Try our new research platform with insights from 80,000+ expert users

Checkmarx One vs Rapid7 AppSpider comparison

 

Comparison Buyer's Guide

Executive SummaryUpdated on Oct 8, 2024

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Categories and Ranking

Checkmarx One
Ranking in Static Application Security Testing (SAST)
3rd
Average Rating
7.6
Reviews Sentiment
6.9
Number of Reviews
71
Ranking in other categories
Application Security Tools (3rd), Vulnerability Management (24th), Static Code Analysis (3rd), API Security (5th), DevSecOps (5th), Risk-Based Vulnerability Management (9th)
Rapid7 AppSpider
Ranking in Static Application Security Testing (SAST)
32nd
Average Rating
7.8
Reviews Sentiment
6.7
Number of Reviews
14
Ranking in other categories
No ranking in other categories
 

Mindshare comparison

As of July 2025, in the Static Application Security Testing (SAST) category, the mindshare of Checkmarx One is 9.5%, down from 12.7% compared to the previous year. The mindshare of Rapid7 AppSpider is 0.5%, down from 0.5% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Static Application Security Testing (SAST)
 

Featured Reviews

Syed Hasan - PeerSpot reviewer
Partner experiences excellent technical support and seamless initial setup
In my opinion, if we are able to extract or show the report, and because everything is going towards agent tech and GenAI, it would be beneficial if it could get integrated with our code base and do the fix automatically. It could suggest how the code base is written and automatically populate the source code with three different solution options to choose from. This would be really helpful.
Rizwan-Alam - PeerSpot reviewer
Easy automated web app scanning, but gives many false positives and isn't always stable
One of the challenges I have with AppSpider is that it gives you a lot of false positives, especially when compared to other solutions. This is the main aspect that I hope to see Rapid7 improve on. Beyond reducing false positives, I would also like to see them implement better reporting features, particularly in the executive summary type of reports which need to be user-friendly and easily understood by non-technical people. The recommendations and solutions on these reports could always be improved to make them more relevant, too. Lastly, the stability isn't that great, and sometimes it becomes non-responsive. I feel like the stability of the application is very average and currently needs more work.

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"It can integrate very well with DAST solutions. So both of them are combined into an integrated solution for customers running application security."
"The most valuable features of Checkmarx are its integration with multiple SCM solutions and CICD tools, its ability to scale according to user licenses, and the quick scanning process."
"The most valuable feature is that it actually identifies the different criteria you can set to meet whatever standards you're trying to get your system accredited for."
"Overall, the ability to find vulnerabilities in the code is better than the tool that we were using before."
"The solution is always updating to continuously add items that create a level of safety from vulnerabilities. It's one of the key features they provide that's an excellent selling point. They're always ahead of the game when it comes to finding any vulnerabilities within the database."
"The most valuable feature is the application tracking reporting."
"The tool's valuable features include integrating GPT and Copilot. Additionally, the UI web representation is very user-friendly, making navigation easy. GPT has made several improvements to my security code."
"The report function is the solution's greatest asset."
"The initial deployment is very straightforward and simple. The product is stable if configured properly."
"It is really accurate and the rate of false positives is very low."
"It scans all the components developed within a web application."
"I would say that it is stable, as I am not aware of any major issues."
"The most valuable feature is the reporting, which is compliant with international standards."
"When it is set up properly, it can do scanning on web apps with multiple engines automatically."
"The setup is usually straightforward."
"The most valuable feature of Rapid7 AppSpider is the vulnerability reporting data. Additionally, the data is reported in a convenient way rather than seeing them as a PDF. We are able to generate all the reports exactly what we want in a flexible way."
 

