Find out in this report how the two Static Application Security Testing (SAST) solutions compare in terms of features, pricing, service and support, ease of deployment, and ROI.
This can be translated to being able to do the same amount of work with fewer technicians.
Tasks that previously took days are completed in significantly less time.
I can say it saves us time related to coding and also saves money, making it a very reliable tool for our organization with great features.
They have various options in the vulnerability management process, and when we initially bought our license, we didn't realize we needed PCI for better results, which isn't included in the default configurations.
Once we purchase the license, we have access to top-notch support.
I have dealt with Qualys's technical support, and any enhancements are challenging.
Their documentation and community are very active, so most of the time when problems occur, I get a solution.
Customer support and services for Semgrep are very reliable and good.
Customer support is really good and there is also strong community support.
My concern remains the lack of deep dive analysis and that it produces similar vulnerability results as other tools such as Nessus based on version checks instead of real impact checks.
It is licensed for assets, so we just contact the team for additional licenses if needed.
At one point, there was a limitation on reporting for 100,000 assets at a time.
I was able to control it from 10 repositories or 10 services to thousands of repositories in a couple of minutes very simply.
This is an open-source tool, so it absolutely does the job, but if you were to implement a tool such as this in an enterprise, this would probably not be scalable.
Semgrep makes it easy to integrate and grow within any environment without concern for crashes.
If there is no master branch or default branch, the tool fails to identify it and will never scan it unless somebody manually looks into it and fixes the issue.
Since I have been using it, I have not experienced any downtime.
With the growing reliance on AI, Qualys Web Application Scanning should be updated to handle AI-based applications and LLM-based attacks.
Qualys Web Application Scanning does IP-level testing, requiring direct input of credentials, and can only scan a few pages to provide known generic vulnerabilities.
I would like it to be cheaper because it is a bit expensive compared to competitors like Tenable Nessus.
The UI and additional dashboarding and other details would definitely make the tool more user-friendly and more of a candidate to be implemented in an enterprise.
Currently, they are working on identifying business logic vulnerabilities or privilege escalation vulnerabilities by looking at the code, and they should continue to focus on and improve this effort.
More advanced dependency analysis features in the SCA part and deeper vulnerability databases would be beneficial.
They offer discounts on bulk licenses, making it cheaper compared to competitors like Veracode DAST.
I find it a bit expensive compared to other competitors.
Regarding pricing, I think for personal use, it is costly, but if organizations are ready to pay, then it is fine as they are using it.
It is basically open-source, so the cost to set up is no cost.
It offers very reasonable pricing and costs.
It effectively detects vulnerabilities like the OWASP Top 10 without any issues in reporting.
Credential scanning is very effective because it goes in-depth into the system, crawling the pages, and reporting on vulnerabilities.
Qualys Web Application Scanning is accurate and provides minimal false positives.
When you triage with AI, it gathers context around the finding and reduces the noise about 80 to 90 percent of the time, asking you to focus only on findings that really matter.
The Software Composition Analysis is the most valuable feature in Semgrep.
The best feature of Semgrep is its ability to highlight high priority issues during scanning, making it critical for developers to address these vulnerabilities promptly.
| Product | Mindshare (%) |
|---|---|
| Semgrep | 2.3% |
| Qualys Web Application Scanning | 1.9% |
| Other | 95.8% |
| Company Size | Count |
|---|---|
| Small Business | 8 |
| Midsize Enterprise | 6 |
| Large Enterprise | 27 |

| Company Size | Count |
|---|---|
| Small Business | 4 |
| Large Enterprise | 3 |
Qualys Web Application Scanning offers advanced vulnerability management, progressive scheduling, and seamless integration with DevOps environments. Its user-friendly design enables enterprises to enhance security with comprehensive scanning and detailed forensic insights.
Qualys Web Application Scanning addresses enterprise-level security challenges by providing robust solutions for vulnerability management, penetration testing, and compliance checks. While easing the navigation process, it supports risk mitigation with precise risk ratings, minimal false positives, and detailed reporting. However, it faces challenges with its complex interface, authenticated scanning, and automation features. Integrating smoothly with CI/CD pipelines, it is suitable for continuous and automated scanning, adapting to diverse company requirements.
What are the standout features of Qualys Web Application Scanning?

Organizations across sectors like education, banking, and international data centers leverage Qualys Web Application Scanning for conducting penetration testing, scanning web applications, and managing vulnerabilities. It aids in audit security and compliance, identifying threats, and generating user-friendly reports, making it a valuable asset for maintaining strong security postures.
Semgrep is an advanced static analysis tool designed to identify vulnerabilities and enforce coding standards, catering primarily to professionals with a focus on enhancing code security and quality.
Engineered for software development environments, Semgrep delivers efficient security feedback with minimal setup. By offering a rich collection of rule sets, it allows customization and integration into CI/CD pipelines, supporting continuous code examination. Semgrep not only uncovers hidden flaws but also enforces best practices, making it a valuable asset for development teams seeking to build secure and reliable software.
What are the most important features of Semgrep?

In industry applications, Semgrep is a popular choice for sectors such as finance and healthcare, where code integrity and security are paramount. Its integration capabilities allow for effective oversight of compliance and secure coding standards without disrupting existing workflows. This adaptability ensures it meets sector-specific requirements, making it a trusted tool in fields where data privacy and protection are critical.