0 filters active
Skip to Content
logo
  • Home
  • Quick start
      • Billing
      • Integrations
      • Platform
      • Scanner
      • Ask our pentesters to explain a vulnerability
      • Fix code with gen AI from the IDE
      • See safe dependency versions
      • Import repositories to test
      • Invite team members to sign up
      • Billing for the Advanced plan
      • Continuous Hacking free trial, plans and pricing
      • Continuous Hacking methodology
      • Continuous Hacking PoV
      • CVSSF metric
      • Glossary
      • Main website
      • Platform demo
      • Tutorial videos
      • What is DAST?
      • What is SAST?
      • Assign vulnerability remediation to a team member
      • See details of the reported security vulnerabilities
    • Sign up to Fluid Attacks
      • Break the build
      • Install CI Gate to break the build
      • Verify whether a fix was successful
  • Find and fix
    • Access to your assets
      • Cloud
      • Connector
      • Egress
      • Set up an AWS IAM role
      • Summary of mechanisms used to access assets
      • Types of authentication used
      • Fix code automatically with gen AI
      • Get AI-generated guides for remediation
      • Contribute to enhancing the scanners
      • Fluid Attacks' scanners
      • Know and reproduce the scanner’s OWASP Benchmark results
      • Access recent downloads
      • Check your compliance with standards
      • View analytics common to orgs, groups and portfolios
      • Download a report of detected vulnerabilities
      • View analytics for the group level only
      • View analytics for the portfolio level only
      • Use analytics charts options
      • View and download logs
      • Pentesters' tools
    • Machine
      • Import repositories fast and safely with OAuth
      • Manage environments
      • Manage repositories
      • Manage your credentials
      • Resolve events impeding tests
      • See retrieved repositories not yet added to any group
      • Invite contributing developers
      • Manage members
      • Manage your organization's authors
      • Understand roles
      • Create and delete groups
      • Create another organization
      • Know your Groups section
      • Manage a group's configuration
      • Register payment information
      • See the target of evaluation's status and SBOM
      • Sort groups into portfolios
      • Accept vulnerabilities
      • Manage fix prioritization policies
      • Manage security gates
      • Prevent the deployment of builds with vulnerabilities
      • View details of the security of your builds
      • Analyze your supply chain security
      • Assign treatments
      • Correlate your threat model to vulnerabilities
      • Examine the evidence of exploitability
      • Request a vulnerability be dismissed as Zero Risk
      • See vulnerabilities assigned to you
      • See where vulnerabilities are and more details
      • Verify fixes with reattacks
      • Enable and disable notifications
      • Explore the user menu
      • Leave group
      • Subscribe to news
      • Platform sections and header items
      • Sign-up and login authentication
      • Configure and use Sorts on your own
      • Introduction to Fluid Attacks' AI tool
      • Accuracy SLA
      • Availability SLA
      • False negatives
      • False positives
      • Response SLA
      • Scope
      • Service-level agreement summary
        • 2023
        • 2024
        • 2025
        • 2026
      • Documentation sections
      • Roadmap
      • Supported AI functions
      • Supported attack surfaces
      • Supported binaries
      • Supported browsers
      • Supported CI/CD
      • Supported clouds
      • Supported CVEs for reachability analysis
      • Supported evidence formats
      • Supported frameworks
      • Supported IDE functionalities
      • Supported languages
      • Supported languages for vulnerability fixes
      • Supported package managers
      • Supported remediation
      • Supported SCM systems
      • Supported secrets
      • Supported standards
      • Supported ticketing systems
      • CVSS score adjustment
      • Find reachable dependency vulnerabilities
      • Vulnerability signature update
      • What is SCA?
      • APK scanner configuration file
      • DAST scanner configuration file
