Software Risk Manager ASPM vs Veracode comparison

Black Duck and Veracode are both solutions in the Static Application Security Testing (SAST) category. Black Duck is ranked #32, while Veracode is ranked #2 with an average rating of 8.1. Additionally, 90% of Veracode users are willing to recommend the solution.

Comparison Buyer's Guide

Download the report

Executive SummaryUpdated on Dec 21, 2025

Veracode and Software Risk Manager ASPM are competing in the application security domain. Software Risk Manager ASPM holds an edge due to its advanced capabilities.

Features: Veracode includes static analysis, dynamic scanning, and software composition analysis, offering comprehensive protection. Software Risk Manager ASPM integrates vulnerability management with predictive risk scoring and focuses on actionable insights.

Ease of Deployment and Customer Service: Veracode features a streamlined SaaS deployment with effective customer support for smooth onboarding. Software Risk Manager ASPM provides flexible cloud and on-premise deployment options with responsive support for diverse infrastructure needs.

Pricing and ROI: Veracode's competitive pricing and high ROI offer cost-effective security solutions. Software Risk Manager ASPM may have higher setup costs but provides significant ROI through advanced features and risk management capabilities, appealing to companies prioritizing comprehensive security over initial cost savings.

To learn more, read our detailed Static Application Security Testing (SAST) Report (Updated: November 2025).

Buyer's Guide

Static Application Security Testing (SAST)

November 2025

Download the complete report

Helped 879,259 peers since 2012

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Categories and Ranking

Cortex Cloud by Palo Alto N...

Featured Reviews

Nuno-Santos

Cybersecurity Analyst at a tech services company with 11-50 employees

Has improved real-time threat detection and unified cloud protection through AI and automation

Cortex Cloud by Palo Alto Networks is creating some confusion in terms of names because this is recent. They changed the names of the products and are now clarifying their offer. The family of the products is not easy to follow because it's very recent. Regarding the generative AI security tool, I know for sure it's Agentic. Based on my experience with Palo Alto, I can suggest what Cortex Cloud by Palo Alto Networks could make better or what additional functions could be added. This is the best tool in the market. It's not the time to tell what they could do better because it's a recent tool. The market is now adopting it. Our experience doesn't show that they need to do more.

Read full review

Saravanan_Radhakrishnan

Senior Manager at Happiest Minds Technologies

Facilitates continuous assessment of applications, covering both static and dynamic security aspects

Code Dx lacks one aspect, the dynamic security part, known as DAST. It's not an on-premise solution; it's in the cloud now. There are compliance standards and data standards where the customer might need to have the data on-premises for dynamic security testing. So that is one shortfall. An area of improvement could be developing an on-premise DAST solution. The current one is a complete cloud-based solution, and that can be one of the areas of improvement.

Read full review

reviewer2703864

Head of Security Architecture at a healthcare company with 5,001-10,000 employees

Onboarding developers successfully while improving code security through IDE integration

Regarding room for improvement, we have some problems when onboarding new projects because the build process has to be done in a certain way, as Veracode analyzes the binaries and not the code by itself alone. If the process is not configured correctly, it doesn't work. That's one of the things that we are discussing with Veracode. Something positive that we've been able to do is submit formal feature requests to them, and they are working on them; they've already solved some of them. This encourages us to propose new ideas and improvements. Another improvement that we asked for this use case is to be able to configure how Veracode Fix proposes and fixes because sometimes it makes proposals using libraries that go against our architecture design made by the enterprise architecture team. For example, we want them to propose using another library, and that's something we already asked Veracode, and they are working on it. We want to specify when you see this kind of vulnerability, you can only propose these two options.

Read full review

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Pros

"Overall, Cortex Cloud by Palo Alto Networks is a technically strong product, and I rate it ten out of ten."

"The AI and automation features in detecting and responding to high-risk threats are impressive; it's one of the best tools regarding AI technology and unifies security in one platform in real-time, improving vulnerability analysis, incident response, and compliance reporting."

"I have seen several benefits from using Cortex Cloud by Palo Alto Networks: It was easy to use and easy to migrate from the IBM platform."

