No more typing reviews! Try our Samantha, our new voice AI agent.

Checkmarx One vs Rapid7 AppSpider comparison

 

Comparison Buyer's Guide

Executive SummaryUpdated on Oct 8, 2024

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Categories and Ranking

Checkmarx One
Ranking in Static Application Security Testing (SAST)
2nd
Average Rating
7.8
Reviews Sentiment
6.6
Number of Reviews
81
Ranking in other categories
Application Security Tools (2nd), Vulnerability Management (15th), Container Security (14th), Static Code Analysis (2nd), API Security (4th), Dynamic Application Security Testing (DAST) (2nd), DevSecOps (2nd), Risk-Based Vulnerability Management (11th), Application Security Posture Management (ASPM) (3rd), AI Security (3rd)
Rapid7 AppSpider
Ranking in Static Application Security Testing (SAST)
30th
Average Rating
7.8
Reviews Sentiment
6.7
Number of Reviews
14
Ranking in other categories
No ranking in other categories
 

Mindshare comparison

As of July 2026, in the Static Application Security Testing (SAST) category, the mindshare of Checkmarx One is 9.1%, down from 10.1% compared to the previous year. The mindshare of Rapid7 AppSpider is 0.8%, up from 0.5% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Static Application Security Testing (SAST) Mindshare Distribution
ProductMindshare (%)
Checkmarx One9.1%
Rapid7 AppSpider0.8%
Other90.1%
Static Application Security Testing (SAST)
 

Featured Reviews

Shahzad Shahzad - PeerSpot reviewer
Senior Solution Architect | L3+ Systems & Cloud Engineer | SRE Specialist at Canada Cloud Solution
Enable secure development workflows while identifying opportunities for faster scans and improved AI guidance
Checkmarx One is a very strong platform, but there are several areas where it can improve to support modern DevSecOps workflows even better. For example, better real-time developer guidance is needed. The IDE plugin should offer richer AI-powered auto-fixes similar to SNYK Code or GitHub Copilot Security, as current guidance is good but not deeply contextual for large-scale enterprise codebases. This matters because it reduces developer friction and accelerates shift-left adoption. More transparency control over the correlation engines is another need. The correlation engine is powerful but not fully transparent. Users want to understand why vulnerabilities were correlated or de-prioritized, which helps AppSec teams trust the prioritization logic. Faster SAST scan and more language coverage is needed since SAST scan can still be slow for very large mono-repos and there is limited deep support for new language frameworks like Rust and Go, along with advanced coverage for serverless-specific frameworks. This matters because large organizations want sub-minute scans in CI/CD as cloud-native ecosystems evolve fast. A strong API security module is another area for enhancement. API security scanning could be improved with active testing, API discovery, full Swagger, OpenAPI, drift detection, and schema-based fuzzing. This is important as API attacks are one of the biggest AppSec risks in 2025. Checkmarx One is strong, but I see a few areas for improvement including faster SAST scanning for large mono-repos, deeper language framework support, more transparent correlation logic, and stronger API security that includes discovery and runtime context. The IDE plugin could offer more AI-assisted fixes, and the SBOM lifecycle tracking can evolve further. Enhancing integration with SIEM and SOAR would also make enterprise adoption smoother, and these improvements would help developers and AppSec teams move faster with more accuracy.
HW
Marketing Expert at J's communication
Clients benefit from broad authentication and effective crawling but need localization improvements
Our clients use AppSpider to address security concerns for their websites. It is particularly used by customers who require security assessments One of the most valuable features of AppSpider is its broad range of authentication identification, which is a key reason for its utilization.…

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"The value you can get out of the speedy production may be worth the price tag."
"The main benefit to using this solution is that we find vulnerabilities in our software before the development cycle is complete."
"The solution communicates where to fix the issue for the purpose of less iterations."
"It provides a graphical view of any vulnerabilities."
"The user interface is excellent. It's very user friendly."
"We are using Checkmarx for analyzing threats."
"It is a stable product."
"It is very easy to insert the tool in the SDLC because there are a wide variety of ways to access the source-code, initiate scans, and review the results."
"It is really accurate and the rate of false positives is very low."
"AppSpider's most valuable feature is reporting - everything is stored in the local database so it can be sent to other machines."
"It scans all the components developed within a web application."
"This solution is a leader in the industry."
"Rapid7 AppSpider is good at managing different applications. It uses applets and generates reports to cover the PCA/GDPR compliance requirements."
"Customer service has been quite good."
"I would say that it is stable, as I am not aware of any major issues."
"The most valuable feature is the reporting, which is compliant with international standards."
 

