No more typing reviews! Try our Samantha, our new voice AI agent.

StackHawk vs Veracode comparison

 

Comparison Buyer's Guide

Executive Summary

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Categories and Ranking

StackHawk
Ranking in Dynamic Application Security Testing (DAST)
10th
Average Rating
7.6
Reviews Sentiment
4.6
Number of Reviews
2
Ranking in other categories
No ranking in other categories
Veracode
Ranking in Dynamic Application Security Testing (DAST)
1st
Average Rating
8.0
Reviews Sentiment
6.9
Number of Reviews
208
Ranking in other categories
Application Security Tools (3rd), Static Application Security Testing (SAST) (3rd), Container Security (12th), Software Composition Analysis (SCA) (1st), Static Code Analysis (1st), Application Security Posture Management (ASPM) (1st)
 

Mindshare comparison

As of July 2026, in the Dynamic Application Security Testing (DAST) category, the mindshare of StackHawk is 1.7%, up from 0.8% compared to the previous year. The mindshare of Veracode is 14.5%, down from 26.5% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Dynamic Application Security Testing (DAST) Mindshare Distribution
ProductMindshare (%)
Veracode14.5%
StackHawk1.7%
Other83.8%
Dynamic Application Security Testing (DAST)
 

Featured Reviews

Ney Roman - PeerSpot reviewer
DevOps Engineer at Deuna
Vulnerability visibility has improved across microservices but integration still needs refinement
StackHawk can be improved in the way that it is integrated, as at the very beginning, the idea was to, within the pipeline, mount the different resources that our microservices needed to start to run. For example, if we have a service that needed Redis, maybe Kafka, or a database to initialize, we did need to have a Docker Compose file, get up those services, and after that, do the analysis. It didn't have that; it wasn't reachable at the very beginning and it wasn't that good as we expected. But at some point, we decided to mount it as an agent in the Docker file, and it was waiting for new jobs. It was even better, and when we figured out how to integrate it within our EKS cluster, suddenly we started reaching to the services, knowing what was going on, and everything related to security. As long as we have a P2T to our QA site or cluster, we do not have garbage in our databases, but StackHawk does put a little information, a garbage information, doing their job. That's the main area I'm focusing on right now regarding needed improvements.
reviewer2753535 - PeerSpot reviewer
DevSecOps Engineer at a tech services company with 1,001-5,000 employees
Integrates security into the development process and improves team collaboration
Veracode helps organizations develop software by reducing the risk of security vulnerabilities through developer enablement and applications focused on governance. You can utilize different levels of processes to achieve better performance or a more scalable service. Since I started working with it in 2022, I’ve found it to be cost-effective as well. Overall, Veracode is a user-friendly security tool. It includes features such as Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Software Composition Analysis (SCA). During the development phase, we can identify vulnerabilities in the application. This process occurs in the staging environment during development. When we're ready to go to production, we conduct a final check. Essentially, this tool helps identify vulnerabilities during the code development stage, including both high-level vulnerabilities and those related to open-source software composition. We utilize specific methodologies for this purpose. Additionally, it offers a feature that allows us to set up policies based on client requirements. This means we can customize the tool to meet the specific needs of our clients, ensuring that they receive the appropriate level of security in their applications. Veracode is user-friendly as well. Compared to other tools, their scans take 15 minutes or under. If you have a large scale of libraries or data, it might take longer, but based on my personal experience, the scan usually runs within fifteen minutes. For my case study using the Veracode tool, I worked on an internal project following industry standards. We used Veracode to improve our security posture and speed up the time to market by streamlining the development process. This enhanced collaboration between developers, operations, and security teams. The automated scanning process helped identify and fix vulnerabilities earlier in the development process. We maintained compliance with regulatory requirements, avoided fines, and built customer trust by integrating security into the development process. When we conduct this scan, we receive data on a list of vulnerabilities. This information improved our communication and increased transparency, which leads to better reports about the efforts being put in. This results in a more effective and efficient collaboration process, making it user-friendly for all involved. When considering costs, if we resort to manual processes, it can be time-consuming. Therefore, we utilize automated scans to identify and fix security issues. This allows us to address vulnerabilities early in the development process, as we discussed previously. This applies both to our in-house code and third-party libraries, using Software Composition Analysis (SCA) agent-based scans. In the future, we will also implement SCA agent-based scans as a separate feature within Veracode, which can help organizations avoid the expensive and time-consuming consequences of security issues. Furthermore, we have seen an increase in compliance, helping to maintain adherence to regulatory requirements and industry standards, thereby avoiding fines and reputational damage associated with noncompliance. Additionally, by integrating security into the development process, we enhance customer trust in our organization and its products.

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"StackHawk has positively impacted my organization by introducing an automated process that did not exist previously, and it helped the company achieve PCI certification."
"StackHawk has positively impacted my organization by giving us a new vision of how vulnerabilities were seen, as we now have more visibility in that matter."
"The time savings has been tremendous. We saw ROI in the first six months."
"The most valuable feature is the dynamic application security testing."
"By using Veracode, the code is secure, and there are no issues that will stop the release later on in the SDLC."
"They also have what's called a Software Composition Analysis that can point out errors and fixes for third-party software frameworks, which is very nice."
"Static Scanning is the most valuable feature of Veracode."
"In terms of application security best practices and guidance to our teams, their engineering staff is really excellent. They provide our developers with suggestions and they take those to heart. They've learned from the recommended remediation strategies provided by the Veracode security engineers. That makes all of their future code better."
"The article scanning is excellent, the composition analysis and common CBEs attached to it are quite good, and the solution offers a lot of really great analysis with lots of good data support."
"The coding standards in our development group have improved. From scanning our code we've learned the patterns and techniques to make our code more secure. An example would be SQL injection. We have mitigated all the SQL injection in our applications."
 

