No more typing reviews! Try our Samantha, our new voice AI agent.

HCL AppScan vs Xygeni comparison

 

Comparison Buyer's Guide

Executive Summary

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Categories and Ranking

HCL AppScan
Ranking in Application Security Tools
21st
Average Rating
7.6
Reviews Sentiment
5.9
Number of Reviews
44
Ranking in other categories
Static Application Security Testing (SAST) (17th), Dynamic Application Security Testing (DAST) (6th)
Xygeni
Ranking in Application Security Tools
23rd
Average Rating
9.0
Reviews Sentiment
7.0
Number of Reviews
4
Ranking in other categories
Software Composition Analysis (SCA) (15th), Software Supply Chain Security (14th), Application Security Posture Management (ASPM) (13th)
 

Mindshare comparison

As of July 2026, in the Application Security Tools category, the mindshare of HCL AppScan is 2.4%, down from 2.7% compared to the previous year. The mindshare of Xygeni is 0.9%, up from 0.0% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Application Security Tools Mindshare Distribution
ProductMindshare (%)
HCL AppScan2.4%
Xygeni0.9%
Other96.7%
Application Security Tools
 

Featured Reviews

Ravi Khanchandani - PeerSpot reviewer
Founder Director at Techsa Services
Has improved identification of encryption and authentication issues across cloud and on-prem applications
During the learning curve of onboarding HCL AppScan, we learned that HCL has altered the portfolio and now offers HCL AppScan 360, which has a much better look and feel with an improved user interface. However, there is one feature called SCA, which stands for Software Composition Analysis, that could be improved. When I'm doing an application scan, HCL AppScan has the ability to generate information about what components are in use. For example, if I'm scanning a web application, it shows me the various components being used. It tells me whether I have Java libraries, .NET frameworks, or other log management libraries such as Log4j, and what versions of those specific components are present. I would like to see more detailed reports from the tool. Currently, you can find out the components belonging to a specific software, but if detailed reporting became available, you would be in a better position to identify vulnerabilities. For instance, I could identify that I had the Log4j vulnerability and know that I need to fix my application accordingly. If they add the features I'm describing, I would consider giving them a higher rating. However, I've only been experienced with the product for three months.
AI
Business development manager at RSsecurity
Unified monitoring has reduced alert noise and provides accurate, proactive application security
Xygeni was highly effective for us, but there are areas where improvements could be made. More customization options for dashboards and reports would help teams tailor the platform to their specific metrics and workflows. I also occasionally encounter DevOps tools that are not yet supported natively. Expanded coverage for niche or emerging tools would make onboarding even smoother. These points, however, are minor compared to the overall value the platform delivers, especially given the strength of its AI-driven detection, remediation, and supply chain protection capabilities. It would also be an improvement for licensing with regard to on-premise variants. Perhaps we could have an on-premise option for standard subscription.

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"Usually when we deploy the application, there is a process for ethical hacking. The main benefit is that, the ethical hacking is almost clean, every time. So it's less cost, less effort, less time to production."
"The solution is easy to install. I would rate the product's setup between six to seven out of ten. The deployment time depends on the applications that need to be scanned. We have a development and operations team to take care of the product's maintenance."
"I mainly use AppScan for vulnerability scanning and database bridging."
"IBM Applications Security has contributed to the maturity of our AppSec risk management program."
"For me, as a manager, it was the ease of use. Inserting security into the development process is not normally an easy project to do. The ability for the developer to actually use it and get results and focuses, that's what counted."
"You can easily find particular features and functions through the UI."
"It is a stable solution...It is a scalable solution...The initial setup or installation of HCL AppScan is easy."
"For its first initial release, the integration was pretty good."
"The visibility of our open-source supply chain dependencies and real-time detection of vulnerabilities have been invaluable."
"The best Xygeni feature is the ability to filter what is truly important, which really helps me focus on the key vulnerabilities in the software that I am building."
"Since using Xygeni, the time to review vulnerabilities has decreased."
"Xygeni provides a comprehensive and developer-friendly approach to securing the entire software supply chain."
 

Cons

"They could add a software component analysis tool."
"The performance could be better. Sometimes it doesn't work so well."
"I would like to see the roadmap for this product. We are still waiting to see it as we have only so many resources."
"AppScan needs to improve its handling of false positives."
"There are so many lines of code with so many different categories that I am likely to get lost. ​"
"The databases for HCL are small and have room for improvement."
"The penetration testing feature should be included."
"Scans become slow on large websites."
"Xygeni was highly effective for us, but there are areas where improvements could be made."
"Xygeni could be improved if on-premise options were available starting from the starter packages, not only the enterprise models."
"There should be more configuration options that make it easier to target the issues that are more important in your organization's context."
"Xygeni can be more automated."
 

Pricing and Cost Advice

"The price of HCL AppScan is okay, in my opinion. You just buy HCL AppScan and don't pay anything anymore, meaning it is just a one-time purchase."
"I would rate the product's pricing a nine out of ten. The product's pricing is expensive compared to the features that they offer."
"I rate the product's price a seven on a scale of one to ten, where one is low, and ten is high. HCL AppScan is an expensive tool."
"With the features, that they offer, and the support, they offer, AppScan pricing is on a higher level."
"The product has premium pricing and could be more competitive."
"Our clients are willing to pay the extra money. It is expensive."
"The price is very expensive."
"AppScan is a little bit expensive. IBM needs to work a little bit on the pricing model, decreasing the license cost."
Information not available
report
Use our free recommendation engine to learn which Application Security Tools solutions are best for your needs.
902,988 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Financial Services Firm
11%
Manufacturing Company
9%
Government
9%
Computer Software Company
8%
Comms Service Provider
22%
Outsourcing Company
11%
Security Firm
11%
Construction Company
10%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
By reviewers
Company SizeCount
Small Business14
Midsize Enterprise6
Large Enterprise31
No data available
 

Questions from the Community

What needs improvement with HCL AppScan?
During the learning curve of onboarding HCL AppScan, we learned that HCL has altered the portfolio and now offers HCL AppScan 360, which has a much better look and feel with an improved user interf...
What is your primary use case for HCL AppScan?
I'm currently working with BigFix and HCL AppScan. At least three people in my company are using HCL AppScan. Since we are a reseller, we run it in both lab environments and live production applica...
What is your experience regarding pricing and costs for HCL AppScan?
AppScan is considered more cost-effective than Veracode, although I have not updated the exact pricing details. Companies often choose based on budget constraints, with Veracode being on the higher...
What is your experience regarding pricing and costs for Xygeni?
The pricing is reasonable. Xygeni provided me with the pricing list that is already public on the web, so it is very clear.
What needs improvement with Xygeni?
Xygeni can be more automated. The team is currently working on auto-remediation pipelines, which could be really helpful. There is probably room for improvement, but for me, it is one of the best t...
What is your primary use case for Xygeni?
I use Xygeni to perform SAST and SCA analysis, and to gain better understanding of how my deployment pipelines are configured. Xygeni helps me understand what I am deploying and the level of integr...
 

Comparisons

 

Also Known As

IBM Security AppScan, Rational AppScan, AppScan
No data available
 

Interactive Demo

Demo not available
 

Overview

 

Sample Customers

Essex Technology Group Inc., Cisco, West Virginia University, APIS IT
BKool, Onum, Napptive, Fintonic, Adaion, Metricool, Arexdata, ...
Find out what your peers are saying about HCL AppScan vs. Xygeni and other solutions. Updated: June 2026.
902,988 professionals have used our research since 2012.