Try our new research platform with insights from 80,000+ expert users

Klocwork vs Veracode comparison

 

Comparison Buyer's Guide

Executive SummaryUpdated on Oct 8, 2024

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

ROI

Sentiment score
6.2
Klocwork enhances code quality and compliance, improving efficiency in defect resolution, especially in automotive sectors, despite ROI measurement challenges.
Sentiment score
6.8
Veracode saves time, reduces manual processes, decreases penetration tests, enhances compliance, and improves code quality to prevent costly breaches.
The main ROI factors include efficiency and how we meet compliance standards for various automotive requirements.
The scanners of Veracode bring status of the weaknesses in the current infrastructure. It scans and provides reports regarding the servers, the network, and the applications running on those servers.
Regarding price, the evaluation should focus on how efficiently they will recover their investment, considering the time saved through the use of Veracode Fix, for example, and the ability to fix code at dev time compared to the problems faced when fixing after the product is already deployed.
 

Customer Service

Sentiment score
6.8
Klocwork's support is praised for responsiveness, effective problem-solving, and reducing user contact via comprehensive documentation, despite prioritization issues.
Sentiment score
7.3
Veracode's support is praised for expertise and responsiveness, but experiences vary, especially with complex issues and staffing.
The customer support team is very responsive, proactive, and engages in conversations to ensure our needs are met.
The issue is not about the knowledge of the support but about the prioritization of the tickets they handle.
During the initial phase, there was a need for follow-ups and clarifications.
Access to the engineering team is crucial for faster feedback on the product fix process.
They are very responsive and quick to help with queries within our scope.
They respond very quickly since security is something critical.
 

Scalability Issues

Sentiment score
6.7
Klocwork is scalable, efficient, and integrates well with SAST tools, suitable for teams of all sizes without scalability issues.
Sentiment score
7.5
Veracode offers robust scalability, efficiently managing diverse usage scenarios and volumes, maintaining smooth performance for various organizational sizes.
Klocwork supports our scalability needs without issues, even as project volumes increase.
The program-to-program enablement is scalable.
Cloud solutions are easier to scale than on-premise solutions.
It has a good capacity to scale effectively.
 

Stability Issues

Sentiment score
6.8
Klocwork is reliable and stable, effectively handling large codebases but requires significant computing power and faster updates.
Sentiment score
7.9
Users find Veracode stable and reliable, with minimal downtime and effective workload handling despite minor issues.
Installation is easy, and the solution is stable.
If the Veracode server is down, we experience many issues during the scan.
It's not that easy to onboard, but once they have been onboarded on the platform, and the pipeline configured alongside the product configured, it works effectively.
 

Room For Improvement

Klocwork needs improved language support, flexible reporting, better integration with Agile DevOps, and enhanced static and dynamic analysis.
Users seek improved false positives, dynamic scanning, UI/UX, language support, integration, reporting, and pricing in Veracode.
There are too many warnings, and it requires expertise to determine the correct category for them.
Klocwork sometimes provides too many additional warnings which require expertise to manage.
We would like Klocwork to connect to Git and notify developers of issues tied to specific commits.
If it could be integrated directly with code repositories such as Bitbucket or GitHub, without the need to create a pipeline to upload and decode code, it would simplify the code scan process significantly.
We had issues with scanning large applications. Scanning took a lot of time, so we kept it outside the DevOps pipeline to avoid delaying deployments.
A nice addition would be if it could be extended for scenarios with custom cleansers.
 

Setup Cost

Klocwork's flexible pricing models are valued, though opinions vary on cost-effectiveness, catering to diverse organizational needs.
Veracode's pricing is high but valued for comprehensive features, with flexible options and discounts available for enterprises.
It is less expensive than Coverity.
The solution is not very cheap, however, it is less expensive than Coverity.
Klocwork was competitively priced, making it a cost-effective solution for us.
It's not the most expensive solution.
If there's a security gap, you'll never know the cost or effect.
Pricing-wise, I find it a bit expensive because it's based on the number of users requesting access to Veracode.
 

Valuable Features

Klocwork provides efficient static code analysis with strong IDE integration, supporting multiple languages and enhancing code quality and collaboration.
Veracode offers scalable security with static/dynamic analysis, seamless integrations, low false positives, and compliance-focused reporting, enhancing developer workflows.
The most valuable feature of Klocwork is the static analysis tools, which help identify potential security threats and errors.
Its integration with the CI/CD pipeline has helped streamline the software development process.
It takes just half a day to set up.
It offers confidence by preventing exposure to vulnerabilities and helps ensure that we are not deploying vulnerable code into production.
The best features in Veracode include static analysis and the early detection of vulnerable libraries; it integrates with tools such as Jenkins.
It fixes issues directly in the IDE while you're doing it.
 

