A Product Person’s Guide to the Application Security Market: SAST, 2025
Welcome to my 2025 series of deep dives on specific submarkets in the Application Security Testing software market! To start, we’ll dig into the SAST market. Since cybersecurity markets shift constantly, please be aware that this data and my views are valid as of the time of publishing (April 2025).
All of these observations are my own, and I don’t hold stock or serve as an advisor to any companies listed below. This analysis is the result of my deep familiarity with the space, having built in and alongside it for many years. As an outsider looking in, I might have gotten some details wrong or might not have the most up-to-date information, but an attempt was made, and I hope you’ll excuse any errors.
Let’s get started!
SAST — An introduction
Static Application Security Testing (SAST) is what most of us think of when we hear “application security”. Fundamentally, it means analyzing source code without running it and returning suspected security issues. In the past, this was done with regex, rules engines, and other techniques that got close to good results but have always been plagued by false positives and by the need to understand broader code context in order to decide what actually is a “false positive”. Today’s modern SAST tools are all starting to incorporate AI to get better detections and custom rules, aimed at reducing the huge burden of reviewing results that often falls to DevOps, developers, or security engineers. In general, when considering a SAST tool, you should look at coverage for your specific programming languages and at how the tool is using AI to increase customization and decrease manual finding reviews.
Overall, the SAST market is completely saturated with almost zero differentiation between vendors. It is fundamentally a commodity, and most vendors are aware of that, so they are fighting for deals based on price and claims about low false positive rates. For those reasons, it’s very important that when evaluating a SAST tool, you actually test it out on your code in your languages — example code is fine, but seeing how these tools perform on your specific code is significantly more enlightening for decision making purposes.
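To make the regex-versus-context point concrete, here is a small added illustration (my own code, not from any vendor mentioned above). It runs a naive text rule and a context-aware AST rule over a constructed Python snippet: the regex flags a comment, a string, and a harmless constant `eval()` as well as the real issue, while the AST rule only reports the call whose argument is not a literal.

```python
import ast
import re

# Constructed sample program (not real project code): the same call pattern
# appears in a comment, in a string, with a constant argument, and with a
# variable argument. Only the last one deserves a finding.
SAMPLE = '''
import os
# TODO: never eval() untrusted input
BANNER = "call eval() at your own risk"
def safe():
    return eval("1 + 2")          # constant argument
def risky():
    expr = os.environ.get("EXPR")
    return eval(expr)             # argument comes from outside the program
'''


def regex_scan(src: str) -> list[int]:
    """Rules-engine style: flag every line that textually contains eval(."""
    pat = re.compile(r"\beval\s*\(")
    return [i for i, line in enumerate(src.splitlines(), 1) if pat.search(line)]


def ast_scan(src: str) -> list[int]:
    """Context-aware: flag eval() only when its first argument is not a constant.

    Parsing the code means comments and strings are never matched, and the
    argument type gives a crude 'is this attacker-influenced?' signal.
    """
    hits = []
    for node in ast.walk(ast.parse(src)):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Name)
                and node.func.id == "eval"
                and node.args
                and not isinstance(node.args[0], ast.Constant)):
            hits.append(node.lineno)
    return hits


def false_positives(src: str) -> list[int]:
    """Lines the text rule reports that the context-aware rule does not."""
    return sorted(set(regex_scan(src)) - set(ast_scan(src)))


if __name__ == "__main__":
    print("regex findings:", regex_scan(SAMPLE))
    print("ast findings:  ", ast_scan(SAMPLE))
    print("false positives from the regex rule:", false_positives(SAMPLE))
```

Real SAST engines go much further than this (dataflow across functions and files), which is exactly the “broader code context” that rule-based scanners historically lacked.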
If you’re buying a SAST tool right now (2025), I highly recommend buying a tool that already has advanced AI features baked into it, or you likely will find yourself replacing it in 2–3 years. SAST vendors who aren’t innovating here will be obsolete soon, and it’s best to avoid the pain of “rip and replace” if possible.
If you’re a founder considering building in the SAST space, I would not recommend it, unless you have a very compelling pitch. The competition is tough and SAST buyers are getting hundreds of pitches a week from the large field.
SAST Open Source Tools
Open source tooling in SAST has been around for a long time, and there are some very common and standout tools that most software development shops can adopt easily.
Leading the way is Semgrep, which started as an open source tool and then received VC funding (most recently in 2023) in order to grow to profitability. The SAST tool is open source, supports a wide range of languages (over 30), and can be incorporated into a software team’s workflows in multiple ways, making it easy to adopt. Semgrep has used its VC funding to develop many more application security tools, and we’ll see them in other categories. Recently there was a little drama around their decision to move certain features behind their paywall — which we can’t blame them for, because they took VC funding. Just read through the docs to confirm that the portion of the tool you need is still available as open source.
SonarQube is a tool from SonarSource that has been free and open source since its launch in the ’00s. It has coverage of many older and enterprise languages, making it popular in mainframe organizations (hard to find other tools for scanning your COBOL code, for example…). It’s still a good, free, flexible SAST tool.
SAST tools are extremely language specific, so depending on your language, you have additional specific options available to you. Some common options are Brakeman (Ruby), Bandit (Python), and GoSec (Go).
SAST Small Players
Many vendors claim to do SAST, and most of the time those tools are using one of the above mentioned open source SAST tools “under the hood”. I’ve seen this specifically mentioned for tools like Aikido, but this doesn’t usually get advertised, so it’s always worth asking a vendor whether their SAST analysis is homegrown or not. This is true for both smaller and larger SAST players, of course, but smaller SAST companies with broad language support are very likely leveraging some open source tools. Whether that’s a turn-off for you depends on what you are actually paying for versus what you could do on your own with the open source tool.
Smaller SAST vendors are fighting for visibility and differentiation from the bigger players, so generally this class of tools tries to check as many boxes as possible (for example, Aikido claims 10 features that replace existing tools and tells you which tools they replace by name).
The first smaller tool I’ll mention is Aikido, because I’m already talking about them. I find Aikido interesting because they’re one of the first appsec tools I’ve seen announce a direct integration into one of the many popular AI-driven IDEs. Aikido announced early in December that it integrates directly with Cursor AI, and for any dev shop currently doing the “how many AI tools can I leverage to get code shipped faster” dance, I’m sure this makes a big difference. We’ve already seen how AI generated code can be full of security issues, so this is a smart play by Aikido. I expect the rest of the SAST market will follow suit.
Another tool that is very promising is DryRun Security. Although I would place them only partially in the SAST category, their AI powered code reviews are compelling and feel like they could replace a traditional SAST tool easily. The AI application is really effective here, and not just puff features. Recently, they have published head-to-head comparisons with some of the big SAST players, and the results are compelling. If you haven’t read through it, I recommend it, and you can find the C# edition here.
Other smaller SAST for-profit vendors to spotlight are Backslash and DerScanner. Backslash is a seed-stage Israeli-based SAST tool that was founded in 2022. They are banking on the 2024 application security trend of “reachability” to separate themselves from the pack. Backslash argues that their ability to tell you which findings are both real and able to be exploited by attackers puts them above the big players we’ll talk about in the next section. Besides that, there’s nothing super special or interesting about the product at this point. DerScanner (created by DerSecur) is another entry into the crowded SAST field, claiming 43 supported languages. One of the interesting things about DerScanner is what they call “AI-driven Fuzzy Logic analysis”, which sounds like pattern matching over large data sets. This to me is a “no duh” application of AI in application security, and I’m glad to see someone talk about it so clearly. It is also unique in claiming to handle executables well, such as .jar, .exe, and .dll files, which many SAST tools struggle with.
SAST Big Players
Everyone already knows the big players in SAST, but for completeness’ sake, this is who you have to choose from if you generally want enterprise features and broad language support.
- Checkmarx
- Veracode
- Snyk
- Mend
- Semgrep Pro
- Fortify
- GitHub
- Gitlab
Most of these are undifferentiated — it depends mostly on what price you can get and whether you’re interested in a “one stop shop” vendor or not. All these tools appear somewhere on the market analysts’ charts and graphs, and they offer similar language support and bells and whistles. I consider SAST to be a totally saturated market at this point, as mentioned before, and if you don’t have any special requirements, I recommend shopping based on price, since the features are more or less the same.
A few tools though I’ll call out specifically:
Checkmarx and Snyk have been making substantial progress in making themselves an “everything app” for application security. Checkmarx most notably has agreed to sponsor ZAP (we’ll cover them in the upcoming DAST edition), while Snyk now offers an ASPM tool (made possible through acquisitions). These two vendors stand out if you want solid coverage for all application security categories while only paying one vendor.
Also worth calling out: Snyk has notably created their own proprietary AI (called “DeepCode”), which they use in their SAST product to (supposedly) reduce manual research and provide remediation guidance for their SAST findings. This is notable because it doesn’t (appear to) leverage a name-brand AI vendor, so it might be more comfortable for many CISOs.
Another special mention is for GitHub and Gitlab. These tools are the CI/CD for most companies, and it makes the most sense to have your SAST (and your SCA and DAST and so on) right in that tool. All the SAST players have these integrations of course, but for dev teams who want the lowest possible lift, the devops tools are definitely worth considering.
GitHub has been building their Advanced Security product for years now and it’s relatively mature, with improving AI (via GitHub Copilot) features. GitHub Advanced Security also has an excellent security team that authors GitHub Security Advisories, which most of the cybersecurity industry uses as a vulnerability data source. “From the horse’s mouth” seems like a no-brainer for many cybersecurity pros.
Not to be left out, Gitlab has been extensively building out their security features. With the 2024 acquisition of OxEye (formerly in the SAST category), Gitlab is accelerating their security roadmap. I expect we’ll see big updates here in the coming months, focusing on developer workflows. While they lag GitHub in focused security research, I expect we’ll see more focus there from Gitlab soon. If you’re already a Gitlab customer and looking for new application security tooling, I would definitely start with them.
That’s a wrap for SAST! Another Application Security Testing subcategory is coming soon. I hope this was helpful, and I’d welcome comments or feedback!