Julia Frohwein - PeerSpot reviewer
Senior Director of Delivery at PeerSpot (formerly IT Central Station)

What is your experience regarding pricing and costs for Veracode?

Hi Everyone,

What is your experience regarding pricing and costs for Veracode?

Thanks for sharing your thoughts with the community!

42 Answers
Karen Meohas - PeerSpot reviewer
Information Assurance Manager at xMatters
Real User
Top 10
08 November 20

Veracode is expensive. Some of its products are expensive. I don't think it's way more expensive than its competitors. The dynamic is definitely worth it, as I think it's cheaper than the competitors. The static scan is a little bit more expensive, around 20 percent more expensive. The manual pen test is more expensive, but it is an expensive service because it's a manual pen test and we also do retests. I don't think it is way more expensive than the competitors, but it's about 15 to 20 percent more expensive. There is also a fee for the support package, which I think is extremely expensive. We used to have the premium support and we didn't use most of it, so we're downgrading to the basic support, and even the basic support is expensive.

Prateek Agarwal - PeerSpot reviewer
Manager at NISG
Real User
Top 5 Leaderboard
23 August 22

It is quite good. If you adapt it for the whole organization, it is quite affordable. The pricing plans are good as compared to the other competitors, and any small, medium, or big company can easily adopt Veracode. Its cost includes deployment, training, and support for one year. Security is a major concern for any organization. The developers do hard work in developing code, but if that code has some security flaws, it would be a challenge for any organization.

David Jellison - PeerSpot reviewer
Senior Director, Quality Engineering at Everbridge
Real User
Top 20
06 June 22

Veracode recently introduced some pricing based on microservices. This model gives us a lot of flexibility in being able to add and remove microservices and scale them that way. The pricing is solid. I think the current consolidated pricing that we have is pretty consistent every year.

Ajit Matthew - PeerSpot reviewer
Sr. Partner IT and Information Security at TheMathCompany
Real User
27 April 22

The pricing is a little on the high side but since we combine our product into one suite, it is easy to do and works well for us. It's an expensive product but we are paying for quality.

Sr. VP Engineering at a tech vendor with 51-200 employees
Real User
Top 20
28 October 21

I was impressed with the pricing we got from Veracode. I was able to make it work very well within our budget.

Nachu Subramanian - PeerSpot reviewer
Automation Practice Leader at a financial services firm with 10,001+ employees
Real User
Top 5
23 August 21

Veracode is very, very expensive, one of the most expensive security scanning tools available. We pay an annual license fee that is over $1 million.

Senior Project Manager at a computer software company with 501-1,000 employees
Real User
06 April 21

I don't have enough information to be able to comment on the cost of licensing the product. That's more of a sales question. I don't handle any aspect of that part of the solution.

Founder & CEO at a healthcare company with 1-10 employees
Real User
Top 5 Leaderboard
17 February 21

The pricing for qualified startups such as Neo4j could be improved. It allows startups to develop a secure product, but it takes time for startups to get money for the products. Veracode could provide the services, at a significantly lower price during that period with a condition that the moment that it becomes production, Veracode has to be paid. If they would change that, it would be phenomenal for the entire industry and for them. Licensing cost is on a yearly basis and there are no additional costs, the pricing is straightforward.

Mauro Verderosa - PeerSpot reviewer
Cybersecurity Expert at PSYND
Real User
Top 10
19 November 20

The pricing is quite standard. It's not cheaper, it's not more expensive.

Deepak Naik - PeerSpot reviewer
Product Owner - DevOps at Digite
Real User
Top 10
11 November 20

If I compare the pricing with other software tools, then it is quite competitive. Whatever the price is, they have always given us a good discount.

Head Of Information Security at a media company with 51-200 employees
Real User
Top 20
11 November 20

The pricing is really fair compared to a lot of other tools on the market. It's not like a typical SaaS offering. Let's say you got SaaS software from G Suite. You're going to get Google Docs and Google Drive and Google Sheets, etc. It's going to be the same for everybody. But in Veracode, it's not. You buy a license for specific kinds of scanners. I had two licenses for static analysis scanners and one license for a dynamic analysis scanner.