"The customers were looking for something around static security and dynamic security, and in all those areas, they were looking for an industry leader with a proven solution. Synopsys is a Gartner leader, so I position this particular technology for the technical pre-sales part of it."

"Provides the ability to understand the black zones in our system."

"Veracode is a cloud-based platform, where they manage all the back-end, and they do a lot of analysis during the scans, and they do a lot of post-scan reconciliation."

"The platform itself has a lot of AppSec best practices information, especially in the mitigation recommendation process."

"We are using the Veracode tools to expose the engineers to the security vulnerabilities that were introduced with the new features, i.e. a lot faster or sooner in the development life cycle."

"Using an automated tool brings cost reduction and more security."

"It gives me an idea about the most important vulnerabilities and fast remediation tips."

"The one thing we really liked about Veracode when we got it was the consultation calls; that our developers are able to schedule them on their own, instead of going to a "gatekeeper." They upload their code, they have questions, they schedule it, they speak with someone on the other side who is an expert, they can speak developer-to-developers."

"Stable and scalable, with good reporting features. Helps in detecting and managing vulnerabilities and risks."

More Veracode pros

Cons

"Overall, I rate Cortex Cloud by Palo Alto Networks as an eight out of ten. I think that it could improve on price, as I know that the Google solution has the best price, and this is one of the conditions."

"Some aspects of the GUI can be confusing and make it difficult for me to find certain options or navigate where needed."

"Cortex Cloud by Palo Alto Networks is creating some confusion in terms of names because this is recent."

"The initial setup is a bit challenging because things are not easy. It needs a lot of technology adaptability plus the customer's environment-specific use cases."

"The security labs integration has room for improvement."

"We tried to create an automatic scanning process for Veracode and integrate it into our billing process, but it was easier to adopt it to repositories based on GIT. Until now, our source control repository was Azure DevOps Server (Microsoft TFS) to managing our resources. This was not something that they supported. It took us some sessions together before we successfully implemented it."

"It can have more APIs and capabilities to handle other things well. We were doing a trial for it. There were two things that I looked at: one was uploading some Java-related content and the other was uploading database SQL files and having the review done on the quarterback. The Java portion of it worked fine, and it was pretty seamless, but the database portion was not. We uploaded some files to use for vulnerabilities, and the tell-all portion of it was pretty easy. We uploaded a war file and Java files, and we got the reports back on these. They were pretty clear to understand. We did the same thing for the database portion for the most part. However, the content wasn't getting uploaded in a predictable fashion, and it was slow and hard to get done. We had to do it over and over. After it indicated that the content was uploaded, there were no results. There were zero search findings. It was possibly a user error, something that we didn't do correctly, but they had acknowledged that it was something they were currently enhancing. This is something that could be made easier if they haven't already done that. I don't know how many releases they've had in that timeframe. I haven't looked at it since then. It was a trial period."

"Improvements can be made to Veracode, particularly in terms of process. If it could be integrated directly with code repositories such as Bitbucket or GitHub, without the need to create a pipeline to upload and decode code, it would simplify the code scan process significantly."

"The static scans on Java lack microservices architecture scanning. We have developed an in-house pattern for this and the scans can't take care of it as a single entity."

"There is room for improvement in documentation."

"We get some false positives with JavaScript languages like React, TypeScript, and Angular. The problem is rooted in the build process of JavaScript, not the code we are using. This is something we spend lots of time trying to resolve. When we point to a specific library and review that on the code, we can see it is a part of the build that isn't going into production. It's only a part of the build because JavaScript has a different build process."

"False positives are a problem. Sometimes the flow paths are not accurate and don't represent real attack vectors, but this happens with every application that performs static analysis of the code. But it's under control. The number of false positives is not so high that it is unmanageable on our side."

More Veracode cons

Pricing and Cost Advice

Information not available

"It is more of an enterprise solution for budget-conscious customers. So, it's moderately priced. It's not for everybody."

"It's too expensive for the European market. That is why, in a big bank with 400 applications, we are able to use it only for 10 of them. But the other solutions are also expensive, so it wasn't a differentiator."

"Veracode's price is high. I would like them to better optimize their pricing."

"Pricing/licensing is complicated."

"Veracode provides value for the cost, with no additional charges apart from the standard licensing fee."

"The price of Veracode Static Analysis could improve."

