Try our new research platform with insights from 80,000+ expert users

HCL AppScan vs OpenText Dynamic Application Security Testing vs Veracode comparison

HCLSoftware and OpenText are both solutions in the Dynamic Application Security Testing (DAST) category. HCLSoftware is ranked #6 with an average rating of 8.3, while OpenText is ranked #3 with an average rating of 8.0. HCLSoftware holds a 9.6% mindshare in DAST, compared to OpenText’s 11.0% mindshare. Additionally, 84% of HCLSoftware users are willing to recommend the solution, compared to 83% of OpenText users who would recommend it.
HCL AppScan
Read 44 HCL AppScan reviews
  • 4,542 Views
  • 1,090 Comparison Views
84% willing to recommend
OpenText Dynamic Applicatio...
Read 22 OpenText Dynamic Application Security Testing reviews
  • 3,095 Views
  • 1,145 Comparison Views
83% willing to recommend
Veracode
Read 208 Veracode reviews
  • 18,975 Views
  • 2,846 Comparison Views
89% willing to recommend
 

Comparison Buyer's Guide

Download the report
Executive Summary
We performed a comparison between HCL AppScan, OpenText Dynamic Application Security Testing, and Veracode based on real PeerSpot user reviews.

Find out what your peers are saying about Veracode, Checkmarx, OpenText and others in Dynamic Application Security Testing (DAST).

DOWNLOAD THE COMPLETE REPORT
To learn more, read our detailed Dynamic Application Security Testing (DAST) Report (Updated: January 2026).
Buyer's Guide
Dynamic Application Security Testing (DAST)
January 2026
Download the complete report
Helped 881,733 peers since 2012

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Mindshare comparison

As of February 2026, in the Dynamic Application Security Testing (DAST) category, the mindshare of HCL AppScan is 9.6%, down from 11.6% compared to the previous year. The mindshare of OpenText Dynamic Application Security Testing is 11.0%, up from 9.5% compared to the previous year. The mindshare of Veracode is 18.2%, down from 30.8% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Dynamic Application Security Testing (DAST) Market Share Distribution
ProductMarket Share (%)
Veracode18.2%
OpenText Dynamic Application Security Testing11.0%
HCL AppScan9.6%
Other61.2%
Dynamic Application Security Testing (DAST)
 

Featured Reviews

Ravi Khanchandani - PeerSpot reviewer
Ravi Khanchandani
Founder Director at Techsa Services
Has improved identification of encryption and authentication issues across cloud and on-prem applications
During the learning curve of onboarding HCL AppScan, we learned that HCL has altered the portfolio and now offers HCL AppScan 360, which has a much better look and feel with an improved user interface. However, there is one feature called SCA, which stands for Software Composition Analysis, that could be improved. When I'm doing an application scan, HCL AppScan has the ability to generate information about what components are in use. For example, if I'm scanning a web application, it shows me the various components being used. It tells me whether I have Java libraries, .NET frameworks, or other log management libraries such as Log4j, and what versions of those specific components are present. I would like to see more detailed reports from the tool. Currently, you can find out the components belonging to a specific software, but if detailed reporting became available, you would be in a better position to identify vulnerabilities. For instance, I could identify that I had the Log4j vulnerability and know that I need to fix my application accordingly. If they add the features I'm describing, I would consider giving them a higher rating. However, I've only been experienced with the product for three months.
Read full review
AP
ArnabPaul
Cyber Security Consultant at a tech vendor with 10,001+ employees
Enhancements in manual testing align with reporting and integration features
WebInspect works efficiently with Java-based or .NET based applications. However, it struggles with Salesforce applications, where it requires approximately 20-24 hours to crawl and audit but produces minimal findings, necessitating manual verification. The solution offers customization features for crawling and vulnerability detection. It includes various security frameworks and allows selection of specific vulnerability types to audit, such as OWASP Top 10 or JavaScript-based vulnerabilities. When working with APIs, we can select OWASP API Top 10. The tool also supports custom audit features by combining different security frameworks. For on-premises deployment, the setup is complex, particularly regarding SQL server configuration. Unlike Burp Suite or OpenText Dynamic Application Security Testing, which have simpler setup processes, WebInspect requires SQL server setup to function.
Read full review
reviewer2703864 - PeerSpot reviewer
reviewer2703864
Head of Security Architecture at a healthcare company with 5,001-10,000 employees
Onboarding developers successfully while improving code security through IDE integration
Regarding room for improvement, we have some problems when onboarding new projects because the build process has to be done in a certain way, as Veracode analyzes the binaries and not the code by itself alone. If the process is not configured correctly, it doesn't work. That's one of the things that we are discussing with Veracode. Something positive that we've been able to do is submit formal feature requests to them, and they are working on them; they've already solved some of them. This encourages us to propose new ideas and improvements. Another improvement that we asked for this use case is to be able to configure how Veracode Fix proposes and fixes because sometimes it makes proposals using libraries that go against our architecture design made by the enterprise architecture team. For example, we want them to propose using another library, and that's something we already asked Veracode, and they are working on it. We want to specify when you see this kind of vulnerability, you can only propose these two options.
Read full review

