No more typing reviews! Try our Samantha, our new voice AI agent.

Checkmarx One vs Kiuwan comparison

 

Comparison Buyer's Guide

Executive SummaryUpdated on Oct 8, 2024

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Categories and Ranking

Checkmarx One
Ranking in Application Security Tools
2nd
Ranking in Static Application Security Testing (SAST)
2nd
Average Rating
7.8
Reviews Sentiment
6.6
Number of Reviews
81
Ranking in other categories
Vulnerability Management (15th), Container Security (14th), Static Code Analysis (2nd), API Security (4th), Dynamic Application Security Testing (DAST) (2nd), DevSecOps (2nd), Risk-Based Vulnerability Management (11th), Application Security Posture Management (ASPM) (3rd), AI Security (3rd)
Kiuwan
Ranking in Application Security Tools
32nd
Ranking in Static Application Security Testing (SAST)
28th
Average Rating
8.6
Reviews Sentiment
7.0
Number of Reviews
23
Ranking in other categories
No ranking in other categories
 

Mindshare comparison

As of July 2026, in the Application Security Tools category, the mindshare of Checkmarx One is 8.2%, down from 9.8% compared to the previous year. The mindshare of Kiuwan is 1.2%, down from 1.2% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Application Security Tools Mindshare Distribution
ProductMindshare (%)
Checkmarx One8.2%
Kiuwan1.2%
Other90.6%
Application Security Tools
 

Featured Reviews

Shahzad Shahzad - PeerSpot reviewer
Senior Solution Architect | L3+ Systems & Cloud Engineer | SRE Specialist at Canada Cloud Solution
Enable secure development workflows while identifying opportunities for faster scans and improved AI guidance
Checkmarx One is a very strong platform, but there are several areas where it can improve to support modern DevSecOps workflows even better. For example, better real-time developer guidance is needed. The IDE plugin should offer richer AI-powered auto-fixes similar to SNYK Code or GitHub Copilot Security, as current guidance is good but not deeply contextual for large-scale enterprise codebases. This matters because it reduces developer friction and accelerates shift-left adoption. More transparency control over the correlation engines is another need. The correlation engine is powerful but not fully transparent. Users want to understand why vulnerabilities were correlated or de-prioritized, which helps AppSec teams trust the prioritization logic. Faster SAST scan and more language coverage is needed since SAST scan can still be slow for very large mono-repos and there is limited deep support for new language frameworks like Rust and Go, along with advanced coverage for serverless-specific frameworks. This matters because large organizations want sub-minute scans in CI/CD as cloud-native ecosystems evolve fast. A strong API security module is another area for enhancement. API security scanning could be improved with active testing, API discovery, full Swagger, OpenAPI, drift detection, and schema-based fuzzing. This is important as API attacks are one of the biggest AppSec risks in 2025. Checkmarx One is strong, but I see a few areas for improvement including faster SAST scanning for large mono-repos, deeper language framework support, more transparent correlation logic, and stronger API security that includes discovery and runtime context. The IDE plugin could offer more AI-assisted fixes, and the SBOM lifecycle tracking can evolve further. Enhancing integration with SIEM and SOAR would also make enterprise adoption smoother, and these improvements would help developers and AppSec teams move faster with more accuracy.
Mustufa Bhavnagarwala - PeerSpot reviewer
CyberRisk Solution Advisor at a consultancy with 10,001+ employees
Though a stable tool, the UI needs improvement
Kiuwan can improve its UI a little more. The user experience can be made better. Kiuwan offers a user interface that is similar to the one offered by Windows 7 or Windows 98, which I saw when I ran the tool and tried to scan the repository to find the security issues. The product's UI has certain shortcomings, where improvements are required.

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"The initial setup was very easy."
"The main benefit to using this solution is that we find vulnerabilities in our software before the development cycle is complete."
"The reports are very good because they include details on the code level, and make suggestions about how to fix the problems."
"We have used this product to verify the dev department's code in order to minimize security holes."
"We were using HPE Security Fortify to scan code for security vulnerabilities, but it can scan only after a successful compile, and if the code has dependencies or build errors the scan fails, while with Checkmarx pre-compile scanning is seamless and allows us to scan more code."
"Checkmarx is probably one of the best static code analyzers available in the market at this point."
"It is a stable product."
"Compared to the solutions we used previously, Checkmarx has reduced our workload by almost 75%."
"We are using this solution to increase the quality of our software and to test the vulnerabilities in our tools before the customers find them."
"The solution will measure your development team, give a KPI for the CISO, reduce the time it takes to find and correct coding errors, and more."
"The technical support is very good, and we have received valid answers to our questions."
"I've found the reporting features the most helpful."
"We switched because Kiuwan covers the entire SDLC; provides direct information to act upon, for the developer, architects, QA, CIO and CISO, in a few seconds; automatically, fully integrated in any CI/CD setup."
"Saving time and money by automatically identifying problems is unbelievable."
"I find it immensely helpful because it's not just about generating code; it's about ensuring efficiency in the execution."
"The solution offers very good technical support."
 