"No issues, the pricing seems reasonable."

"The price of Veracode Static Analysis is expensive. There is an annual fee to use the solution and the company is upfront with the pricing model and fees."

"The pricing is a bit high."

More Veracode pricing and cost advice

See which vendors are best for you

Use our free recommendation engine to learn which Static Application Security Testing (SAST) solutions are best for your needs.

See recommendations

879,259 professionals have used our research since 2012.

Top Industries

By visitors reading reviews

Performing Arts

11%

Financial Services Firm

Manufacturing Company

Computer Software Company

Financial Services Firm

18%

Manufacturing Company

10%

Government

Computer Software Company

Financial Services Firm

17%

Computer Software Company

14%

Manufacturing Company

10%

Government

Company Size

By reviewers

Large Enterprise

Midsize Enterprise

Small Business

No data available

By reviewers
Company Size	Count
Small Business	70
Midsize Enterprise	44
Large Enterprise	113

Questions from the Community

What is your experience regarding pricing and costs for Cortex Cloud by Palo Alto Networks?

The solution is costly, with high-end capabilities suitable for enterprises. It is less affordable for startups or sm...

See all answers

What needs improvement with Cortex Cloud by Palo Alto Networks?

There are areas that could be improved from Palo Alto's side. I think that we need to start using the AI module becau...

See all answers

What is your primary use case for Cortex Cloud by Palo Alto Networks?

Our main use cases involve working with QRadar, which is the IBM solution. We are now starting to migrate customers t...

See all answers

Ask a question

Earn 20 points

Which gives you more for your money - SonarQube or Veracode?

SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. Son...

See all answers

What do you like most about Veracode Static Analysis?

I like its integration with GitHub. I like using it from GitHub. I can use the GitHub URL and find out the vulnerabil...

See all answers

What is your experience regarding pricing and costs for Veracode Static Analysis?

My experience with pricing, setup cost, and licensing for Veracode is that it is fairly moderate.

See all answers

Comparisons

Prisma Cloud by Palo Alto Networks vs Cortex Cloud by Palo Alto Networks

Compared 22% of the time

Wiz vs Cortex Cloud by Palo Alto Networks

Compared 19% of the time

Microsoft Defender for Cloud vs Cortex Cloud by Palo Alto Networks

Compared 10% of the time

SentinelOne Singularity Cloud Security vs Cortex Cloud by Palo Alto Networks

Compared 7% of the time

AWS GuardDuty vs Cortex Cloud by Palo Alto Networks

Compared 6% of the time

More Cortex Cloud by Palo Alto Networks Competitors

PortSwigger Burp Suite Professional vs Software Risk Manager ASPM

Compared 22% of the time

Snyk vs Software Risk Manager ASPM

Compared 13% of the time

SonarQube vs Software Risk Manager ASPM

Compared 11% of the time

Polaris Platform vs Software Risk Manager ASPM

Compared 11% of the time

Acunetix vs Software Risk Manager ASPM

Compared 8% of the time

More Software Risk Manager ASPM Competitors

SonarQube vs Veracode

Compared 14% of the time

Checkmarx One vs Veracode

Compared 8% of the time

GitHub Advanced Security vs Veracode

Compared 6% of the time

OWASP Zap vs Veracode

Compared 4% of the time

Coverity Static vs Veracode

Compared 4% of the time

More Veracode Competitors

Product Reports

Buyer's Guide

Cloud Detection and Response (CDR)

December 2025

Cortex Cloud by Palo Alto Networks report

Download Cortex Cloud by Palo Alto Networks product report

Buyer's Guide

Application Security Posture Management (ASPM)

November 2025

Download Software Risk Manager ASPM product report

Buyer's Guide

Veracode

December 2025

Download Veracode product report

Also Known As

No data available

Code Dx

Crashtest Security , Veracode Detect

Overview

Cortex Cloud by Palo Alto Networks provides comprehensive cybersecurity management, focusing on enhancing security operations with advanced automation and threat intelligence, addressing complex security challenges efficiently.

