No more typing reviews! Try our Samantha, our new voice AI agent.

Checkmarx One vs Rapid7 AppSpider comparison

 

Comparison Buyer's Guide

Executive SummaryUpdated on Oct 8, 2024

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Categories and Ranking

Checkmarx One
Ranking in Static Application Security Testing (SAST)
2nd
Average Rating
7.8
Reviews Sentiment
6.6
Number of Reviews
81
Ranking in other categories
Application Security Tools (2nd), Vulnerability Management (15th), Container Security (14th), Static Code Analysis (2nd), API Security (4th), Dynamic Application Security Testing (DAST) (2nd), DevSecOps (2nd), Risk-Based Vulnerability Management (11th), Application Security Posture Management (ASPM) (3rd), AI Security (3rd)
Rapid7 AppSpider
Ranking in Static Application Security Testing (SAST)
30th
Average Rating
7.8
Reviews Sentiment
6.7
Number of Reviews
14
Ranking in other categories
No ranking in other categories
 

Mindshare comparison

As of July 2026, in the Static Application Security Testing (SAST) category, the mindshare of Checkmarx One is 9.1%, down from 10.1% compared to the previous year. The mindshare of Rapid7 AppSpider is 0.8%, up from 0.5% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Static Application Security Testing (SAST) Mindshare Distribution
ProductMindshare (%)
Checkmarx One9.1%
Rapid7 AppSpider0.8%
Other90.1%
Static Application Security Testing (SAST)
 

Featured Reviews

Shahzad Shahzad - PeerSpot reviewer
Senior Solution Architect | L3+ Systems & Cloud Engineer | SRE Specialist at Canada Cloud Solution
Enable secure development workflows while identifying opportunities for faster scans and improved AI guidance
Checkmarx One is a very strong platform, but there are several areas where it can improve to support modern DevSecOps workflows even better. For example, better real-time developer guidance is needed. The IDE plugin should offer richer AI-powered auto-fixes similar to SNYK Code or GitHub Copilot Security, as current guidance is good but not deeply contextual for large-scale enterprise codebases. This matters because it reduces developer friction and accelerates shift-left adoption. More transparency control over the correlation engines is another need. The correlation engine is powerful but not fully transparent. Users want to understand why vulnerabilities were correlated or de-prioritized, which helps AppSec teams trust the prioritization logic. Faster SAST scan and more language coverage is needed since SAST scan can still be slow for very large mono-repos and there is limited deep support for new language frameworks like Rust and Go, along with advanced coverage for serverless-specific frameworks. This matters because large organizations want sub-minute scans in CI/CD as cloud-native ecosystems evolve fast. A strong API security module is another area for enhancement. API security scanning could be improved with active testing, API discovery, full Swagger, OpenAPI, drift detection, and schema-based fuzzing. This is important as API attacks are one of the biggest AppSec risks in 2025. Checkmarx One is strong, but I see a few areas for improvement including faster SAST scanning for large mono-repos, deeper language framework support, more transparent correlation logic, and stronger API security that includes discovery and runtime context. The IDE plugin could offer more AI-assisted fixes, and the SBOM lifecycle tracking can evolve further. Enhancing integration with SIEM and SOAR would also make enterprise adoption smoother, and these improvements would help developers and AppSec teams move faster with more accuracy.
HW
Marketing Expert at J's communication
Clients benefit from broad authentication and effective crawling but need localization improvements
Our clients use AppSpider to address security concerns for their websites. It is particularly used by customers who require security assessments One of the most valuable features of AppSpider is its broad range of authentication identification, which is a key reason for its utilization.…

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"It allows for SAST scanning of uncompiled code. Further, it natively integrates with all key repos formats (Git, TFS, SVN, Perforce, etc)."
"The setup is fairly easy. We didn't struggle with the process at all."
"One of the most important tools in our building process."
"I like that you don't have to compile the code in order to execute static code analysis. So, it's very handy."
"The solution communicates where to fix the issue for the purpose of less iterations."
"It is a stable product."
"We use the solution for dynamic application testing."
"As an InfoSec consulting company, we come across major challenging projects, and Checkmarx has made life easy by reducing manual efforts in using test cases against any vulnerability found during source code reviews while intelligently finding the latest vulnerabilities beyond the OWASP Top Ten."
"When it is set up properly, it can do scanning on web apps with multiple engines automatically."
"The entire solution is interactive and has a point-and-click user experience, which makes it easy to find items or drill down on information, and you don't need specialized skills to use the product."
"Customer service has been quite good."
"The solution is highly stable, rated at ten out of ten."
"AppSpider's most valuable feature is reporting - everything is stored in the local database so it can be sent to other machines."
"Rapid7 AppSpider is good at managing different applications. It uses applets and generates reports to cover the PCA/GDPR compliance requirements."
"This solution is a leader in the industry."
"I would say that it is stable, as I am not aware of any major issues."
 

