both IAS and SaaS. This solution provides a single prioritized view of risk, which helps reduce the work I would have to do. We are no longer based on CVSS; we are based on Qualys risk scoring, which is based on CVSS plus internal findings made by Qualys, and then assigns its own score. The TruRisk insight feature has found a small number of assets with high vulnerability scores, though I am cautious since some information is classified. Qualys TotalCloud has positively impacted our bank's performance, and we have definitely seen benefits after implementing this solution.
Shahzad Shahzad - PeerSpot reviewer
Senior Solution Architect | L3+ Systems & Cloud Engineer | SRE Specialist at Canada Cloud Solution
Enable secure development workflows while identifying opportunities for faster scans and improved AI guidance
Checkmarx One is a very strong platform, but there are several areas where it can improve to support modern DevSecOps workflows even better. For example, better real-time developer guidance is needed. The IDE plugin should offer richer AI-powered auto-fixes similar to SNYK Code or GitHub Copilot Security, as current guidance is good but not deeply contextual for large-scale enterprise codebases. This matters because it reduces developer friction and accelerates shift-left adoption. More transparency control over the correlation engines is another need. The correlation engine is powerful but not fully transparent. Users want to understand why vulnerabilities were correlated or de-prioritized, which helps AppSec teams trust the prioritization logic. Faster SAST scan and more language coverage is needed since SAST scan can still be slow for very large mono-repos and there is limited deep support for new language frameworks like Rust and Go, along with advanced coverage for serverless-specific frameworks. This matters because large organizations want sub-minute scans in CI/CD as cloud-native ecosystems evolve fast. A strong API security module is another area for enhancement. API security scanning could be improved with active testing, API discovery, full Swagger, OpenAPI, drift detection, and schema-based fuzzing. This is important as API attacks are one of the biggest AppSec risks in 2025. Checkmarx One is strong, but I see a few areas for improvement including faster SAST scanning for large mono-repos, deeper language framework support, more transparent correlation logic, and stronger API security that includes discovery and runtime context. The IDE plugin could offer more AI-assisted fixes, and the SBOM lifecycle tracking can evolve further. Enhancing integration with SIEM and SOAR would also make enterprise adoption smoother, and these improvements would help developers and AppSec teams move faster with more accuracy.
OB
Studiant at Edifixio
Enables time-saving automated scanning and brute force attacks
The most appreciated functionality of PortSwigger Burp Suite is its ability to perform brute force attacks automatically. Its automated scanning feature saves time. Additionally, using this tool provides significant security insights, making our testing process more efficient and comprehensive, leading to considerable time savings, which in turn translates to financial benefits.

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"The best features in Qualys TotalCloud include the total asset management of the cloud environment. It is very easy to export the report and see the vulnerabilities related to the cloud specifically."
"I appreciate Qualys TotalCloud's ability to onboard any type of device with ease, including containers."
"TotalCloud provides the easiest and the best approach for cloud infrastructure management."
"CSPM is currently the most used feature, and we are enjoying the new feature, FlexScan, which is valuable for Internet-facing VMs."
"Qualys TotalCloud has significantly improved our organization by automating our reporting processes, reducing the time spent on report creation from two hours to less than fifteen to twenty minutes."
"TotalCloud has been excellent in providing us with immediate access to all the products and features we need, such as CSPM, TruRisk Insights, and compliance reports, including CIS and HIPAA."
"By integrating TotalCloud, we have significantly reduced vulnerabilities in our deployment pipeline."
"I would definitely recommend Qualys TotalCloud to other users."
"The most valuable features of Checkmarx are the automation and information that it provides in the reports."
"Overall, the ability to find vulnerabilities in the code is better than the tool that we were using before."
"It is a stable product."
"The consistency of code showed our team where they are inconsistent or where they have made simple omissions."
"I like that you don't have to compile the code in order to execute static code analysis. So, it's very handy."
"Providing the scanning ability that shows the errors at the source code level is critical to have effective development of any critical application."
"The most valuable features of Checkmarx are difficult to pinpoint because of the way the functionalities and the features are intertwined, it's difficult to say which part of them I prefer most. You initiate the scan, you have a scan, you have the review set, and reporting, they all work together as one whole process. It's not like accounting software, where you have the different features, et cetera."
"The solution communicates where to fix the issue for the purpose of less iterations."
"The tool is loaded with many features that give us ROI."
"The product is easy to use."
"The product's initial setup phase was super easy."
"The initial setup is straightforward."
"Its automated scanning feature saves time."
"I like normal dynamic scanning, general web applications scanning, and vulnerability assessments."
"This tool helps identify vulnerabilities. We then provide the report to the developers, who address the issues identified automatically. Its most valuable feature is CI/CD integration."
"The most valuable part of it was probably the ability to intercept and modify calls."
 