      • SAST scanner configuration file
      • SCA scanner configuration file
      • Scan with a configuration file
      • Ask the AI Agent
      • Ask via chat
      • Post comments
      • Send Fluid Attacks an email
      • Talk to a Pentester
      • Watch certifiable tutorial videos or get a demo
    • Use the Platform
      • Manage repositories
      • See vulnerabilities
      • Exclude findings from scan reports
      • Run scans locally
      • Understand the scanner output
      • Use standalone scanners
      • Use the scanners in CI/CD
  • Integrations
      • Local tools
      • Access Talk to a Pentester and help from Jira issues
      • Automate Jira issue creation
      • Create Jira issues for vulnerabilities
      • Go to vulnerability evidence and more from Jira issues
      • Install the Fluid Attacks app for Jira Cloud
      • Link vulnerabilities to Jira issues or unlink them
      • Request reattacks from Jira issues
      • Set up the Jira integration
      • Set up the Azure DevOps integration
      • Set up the GitLab integration
      • Install the VS Code extension
      • View vulnerable lines, use fix options and more
      • VS Code extension error and solution catalog
      • Identify and address vulnerabilities from IntelliJ
      • Install the IntelliJ plugin
      • Identify and address vulnerabilities from Cursor
      • Install the Cursor extension
      • AWS Marketplace integration
    • MCP server
      • Installation
      • Capabilities and use cases
      • Docker installation
      • Excluding files from analysis
      • Integrate with Azure DevOps Peer Reviewer Assistant
      • Integrate with GitLab Peer Reviewer Assistant
      • Troubleshooting
      • Introduction
      • Use the API
      • Learn the basics of the Fluid Attacks API
      • Things to know before using the API
  • Stack
      • Bash
      • Python
      • Terraform
      • TypeScript
      • Ariadne
      • Commitlint
      • Docker
      • ESLint
      • GraphQL
      • Hypercorn
      • Kubernetes
      • Labels
      • Mypy
      • Nix Flakes
      • Platform audit logs
      • Platform authentication
      • Platform authorization
      • Pydantic AI
      • React
      • Ruff
      • Sops
      • Starlette
      • Tree-sitter
      • Visual Studio Code
      • AWS
      • Batch
      • Bedrock
      • BigCodeBench
      • BugSnag
      • Checkly
      • Claude 3.5 Sonnet
      • Cloudflare
      • CloudWatch
      • Cost Management
      • Datadog
      • dbt
      • DynamoDB
      • EBS
      • EC2
      • EKS
      • ELB
      • Engineering metrics
      • ePayco
      • EventBridge
      • GitLab
      • GitLab CI
      • Google Workspace
      • IAM
      • Jamf
      • KMS
      • Lambda
      • LogRocket
      • Okta
      • OpenAI
      • OpenSearch
      • Organizations
      • QuickSight
      • S3
      • SageMaker
      • Snowflake
      • Statuspage
      • Step Functions
      • Stripe
      • Treli
      • Ubiquiti
      • Vanta
      • Voyage AI
      • VPC
      • VPN
      • Zoho One
      • Zoho Sign
  • Compliance
      • Clients
      • Password policies
      • Staff
      • Access revocation
      • Endpoint
      • Authorization for clients
      • Authorization for Fluid Attacks staff
      • Secret rotation
      • Secure employee termination
      • Session management
      • Distributed apps
      • Distributed firewall
      • Everything backed up
      • Multiple zones
      • Recovery objective
      • Device (re)enrolling
      • Direct hiring
      • Encryption at rest
      • Encryption in transit
      • No personal gain
      • Personnel NDA
      • Secure deletion
      • Awareness
      • Certification Hub
      • Certified cloud provider
      • Certified security analysts
      • Comprehensive reporting
      • Developing for integrity
      • Extensive hiring process
      • Monitoring
      • Production data not used for dev or test
      • Secure emails
      • Software Artifacts SLSA levels
      • Static website
      • Training plan
      • Everything as code
      • Extensive logs
      • Data privacy policy
      • Data policies
      • Email obfuscation
      • Employee time tracking software
      • Manual for the National Database Registry (NDR)
      • OTR messaging
      • Polygraph tests
      • Project pseudonymization