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"It's generally a very user-friendly tool. Anyone can easily learn how to scan"
"It is a stable solution...It is a scalable solution...The initial setup or installation of HCL AppScan is easy."
"It is easy it is to use. It is quick to find things, because of the code scanning tools. It's quite simple to use and it is very good the way it reports the findings."
"AppScan's most valuable features include its ability to identify vulnerabilities accurately, provide detailed remediation steps, and the newly introduced AI-powered features that enhance its functionality further."
"AppScan's most valuable features include its ability to identify vulnerabilities accurately, provide detailed remediation steps, and the newly introduced AI-powered features that enhance its functionality further."
"The most valuable feature of the solution is Postman."
"It identifies all the URLs and domains on its own and then performs tests and provides the results."
"The UI was very intuitive."
More HCL AppScan pros
"The most valuable feature of this solution is the ability to make our customers more secure."
"The user interface is ok and it is very simple to use."
"The accuracy of its scans is great."
"Guided Scan option allows us to easily scan and share reports."
"The tool provides comprehensive vulnerability assessments which help ensure our deliverables are as free from vulnerabilities as possible. It has also streamlined our web application vulnerability assessments, assisting us in delivering secure applications to our clients."
"The solution is able to detect a wide range of vulnerabilities. It's better at it than other products."
"Good at scanning and finding vulnerabilities."
"There are lots of small settings and tools, like an HTTP editor, that are very useful."
More OpenText Dynamic Application Security Testing pros
"I believe the static analysis is Veracode's best and most valuable feature. Software composition analysis is a feature that most people don't use, and we don't use SCA for most of our applications. However, this is an essential feature because it provides insight into the third-party libraries we use."
"Veracode has positively impacted my organization by helping secure our critical applications, and it has impacted very well."
"Valuable features for us are the static scanning of the software, which is very important to us; the ability to set policy profiles that are specific to us; the software composition analysis, to give us reports on known vulnerabilities from our third-party components."
"The one thing we really liked about Veracode when we got it was the consultation calls; that our developers are able to schedule them on their own, instead of going to a "gatekeeper." They upload their code, they have questions, they schedule it, they speak with someone on the other side who is an expert, they can speak developer-to-developers."
"The solution's ability to prevent vulnerable code from going into production is perfectly fine. It delivers, at least for the reports that we have been checking on Java and JavaScript. It has reported things that were helpful."
"What I found most valuable in Veracode Static Analysis is that it categorizes security vulnerabilities."
"I appreciate the integration provided by Veracode that seamlessly integrates with our CI/CD tools and allows us to integrate with IPA as well."
"The security team can track the remediation and risk acceptance statistics."
More Veracode pros
 