Categories and Ranking

Klocwork
Ranking in Application Security Tools
18th
Ranking in Static Application Security Testing (SAST)
16th
Ranking in Static Code Analysis
5th
Average Rating
8.0
Reviews Sentiment
6.8
Number of Reviews
25
Ranking in other categories
No ranking in other categories
Veracode
Ranking in Application Security Tools
2nd
Ranking in Static Application Security Testing (SAST)
2nd
Ranking in Static Code Analysis
1st
Average Rating
8.2
Reviews Sentiment
7.0
Number of Reviews
201
Ranking in other categories
Container Security (8th), Software Composition Analysis (SCA) (3rd), Application Security Posture Management (ASPM) (2nd)
 

Mindshare comparison

As of July 2025, in the Application Security Tools category, the mindshare of Klocwork is 1.4%, down from 1.4% compared to the previous year. The mindshare of Veracode is 9.0%, down from 10.7% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Application Security Tools
 

Featured Reviews

AnirbanSarkar - PeerSpot reviewer
Lets you find defects during the development phase, so you don't have to wait till the development is over to find and address flaws
What needs improvement in Klocwork, compared to other products in the market, is the dashboard or reporting mechanisms that need to be a bit more flexible. The Klocwork dashboard could be improved. Though it's good, it's not as good as some of the other products in the market, which is a problem. The reporting could be more detailed and easier to sort out because sorting in Klocwork could be a bit more time-consuming, mainly when sorting defects based on filters, compared to how it's done on other tools such as Coverity. What I'd like added in the next release of Klocwork is the peer code review Cahoots which used to be a part of Klocwork, and the architecture analysis and both have been taken out of Klocwork. I found the two critical for specific deployments, so if those can be brought back to Klocwork, that would be very good.
Sajal Sharma - PeerSpot reviewer
Offers shift-left security strategy and helps us with the latest security configurations, OWASP standards, and SAST standards
It's robustness is the main benefit to the organization. As it gets upgraded with time, it also improves the coverage – security configuration coverages and vulnerability coverages. It also updates itself with the latest known vulnerabilities that are uploaded to the NVD, OWASP, or other databases. So it gets upgraded itself with that. And so with each upgrade, it gets better and better. The solution offers the ability to prevent vulnerable code from going into production. It provides us with a report containing multiple remediations and mitigations for each vulnerability. For example, if it finds a cross-site scripting vulnerability, it will also include references like CWE and CVE records, instructions on how to fix it, and the specific line of code or module where the vulnerability is present. This helps us fix the issues accordingly. I'm a penetration tester and DevSecOps engineer. I evaluate the findings, mark false positives, and manually exploit vulnerabilities if they exist. If we need further clarification, we raise a ticket with the Veracode team and get consultancy from them. We are a software development team. If we find a vulnerability, I exploit it and come back with the best possible mitigation, and the dev team fixes it. If we use Veracode Fix, it might use third-party implementations or make changes we aren't aware of. We need to be very aware of what our application is using internally. It should be known to us. As per my experience, the solution's policy reporting ensures compliance with industry standards. It comes with multiple features. I get the most out of it, and it's good. The solution provides visibility into application status at every phase of development. Like static analysis, dynamic analysis, software composition, and manual penetration tests - throughout the SDLC We have a pipeline that I maintain. I use the Veracode API account and have integrated it with AWS and our Jenkins pipeline. We use Snyk for SCA and Veracode for SAST scanning. At the earliest stage of the build, the SAST scan runs along with the JS and PHP files. It provides us with reports, which are then handed over to the other tools we depend on. If I validate the report or check the Veracode dashboard and find vulnerabilities, I mark them as false positives or existing issues. We work on multiple projects, but the one I'm handling these days only uses Veracode for SAST. It's been about one and a half years since I've been working with Veracode and this project. It is quite impressive. There are some things Veracode cannot find, like code obfuscations inside the code and some insecure randoms. Sometimes, it misses those flaws. But overall, if I compare it with other tools, it is better. I will definitely recommend others to use this tool. We run the scan before each deployment. If the dev team builds a new module or something, we scan it along with all the files. If we find anything, we get it fixed. That's how it works. Veracode is quite important to the organization's shift-left security strategy because we make a scan for each deployment. Sometimes, if I think we need to perform a shift-left, I just make a scan before deployment and check for any misconfiguration or vulnerability in the code.
report
Use our free recommendation engine to learn which Application Security Tools solutions are best for your needs.
861,481 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Manufacturing Company
25%
Computer Software Company
12%
Educational Organization
10%
Comms Service Provider
5%
Computer Software Company
16%
Financial Services Firm
16%
Manufacturing Company
8%
Insurance Company
7%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
 

Questions from the Community

What do you like most about Klocwork?
It's integrated into our CI, continuous integration.
What is your experience regarding pricing and costs for Klocwork?
Klocwork's pricing seems attractive, as it uses a per-user license model that does not have a lot of overhead.
What needs improvement with Klocwork?
One area for improvement is that when customers use different static analysis tools, they report more issues compared to Klocwork. The static analysis engine of Klocwork has areas that need improve...
Which gives you more for your money - SonarQube or Veracode?
SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use...
What do you like most about Veracode?
The SAST and DAST modules are great.
What is your experience regarding pricing and costs for Veracode?
The product’s price is a bit higher compared to other solutions. However, the tool provides good vulnerability and database features. It is worth the money.
 

Comparisons

 

Also Known As

No data available
Crashtest Security , Veracode Detect
 

Overview

 

Sample Customers

ACCESS Co Ltd, Risk-AI, Winbond Electronics, Bristol-Myers Squibb Pharmaceutical Research Institute, University of Southern California, Alebra Technologies, SIMULIA, Risk Management Solutions, Brigham Young University, SRD, HRL
Manhattan Associates, Azalea Health, Sabre, QAD, Floor & Decor, Prophecy International, SchoolCNXT, Keap, Rekner, Cox Automotive, Automation Anywhere, State of Missouri and others.
Find out what your peers are saying about Klocwork vs. Veracode and other solutions. Updated: July 2025.
861,481 professionals have used our research since 2012.