Principal for the Application Security Program and Access Control at an engineering company with 10,001+ employees
Real User
Top 20
09 November 20

It is very reasonably priced compared to what we were paying our previous vendor. For the same price, we are getting much more value and reducing our AppSec costs from 40 to 50 percent. We bought the product for its expected benefits, in terms of all the bells and whistles that we saw during the sales cycle. When it came time to really implement it, that is where we have been having buyer's remorse.

IT Cybersecurity Analyst at an educational organization with 11-50 employees
Real User
Top 20
08 November 20

The solution is very pricey.

Security Architect at a financial services firm with 1,001-5,000 employees
Real User
Top 20
04 November 20

In addition to the standard licensing fees there's a support cost and an implementation cost at the beginning.

DevSecOps Consultant at British Telecom
Real User
Top 10
14 October 20

Veracode's price is high. I would like them to better optimize their pricing.

Christian Camerlengo - PeerSpot reviewer
Senior Programmer/Analyst at FIS
Real User
30 August 20

I don't really know about the pricing, but I'd say it's worth whatever Veracode is charging, because the solution is that good. It's just a good product, overall.

reviewer1360617 - PeerSpot reviewer
Sr. Security Architect at a financial services firm with 10,001+ employees
Real User
28 May 20

For the value we get out of it, coupled with the live defect review sessions, we find it an effective value for the money. We are a larger organization.

Managing Principal Consultant at a tech vendor with 11-50 employees
11 June 19

This solution is on the pricey side. They have just streamlined the licensing and they have a number of flexible options available, so overall it is quite good, albeit pricey.

Sebastian Toma - PeerSpot reviewer
Engineering Security Manager at Nextiva
23 May 19

They just changed their pricing model two weeks ago. They went from a per-app license to a per-megabyte license. I know that the dynamic scan was $500 per app. Static analysis was about $4500 yearly. The license is only for the number of users, it doesn't matter what data you put in there. That was the old model. I do not know how the new model works. We are in negotiations with Veracode. The old model was about $500 for dynamic analysis and about $4500 for the static analysis, per app or service, per year. Veracode offers a lot of other license options that you can put on top of what we just discussed, but I don't think we ever looked into any of those. The way we implemented it was very straightforward. You have your app and you pay this much for both dynamic and static licensing. That's all we cared about per year.

it_user673734 - PeerSpot reviewer
Chief Technology Officer at Birst
Real User
12 November 18

No issues, the pricing seems reasonable.

Evan Christoe - PeerSpot reviewer
AVP, IS Manager with 1,001-5,000 employees
Real User
12 November 18

We are about to enter discussions for renewal. I have heard there may be some changes to pricing. I will reserve judgment until the discussions are complete.

Chief Information Security Officer with 501-1,000 employees
Real User
01 November 18

We're always looking to save the taxpayers' money. I used to tell my vendors, sharpen those pencils and make the tip laser-sharp. When it can be, I want it to be less expensive, but you get what you pay for too. Vendors need to be fair and I think Veracode has been fair. We use their SaaS solution and it's just an annual subscription.

Associate Director
Real User
03 July 18

It is pricey. There is a lot of value in the product, but it is a costly tool. The customer should demand better turnaround times for the money that they are paying, especially around the reporting and standing up processes that we need to go through. It needs much more technical information on the platform with a tool that can help with information or have 24/7 support available, then it will be worth the price that we are paying, because right now, we don't have many options. There are not many companies who are in the market for Veracode, who want this type of in-depth analysis and examination. That is why customers, with the money that they are paying, have room for improvement in the scope of the Veracode product. I recommend going for a one-year licensing with CA, because currently they are the leaders in this field with more features and a much better turnaround time with a cheaper position, but there are a lot of new companies coming up in the market and they are building up their platforms. I suggest just not to get tied up with a long-term commitment, because I have seen with Black Duck that they are almost one-third of the price of the big platforms. Once there are the same features and functionality (or lot better performance) available in the market, people are going to migrate away from this platform. The market is changing so fast, and with the Black Duck acquisition, it is also expected that we may get a solution with a much faster platform with much better service at a cheaper price.

it_user877104 - PeerSpot reviewer
VP Worldwide Delivery Acceleration at a financial services firm
Real User
23 May 18

Negotiate for the best deal.

it_user873405 - PeerSpot reviewer
Lead Security Engineer at a tech vendor with 201-500 employees
Real User
16 May 18

The pricing is good for static code analysis.