Cons

"There are some downtimes when Checkmarx One is being upgraded to the latest version or some improvement is there."
"They should make it more container-friendly and optimized for the CI pipeline. They should make it a little less heavy."
"This solution is not very easily scalable, and seems to lack the capability to manage a high volume of applications."
"Checkmarx isn't accredited by the US government for DOD networks, so we've been forced to remove it from the network."
"Checkmarx One can be improved on the side of faster scans, especially when our CI pipelines are scanning for vulnerabilities."
"They can support the remaining languages that are currently not supported. They can also create a different model that can identify zero-day attacks. They can work on different patterns to identify and detect zero-day vulnerability attacks."
"Checkmarx One can be improved by reducing noise and improving false positive filtering."
"With Checkmarx, normally you need to use one tool for quality and you need to use another tool for security. I understand that Checkmarx is not in the parity space because it's totally different, but they could include some free features or recommendations too."
"Implementing Rapid7 AppSpider requires scanning and self-identification mechanisms. You can add different types of authentication to each scan."
"Support response times are slow and can be improved."
"For Japanese customers, localization is needed. The product should offer a GUI in Japanese and provide Japanese reports for end-users."
"This price of this solution is a little bit expensive."
"The tech support is responsive but issues remain unresolved."
"AppSpider has some problems with the RAM needed while scanning."
"Integration could be better. For example, while doing the scanning, using the recording username and passwords, there are issues."
"The performance of the solution could improve. When I compare the speed it is slower than others on the market. There are some tricks we use to help speed up the solution."
 

Pricing and Cost Advice

"The solution's price is high and you pay based on the number of users."
"I would rate the solution’s pricing an eight out of ten. The tool’s pricing is higher than others and it is for the license alone."
"The price of Checkmarx could be reduced to match their competitors, it is expensive."
"We have a subscription license that is on a yearly basis, and it's a pretty competitive solution."
"It is an expensive solution."
"It is not expensive, but sometimes, their pricing model or licensing model is not very clear. There are similar variables, such as projects or developers, and sometimes, it is a little bit confusing."
"I believe pricing is better compared to other commercial tools."
"The interface used to create custom rules comes at an additional cost."
"The price of Rapid7 AppSpider cost 9,000 annually but there is limited usage. Large companies are able to negotiate a better price or a better deal for the usage with the vendor."
"The licensing cost depends on the number of users."
"It is expensive if you want to buy the Enterprise version that is able to scan multiple applications at once."
"The price is pretty fair."
"AppSpider is closed-source software and you need to acquire a license in order to use it."
report
Use our free recommendation engine to learn which Static Application Security Testing (SAST) solutions are best for your needs.
903,147 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Financial Services Firm
16%
Manufacturing Company
9%
Computer Software Company
8%
Outsourcing Company
5%
Manufacturing Company
11%
University
10%
Financial Services Firm
10%
Construction Company
7%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
By reviewers
Company SizeCount
Small Business32
Midsize Enterprise9
Large Enterprise46
By reviewers
Company SizeCount
Small Business12
Midsize Enterprise2
Large Enterprise1
 

Questions from the Community

What alternatives are there for Fortify WebInspect and Fortify SCA?
I would like to recommend Checkmarx. With Checkmarx, you are able to have an all in one solution for SAST and SCA as well. Veracode is only a cloud solution. Hope this helps.
What is the biggest difference between Veracode and Checkmarx?
According to my experience of using both the tools in different organizations Veracode is a Cloud-native, managed AppSec platform with strong focus on ease of use, it is SaaS delivery, and provide...
What is your experience regarding pricing and costs for Checkmarx?
Checkmarx One is a premium solution, so budget accordingly. Make sure you understand how licensing scales with additional applications and users. I advise negotiating multi-year contracts or bundle...
What is your experience regarding pricing and costs for Rapid7 AppSpider?
The price is not high, but for Japanese customers, localization may incur additional costs.
What needs improvement with Rapid7 AppSpider?
For Japanese customers, localization is needed. The product should offer a GUI in Japanese and provide Japanese reports for end-users.
What is your primary use case for Rapid7 AppSpider?
Our clients use AppSpider to address security concerns for their websites. It is particularly used by customers who require security assessments.
 

Also Known As

No data available
AppSpider
 

Overview

 

Sample Customers

YIT, Salesforce, Coca-Cola, SAP, U.S. Army, Liveperson, Playtech Case Study: Liveperson Implements Innovative Secure SDLC
Microsoft
Find out what your peers are saying about Checkmarx One vs. Rapid7 AppSpider and other solutions. Updated: June 2026.
903,147 professionals have used our research since 2012.