Cons

"Sometimes it doesn't work so well."
"We would like to see a check in the specific vulnerabilities in mobile applications or rooted devices, such as jailbreaking devices."
"The solution could improve by having a mobile version."
"They should have a better UI for dashboards."
"We have experienced challenges when trying to integrate this solution with other products. When you compare it with the other SecOps products, the quality of the output is too low. It is not a new-age product. It is very outdated."
"I would like to see the roadmap for this product. We are still waiting to see it as we have only so many resources."
"The penetration testing feature should be included."
"There is not a central management for static and dynamic."
More HCL AppScan cons
"Fortify WebInspect's shortcoming stems from the fact that it is a very expensive product in Korea, which makes it difficult for its potential customers to introduce the product in their IT environment."
"The initial setup was complex."
"The solution needs better integration with Microsoft's Azure Cloud or an extension of Azure DevOps. In fact, it should better integrate with any cloud provider. Right now, it's quite difficult to integrate with that solution, from the cloud perspective."
"I'm not sure licensing, but on the pricing, it's a bit costly. It's a bit overpriced. Though it is an enterprise tool, there are other tools also with similar functionalities."
"The installation could be a bit easier. Usually it's simple to use, but the installation is painful and a bit laborious and complex."
"Not sufficiently compatible with some of our systems."
"I would like WebInspect's scanning capability to be quicker."
"The main area for improvement in Fortify WebInspect is the price, as it is too high compared to the market rate."
More OpenText Dynamic Application Security Testing cons
"I would like to see improvement on the analytics side, and in integrations with different tools. Also, the dynamic scanning takes time."
"The training lab is not very user-friendly and takes a long time to set up."
"There were some additional manual steps or work involved that we should not have needed to do."
"Veracode Static Analysis lacks penetration testing, so that's a concern. The tool is also unable to scan when it's a C or C++ model, so that's another area for improvement."
"Straightforward to set up, but the configuration of the rules engine is difficult and complicated."
"The UI is not user-friendly and can be improved."
"Veracode has a few shortcomings in terms of how they handle certain components of the UI. For example, in the case of the false positive, it would be highly desirable if the false positive don't show up again on the UI, instead still showing up for any subsequent scan as a false positive. There is a little bit of cluttering that could be avoided."
"We are testing Veracode's software composition analysis, but we're having trouble integrating it with SVN. It works out of the box when you use Git but doesn't work as well with other tools like SVN. It's more geared toward Git"
More Veracode cons
 

Pricing and Cost Advice

"The product has premium pricing and could be more competitive."
"The solution is cheap."
"With the features, that they offer, and the support, they offer, AppScan pricing is on a higher level."
"The product is moderately priced, though it's an investment due to extensive code analysis needs."
"AppScan is a little bit expensive. IBM needs to work a little bit on the pricing model, decreasing the license cost."
"The price is very expensive."
"The tool was expensive."
"I rate the product's price a seven on a scale of one to ten, where one is low, and ten is high. HCL AppScan is an expensive tool."
More HCL AppScan pricing and cost advice
"Its price is almost similar to the price of AppScan. Both of them are very costly. Its price could be reduced because it can be very costly for unlimited IT scans, etc. I'm not sure, but it can go up to $40,000 to $50,000 or more than that."
"Our licensing is such that you can only run one scan at a time, which is inconvenient."
"Fortify WebInspect is a very expensive product."
"The price is okay."
"This solution is very expensive."
"The pricing is not clear and while it is not high, it is difficult to understand."
"It’s a fair price for the solution."
"We're very comfortable with their model. We think they're a good value. We worked very closely with Veracode on understanding their license model, understanding what comprises the fee and what does not. With their assistance in design, we decomposed our application in a way where we are scanning a very significant amount of code without wasting their capacity and generating redundant reported issues. You scan in profiles, per se. And we work with them, in their offices, to design the most effective approach. So the advice I would have for customers is, you can get up and live fast, but work closely with Veracode to refine the method you use for scanning and the way you compile the applications. There's a concept called entry-point scanning, and that's probably not used well by the rest of their customers. We see our licensing as a good value because we leverage it heavily."
"When I looked at the pricing, it was definitely a value. In terms of the service and what it's checking, the cost was very reasonable, particularly because we could have multiple code bases as part of a project."
"The cost of Veracode is high."
"Negotiate some, but their prices are reasonable."
"The price of Veracode Static Analysis is on the higher side."
"Veracode is costly. They have different license models for different customers. What we had was based on the amount of code that has been analyzed. The license that we had was capped to a certain amount, for example, 5 Gig. There would be an extra charge for anything above 5 Gig."
"It's too expensive for the European market. That is why, in a big bank with 400 applications, we are able to use it only for 10 of them. But the other solutions are also expensive, so it wasn't a differentiator."
"The pricing is a bit high."
More Veracode pricing and cost advice
report
See which vendors are best for you
Use our free recommendation engine to learn which Dynamic Application Security Testing (DAST) solutions are best for your needs.
See recommendations
881,733 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Computer Software Company
12%
Government
11%
Financial Services Firm
11%
Manufacturing Company
10%
Government
15%
Financial Services Firm
14%
Manufacturing Company
10%
Computer Software Company
8%
Financial Services Firm
17%
Computer Software Company
13%
Manufacturing Company
10%
Government
6%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
By reviewers
Company SizeCount
Small Business14
Midsize Enterprise6
Large Enterprise31
By reviewers
Company SizeCount
Small Business7
Midsize Enterprise1
Large Enterprise15
By reviewers
Company SizeCount
Small Business69
Midsize Enterprise44
Large Enterprise115
 