Cons

"On a scale of one to ten, I would rate StackHawk an eight, only because I wish the product was a little less expensive."
"StackHawk can be improved in the way that it is integrated, as at the very beginning, the idea was to, within the pipeline, mount the different resources that our microservices needed to start to run."
"The zip file scanning has room for improvement."
"The interface is one thing I find a little challenging. Veracode's interface feels a little outdated compared to other solutions, and it could be modernized. I'm mostly happy with the features, but Vercaode could add Docker image scanning."
"There is room for improvement in documentation."
"Sometimes the scans are not done quickly, but the solutions that it provides are really good. The quality is high, but the analysis is not done extremely quickly."
"When we engaged Veracode to conduct the manual penetration testing, they were extremely slow in completing the task and delivering the report, causing a delay of two to three weeks for us."
"Another thing I need is continued support for the new languages today that are popular. Most of them are scripting languages more so than real, fourth-generation, commercial grade stuff; we're evolving. Most applications are using so much open-source that, quite frankly, it would be great to see Veracode, or anybody else, extend their platform to where they are able to help secure open-source platforms or repositories."
"Calypso (our application) is large and the results take up to two months. Further, we also have to package Calypso in a special manner to meet size guidelines."
"I do expect large applications with millions of lines of code to take a while, but it would be nice if there was a possibility to be able to have a baseline initial scan. I know that Veracode touts that there are Pipeline Scans that are supposed to take 90 seconds or less, and we've tried to do that ourselves with our ERP application. However, it actually times out after two hours of scanning. If the static scan itself or another option to run a lower tier scan can be integrated earlier on into our SDLC, it would be great. Right now, it takes so long that we usually leave it till a bit later in the cycle, whereas if it ran faster, we could push it to the time when a developer will be checking in code. That would make us feel a lot more confident that we'd be able to catch things almost instantaneously."
 

Pricing and Cost Advice

Information not available
"Regarding licensing, pay very close attention to what applications you're going to need to do dynamic scanning for, versus static. Right now, the way the licensing is set up, if you don't have any static elements for a website, you can certainly avoid some costs by doing more dynamic licenses. You need to pay very close attention to that, because if you find out later that you have static code elements - like Java scripts, etc. - that you want to have scanned statically, having the two licenses bundled together will actually save you money."
"The pricing is reasonable compared to other tools."
"I wouldn't really recommend Veracode for a small firm, because it might be a little pricey for them. But for a large organization, with more than 1,000 applications in the enterprise, there are tiered levels of pricing."
"It's very expensive, especially when you are a very small organization. If you're using Veracode at an individual level, for example, you're a developer or you run agents, the pricing might not affect you, but if you're using it at a company level to troubleshoot security issues, the pricing is not quite favorable. It may affect ROI."
"The pricing of the product depends upon the number of codes or the number of applications."
"It can be expensive to do this, so I would just make sure that you're getting the proper number of licenses. Do your analysis. Make sure you know exactly what it is you need, going in."
"The product’s price is a bit higher compared to other solutions."
"The pricing is fair. You get a lot out of the product."
report
Use our free recommendation engine to learn which Dynamic Application Security Testing (DAST) solutions are best for your needs.
902,894 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
No data available
Financial Services Firm
16%
Manufacturing Company
11%
Computer Software Company
9%
Construction Company
6%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
No data available
By reviewers
Company SizeCount
Small Business69
Midsize Enterprise46
Large Enterprise114
 

Questions from the Community

What needs improvement with StackHawk?
I cannot think of anything I would add to StackHawk, with the possible exception of adding any additional code bases that might be out there. I am thinking about a situation where a company might b...
What is your primary use case for StackHawk?
My main use case for StackHawk is primarily as a PCI requirement for DAST. As a quick specific example of how I use StackHawk for that PCI requirement, it is one of the controls that sits alongside...
What advice do you have for others considering StackHawk?
StackHawk is deployed in my organization in the public cloud using the configuration on their site. I use AWS as my cloud provider. I rate this product an eight out of ten.
Which gives you more for your money - SonarQube or Veracode?
SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use...
What is the biggest difference between Veracode and Checkmarx?
According to my experience of using both the tools in different organizations Veracode is a Cloud-native, managed AppSec platform with strong focus on ease of use, it is SaaS delivery, and provide...
What is your experience regarding pricing and costs for Veracode Static Analysis?
My experience with pricing, setup cost, and licensing for Veracode is that it is fairly moderate.
 

Comparisons

 

Also Known As

No data available
Crashtest Security , Veracode Detect
 

Overview

 

Sample Customers

Information Not Available
Manhattan Associates, Azalea Health, Sabre, QAD, Floor & Decor, Prophecy International, SchoolCNXT, Keap, Rekner, Cox Automotive, Automation Anywhere, State of Missouri and others.
Find out what your peers are saying about StackHawk vs. Veracode and other solutions. Updated: June 2026.
902,894 professionals have used our research since 2012.