      • Retention
      • Secure delivery of sensitive data
      • Transparent use of cookies
      • Unsubscribe email
      • Continuity and recovery
      • Equipment and telecommuting
      • Everything is decentralized
      • Redundant roles
      • Complaint management
      • Data leakage policy
      • Ethics hotline
      • Help channel
      • Incident management
      • Information security responsibility
      • Open source
      • Quality policy
      • Status page
      • Testing our technology
      • Vulnerability releasing
  • Compare
    • 42Crunch
    • 7 Way Security
    • Aikido
    • Anvil Secure
    • Apiiro
    • AppCheck
    • Appdome
    • Appknox
    • Aqua
    • ArmorCode
    • Arnica
    • Astra
    • Base4
    • Bishop Fox
    • Black Duck
    • Black Hills
    • Breachlock
    • Bright Security
    • Burp Suite
    • Checkmarx
    • CloudGuard
    • Cobalt
    • Codacy
    • Conviso
    • Cure53
    • Cycode
    • Cyver
    • Data Theorem
    • DataDog
    • DeepSource
    • DefectDojo
    • Detectify
    • Devel
    • Dryrun Security
    • Dynatrace
    • Edgescan
    • Endor Labs
    • Escape
    • Evolve Security
    • Faraday Security
    • FortiDevSec
    • Fortify
    • GitHub Advanced Security
    • GitLab Ultimate
    • GuardRails
    • HackerOne
    • Hackmetrix
    • Hadrian
    • HCL AppScan
    • Heeler
    • Hopper Security
    • ImmuniWeb
    • Inspectiv
    • Intigriti
    • Intruder
    • Invicti
    • JFrog
    • Jit
    • Kiuwan
    • Legit Security
    • Mandiant
    • Mend
    • Mindgard
    • Moderne
    • NetSPI
    • NowSecure
    • Nucleus Security
    • Oligo Security
    • Orca Security
    • Oversecured
    • OX Security
    • Phoenix Security
    • PlexTrac
    • Praetorian
    • Prancer
    • Prisma Cloud
    • Probely
    • Prowler
    • ReversingLabs
    • RunSybil
    • Safety
    • Securitum
    • Seemplicity
    • Semgrep
    • Snyk
    • Socket
    • SonarQube
    • Sonatype
    • SOOS
    • StackHawk
    • Strike
    • Synacktiv
    • Tenable Nessus
    • ThreatModeler
    • Veracode
    • White Jaguars
    • Wiz
    • Xygeni
    • ZAP
    • ZeroPath
  • Log in to the platform 
  • Home
  • Quick start
      • Billing
      • Integrations
      • Platform
      • Scanner
      • Ask our pentesters to explain a vulnerability
      • Fix code with gen AI from the IDE
      • See safe dependency versions
      • Import repositories to test
      • Invite team members to sign up
      • Billing for the Advanced plan
      • Continuous Hacking free trial, plans and pricing
      • Continuous Hacking methodology
      • Continuous Hacking PoV
      • CVSSF metric
      • Glossary
      • Main website
      • Platform demo
      • Tutorial videos
      • What is DAST?
      • What is SAST?
      • Assign vulnerability remediation to a team member
      • See details of the reported security vulnerabilities
    • Sign up to Fluid Attacks
      • Break the build
      • Install CI Gate to break the build
      • Verify whether a fix was successful
  • Find and fix
    • Access to your assets
      • Cloud
      • Connector
      • Egress
      • Set up an AWS IAM role
      • Summary of mechanisms used to access assets
      • Types of authentication used
      • Fix code automatically with gen AI
      • Get AI-generated guides for remediation
      • Contribute to enhancing the scanners
      • Fluid Attacks' scanners
      • Know and reproduce the scanner’s OWASP Benchmark results
      • Access recent downloads
      • Check your compliance with standards
      • View analytics common to orgs, groups and portfolios
      • Download a report of detected vulnerabilities
      • View analytics for the group level only
      • View analytics for the portfolio level only
      • Use analytics charts options
      • View and download logs
      • Pentesters' tools
    • Machine
      • Import repositories fast and safely with OAuth
      • Manage environments
      • Manage repositories
      • Manage your credentials
      • Resolve events impeding tests
      • See retrieved repositories not yet added to any group
      • Invite contributing developers
      • Manage members
      • Manage your organization's authors
      • Understand roles
      • Create and delete groups
      • Create another organization