Questions from the Community

What do you like most about HCL AppScan?
The most valuable feature of HCL AppScan is its integration with the SDLC, particularly during the coding phase.
See all answers
What needs improvement with HCL AppScan?
During the learning curve of onboarding HCL AppScan, we learned that HCL has altered the portfolio and now offers HCL...
See all answers
What is your primary use case for HCL AppScan?
I'm currently working with BigFix and HCL AppScan. At least three people in my company are using HCL AppScan. Since w...
See all answers
What is your experience regarding pricing and costs for Fortify WebInspect?
While I am not directly involved with licensing, I can share that our project's license for 1-9 applications costs be...
See all answers
What needs improvement with Fortify WebInspect?
WebInspect works efficiently with Java-based or .NET based applications. However, it struggles with Salesforce applic...
See all answers
What is your primary use case for Fortify WebInspect?
I am currently working with several tools. For Fortify, I use SCA and WebInspect. Apart from that, I use Burp Suite f...
See all answers
Which gives you more for your money - SonarQube or Veracode?
SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. Son...
See all answers
What do you like most about Veracode Static Analysis?
I like its integration with GitHub. I like using it from GitHub. I can use the GitHub URL and find out the vulnerabil...
See all answers
What is your experience regarding pricing and costs for Veracode Static Analysis?
My experience with pricing, setup cost, and licensing for Veracode is that it is fairly moderate.
See all answers
 

Comparisons

SonarQube vs HCL AppScan Logo
SonarQube vs HCL AppScan
Compared 10% of the time
PortSwigger Burp Suite Professional vs HCL AppScan Logo
PortSwigger Burp Suite Professional vs HCL AppScan
Compared 8% of the time
Acunetix vs HCL AppScan Logo
Acunetix vs HCL AppScan
Compared 7% of the time
Checkmarx One vs HCL AppScan Logo
Checkmarx One vs HCL AppScan
Compared 7% of the time
GitHub Code Scanning vs HCL AppScan Logo
GitHub Code Scanning vs HCL AppScan
Compared 4% of the time
More HCL AppScan Competitors
PortSwigger Burp Suite Professional vs OpenText Dynamic Application Security Testing Logo
PortSwigger Burp Suite Professional vs OpenText Dynamic Application Security Testing
Compared 22% of the time
Checkmarx One vs OpenText Dynamic Application Security Testing Logo
Checkmarx One vs OpenText Dynamic Application Security Testing
Compared 7% of the time
OWASP Zap vs OpenText Dynamic Application Security Testing Logo
OWASP Zap vs OpenText Dynamic Application Security Testing
Compared 5% of the time
Acunetix vs OpenText Dynamic Application Security Testing Logo
Acunetix vs OpenText Dynamic Application Security Testing
Compared 5% of the time
Invicti vs OpenText Dynamic Application Security Testing Logo
Invicti vs OpenText Dynamic Application Security Testing
Compared 5% of the time
More OpenText Dynamic Application Security Testing Competitors
SonarQube vs Veracode Logo
SonarQube vs Veracode
Compared 11% of the time
Checkmarx One vs Veracode Logo
Checkmarx One vs Veracode
Compared 8% of the time
GitHub Advanced Security vs Veracode Logo
GitHub Advanced Security vs Veracode
Compared 5% of the time
OWASP Zap vs Veracode Logo
OWASP Zap vs Veracode
Compared 3% of the time
JFrog Xray vs Veracode Logo
JFrog Xray vs Veracode
Compared 3% of the time
More Veracode Competitors
 

Product Reports

Buyer's Guide
HCL AppScan
January 2026
HCL AppScan reportDownload HCL AppScan product report
Buyer's Guide
OpenText Dynamic Application Security Testing
January 2026
OpenText Dynamic Application Security Testing reportDownload OpenText Dynamic Application Security Testing product report
Buyer's Guide
Veracode
January 2026
Veracode reportDownload Veracode product report
 

Also Known As

IBM Security AppScan, Rational AppScan, AppScan
Micro Focus WebInspect, WebInspect
Crashtest Security , Veracode Detect
 

Overview

IBM Security AppScan enhances web application security and mobile application security, improves application security program management and strengthens regulatory compliance. By scanning your web and mobile applications prior to deployment, AppScan enables you to identify security vulnerabilities and generate reports and fix recommendations.