Cons

"Two areas for improvement in Qualys TotalCloud are the speed of the public cloud platform and vulnerability detection."
"The main area needing improvement is integration. Although the team is strengthening TotalCloud, integration can be enhanced with SIEM, SOAR, ITSM, and other sources."
"Qualys TotalCloud has the potential to improve by integrating a hybrid platform for comprehensive management of both on-premises and cloud infrastructures."
"There is room for improvement in vulnerability scanning, particularly for PaaS environments. Currently, Qualys does not have full access to these instances, which limits its effectiveness."
"In a future release, I suggest that zero-day vulnerabilities should be predicted in advance using AI technologies. The system is not 100% secure yet, so proactive threat hunting could be enhanced to be more proactive than the current system."
"The onboarding process is a bit difficult. In the initial phase, it is very difficult to understand the features, what the dashboard contains, and what criteria they are using."
"I think Qualys TotalCloud needs to improve its handling of zero-day vulnerabilities and supply chain management because modern ransomware attacks not only target prime critical infrastructures but also the supply chain system."
"Qualys' customer service provides quality answers, but the response time is long, even though it is within the SLA."
"We can run only one project at a time."
"It takes around 30 to 40 minutes for checking a build. If you can make it within five minutes or 10 minutes, that would be great."
"Their licensing fees are rigid and this causes two main issues. One is a restriction in terms of scaling the product at an enterprise level."
"When we have many applications to check, I need to wait a long time in the queue."
"If it is a very large code base then we have a problem where we cannot scan it (if more then ~ 30 mb zip file provided - scan is crashes or takes a lot of time)."
"I really would like to integrate it as a service along with the SAP HANA Cloud Platform. It will then be easy to use it directly as a service."
"It could be improved with more reporting of false positives and the understanding of file references."
"They could work to improve the user interface. Right now, it really is lacking."
"The solution is a bit expensive."
"The cost per license per user could be cheaper, specifically for individual licensing."
"From my personal experience, the solution's performance could be improved."
"The stability of the scans could be improved."
"Scalability could be better."
"There are features or functionality missing, but PortSwigger Burp Suite Enterprise Edition does try to update frequently to alleviate the shortcomings."
"It would be better if the solution is cloud-based."
"It would be beneficial if Burp Suite provided predefined payloads for each attack category, such as SQL injection and cross-site scripting, to automate some tasks more effectively."
 