      • Know your Groups section
      • Manage a group's configuration
      • Register payment information
      • See the target of evaluation's status and SBOM
      • Sort groups into portfolios
      • Accept vulnerabilities
      • Manage fix prioritization policies
      • Manage security gates
      • Prevent the deployment of builds with vulnerabilities
      • View details of the security of your builds
      • Analyze your supply chain security
      • Assign treatments
      • Correlate your threat model to vulnerabilities
      • Examine the evidence of exploitability
      • Request a vulnerability be dismissed as Zero Risk
      • See vulnerabilities assigned to you
      • See where vulnerabilities are and more details
      • Verify fixes with reattacks
      • Enable and disable notifications
      • Explore the user menu
      • Leave group
      • Subscribe to news
      • Platform sections and header items
      • Sign-up and login authentication
      • Configure and use Sorts on your own
      • Introduction to Fluid Attacks' AI tool
      • Accuracy SLA
      • Availability SLA
      • False negatives
      • False positives
      • Response SLA
      • Scope
      • Service-level agreement summary
        • 2023
        • 2024
        • 2025
        • 2026
      • Documentation sections
      • Roadmap
      • Supported AI functions
      • Supported attack surfaces
      • Supported binaries
      • Supported browsers
      • Supported CI/CD
      • Supported clouds
      • Supported CVEs for reachability analysis
      • Supported evidence formats
      • Supported frameworks
      • Supported IDE functionalities
      • Supported languages
      • Supported languages for vulnerability fixes
      • Supported package managers
      • Supported remediation
      • Supported SCM systems
      • Supported secrets
      • Supported standards
      • Supported ticketing systems
      • CVSS score adjustment
      • Find reachable dependency vulnerabilities
      • Vulnerability signature update
      • What is SCA?
      • APK scanner configuration file
      • DAST scanner configuration file
      • SAST scanner configuration file
      • SCA scanner configuration file
      • Scan with a configuration file
      • Ask the AI Agent
      • Ask via chat
      • Post comments
      • Send Fluid Attacks an email
      • Talk to a Pentester
      • Watch certifiable tutorial videos or get a demo
    • Use the Platform
      • Manage repositories
      • See vulnerabilities
      • Exclude findings from scan reports
      • Run scans locally
      • Understand the scanner output
      • Use standalone scanners
      • Use the scanners in CI/CD
  • Integrations
      • Local tools
      • Access Talk to a Pentester and help from Jira issues
      • Automate Jira issue creation
      • Create Jira issues for vulnerabilities
      • Go to vulnerability evidence and more from Jira issues
      • Install the Fluid Attacks app for Jira Cloud
      • Link vulnerabilities to Jira issues or unlink them
      • Request reattacks from Jira issues
      • Set up the Jira integration
      • Set up the Azure DevOps integration
      • Set up the GitLab integration
      • Install the VS Code extension
      • View vulnerable lines, use fix options and more
      • VS Code extension error and solution catalog
      • Identify and address vulnerabilities from IntelliJ
      • Install the IntelliJ plugin
      • Identify and address vulnerabilities from Cursor
      • Install the Cursor extension
      • AWS Marketplace integration
    • MCP server
      • Installation
      • Capabilities and use cases
      • Docker installation
      • Excluding files from analysis
      • Integrate with Azure DevOps Peer Reviewer Assistant
      • Integrate with GitLab Peer Reviewer Assistant
      • Troubleshooting
      • Introduction
      • Use the API
      • Learn the basics of the Fluid Attacks API
      • Things to know before using the API
  • Stack
      • Bash
      • Python
      • Terraform
      • TypeScript
      • Ariadne
      • Commitlint
      • Docker
      • ESLint
      • GraphQL
      • Hypercorn
      • Kubernetes
      • Labels
      • Mypy
      • Nix Flakes
      • Platform audit logs
      • Platform authentication
      • Platform authorization
      • Pydantic AI
