
Checkmarx
Profile
Checkmarx is a unified application security platform that consolidates Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Software Composition Analysis (SCA), API security, container scanning, Infrastructure as Code analysis, and secrets detection into a single integrated solution. Founded in 2006 and currently owned by private equity firm Hellman & Friedman, the platform serves over 1,700 enterprise customers across 70 countries, including 40 percent of Fortune 100 companies. Checkmarx addresses the complexity of securing applications throughout the software development lifecycle by correlating findings across multiple testing methodologies through its Application Security Posture Management (ASPM) engine, reducing alert noise and enabling teams to prioritize genuinely exploitable vulnerabilities rather than overwhelming developers with undifferentiated vulnerability counts.
Focus
Checkmarx solves the fundamental challenge of maintaining strong security posture while enabling developer velocity by consolidating disparate application security testing tools into a unified platform. Traditional approaches using separate point tools for SAST, DAST, SCA, and other testing methodologies create tool sprawl, fragmented workflows, overwhelming alert volumes, and lack of context about which vulnerabilities genuinely impact business risk. The platform targets enterprise organizations with substantial development teams, complex technology stacks, and regulated compliance requirements. By correlating signals across code, cloud, and supply chain through its ASPM engine, Checkmarx surfaces only the most relevant, exploitable issues, dramatically improving signal-to-noise ratio and enabling data-driven prioritization of remediation efforts based on exploitability, business impact, and organizational context.
Background
Checkmarx was founded in 2006 by Emmanuel Benzaquen and Maty Siman in Israel, pioneering static application security testing as a market category. The company received an $84 million investment from Insight Partners in 2015, enabling expansion from approximately 150 to over 700 employees. In April 2020, Hellman & Friedman acquired Checkmarx for $1.15 billion, with TPG holding a minority interest and Insight Partners retaining a stake. Sandeep Johri assumed the CEO role in February 2023, bringing extensive experience from leading Tricentis and growing HP's software division from $600 million to $3.5 billion in revenue. The platform is actively maintained with regular releases and serves notable customers including SAP, Samsung, and Salesforce, plus substantial government and public sector representation.
Main features
Comprehensive static application security testing with high-accuracy code analysis
Checkmarx SAST analyzes application source code without requiring compilation, identifying vulnerabilities through advanced code graph analysis that understands data flows and execution paths rather than surface-level patterns. The scanner supports 75+ programming languages and frameworks including Java, Python, C#, C++, Go, Swift, JavaScript, TypeScript, PHP, Ruby, and COBOL, providing coverage for virtually any enterprise technology stack. The platform executes hundreds of pre-configured security analysis queries against internal code graph representations, with organizations able to customize detection rules through the Checkmarx Auditor tool for organization-specific security policies and compliance requirements. Independent benchmarking demonstrates a 0.98 true positive rate and 1.94 percent false negative rate, significantly outperforming competitors while identifying more than twice as many genuine vulnerabilities.
Software composition analysis with exploitable path detection
Checkmarx SCA identifies, prioritizes, and enables remediation of vulnerabilities in open-source components by scanning dependency manifest files and resolving dependencies against comprehensive vulnerability databases. The platform supports major package managers including npm, Maven, NuGet, and pip across diverse technology stacks. A distinguishing capability is Exploitable Path analysis, which determines whether vulnerable open-source components are actually invoked during application execution, addressing the common situation where teams incorporate libraries containing known vulnerabilities but never execute the vulnerable code paths. This capability enables teams to prioritize remediation on vulnerabilities posing genuine risk rather than spending effort on theoretical issues that cannot be exploited in their specific implementation context.
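To make the Exploitable Path idea concrete, here is an added, self-contained illustration of the underlying technique, written for this page and not taken from Checkmarx or any Checkmarx product. It parses a constructed requirements-style manifest, resolves import aliases in a constructed application source file with Python's standard ast module, and reports which declared packages have a vulnerable symbol that the application actually calls. The package names, advisory identifiers and vulnerable symbols are all made up placeholders, and the example assumes the manifest name equals the import name (real ecosystems often differ on this).

```python
import ast
import re

# Constructed vulnerability database for the example: package -> [(advisory placeholder, vulnerable qualified symbol)].
# Package names and advisory ids are invented; a real SCA tool would resolve these from an advisory feed.
VULN_DB = {
    "toyyaml": [("ADVISORY-PLACEHOLDER-1", "toyyaml.load")],
    "toyimg": [("ADVISORY-PLACEHOLDER-2", "toyimg.decode.parse_tiff")],
}

# Constructed manifest in requirements.txt style (pinned versions only).
MANIFEST = """
# constructed manifest for the example
toyyaml==5.1
toyimg==0.4.0
requests-toy==2.0
"""

# Constructed application source. It declares both vulnerable packages but only
# calls the vulnerable symbol of one of them, and does so through an import alias.
APP_SOURCE = '''
import toyyaml
from toyimg import decode as imgdec

def load_config(path):
    with open(path) as fh:
        return toyyaml.safe_load(fh)   # safe variant; the advisory is about toyyaml.load

def thumbnail(buf):
    return imgdec.parse_tiff(buf)      # reaches toyimg.decode.parse_tiff via the alias
'''


def parse_manifest(manifest_text):
    """Return {package: version} from a requirements-style manifest with '==' pins."""
    deps = {}
    for line in manifest_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"([A-Za-z0-9_.-]+)\s*==\s*(\S+)", line)
        if m:
            deps[m.group(1).lower()] = m.group(2)
    return deps


class CallCollector(ast.NodeVisitor):
    """Track import aliases and record the fully qualified name of every call target."""

    def __init__(self):
        self.aliases = {}  # local binding -> qualified module or symbol name
        self.calls = set()

    def visit_Import(self, node):
        for a in node.names:
            if a.asname:
                self.aliases[a.asname] = a.name
            else:
                top = a.name.split(".")[0]  # 'import pkg.sub' binds only 'pkg'
                self.aliases[top] = top
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        module = node.module or ""  # relative imports have no module name
        for a in node.names:
            self.aliases[a.asname or a.name] = f"{module}.{a.name}" if module else a.name
        self.generic_visit(node)

    def _qualify(self, expr):
        # Resolve Name/Attribute chains such as imgdec.parse_tiff -> toyimg.decode.parse_tiff
        if isinstance(expr, ast.Name):
            return self.aliases.get(expr.id, expr.id)
        if isinstance(expr, ast.Attribute):
            base = self._qualify(expr.value)
            return None if base is None else f"{base}.{expr.attr}"
        return None  # calls on call results, subscripts, lambdas etc. are not resolved here

    def visit_Call(self, node):
        qualified = self._qualify(node.func)
        if qualified:
            self.calls.add(qualified)
        self.generic_visit(node)


def exploitable_paths(manifest_text, source_text, vuln_db=VULN_DB):
    """For each declared package with an advisory, report whether a vulnerable symbol is called."""
    deps = parse_manifest(manifest_text)
    collector = CallCollector()
    collector.visit(ast.parse(source_text))
    report = {}
    for pkg, advisories in vuln_db.items():
        if pkg not in deps:
            continue  # not declared, so not in scope for this application
        hits = [(adv, sym) for adv, sym in advisories if sym in collector.calls]
        report[pkg] = {"version": deps[pkg], "reachable": bool(hits), "calls": hits}
    return report


if __name__ == "__main__":
    for pkg, info in exploitable_paths(MANIFEST, APP_SOURCE).items():
        status = "REACHABLE" if info["reachable"] else "declared only"
        print(f"{pkg}=={info['version']}: {status} {info['calls']}")
```

Running it reports toyimg as reachable (the alias chain resolves to the vulnerable symbol) and toyyaml as declared only, which is exactly the distinction that lets a team defer the second finding. The approximation is deliberately shallow: it inspects direct calls in one file and does not follow the transitive call graph into the dependency's own code, nor does it see calls made through getattr, reflection or plugin registries, so a production reachability engine needs whole-program call-graph construction and should treat unresolved call sites as unknown rather than safe.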
Application security posture management with intelligent risk correlation
Checkmarx ASPM aggregates data from multiple testing methodologies—SAST, DAST, SCA, API security, container scanning, and IaC analysis—correlating findings across code, cloud, and supply chain to surface only the most relevant, exploitable issues. The platform applies proprietary algorithms to identify exploitable paths, business context, and relative risk, providing aggregated risk scoring for each application that accounts for exploitability, business impact, and organizational context. This correlation capability addresses the fundamental reality that organizations discover far more vulnerabilities than they can remediate in reasonable timeframes, enabling AppSec teams to make data-driven decisions about where to focus remediation efforts. The unified visibility and control across entire application portfolios enables centralized policy management, compliance reporting, and strategic security decision making.