Cortex Cloud by Palo Alto Networks integrates cloud-scale data analytics and automation to streamline security operations, enabling faster threat detection and response. It leverages AI and machine learning to provide real-time threat intelligence and automate routine tasks, reducing the burden on security teams. Users benefit from improved visibility across networks and greater operational efficiency, making it crucial for enterprises aiming to secure their digital assets against evolving cyber threats.

What are the key features of Cortex Cloud by Palo Alto Networks?

Automated Threat Detection: Identifies and mitigates threats in real-time using AI algorithms.
Advanced Analytics: Provides in-depth data insights for proactive threat prevention.
Incident Management: Streamlines incident response with automated workflows.
Scalable Architecture: Offers flexibility to grow with organizational needs.

What benefits or ROI should you expect from Cortex Cloud by Palo Alto Networks reviews?

Increased Efficiency: Automation reduces manual efforts in threat management.
Enhanced Security Posture: Improved visibility leads to better threat preparedness.
Cost Savings: Minimizes expenses related to manual threat detection and response.
Scalability: Grows with the organization, reducing the need for constant upgrades.

Cortex Cloud by Palo Alto Networks is favored in sectors like finance, healthcare, and telecommunications, where data security is paramount. Its ability to integrate with existing infrastructure and provide real-time insights makes it a preferred choice for securing sensitive information and ensuring compliance within industry regulations.

Palo Alto Networks

Software Risk Manager is an application security posture management (ASPM) solution that enables security and development teams to manage their application security programs at enterprise scale. By unifying policy, test orchestration, correlation, prioritization, and built-in static application security testing (SAST) and software composition analysis (SCA) engines, organizations can streamline their security activities across the enterprise.

Black Duck

Veracode is a leading provider of application security solutions, offering tools to identify, mitigate, and prevent vulnerabilities across the software development lifecycle. Its cloud-based platform integrates security into DevOps workflows, helping organizations ensure that their code remains secure and compliant with industry standards.

Veracode supports multiple application security testing types, including static analysis (SAST), dynamic analysis (DAST), software composition analysis (SCA), and manual penetration testing. These tools are designed to help developers detect vulnerabilities early in development while maintaining speed in deployment. Veracode also emphasizes scalability, offering features for enterprises that manage a large number of applications across different teams. Its robust reporting and analytics capabilities allow organizations to continuously monitor their security posture and track progress toward remediation.

What are the key features of Veracode?

Static Analysis (SAST) - Scans source code for vulnerabilities before deployment.
Dynamic Analysis (DAST) - Examines applications in a running state to detect flaws in real-time.
Software Composition Analysis (SCA) - Identifies risks in open-source libraries and third-party components.
Manual Penetration Testing - Offers expert analysis for more complex vulnerabilities.
Integrations with DevOps tools - Seamlessly integrates with CI/CD pipelines for automated security checks.

What benefits should users consider in Veracode reviews?

Early detection of vulnerabilities - Helps developers fix security issues early in the development process.
Scalability - Supports organizations with large-scale application portfolios.
Compliance support - Ensures applications meet various security standards and regulations.
Developer training - Provides tools for educating developers on secure coding practices.
Comprehensive reporting - Offers detailed reports that track remediation and risk trends.

Veracode is widely adopted in industries like finance, healthcare, and government, where compliance and security are critical. It helps these organizations maintain strict security standards while enabling rapid development through its integration with Agile and DevOps methodologies.

Veracode helps businesses secure their applications efficiently, ensuring they can deliver safe and compliant software at scale.

Veracode

Sample Customers

Information Not Available

Discover why companies like: CGI said, "Synopsys and Software Risk Manager have provided the results we’re looking for".

Manhattan Associates, Azalea Health, Sabre, QAD, Floor & Decor, Prophecy International, SchoolCNXT, Keap, Rekner, Cox Automotive, Automation Anywhere, State of Missouri and others.

Buyer's Guide

Static Application Security Testing (SAST)

November 2025

Download Free Report

Find out what your peers are saying about SonarSource Sàrl, Veracode, Checkmarx and others in Static Application Security Testing (SAST). Updated: November 2025.

DOWNLOAD NOW

879,259 professionals have used our research since 2012.

See our list of best Static Application Security Testing (SAST) vendors, best Software Composition Analysis (SCA) vendors, and best Application Security Posture Management (ASPM) vendors.

We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.