      • React
      • Ruff
      • Sops
      • Starlette
      • Tree-sitter
      • Visual Studio Code
      • AWS
      • Batch
      • Bedrock
      • BigCodeBench
      • BugSnag
      • Checkly
      • Claude 3.5 Sonnet
      • Cloudflare
      • CloudWatch
      • Cost Management
      • Datadog
      • dbt
      • DynamoDB
      • EBS
      • EC2
      • EKS
      • ELB
      • Engineering metrics
      • ePayco
      • EventBridge
      • GitLab
      • GitLab CI
      • Google Workspace
      • IAM
      • Jamf
      • KMS
      • Lambda
      • LogRocket
      • Okta
      • OpenAI
      • OpenSearch
      • Organizations
      • QuickSight
      • S3
      • SageMaker
      • Snowflake
      • Statuspage
      • Step Functions
      • Stripe
      • Treli
      • Ubiquiti
      • Vanta
      • Voyage AI
      • VPC
      • VPN
      • Zoho One
      • Zoho Sign
  • Compliance
      • Clients
      • Password policies
      • Staff
      • Access revocation
      • Endpoint
      • Authorization for clients
      • Authorization for Fluid Attacks staff
      • Secret rotation
      • Secure employee termination
      • Session management
      • Distributed apps
      • Distributed firewall
      • Everything backed up
      • Multiple zones
      • Recovery objective
      • Device (re)enrolling
      • Direct hiring
      • Encryption at rest
      • Encryption in transit
      • No personal gain
      • Personnel NDA
      • Secure deletion
      • Awareness
      • Certification Hub
      • Certified cloud provider
      • Certified security analysts
      • Comprehensive reporting
      • Developing for integrity
      • Extensive hiring process
      • Monitoring
      • Production data not used for dev or test
      • Secure emails
      • Software Artifacts SLSA levels
      • Static website
      • Training plan
      • Everything as code
      • Extensive logs
      • Data privacy policy
      • Data policies
      • Email obfuscation
      • Employee time tracking software
      • Manual for the National Database Registry (NDR)
      • OTR messaging
      • Polygraph tests
      • Project pseudonymization
      • Retention
      • Secure delivery of sensitive data
      • Transparent use of cookies
      • Unsubscribe email
      • Continuity and recovery
      • Equipment and telecommuting
      • Everything is decentralized
      • Redundant roles
      • Complaint management
      • Data leakage policy
      • Ethics hotline
      • Help channel
      • Incident management
      • Information security responsibility
      • Open source
      • Quality policy
      • Status page
      • Testing our technology
      • Vulnerability releasing
  • Compare
    • 42Crunch
    • 7 Way Security
    • Aikido
    • Anvil Secure
    • Apiiro
    • AppCheck
    • Appdome
    • Appknox
    • Aqua
    • ArmorCode
    • Arnica
    • Astra
    • Base4
    • Bishop Fox
    • Black Duck
    • Black Hills
    • Breachlock
    • Bright Security
    • Burp Suite
    • Checkmarx
    • CloudGuard
    • Cobalt
    • Codacy
    • Conviso
    • Cure53
    • Cycode
    • Cyver
    • Data Theorem
    • DataDog
    • DeepSource
    • DefectDojo
    • Detectify
    • Devel
    • Dryrun Security
    • Dynatrace
    • Edgescan
    • Endor Labs
    • Escape
    • Evolve Security
    • Faraday Security
    • FortiDevSec
    • Fortify
    • GitHub Advanced Security
    • GitLab Ultimate
    • GuardRails
    • HackerOne
    • Hackmetrix
    • Hadrian
    • HCL AppScan
    • Heeler
    • Hopper Security
    • ImmuniWeb
    • Inspectiv
    • Intigriti
    • Intruder
    • Invicti
    • JFrog
    • Jit
    • Kiuwan
    • Legit Security
    • Mandiant
    • Mend
    • Mindgard
    • Moderne
    • NetSPI
    • NowSecure
    • Nucleus Security
    • Oligo Security
    • Orca Security
    • Oversecured
    • OX Security
    • Phoenix Security
    • PlexTrac
    • Praetorian
    • Prancer
    • Prisma Cloud
    • Probely
    • Prowler
    • ReversingLabs
    • RunSybil
    • Safety
    • Securitum
    • Seemplicity
    • Semgrep
    • Snyk
    • Socket
    • SonarQube
    • Sonatype
    • SOOS
    • StackHawk
    • Strike
    • Synacktiv
    • Tenable Nessus
    • ThreatModeler
    • Veracode
    • White Jaguars
    • Wiz
    • Xygeni
    • ZAP
    • ZeroPath
  • Log in to the platform 