Elina Petrovna - PeerSpot reviewer
Professor at BitBrainery University
Real User
04 May 18

Costs are reasonable. No special infrastructure is required and the license model is good.

it_user866175 - PeerSpot reviewer
Information Security Engineer Team Lead at a hospitality company with 1,001-5,000 employees
Real User
02 May 18

I think the pricing is in line with the rest of the tools. I think you get what you pay for. It is certainly not inexpensive, but the value proposition is there. There are certainly cheaper tools, but I don't think we'd be getting the support that we get with those, and that is what separates this product from the others. Regarding licensing, pay very close attention to what applications you're going to need to do dynamic scanning for, versus static. Right now, the way the licensing is set up, if you don't have any static elements for a website, you can certainly avoid some costs by doing more dynamic licenses. You need to pay very close attention to that, because if you find out later that you have static code elements - like Java scripts, etc. - that you want to have scanned statically, having the two licenses bundled together will actually save you money. You really need to understand how your application is going to be delivered and not think of it just as, "This is a website and this is a mobile app," or "This is a website and this is a fat client." Often, with new frameworks, you have websites - especially with Java specifically, which is not even a new framework - running Java, but you also have things running in a local Java sandbox on the machine, or on a Java virtual machine. You really want to understand how that application is being delivered to the end-user, and not just think of it as applications on a box and websites.

it_user854784 - PeerSpot reviewer
Director Security and Risk OMNI Cloud Operations at Manhattan Associates
Real User
12 April 18

We're very comfortable with their model. We think they're a good value. We worked very closely with Veracode on understanding their license model, understanding what comprises the fee and what does not. With their assistance in design, we decomposed our application in a way where we are scanning a very significant amount of code without wasting their capacity and generating redundant reported issues. You scan in profiles, per se. And we work with them, in their offices, to design the most effective approach. So the advice I would have for customers is, you can get up and live fast, but work closely with Veracode to refine the method you use for scanning and the way you compile the applications. There's a concept called entry-point scanning, and that's probably not used well by the rest of their customers. We see our licensing as a good value because we leverage it heavily. I'd say many customers might not quite go to that level. But that's their choice.

it_user854049 - PeerSpot reviewer
Chief Compliance Officer at a financial services firm with 51-200 employees
Real User
11 April 18

Negotiate some, but their prices are reasonable.

it_user854052 - PeerSpot reviewer
Head of Technology at a tech services company with 11-50 employees
Real User
11 April 18

Pricing/licensing is complicated.

it_user854046 - PeerSpot reviewer
DevOps Release Engineer at a tech services company with 51-200 employees
Real User
11 April 18

We are satisfied.

it_user846645 - PeerSpot reviewer
VP Development
Real User
28 March 18

We get good value out of what we have right now.

it_user842937 - PeerSpot reviewer
Systems Architect at a tech vendor with 201-500 employees
Real User
22 March 18

If you're licensing, and you're looking at licensing models, you might want to ask Veracode about their microservice, depending on the company. If you are a microservice architecture, I would suggest asking them about their microservice pricing. I would suggest that you evaluate that with your code and their other licensing model, which is like a lump sum in size of artifacts, and just make sure that you price that out with them, because there might be some tradeoffs that can be made in price.

it_user841116 - PeerSpot reviewer
Information Security Lead Analyst at a consumer goods company with 10,001+ employees
Real User
20 March 18

I'm not the pricing guy. Licensing is pretty flexible. It's a little bit weird, it's by the size of the binary, which is a strange way to license a product. So far they've been pretty flexible about it.