Pricing and Cost Advice

"TotalCloud's price is about right where I would expect it to be."
"Qualys TotalCloud offers good pricing that is affordable and competitive with the market. Our partnership also provides us with additional benefits."
"Qualys TotalCloud is cost-efficient and was selected for its value compared to other products."
"Its price seems higher compared to other tools, but it is worth it. If they could adjust the pricing and make it comparable with other tools, that would be great."
"Qualys TotalCloud is expensive."
"As a middle management member, I do not have direct pricing knowledge, but based on the knowledge from our meetings, its pricing is competitive."
"Qualys TotalCloud offers competitive pricing given its comprehensive suite of features, including integration, assessment, remediation, and detection capabilities, all within a single platform."
"Qualys TotalCloud is expensive, but it offers a premier solution with no headaches."
"​Checkmarx is not a cheap scanning tool, but none of the security tools are cheap. Checkmarx is a powerful scanning tool, and it’s essential to have one of these products."
"The pricing is competitive and provides a lower TCO (total cost of ownership) for achieving application security."
"The interface used to create custom rules comes at an additional cost."
"It's relatively expensive."
"This solution is expensive. The customized package allows you to buy additional users at any time."
"If you want more, you have to pay more. You have to pay for additional modules or functionalities."
"It is the right price for quality delivery."
"The solution's price is high and you pay based on the number of users."
"Although the solution can be a bit expensive for small companies, its pricing is fairly reasonable for its capabilities."
"The tool's pricing is reasonable and costs around 400 dollars per year."
"For Professional, it's about $400 per year."
"PortSwigger Burp Suite Enterprise Edition is neither a cheap nor an expensive product. PortSwigger Burp Suite Enterprise Edition is a good tool for companies."
"PortSwigger Burp Suite Enterprise Edition is expensive compared to other solutions."
report
Use our free recommendation engine to learn which Dynamic Application Security Testing (DAST) solutions are best for your needs.
902,894 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Manufacturing Company
17%
Financial Services Firm
14%
Construction Company
8%
Comms Service Provider
7%
Financial Services Firm
16%
Manufacturing Company
9%
Computer Software Company
8%
Government
5%
Financial Services Firm
19%
Computer Software Company
7%
Construction Company
6%
Manufacturing Company
6%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
By reviewers
Company SizeCount
Small Business9
Midsize Enterprise4
Large Enterprise29
By reviewers
Company SizeCount
Small Business32
Midsize Enterprise9
Large Enterprise46
By reviewers
Company SizeCount
Small Business5
Midsize Enterprise2
Large Enterprise7
 

Questions from the Community

What needs improvement with Qualys TotalCloud?
Areas that need improvement in every solution include the remediation part. The remediation steps should be simple en...
What is your primary use case for Qualys TotalCloud?
Our use case involves the assets that we have under cloud, the assets exposed to the internet, and the internal appli...
What alternatives are there for Fortify WebInspect and Fortify SCA?
I would like to recommend Checkmarx. With Checkmarx, you are able to have an all in one solution for SAST and SCA as ...
What is the biggest difference between Veracode and Checkmarx?
According to my experience of using both the tools in different organizations Veracode is a Cloud-native, managed Ap...
What is your experience regarding pricing and costs for Checkmarx?
Checkmarx One is a premium solution, so budget accordingly. Make sure you understand how licensing scales with additi...
What is your experience regarding pricing and costs for PortSwigger Burp Suite Enterprise Edition?
I am using the Community Edition, which is free, however, I understand there might be extra expenses for additional f...
What needs improvement with PortSwigger Burp Suite Enterprise Edition?
It would be beneficial if Burp Suite provided predefined payloads for each attack category, such as SQL injection and...
What is your primary use case for PortSwigger Burp Suite Enterprise Edition?
I work with security testing tools for SaaS, focusing on static application security testing and using tools like Bur...
 

Also Known As

Qualys TotalCloud with FlexScan
No data available
No data available
 

Overview

 

Sample Customers

Information Not Available
YIT, Salesforce, Coca-Cola, SAP, U.S. Army, Liveperson, Playtech Case Study: Liveperson Implements Innovative Secure SDLC
Nasa, Disney, Dow Jones, Iberia Bank, IBM, Ernest and Young, Apple, Ryanair, Thyssenkrupp, Delivery Hero
Find out what your peers are saying about Checkmarx One vs. PortSwigger Burp Suite Enterprise Edition and other solutions. Updated: June 2026.
902,894 professionals have used our research since 2012.