On This Page

  • How does Fluid Attacks’ solution compare to Checkmarx’s?
  • Organization
  • Service
  • Product
  • Integrations
  • More like Checkmarx
Tags
CompareCheckmarx

Checkmarx

How does Fluid Attacks’ solution compare to Checkmarx’s?

The following comparison table enables you to discern the performance of both providers across various attributes essential for meeting your company's cybersecurity needs. To better understand each attribute, read their descriptions in the dedicated page .

Organization
AttributeEssentialAdvancedCheckmarx
Focus

Native ASPM  with in-house scanners 

AI-powered PTaaS  on top of native ASPM  with in-house scanners 

Native ASPM with in-house scanners

Extras

None

None

None

Headcount

157 

Same 

997

Headcount distribution

Engineering 40% , IT 14%, sales 15%, marketing 2%, operations 4% and others 25%

Same 

Engineering 30%, IT 18%, sales 17%, marketing 3%, operations 3% and others 29%

Headcount growth

+14% , +15%, -1%

Same 

+1%, +8%, +6%

Headquarters

CO  and US

Same 

FR, IN, IL, PT, SG, UK and US

Countries

AR , BO, CA, CL, CO, DO, MX, PA, PE and US

Same 

IL, IN, PT and US

Reputation

9.76 from 228 reviews over 8 years on Gartner  and Clutch 

Same

8.51 from 221 reviews over 11 years on G2, Gartner, PeerSpot, Software Advice and TrustRadius

Followers

22K based on the following: Facebook , Instagram , LinkedIn , X  and YouTube 

Same

149K based on the following: Facebook, LinkedIn, X and YouTube

Research firms

None

None

Forrester, Frost & Sullivan, GigaOM, IDC, Info-Tech Research Group and Nucleus Research

Founded

2001 

Same 

2006

Funding

Bootstrapped

Same

$92M USD in 4 rounds from 6 investors

Acquisitions

None

None

Acquired 0 times and made 4 acquisitions

Revenue

10M  to 15M

Same 

100M to 500M

CVEs as CNA Researcher

289 CVEs reported  to MITRE , ranked in the top 10 CVE labs worldwide 

Same 

11 CVEs reported to MITRE

Compliance

SOC 2 Type II  and SOC 3 

Same 

CSA STAR Level 1, FedRAMP Authorized, HIPAA, ISO/IEC 27001 and SOC 2 Type II

Bug bounty

Yes 

Yes 

No

Visits

27K  per month. Top 3: 34% PE, 33% CO, 6% CL. Others 27%

Same 

69K per month. Top 3: 32% US, 14% IN, 5% IL and others 49%

Authority

31 out of 100 

Same 

44 out of 100

Public vulnerability DB

Discovered  and third-party

Same 

Discovered and third-party

Content

Blog , documentation , e-books , glossary , reports, success stories , videos , webinars and white papers