Dave Cheli - PeerSpot reviewer
Chief Technology Officer
Real User
15 March 18

I think it's a great value. It's at a price point that a small company like mine can afford to use versus, if it was too exorbitant, I wouldn't be able to use this product. About licensing, just go ahead and get them. Get a license at the beginning of a project. Don't wait until the end, because you want to use the product throughout the entire software development lifecycle, not just at the end. You could be surprised, and not in a positive way, with all the vulnerabilities there are in your code.

it_user837504 - PeerSpot reviewer
Information Technology at an insurance company with 51-200 employees
Real User
14 March 18

The licensing and prices were upfront and clear. They stand behind everything that is said during the commercial phase and during the onboarding phase. Even the most irrelevant "that can be done" was delivered, no matter how important the request was. The licensing is fair, it is time-limited (e.g. one year) but there is a size cap for every app. If your applications are big (due to third-party libraries, for example) you should discuss this beforehand and explore suitable agreements.

it_user836430 - PeerSpot reviewer
Senior Infrastructure Engineer at a healthcare company with 5,001-10,000 employees
Real User
13 March 18

Just do your research. Make sure you're getting the best price on this. It can be expensive to do this, so I would just make sure that you're getting the proper number of licenses. Do your analysis. Make sure you know exactly what it is you need, going in. Then just see if it can work. Try and make sure you get the best price possible.

Assistant Vice President of Programming and Development at a financial services firm with 501-1,000 employees
Real User
11 March 18

Pricing seems fair for what is offered, and licensing has been no problem. All developers are able to get the access they need.

it_user833553 - PeerSpot reviewer
CISSP, CISM at a tech services company with 1,001-5,000 employees
Real User
08 March 18

Pricing is worth the value.

it_user833550 - PeerSpot reviewer
VP of Services at Avatier
Real User
08 March 18

It's worth the value.

Director Software Engineering at a tech services company with 51-200 employees
Real User
07 March 18

I think licensing needs to be changed or updated so that it works with adjustments. Pricing is expensive compared to the amount of scanning we perform.

it_user831864 - PeerSpot reviewer
Application & Product Security Manager at an insurance company with 1,001-5,000 employees
Real User
06 March 18

The worst part about the product is that it does not scale at all. Also, microservices apps will cost you a fortune.

Related Questions
Netanya Carmi - PeerSpot reviewer
Content Manager at PeerSpot (formerly IT Central Station)
Nov 15, 2021
Why is one better than the other?
2 out of 6 answers
Senior Product Specialist at Meteonic Innovation Pvt. Ltd.
06 September 21
Mauro Verderosa - PeerSpot reviewer
Cybersecurity Expert at PSYND
06 September 21
They are mainly two different products.  If your goal is to set the quality on code then SonarQube is your answer.  On the other side, if your main goal is to set high-quality standards in terms of cybersecurity (i.e. both security and compliance with regulations), then Veracode is a better match.
User at Securities America
Jul 08, 2020
I am looking for pros and cons for the Checkmarx vs SonarQube, in particular regarding: false positives tuning Sonarqube to reduce false positives without introducing false negatives.  I am also wondering if SonarQube could allow developers to delint their code before submitting it to SAST with either Checkmarx or Veracode. 
2 out of 3 answers
Donovan Greeff - PeerSpot reviewer
Head of Software Delivery at a tech services company with 51-200 employees
06 July 20
My opinions are my own and do not represent any other entities that I may be or have been affiliated with. On this topic I think it is important to acknowledge that no matter which solution you go for you will have false positives. I don't think there will be any solution that properly solves this anytime soon. As for Checkmarx vs SonarQube... Checkmarx may cover more rules over a wider landscape, however I personally found this extra breadth covered outlier rules and mostly lower priority issues. Both Checkmarx and SonarQube cover the OWASP top 10 and Sans25. Both tools can be tuned to help reduce false positives, for both you will need to analyse your tuning to ensure you are not introducing false negatives. Any tools that provide you customisation come with the risk that you could make things worse. SonarQube has very good integration into most development IDEs empowering the engineers to run scans against the company rules on their local machine before submitting your source control and further tooling. In some it will even check the code automatically while you type it. I see you also included Veracode in here. In my opinion that is a far superior tool to Checkmarx, this is down to their more modern approach to this problem. They also allow local developer integration to self lint code before submission. In a perfect world, I would use Sonar for development bugs, test coverage and technical debt measurements. Then Veracode to handle the SAST side for me. In short I would not duplicate the security scans in Sonar and Veracode. Hope that helps
Factory Head, Web (Digital), Social, Mobile Enterprise COE at a pharma/biotech company with 10,001+ employees
07 July 20
SonarQube can be used for SAST. However, based on our internal analysis, our team feels Checkmarx is better suited for Security compared to SonarQube. SonarQube is used in day to day developer code scan and Checkmarx is used during code movement to staging or during release.