HCLSoftware

OpenText Dynamic Application Security Testing offers robust scalability, ease of use, and high accuracy in scanning, making it a valuable tool for enterprises.

This security testing platform is known for its centralized dashboard, guided scans, and comprehensive reporting. It integrates seamlessly with tools like Fortify code scanner and supports extensive vulnerability detection and analysis, enhancing efficiency in security management. Despite its strengths, users suggest improvements in cloud integration, cost-effectiveness, and installation processes. Faster scans, reduced false positives, and improved mobile testing features are also desired.

What are the key features of OpenText Dynamic Application Security Testing?
  • Scalability: Easily adapts to changing enterprise needs.
  • Ease of Use: User-friendly interface with guided scans.
  • Comprehensive Reporting: Detailed vulnerability analysis and reporting.
  • Integration Capabilities: Works with Fortify code scanner and user authentication scanning.
  • Wide Vulnerability Detection: Identifies extensive security vulnerabilities.
What benefits should users expect from reviews?
  • Efficient Vulnerability Management: Streamlines security management in development environments.
  • Detailed Analysis: Provides in-depth insights into security issues.
  • Quick Setup: Easy to deploy within existing systems.
  • Enterprise Preference: Supports enterprise environments efficiently.

In industries like BFSI, OpenText Dynamic Application Security Testing is employed for performance network application testing, dynamic and static application security testing, and code checks. Security and QA teams use it in development processes to ensure application security prior to release, proving integral in both enterprise and testing environments.

OpenText

Veracode is a leading provider of application security solutions, offering tools to identify, mitigate, and prevent vulnerabilities across the software development lifecycle. Its cloud-based platform integrates security into DevOps workflows, helping organizations ensure that their code remains secure and compliant with industry standards.

Veracode supports multiple application security testing types, including static analysis (SAST), dynamic analysis (DAST), software composition analysis (SCA), and manual penetration testing. These tools are designed to help developers detect vulnerabilities early in development while maintaining speed in deployment. Veracode also emphasizes scalability, offering features for enterprises that manage a large number of applications across different teams. Its robust reporting and analytics capabilities allow organizations to continuously monitor their security posture and track progress toward remediation.

What are the key features of Veracode?

  • Static Analysis (SAST) - Scans source code for vulnerabilities before deployment.
  • Dynamic Analysis (DAST) - Examines applications in a running state to detect flaws in real-time.
  • Software Composition Analysis (SCA) - Identifies risks in open-source libraries and third-party components.
  • Manual Penetration Testing - Offers expert analysis for more complex vulnerabilities.
  • Integrations with DevOps tools - Seamlessly integrates with CI/CD pipelines for automated security checks.

What benefits should users consider in Veracode reviews?

  • Early detection of vulnerabilities - Helps developers fix security issues early in the development process.
  • Scalability - Supports organizations with large-scale application portfolios.
  • Compliance support - Ensures applications meet various security standards and regulations.
  • Developer training - Provides tools for educating developers on secure coding practices.
  • Comprehensive reporting - Offers detailed reports that track remediation and risk trends.

Veracode is widely adopted in industries like finance, healthcare, and government, where compliance and security are critical. It helps these organizations maintain strict security standards while enabling rapid development through its integration with Agile and DevOps methodologies.


Veracode helps businesses secure their applications efficiently, ensuring they can deliver safe and compliant software at scale.

Veracode
 

Sample Customers

Essex Technology Group Inc., Cisco, West Virginia University, APIS IT
Aaron's
Manhattan Associates, Azalea Health, Sabre, QAD, Floor & Decor, Prophecy International, SchoolCNXT, Keap, Rekner, Cox Automotive, Automation Anywhere, State of Missouri and others.
Buyer's Guide
Dynamic Application Security Testing (DAST)
January 2026
Download Free Report
Find out what your peers are saying about Veracode, Checkmarx, OpenText and others in Dynamic Application Security Testing (DAST). Updated: January 2026.
DOWNLOAD NOW
881,733 professionals have used our research since 2012.