Cons

"The reports are good, but they still need to be improved considering what the UI offers."
"If it is a very large code base then we have a problem where we cannot scan it (if more then ~ 30 mb zip file provided - scan is crashes or takes a lot of time)."
"In terms of dashboarding, the solution could provide a little more flexibility in terms of creating more dashboards. It has some of its own dashboards that come out of the box. However, if I have to implement my own dashboards that are aligned to my organization's requirements, that dashboarding feature has limited capability right now."
"Checkmarx is not good because it has too many false positive issues."
"Presently they support micro-services, but the supporting methodology of the micro-services is not good enough at the moment."
"We had to lock the number of CPUs used to not crash the Checkmarx Audit."
"The tool is currently quite static in terms of finding security vulnerabilities. It would be great if it was more dynamic and we had even more tools at our disposal to keep us safe. It would help if there was more scanning or if the process was more automated."
"The interactive application security testing, or IAST, the interactive part where you're looking at an application that lives in a runtime environment on a server or virtual machine, needs improvement."
"The product needs to be able to scale for large companies, like ours. We have millions of IP addresses that need to be scanned, and the scalability is not great."
"The enterprise interface is too simple. It should be more customizable."
"The solution is too slow. It could take a full day to scan. Competitors are much faster."
"The dashboard and interface are crucial and they need some improvement."
"Implementing Rapid7 AppSpider requires scanning and self-identification mechanisms. You can add different types of authentication to each scan."
"Integration could be better."
"This price of this solution is a little bit expensive."
"AppSpider could improve in the area of integration. They need to add more integration opportunities."
 

Pricing and Cost Advice

"The license has a vague language around P1 issues and the associated support. Make sure to review these in order to align them with your organizational policies."
"This solution is expensive. The customized package allows you to buy additional users at any time."
"We have purchased an annual license to use this solution. The price is reasonable."
"The solution's price is high and you pay based on the number of users."
"It is not expensive, but sometimes, their pricing model or licensing model is not very clear. There are similar variables, such as projects or developers, and sometimes, it is a little bit confusing."
"The solution is costly."
"If you want more, you have to pay more. You have to pay for additional modules or functionalities."
"The number of users and coverage for languages will have an impact on the cost of the license."
"It is expensive if you want to buy the Enterprise version that is able to scan multiple applications at once."
"AppSpider is closed-source software and you need to acquire a license in order to use it."
"The price of Rapid7 AppSpider cost 9,000 annually but there is limited usage. Large companies are able to negotiate a better price or a better deal for the usage with the vendor."
"The price is pretty fair."
"The licensing cost depends on the number of users."
report
Use our free recommendation engine to learn which Static Application Security Testing (SAST) solutions are best for your needs.
904,016 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Financial Services Firm
16%
Manufacturing Company
9%
Computer Software Company
8%
Comms Service Provider
5%
Manufacturing Company
11%
University
10%
Financial Services Firm
9%
Construction Company
7%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
By reviewers
Company SizeCount
Small Business32
Midsize Enterprise9
Large Enterprise46
By reviewers
Company SizeCount
Small Business12
Midsize Enterprise2
Large Enterprise1
 

Questions from the Community

What alternatives are there for Fortify WebInspect and Fortify SCA?
I would like to recommend Checkmarx. With Checkmarx, you are able to have an all in one solution for SAST and SCA as well. Veracode is only a cloud solution. Hope this helps.
What is the biggest difference between Veracode and Checkmarx?
According to my experience of using both the tools in different organizations Veracode is a Cloud-native, managed AppSec platform with strong focus on ease of use, it is SaaS delivery, and provide...
What is your experience regarding pricing and costs for Checkmarx?
Checkmarx One is a premium solution, so budget accordingly. Make sure you understand how licensing scales with additional applications and users. I advise negotiating multi-year contracts or bundle...
What is your experience regarding pricing and costs for Rapid7 AppSpider?
The price is not high, but for Japanese customers, localization may incur additional costs.
What needs improvement with Rapid7 AppSpider?
For Japanese customers, localization is needed. The product should offer a GUI in Japanese and provide Japanese reports for end-users.
What is your primary use case for Rapid7 AppSpider?
Our clients use AppSpider to address security concerns for their websites. It is particularly used by customers who require security assessments.
 

Also Known As

No data available
AppSpider
 

Overview

 

Sample Customers

YIT, Salesforce, Coca-Cola, SAP, U.S. Army, Liveperson, Playtech Case Study: Liveperson Implements Innovative Secure SDLC
Microsoft
Find out what your peers are saying about Checkmarx One vs. Rapid7 AppSpider and other solutions. Updated: June 2026.
904,016 professionals have used our research since 2012.