Same

Analysis reports, blog, customer testimonials, documentation, infographics, reports, solution briefs, videos, webinars and white papers

Comprehensive documentation

13 documentation sections , 7 in common and 6 additional

Same 

8 documentation sections, 7 in common and 1 additional

Community

Forum 

Same 

Forum

Sync training

1 workshop 

Same 

2 live security education courses (subscription-based)

Async training

3 product use courses , all free

Same 

Security education platform (subscription-based)

Distribution

Direct  or with any of its 14 partners 

Same

Direct or with any of its 66 partners

Marketplaces

AWS 

Same 

AWS

Freemium

No

No

No

Free trial

21-day free trial 

PoV 

PoC

Demo

Yes 

Yes 

Yes

Open demo

No

No

No

Pricing

Contact sales  and marketplace 

Contact sales 

Contact sales and marketplace

Pricing tiers

1 plan 

1 plan 

5 plans (SAST, SSCS, essentials, professional, enterprise). None transparent

Minimum term

Monthly 

Monthly 

Annually

Minimum payment period

Monthly 

Monthly 

Annually

Minimum capabilities

ASPM , binary SAST, DAST, IaC, SAST, SCA and secrets

Same plus: AI SAST , API security testing, PTaaS, RE and SCR

SAST

Minimum scope

1 author 

Same 

1 license

Pricing drivers

Authors 

Same 

Developers

Free implementation

Yes 

Yes 

No

Free support

Yes 

Yes 

No

Service
AttributeEssentialAdvancedCheckmarx
PTaaS

No

Yes 

No

Reverse engineering

No

Yes 

No

Secure code review

No

Yes 

No

Pivoting

No

Yes 

No

Exploitation

No

Yes 

No

Manual reattacks

Not applicable

Unlimited reattacks 

Not applicable

Zero-day vulnerabilities

None

Continuous zero-day  vulnerability research

Continuous zero-day vulnerability research

SLA

Availability 

Accuracy , availability  and response 

Availability and response

Minimum availability

99.95%  per minute LTM

Same 

99.5% per period

After-sale guarantees

No

Yes

No

Accreditations

CNA  and Penetration Testing by CREST 

Same 

CNA, DevOps ISV Competency and Security ISV Competency

Hacker certifications

Not applicable

202 from 59 different types 

Not applicable

Type of contract

Employee

Same

Employee

Endpoint control

No

Total 

Not applicable

Channel control

No

Total

Not applicable

Standards

Some requirements from 67 standards , 18 in common and 49 additional

All requirements from the same standards 

20 standards, 18 in common and 2 additional

Detection method

Automated tools 

Automated tools , AI  and human intelligence

Automated tools and AI

False positives

3.87 times better

6.66 times better

12% F0.5 score per quantity

False negatives

5.6 times better

17.98 times better

4% F2.0 score per severity

Remediation

5 , 3 in common and 2 additional

Same, plus 1 

4, 3 in common and 1 additional

Output

5 , 4 in common and 1 additional

Same, plus 2 

6, 4 in common and 2 additional

Product
AttributeEssentialAdvancedCheckmarx
ASPM

Yes 

Yes 

Yes

API

GraphQL with JSON 

Same 

REST with JSON

IDE

5 functionalities , 4 in common and 1 additional

Same , plus 1 functionality

6 functionalities, 4 in common and 2 additional

CLI

Yes 

Yes 

Yes

CI/CD

Breaks the build 

Same 

Breaks the build

Vulnerability sources

4 sources , 1 in common and 3 additional

Same 

6 sources, 1 in common and 5 additional

Threat model alignment

Yes 

Yes 

Yes

Priority criteria

CVSS v4.0 , CVSSF , EPSS  and KEV

Same 

CVSS v4.0, EPSS and KEV

Custom prioritization

Priority score 

Same 

Project classification

Scanner origin

In-house 

In-house 

In-house and external (ZAP for DAST and KICS for IaC)