Cons

"Checkmarx is not good because it has too many false positive issues."
"The interactive application security testing, or IAST, the interactive part where you're looking at an application that lives in a runtime environment on a server or virtual machine, needs improvement."
"We have received some feedback from our customers who are receiving a large number of false positives."
"Checkmarx isn't accredited by the US government for DOD networks, so we've been forced to remove it from the network."
"Checkmarx needs to improve the false positives and provide more accuracy in identifying vulnerabilities. It misses important vulnerabilities."
"In terms of dashboarding, the solution could provide a little more flexibility in terms of creating more dashboards. It has some of its own dashboards that come out of the box. However, if I have to implement my own dashboards that are aligned to my organization's requirements, that dashboarding feature has limited capability right now."
"This product requires you to create your own rulesets. You have to do a lot of customization."
"Updating and debugging of queries is not very convenient."
"I would like to see better integration with the Visual Studio and Eclipse IDEs."
"Improvement could be made with the integration of the programming tools."
"The QA developer and security could be improved."
"I would like to see better integration with Azure DevOps in the next release of this solution."
"It would be beneficial to streamline calls and transitions seamlessly for improved functionality."
"More languages and frameworks would enhance this tool."
"The solution seems to give us a lot of false positives. This could be improved quite a bit."
"Perhaps more languages supported."
 

Pricing and Cost Advice

"The tool's pricing is fine."
"If you want more, you have to pay more. You have to pay for additional modules or functionalities."
"The pricing is competitive and provides a lower TCO (total cost of ownership) for achieving application security."
"Most of my customers opted for a perpetual license. They prefer to pay the highest amount up front for the perpetual license and then pay for additional support annually."
"We have a subscription license that is on a yearly basis, and it's a pretty competitive solution."
"We have purchased an annual license to use this solution. The price is reasonable."
"The license has a vague language around P1 issues and the associated support. Make sure to review these in order to align them with your organizational policies."
"Before implementing the product I would evaluate if it is really necessary to scan so many different languages and frameworks. If not, I think there must be a cheaper solution for scanning Java-only applications (which are 90% of our applications)."
"Check with your account manager."
"It follows a subscription model. I think the price is somewhere in the middle."
"The price of Kiuwan is lower than that of other tools on the market."
"Kiuwan is an open-source solution and free to use."
"Nothing special. It's a very fair model."
"This solution is cheaper than other tools."
"I recommend contacting a sales person who will create the best plan payment plan for you, as we did."
report
Use our free recommendation engine to learn which Application Security Tools solutions are best for your needs.
904,748 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Financial Services Firm
16%
Manufacturing Company
9%
Computer Software Company
8%
Outsourcing Company
5%
Construction Company
12%
University
11%
Manufacturing Company
8%
Computer Software Company
8%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
By reviewers
Company SizeCount
Small Business32
Midsize Enterprise9
Large Enterprise46
By reviewers
Company SizeCount
Small Business16
Midsize Enterprise4
Large Enterprise6
 

Questions from the Community

What alternatives are there for Fortify WebInspect and Fortify SCA?
I would like to recommend Checkmarx. With Checkmarx, you are able to have an all in one solution for SAST and SCA as well. Veracode is only a cloud solution. Hope this helps.
What is the biggest difference between Veracode and Checkmarx?
According to my experience of using both the tools in different organizations Veracode is a Cloud-native, managed AppSec platform with strong focus on ease of use, it is SaaS delivery, and provide...
What is your experience regarding pricing and costs for Checkmarx?
Checkmarx One is a premium solution, so budget accordingly. Make sure you understand how licensing scales with additional applications and users. I advise negotiating multi-year contracts or bundle...
Ask a question
Earn 20 points
 

Comparisons

 

Overview

 

Sample Customers

YIT, Salesforce, Coca-Cola, SAP, U.S. Army, Liveperson, Playtech Case Study: Liveperson Implements Innovative Secure SDLC
DHL, BNP Paribas, Zurich, AXA, Ernst & Young, KFC, Santander, Latam, Ferrovial
Find out what your peers are saying about Checkmarx One vs. Kiuwan and other solutions. Updated: June 2026.
904,748 professionals have used our research since 2012.