Cons

"The product's reporting feature could be better. The feature works well for developers, but reports generated to be shared with external parties are poor, it lacks the details one gets when viewing the results directly from the Checkmarx One platform."
"It is an expensive solution."
"They could work to improve the user interface. Right now, it really is lacking."
"Some of the descriptions were found to be missing or were not as elaborate as compared to other descriptions. Although, they could be found across various standard sources but it would save a lot of time for developers, if this was fixed."
"With Checkmarx, normally you need to use one tool for quality and you need to use another tool for security. I understand that Checkmarx is not in the parity space because it's totally different, but they could include some free features or recommendations too."
"The pricing can get a bit expensive, depending on the company's size."
"Checkmarx being Windows only is a hindrance. Another problem is: why can't I choose PostgreSQL?"
"I would like the product to include more debugging and developed tools. It needs to also add enhancements on the coding side."
"This price of this solution is a little bit expensive."
"AppSpider has some problems with the RAM needed while scanning."
"The dashboard and interface are crucial and they need some improvement."
"One of the challenges I have with AppSpider is that it gives you a lot of false positives, especially when compared to other solutions."
"Implementing Rapid7 AppSpider requires scanning and self-identification mechanisms. You can add different types of authentication to each scan."
"The solution is too slow. It could take a full day to scan. Competitors are much faster."
"Integration could be better."
"It needs better integration with mobile applications."
 

Pricing and Cost Advice

"The license has a vague language around P1 issues and the associated support. Make sure to review these in order to align them with your organizational policies."
"Be cautious of the one-year subscription date. Once it expires, your price will go up."
"Most of my customers opted for a perpetual license. They prefer to pay the highest amount up front for the perpetual license and then pay for additional support annually."
"This solution is expensive. The customized package allows you to buy additional users at any time."
"The solution's price is high and you pay based on the number of users."
"It is an expensive solution."
"Before implementing the product I would evaluate if it is really necessary to scan so many different languages and frameworks. If not, I think there must be a cheaper solution for scanning Java-only applications (which are 90% of our applications)."
"We're using a commercial version of Checkmarx, and we paid for the solution for one year. The price is high and could be reduced."
"The licensing cost depends on the number of users."
"The price of Rapid7 AppSpider cost 9,000 annually but there is limited usage. Large companies are able to negotiate a better price or a better deal for the usage with the vendor."
"The price is pretty fair."
"AppSpider is closed-source software and you need to acquire a license in order to use it."
"It is expensive if you want to buy the Enterprise version that is able to scan multiple applications at once."
report
Use our free recommendation engine to learn which Static Application Security Testing (SAST) solutions are best for your needs.
862,514 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Financial Services Firm
21%
Computer Software Company
14%
Manufacturing Company
10%
Government
6%
Financial Services Firm
17%
Computer Software Company
12%
Manufacturing Company
10%
Government
8%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
 

Questions from the Community

What alternatives are there for Fortify WebInspect and Fortify SCA?
I would like to recommend Checkmarx. With Checkmarx, you are able to have an all in one solution for SAST and SCA as well. Veracode is only a cloud solution. Hope this helps.
What do you like most about Checkmarx?
Compared to the solutions we used previously, Checkmarx has reduced our workload by almost 75%.
What is your experience regarding pricing and costs for Checkmarx?
The pricing is relatively expensive due to the product's quality and performance, but it is worth it.
What is your experience regarding pricing and costs for Rapid7 AppSpider?
The price is not high, but for Japanese customers, localization may incur additional costs.
What needs improvement with Rapid7 AppSpider?
For Japanese customers, localization is needed. The product should offer a GUI in Japanese and provide Japanese reports for end-users.
What is your primary use case for Rapid7 AppSpider?
Our clients use AppSpider to address security concerns for their websites. It is particularly used by customers who require security assessments.
 

Also Known As

No data available
AppSpider
 

Overview

 

Sample Customers

YIT, Salesforce, Coca-Cola, SAP, U.S. Army, Liveperson, Playtech Case Study: Liveperson Implements Innovative Secure SDLC
Microsoft
Find out what your peers are saying about Checkmarx One vs. Rapid7 AppSpider and other solutions. Updated: July 2025.
862,514 professionals have used our research since 2012.