SCA

19 package managers , 15 in common and 4 additional

Same 

20 package managers, 15 in common and 5 additional

AI security

No

Yes 

No

Reachability

12 languages 

Same 

No information

Reachability type

Deterministic 

Same 

Deterministic

SBOM

22 package managers , 11 in common and 11 additional

Same 

20 package managers, 11 in common and 9 additional

Malware detection

Yes

Yes

Yes

Autofix on components

No

No

Yes

Source SAST (languages)

12 , 11 in common and 1 additional

Same 

36, 11 in common and 25 additional

Source SAST (frameworks)

22 , 10 in common and 12 additional

Same 

52, 10 in common and 42 additional

Custom rules

No

No

Policies

IaC

6 , 5 in common and 1 additional

4 , all in common

12, 9 in common and 3 additional

Binary SAST

1 type of binary 

Same , plus 2 types of binaries

No

DAST

7 attack surface types , 2 in common and 5 additional

Same 

3 attack surface types, 2 in common and 5 additional

API security testing

No

4 types of APIs , 3 in common and 1 additional

3 types of APIs, all in common

IAST

No

No

No

ASM

No

No

No

Secrets

15 secrets types , 5 in common and 10 additional

Same , plus verify other attack vectors and secrets exploitability

5 secrets types, all in common

AI

3 functions , 2 in common and 1 additional

Same 

3 functions, 2 in common and 1 additional

MCP

Yes 

Yes 

Yes

Open-source

MPL-2 license , totally equivalent  to the paid version 

Not applicable

Apache License version 2, partially equivalent to the paid version

Provisioning as code

Yes 

Yes 

Yes

Deployment

SaaS (multi-tenant) 

Same 

SaaS (multi-tenant) + on-premises (single-tenant)

Regions

US 

Same 

AE, ANZ, EU, IN, IL, SG and US

Status

Yes 

Yes 

Yes

Incidents

4 per year 

Same 

7.6 per year

Integrations
AttributeEssentialAdvancedCheckmarx
SCM

6 , 3 in common and 3 additional

Same 

4, 3 in common and 1 additional

Binary repositories

None

None

5

Ticketing

3 , all in common

Same 

5, 3 in common and 2 additional

ChatOps

None

None

2

IDE

3 , 2 in common and 1 additional

Same 

4, 2 in common and 2 additional

CI/CD

21 , 10 in common and 11 additional

Same 

17, 10 in common and 7 additional

SCA

Native 

Same 

Native

SAST

Native 

Same 

Native

DAST

Native 

Same 

Native powered by ZAP

IAST

None

None

None

Cloud

3 , all in common

Same 

3, all in common

Secrets

Native 

Same 

Native

Remediation

None

None

3

Bug bounty

None

None

None

Vulnerability management

None

None

4

Compliance

None

None

None

The latest update to this comparison was on Feb 12, 2026. The primary sources of information were checkmarx.com and docs.checkmarx.com, which were supplemented by specialized information-gathering sites, social media, and other sources.

More like Checkmarx

  1. Aikido 
  2. GitLab Ultimate 
  3. Jit 
  4. Snyk 

Free trial
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial  and discover the benefits of the Continuous Hacking  Essential plan . If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form .

Last updated on February 13, 2026
Burp SuiteCloudGuard
Fluid Attacks 2026. All rights reserved.