Critical Capabilities for Application Security Testing

13 October 2025 - ID G00795985 - 45 min read
By Mark Horvath, Jason Gross, and 2 more
Application security testing is evolving based on new technology, new threats and new ways of managing the security of all aspects of code. Cybersecurity leaders should identify the optimal mix of functionality required, and those vendors best positioned to fully address their needs.

Overview


Key Findings

  • Traditional tools like static application security testing (SAST), dynamic application security testing (DAST), interactive application security testing (IAST) and software composition analysis (SCA) remain the core of most application security testing (AST) portfolios but are increasingly similar in performance. However, other tools like application security posture management (ASPM), software supply chain security (SSCS) and artificial intelligence (AI) code security assistants are increasingly needed as threats grow and diversify.
  • In a majority of cases, development and security teams share responsibility for the security of the applications they develop. Development teams take a very active role in tool selection and use, while security teams have begun to shift toward oversight and risk management roles.
  • AI code security assistants (ACSAs) have quickly become a standard feature in most AST portfolios. However, they bring their own risks around accuracy, privacy and model management.
  • The security of AI/LLM models is increasingly becoming a must-have, especially for large enterprise organizations that often have a wide range of models they need to manage and secure.

Recommendations

Cybersecurity leaders responsible for application and data security should:
  • Ensure that decisions around which capabilities are relevant, and which vendors are best-suited to meet those needs, are cooperative efforts spanning security, development and engineering, and operations.
  • Deploy ASPM as a means of establishing control and visibility over AST tools and processes. This will allow teams to make prioritized use of their limited time for AppSec.
  • Expand SSCS to become a first-tier control for application security programs. SSCS is essential for managing application risk and security, and a key data source for security key performance indicators (KPIs).
  • Favor tools that bring AI-related artifacts, such as Model Context Protocol (MCP) servers and model and data security artifacts, into the overall application security scanning process.

What You Need to Know


This Critical Capabilities research provides buyers of AST tools with rankings of 16 vendors’ ability to provide 15 capabilities across six common use cases. Buyers can view vendor rankings for each use case to help formulate lists of vendors that, based on Gartner assessments, are well-suited to address a given use case.
Where the predefined use cases do not offer an appropriate match to an organization’s specific requirements, the online interactive tool can be used to formulate custom use cases and corresponding vendor rankings. By adding weightings for specific capabilities, buyers can also identify vendors with a product offering that is well-suited for a specific function, such as SCA or API security.
This analysis complements our Magic Quadrant for Application Security Testing, which defines the market and highlights a broader set of factors. These include corporate viability, vision, marketing and geographic focus, and specific strengths and cautions associated with the vendors offering these tools. We strongly recommend organizations use this research in conjunction with the Magic Quadrant, inquiries with Gartner analysts and other Gartner research to define their requirements and select the solutions that match their needs.

Analysis


Critical Capabilities Use-Case Graphics

Figure 1: Vendor Product Scores for the Enterprise Use Case
Figure 2: Vendor Product Scores for the Customer Use Case
Figure 3: Vendor Product Scores for the DevSecOps Use Case
Figure 4: Vendor Product Scores for the Cloud-Native Use Case
Figure 5: Vendor Product Scores for the ASPM Use Case
Figure 6: Vendor Product Scores for the SSCS Use Case
In each figure, sixteen providers are ranked on a 1 to 5 scale according to how well their offerings meet the needs of that use case in application security testing, as of 9 September 2025. This allows comparison across a set of critical differentiators.

Vendors

Apiiro

Apiiro offers AST capabilities as part of its Application Security Posture Management (ASPM) platform, including SAST, SCA, secrets and sensitive data detection, API security, IaC scanning and pipeline security, which address a majority of the capabilities outlined in this research. Built on a graph-based core, Apiiro detects, ingests and deduplicates findings from first- and third-party scanners to correlate and prioritize risk throughout the software development life cycle (SDLC). The platform embeds closed-loop security workflows using native integrations with tools throughout the development tool ecosystem (for example, IDE, source code management [SCM], CI/CD, CMDB, ticketing and SIEM) and supports on-premises, air-gapped and SaaS deployment models.
Apiiro earns high marks for risk-based prioritization and deep code analysis, scoring particularly well for the ASPM use case. Its Risk Graph Explorer aggregates findings from multiple sources and leverages business criticality, sensitive data presence and exploitability context to identify code-to-runtime application risks based on organizational policies and to assign actionable risk scores. This helps teams focus on the most urgent issues. The vendor’s patented Deep Code Analysis (DCA) continuously scans code commits, pull requests, builds and repositories to create comprehensive software architecture extended bills of materials (XBOMs), including internal or external AI models and cryptographic BOMs, enabling precise visibility into attack surfaces. Additionally, the platform’s native remediation guidance and fix automation in the IDE, pull requests and tickets, coupled with automated threat-modeling triggers from DCA’s material change detection, demonstrate strong SDLC integration that can accelerate developer adoption.
While Apiiro excels at correlating and contextualizing risk, the platform currently lacks comprehensive dynamic testing and cloud-native security capabilities. Notable gaps include native capabilities for DAST, IAST, IaC and container security. Addressing these areas would enable Apiiro to deliver a truly unified, end-to-end application security solution.
Apiiro placed in the middle in most use cases except for ASPM and SSCS, where it showed considerable strength. Apiiro is a good fit for organizations that want a risk-based view of their security, and for larger organizations that want to add security tools covering core functions or augment their current AST tools with a dedicated ASPM.
Black Duck

Black Duck, having spun out from Synopsys in October 2024, operates as an independent company while retaining its intellectual property, client base, sales teams and senior leadership, remaining minimally changed. The vendor continues to offer a broad range of AST capabilities.
Black Duck offers a modern ACSA called Code Sight, a free IDE plug-in for its SAST and SCA tools. Black Duck Assist is a SAST ACSA that offers remediation guidance, AI-generated code fixes and a natural language interface. Both Code Sight and Black Duck Assist have received good reviews from developers and clients, demonstrating higher-than-median values for developer acceptance of automated remediation suggestions.
The vendor’s ASPM offering, Software Risk Manager, is well-integrated into the Black Duck toolset and provides a comprehensive view of application risk by consolidating scan results, enforcing policies, deduplicating and normalizing findings, and managing compliance effectively. Notably, Software Risk Manager incorporates results not only from Black Duck’s own tools, but also from non-Black Duck tools, offering a holistic security overview.
Black Duck placed in the top third in all use cases. However, it may not be an ideal fit for small and midsize companies that are primarily seeking basic functionality like quick SCA or SAST scans before deployment, largely due to cost and complexity. While most of Black Duck’s AST capabilities can be delivered through the Polaris SaaS platform or deployed on-premises, some advanced features, like Coverity’s code quality analysis and Software Risk Manager’s ML-powered triage assistant, are not currently available in Polaris.
Checkmarx

Checkmarx offers a broad range of AST capabilities through Checkmarx One, the vendor’s SaaS platform. Checkmarx One delivers static (SAST), dynamic (DAST) and composition (SCA) analysis, along with capabilities for container security, API security, IaC analysis and AI security, plus a Repository Health module for detecting SCM misconfigurations. The platform is available in single-tenant, multitenant or managed service deployment models. For customers requiring on-premises installations, Checkmarx continues to support CxSAST for SAST and its legacy Checkmarx OSA for SCA.
Checkmarx delivers strong performance across most use cases, with top marks for ASPM. Checkmarx ASPM aggregates findings from Checkmarx and third-party scanners, then applies severity, exploitability indicators, business criticality and environmental context to produce actionable risk scores for prioritizing remediation. Developer enablement is also a standout: the AI Security Champion program embeds context-aware remediation guidance in IDEs and pull requests, while the ACSA offers real-time secure-coding guidance during code authorship. Checkmarx’s MCP server plugs into AI coding assistants (for example, GitHub Copilot and Cursor), enriching their prompts with security context and validating their responses.
While Checkmarx delivers broad coverage, it lacks native IAST and built-in mobile binary scanning, relying on partner solutions. Dynamic testing for AI-specific risks (such as prompt injection and related LLM vulnerabilities) is not yet fully supported, although its SAST engine can flag some AI-related issues. Customers report complexity in navigating multiple engines, integrations and result views, which can slow new user onboarding.
Checkmarx is a good fit for organizations looking to start or add to an existing application security program and that are not yet heavily invested in developing AI-enabled applications.
Contrast Security

Contrast Security offers a comprehensive runtime application security platform that is made up of Contrast Application Detection and Response (ADR) and Contrast Application Security Testing (AST). It includes Contrast Assess (IAST), Contrast Protect (RASP), Contrast Scan (SAST), Contrast Application Vulnerability Monitoring (AVM) and Contrast Software Composition Analysis (SCA). These are also available as a managed service through Contrast One.
Contrast is a well-integrated platform that effectively unifies and correlates findings from its IAST, SAST and SCA solutions, enriching them with real-time attack data to provide a single, actionable view of application risk across the entire SDLC and into production. A significant differentiator for Contrast is its dynamic risk prioritization methodology, Contrast Score. Contrast Score uses contextual and dynamically adjusted risk ratings for both individual findings and entire applications, with their accuracy informed by real-time risk data augmented by a proprietary digital twin, the Contrast Graph. The use of a digital twin is unique in AST. It integrates runtime telemetry, application metadata, and threat intelligence, allowing teams to optimize their remediation efforts with greater reliability than traditional methods.
Like others in the AST space, Contrast Security offers remediation automation through its Contrast AI SmartFix capability. This feature utilizes real-time context derived directly from IAST to automatically generate actionable vulnerability fixes. These generated fixes are then sent via Contrast’s MCP server, facilitating seamless integration with widely adopted coding assistants such as GitHub Copilot, or can be directly provided as pull requests through GitHub Actions, accelerating the overall remediation life cycle.
Contrast Security placed in the bottom five in most use cases, mostly due to its focus on runtime telemetry, but is a good fit for organizations looking for a modern alternative to the usual SAST/DAST tools.
Cycode

Cycode offers a unified application security platform that combines AST, SSCS and ASPM capabilities. Cycode differentiates itself through its specialization in securing software development pipelines, which gives it a distinct edge in pipeline security. Cycode was one of the earliest examples of combining strong SSCS and ASPM.
A further distinguishing feature is Cycode’s Risk Intelligence Graph (RIG), a hybrid data architecture that maps relationships between code, assets, developers, pipelines and findings, enabling complex queries, risk correlation and real-time visibility across the entire SDLC. This is further powered by an in-house-developed multiagent AI framework for functions including secrets detection, change impact analysis, natural language querying of the RIG, and generating remediation guidance and code fixes.
While offering strong SAST, SSCS and ASPM capabilities, Cycode only offers DAST and API security through partnerships, requiring additional tooling management. Cycode additionally does not offer IAST capabilities and only offers non-native support for container security.
Cycode is consistently in the middle of the pack for most use cases except for SSCS and ASPM, where it finishes first and second, respectively. It is a good fit for organizations that want a fast, effective way of starting their ASPM or SSCS journey, but may already have other core AST tooling they wish to keep.
Data Theorem

Data Theorem’s product portfolio consists of five core products, Mobile Secure, API Secure, Code Secure, Web Secure and Cloud Secure, which address a majority of the capabilities outlined within this research. Each of the vendor’s products includes core AST capabilities, tuned for the application types for which it is intended, with added runtime protections for APIs, mobile applications and cloud workloads.
The vendor scores particularly well for cloud-native application security use cases, achieving above-average marks across the supporting capabilities in these domains. Notably, Data Theorem demonstrates strong performance in container security, API security, and infrastructure as code (IaC) testing. The introduction of Code Secure’s SAST+ is a differentiator, as it leverages dynamic testing to validate the exploitability of static findings, thereby reducing false positives and helping development teams prioritize remediation efforts more efficiently.
While Data Theorem provides robust AST capabilities, including SCA, its platform currently lacks comprehensive SSCS. Notable gaps include the detection of risks within development pipelines, such as vulnerable plug-ins, missing artifact signing and verification before deployment, and misconfigurations within the development tool ecosystem. Data Theorem has recently announced new capabilities addressing these issues; however, that announcement came after the cutoff for this iteration of the Critical Capabilities.
Data Theorem takes the lead position in the cloud-native use case and is in the top five in the other use cases. It is an excellent fit for organizations looking for a single vendor solution, and those that value a utilitarian approach to AST.
GitHub

GitHub offers AST capabilities through GitHub Advanced Security (GHAS), an add-on for GitHub Team and GitHub Enterprise, and through unbundled stand-alone SKUs, called Code Security and Secret Protection. GHAS includes Code Security, which provides built-in static analysis, AI-powered remediation with Copilot Autofix, advanced dependency scanning and proactive vulnerability management. GHAS also includes Secret Protection, which offers enterprise controls for secret hygiene including secret scanning, push protection, validity checks and Copilot secret scanning. These AST capabilities are native to GitHub and available for organizations using Azure DevOps as their underlying DevOps platform.
Much of GitHub’s innovation and differentiation lie in its natively integrated platform and developer workflow, surfacing alerts directly within pull requests for early triage and remediation. For example, Secret Protection detects and prevents secret leaks in real time, blocking sensitive credentials from being pushed to repositories. Additionally, GitHub excels in the SSCS use case, given its ownership and tight integration with the GitHub source code repository and npm registry.
GitHub’s product innovation lags behind that of the leading providers in the market in securing the outer development loop, where it relies on third-party integrations: examples include DAST, IAST, fuzz testing, IaC scanning, API security and container security. GitHub Copilot Autofix and GitHub Copilot Chat, which provide AI-generated explanations and fix suggestions for security issues, explicitly require a persistent internet connection to GitHub.com. This means that organizations utilizing strictly on-premises or air-gapped GitHub deployments cannot leverage these advanced AI-driven security capabilities.
GitHub is consistently in the middle of the pack for all use cases, and is considered a good fit for small and midsize organizations that value integration with source code repositories, and large organizations that already have supplementary tools like DAST.
GitLab

GitLab provides AST capabilities as part of its broader DevSecOps platform. GitLab offers SAST, SCA (dependency scanning), IaC scanning, container scanning, secret push protection, DAST, fuzz testing and posture management. The vendor has transitioned all of its AST capabilities to its Ultimate edition, so enterprises will need to invest in the top-tier offering to meet their security and compliance requirements. Since the last time GitLab was evaluated, it has advanced its SAST capabilities by developing a purpose-built engine, with improvements in accuracy and scalability.
GitLab’s core value proposition is a single, AI-native DevSecOps platform that integrates a broad spectrum of security capabilities. This enables shared visibility and reduces cognitive load, making it easier for teams to adopt AST practices. GitLab has full visibility and traceability into the software delivery pipeline, from code commit to applications running in production. This is a substantial advantage in securing the software supply chain.
Like many other providers in this Critical Capabilities research, GitLab has limited support for DAST, lacking integrations into testing tools like Selenium or Postman, and does not offer an IAST capability. Additionally, GitLab’s detection of AI-related risk is limited to published vulnerabilities within libraries discovered by SCA. Finally, GitLab still relies on third-party open-source tooling for IaC scanning and container security.
GitLab consistently ranks in the middle of the pack in all use cases, and is a good fit for organizations that value an integrated security experience, regardless of size.
HCLSoftware

HCLSoftware offers SAST, DAST, SCA and IAST, along with enterprise features such as IaC scanning, secrets detection, API security and an ACSA, within its AppScan product set. While continuing to iterate on its core AST tools, the vendor has also significantly expanded its Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA) engines, improving accuracy and detection for both its static and dynamic scanning. AppScan also includes CodeSweep for real-time IDE feedback, with AI-powered autofix recommendations accompanied by GenAI-summarized explanations.
For its ASPM, the vendor has improved dashboarding, correlation, reporting and policy customization, and added new industry-standard and regulatory compliance policies. Additionally, HCLSoftware has partnered with OX Security for SSCS. HCLSoftware performs well across most use cases in this analysis, with rankings in the top half for the enterprise, DevSecOps and customer use cases.
While AppScan demonstrates strong capabilities across many AST domains, users report that it may not perform as effectively with API business logic vulnerabilities, suggesting that a third-party tool might be necessary for certain use cases in this area.
HCLSoftware ranks first in the enterprise use case, and is in the top five for all other use cases. It has a good, well-rounded offering that can easily accommodate large, complex clients.
JFrog

JFrog provides AST capabilities as part of its Software Supply Chain Platform that address a majority of the capabilities outlined in this research. JFrog Advanced Security delivers SAST, secrets detection, container-image scanning and IaC analysis, while JFrog Xray provides SCA. JFrog Curation detects and prevents risk from open-source components at the edge, and JFrog Runtime supplies real-time telemetry for contextual prioritization, image integrity and traceability. The platform integrates natively with source control (SCM), CI/CD, CMDB, and ticketing systems to embed security throughout the development life cycle. JFrog’s products support on-premises, air-gapped and multitenant SaaS deployment models.
The vendor scores particularly well for SSCS use cases, earning high marks for SCA and policy enforcement, with coverage that extends to open-source AI models. Its Contextual Analysis engine, part of JFrog Advanced Security, validates runtime exploitability to facilitate risk-based prioritization. JFrog also excels in developer experience, offering local SAST scans and actionable remediation guidance via IDE extensions, CLI tools and SCM plug-ins (Frogbot).
While JFrog excels at securing the software supply chain, the platform lacks native dynamic testing and comprehensive API security capabilities. Its IaC capability is currently limited to Terraform, and its security capabilities are not available as a stand-alone offering separate from the broader JFrog platform. JFrog may not be the best fit for companies seeking best-of-breed solutions or those that are not already using its platform.
JFrog is a good fit for organizations building out their application security program or those that need to emphasize supply chain security in their program.
Mend.io

Mend.io delivers the Mend AppSec Platform with capabilities for static analysis, SCA, IaC testing and container security. Mend SCA stands out among other providers by assessing open-source packages and container images, blocking and detecting malicious code, and supporting the import and export of software bills of materials (SBOMs) for software components, containers and AI models. Mend.io automates remediation across the SDLC: Mend Renovate Enterprise keeps dependencies current by creating pull requests for open-source and private packages, while Mend SAST delivers AI-powered fixes directly in IDEs or through pull requests.
Unlike the last time Mend.io was evaluated, DAST and IAST capabilities are now offered, but through OEM partners, so this may require clients to manage additional tools and vendors. This could make Mend.io less attractive for organizations looking for a full suite of tools.
Elsewhere, the platform supports IaC misconfiguration scanning, but it lacks secrets detection and cannot identify configuration drift in production environments. Finally, some prospects have cited pricing concerns, especially when comparing Mend.io to point solutions or repository vendors, suggesting challenges with perceived value for cost.
Mend.io consistently places in the middle for all use cases. Gartner considers Mend.io a good fit for organizations looking to focus on AST fundamentals and enterprise clients that want to supplement their existing tools.
OpenText

OpenText’s Fortify portfolio consists of a broad range of products covering the AST capabilities outlined in this research. The portfolio, available in a wide variety of deployment models, includes Static Code Analyzer (SAST), Fortify WebInspect (DAST and IAST) and Debricked (SCA). OpenText Core Application Security (formerly Fortify on Demand) delivers these capabilities as a SaaS offering, whereas OpenText Application Security, its on-premises platform, delivers SCA functionality through a long-standing OEM arrangement with Sonatype. ASPM capabilities are included in both the SaaS and on-premises offerings.
OpenText delivers consistent performance across each use case covered in this research, demonstrating a balanced, enterprise-grade feature set. The platform scores particularly well for AI risk detection, identifying known risks within open-source AI components and surfacing prompt injection, excessive information disclosure and insecure input handling for AI-enabled applications. All AI-related findings feed into ASPM for correlation and risk-based prioritization alongside those from OpenText’s native tools and third-party scanners for a unified view of risk.
Despite its breadth, the Fortify portfolio lacks dedicated offerings for container security and supply chain risk detection within development pipelines and development tooling ecosystems. Additionally, the portfolio’s wide range of deployment options and legacy licensing structures can create pricing complexity, making it challenging for buyers to evaluate costs and streamline procurement.
OpenText is a good fit for mature, enterprise-grade organizations with complex application portfolios, or those that operate in regulated industries with requirements for dedicated and air-gapped deployments.
Semgrep

Semgrep is a relative newcomer to the AST market; its name reflects its approach of semantic, grep-like code analysis. Before launching as a commercial offering, Semgrep started as an open-source tool, which remains freely available as Semgrep Community Edition (formerly Semgrep OSS); a community fork, Opengrep, also exists. Semgrep includes offerings for SAST (Semgrep Code), SCA (Semgrep Supply Chain) and secrets detection (Semgrep Secrets). The Semgrep AppSec Platform is available as hosted multitenant or single-tenant SaaS, or can be deployed on a customer’s private infrastructure. Semgrep Assistant provides AI-generated, step-by-step remediation guidance based on Semgrep rules and code context.
Semgrep operates directly on raw source code, applying custom SAST rules with a flexible YAML-based syntax to detect specific code patterns or vulnerabilities and enforce coding standards. This gives Semgrep a distinct advantage for customizing the performance and behavior of both Semgrep Code and Semgrep Supply Chain. Semgrep extends support for SAST rules with a library of stand-alone and community-contributed rules that can be copied, modified or extended, enabling users to tailor detection to their specific needs.
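To make the rule model concrete, the following rule file is an added illustration, not content from the Semgrep Registry and not part of the original report. The first rule uses direct pattern matching with metavariables to flag shell-enabled subprocess calls whose command is not a plain string literal; the second uses Semgrep's taint mode to report untrusted Flask request data that reaches a subprocess command without passing through a sanitizer. Rule ids, messages and the chosen sources, sinks and sanitizer are assumptions for the example.

```yaml
rules:
  # Rule 1: direct pattern matching (example rule, not from the registry).
  # $FUNC and $CMD are metavariables; "..." inside the call matches any
  # other arguments, and "..." as an argument matches a plain string literal,
  # so constant commands (not injectable) are excluded by pattern-not.
  - id: example-subprocess-shell-true-dynamic-command
    languages: [python]
    severity: ERROR
    message: >-
      subprocess.$FUNC is called with shell=True and a non-literal command.
      Pass an argument list and drop shell=True, or quote with shlex.quote.
    metadata:
      category: security
      cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command"
    patterns:
      - pattern: subprocess.$FUNC($CMD, ..., shell=True, ...)
      - pattern-not: subprocess.$FUNC("...", ..., shell=True, ...)
      # Restrict $FUNC to the subprocess entry points that execute a command.
      - metavariable-regex:
          metavariable: $FUNC
          regex: ^(run|call|check_call|check_output|Popen)$

  # Rule 2: taint mode (example rule). Data from the assumed sources flows
  # through assignments and calls until it reaches the focused sink argument;
  # a pass through the sanitizer clears the taint and suppresses the finding.
  - id: example-flask-request-to-subprocess
    mode: taint
    languages: [python]
    severity: ERROR
    message: >-
      Untrusted request data flows into a subprocess command.
    metadata:
      category: security
      cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command"
    pattern-sources:
      - pattern: flask.request.args.get(...)
      - pattern: flask.request.form.get(...)
      - pattern: flask.request.args[...]
    pattern-sanitizers:
      - pattern: shlex.quote(...)
    pattern-sinks:
      - patterns:
          - pattern: subprocess.$FUNC($CMD, ...)
          # Only the command argument is a sink, not the whole call.
          - focus-metavariable: $CMD
```

Run with `semgrep --config rules.yml src/` (assuming the file above is saved as rules.yml). The two rules complement each other: the pattern rule is cheap and catches the risky API shape even when the command's origin is unknown, while the taint rule reports only when an actual untrusted flow exists, which is the kind of precision the report describes as the advantage of customizing rules to a codebase.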
Semgrep lacks a number of core capabilities including DAST, IAST, API security and container security. This can make Semgrep less attractive for organizations looking for a suite of security tools to cover all security concerns. And despite its name, Semgrep Supply Chain offers SCA capabilities, but does not offer any capabilities for pipeline security. Lastly, Semgrep does not provide unified visibility or workflow orchestration across multiple security tools, which is required to provide full AST coverage.
Semgrep is a good fit for small and midsize businesses looking to start their AST program, or enterprise-scale organizations looking to take advantage of its core capabilities.
Snyk

Snyk offers a full suite of solutions that include Snyk Code (SAST), Snyk Open Source (SCA), Snyk Container, Snyk Infrastructure as Code, Snyk API & Web, and Snyk ASPM. In 2024, Snyk integrated Probely’s DAST technology to launch Snyk API & Web, providing DAST as a fully integrated solution within its platform.
One of Snyk’s key differentiators is in its ASPM capabilities, delivered through Snyk AppRisk. This solution unifies findings from both native Snyk scanners and third-party tools, enriching and prioritizing these risks by incorporating business context, runtime telemetry and threat intelligence. This allows for the evaluation of applications against customizable, code-defined policies that dictate specific risk thresholds and security controls.
Snyk continues its strong commitment to developer enablement by deeply integrating with common developer tools across the entire SDLC. This integration provides essential feedback, granular remediation guidance and even automated remediation directly within IDEs, SCM workflows, CI/CD pipelines and ticketing systems. The platform also has AI risk detection capabilities, systematically identifying and surfacing known risks associated with open-source AI components employed in AI-enabled applications. Notably, Snyk treats outputs generated by LLMs as untrusted input, subjecting them to the same scrutiny as other untrusted data during testing.
Snyk is a wide-ranging product that consistently scores in the top five for all use cases and in the top third for most. Snyk is a reliable choice for enterprises and DevSecOps-focused organizations that value developer enablement and support and are comfortable with AI suggestions.
Sonatype

Sonatype maintains a strong emphasis on SSCS and early-stage risk prevention. The company, which is U.S.-based with a client base primarily in the U.S., U.K., EU and the Asia/Pacific region, offers core SCA, SSCS, binary/artifact scanning, AI/LLM model scanning and container security.
Sonatype has an OEM partnership with OpenText Fortify, reselling its SAST offering. This is a strategic shift: Sonatype no longer offers support for its own SAST engine, allowing it to concentrate on the segments of the market it addresses better and more directly. A notable feature is the Sonatype Repository Firewall, which provides perimeter protection by blocking malicious open-source components at the repository manager before they reach builds.
A distinctive capability highlighted by Sonatype is its LLM Component Detection. The vendor employs heuristics, metadata analysis and SBOM inspection to identify AI/LLM components within software. Policies can then be established to block or flag these components based on various risk signals, such as unclear or restrictive licenses, untrusted model sources, noncompliant datasets, low-maintenance AI tools, provenance gaps, and privacy or legal concerns.
Sonatype’s core solution does not currently include DAST, IAST or IaC scanning, nor a dedicated ASPM tool. The Fortify partnership fills the SAST gap, but such alliances can be fragile and subject to change without warning.
Sonatype is a good fit for businesses that prioritize managing risk from their software supply chain, AI/LLM models and code libraries.
Veracode

Veracode offers comprehensive AST capabilities that include SAST, DAST, SCA, a package firewall, container scanning, IaC scanning, pen testing as a service, application security and remediation consulting, as well as hands-on experiential and course-based security training for developers. During the past year, Veracode has strengthened its DAST and penetration testing capabilities with the acquisition of Crashtest Security. Veracode’s acquisition of Jaroona’s ML-powered vulnerability remediation technology has enabled it to detect and remediate software vulnerabilities through proprietary AI.
Veracode scored high for its SAST and SCA capabilities, which are must-haves for inclusion in this Critical Capabilities research. Being a SaaS-only offering, Veracode responded to data residency requirements from customers by supporting a dedicated European region that currently provides static analysis and SCA capabilities, dynamic analysis and API scanning, container and IaC security, and e-learning. This can help organizations in Europe that are concerned about data residing in locations outside of European jurisdiction.
Veracode has added new capabilities to meet public-sector regulatory requirements in the U.S. as well. In 2022, Veracode achieved the U.S. Federal Risk and Authorization Management Program (FedRAMP) Moderate authorization.
Veracode performed well across all use cases. It has strengthened its cloud-native security and supply chain capabilities by adding support for container scanning and SBOM generation. The product is a good fit for enterprise use cases, and the support for peer benchmarking enables security leaders in enterprises to benchmark the maturity of their application security program against their peers.

Context

The AST market continues to mature, and demand from both security and development teams keeps growing. Most organizations now look beyond static analysis and SCA as the basis for testing, although both remain core tools. Most of the new capabilities in the market come from tools related to software supply chain, ASPM and AI.
Market dynamics observed while preparing this iteration of the Critical Capabilities for Application Security Testing include the following.

Core AST Tools Have Reached a High Level of Commoditization

One of the things Gartner noticed when evaluating the dataset for this research is the relative homogeneity of the set of core tools. In this case, those are the traditional tools (SAST, DAST, IAST and SCA) and some of the adjacent tools, like IaC, secrets detection and pipeline security assessments. While individual vendors may have tools, or more commonly features of tools, that distinguish them from their competitors, overall the market has matured to offer similar (but not identical) results for common functions. This is to be expected in a market that has been maturing for more than a decade, and is a healthy sign that AST has become mainstream. This trend is reflected in some of the critical capabilities scoring, which shows a reduced range of scores over the domain of common features.
While it is increasingly difficult for vendors to differentiate on core features, price has become a key decision factor for many Gartner clients. Typically, the security team and the development group share responsibility and budget for the selection of AST tools, and Gartner sees increasing agreement between the two on desired outcomes. That is, both want to lower security risk with faster time to market and improved developer satisfaction.
Gartner pricing reviews show that most clients have established a specific price per developer when budgeting for AST tools. This, combined with the relative ease in switching between cloud-based toolsets, allows clients to switch vendors at the end of their existing contracts. That said, the reinstrumentation of pipelines still requires nontrivial effort. With vendor focus moving away from perfecting core tools, Gartner sees renewed energy in the market for innovation that addresses new issues like AI, SSCS and code quality.
Increasingly, as this trend evolves, Gartner sees AST becoming a broader application security platform (ASP). These platforms are composed of tools and processes that support a more holistic view of application security, using telemetry and data from a wider variety of sources. They combine the core tools with coverage for SSCS, ASPM, cloud-native application protection platforms (CNAPP) and web application and API protection (WAAP). While no vendor yet offers a complete ASP, many larger clients have assembled early versions on their own, and the technical challenges appear approachable.

AI Is Becoming a Primary Tool in Application Security

It is perhaps obvious at this point, but no discussion of the AST market would be complete without acknowledging the role AI has come to play in the last two years. For the first time, in the 2025 Critical Capabilities survey, we started asking specific questions about how vendors are addressing the challenge, and found that there are almost as many answers as there are vendors. Overall, Gartner is seeing three major uses for AI: ACSAs, AI model security management, and improving overall efficiency in detecting and correlating vulnerable code.
ACSAs are technologies that help developers identify and remediate security vulnerabilities in code. To do so, they offer autoremediation suggestions and direct code assistance or chatbots, using forms of AI such as generative AI (GenAI). ACSAs are primarily delivered as features of AST products. They use cloud services to analyze code and make recommendations.
Vendors have also started to support security coverage for AI-powered applications. This can include features such as AI component and AI model detection, risk and analytics, scanning for malicious models, threat analysis for conversational AIs, and other proactive protection for modern applications.
While a holistic view of vulnerable code has been an unreachable goal for AST for some time, modern AI tools allow a marked improvement in both detecting (and correcting) vulnerabilities, and may soon improve visibility about the overall security of code.
Finally, with new technology comes new attack vectors. With a rise in business and development teams exploring vibe coding (see Why Vibe Coding Needs to Be Taken Seriously), Gartner is seeing a potential new vector for threats where people without a lot of development experience are using AI to write code based on the plain text description of the application. This AI often produces runnable results; however, the code tends to be unmanaged and often exists outside established code security procedures. This becomes a security issue as noncoders are poorly placed to recognize or correct issues in their ad hoc code. This represents a new attack surface that AI can bring to the codebase.

Risk Has Become a Primary KPI

With the advent of ASPM as an addition to the AST suite, the promise of correlating results from a variety of AST tools is finally starting to be realized. Gartner is seeing more security and development teams reporting risk metrics instead of just traditional security indicators. For example, overall application risk, risk reduction per development cycle and SSCS risk are appearing as primary KPIs, alongside the traditional severity/criticality metrics. Again, this represents an increased level of maturity in the market overall; it makes security metrics more understandable to nonsecurity stakeholders and more compatible with existing line-of-business metrics. This allows cybersecurity leaders to trade off security, performance, feature and business risks against one another in a transparent and logical way.

Market Definition

Gartner defines the application security testing (AST) market as consisting of providers of products that enable organizations to assess applications for the presence and management of risk. These products identify risk by evaluating source code, performing runtime tests and inspecting supply chain components. AST products can be integrated throughout development workflows for continuous assessment or be used to perform ad hoc evaluations. They enable organizations to manage application risks by providing an integrated set of capabilities for risk identification, prioritization and triage, policy evaluation and enforcement, and remediation assistance. Market offerings are available in on-premises, SaaS and hybrid delivery models.
Organizations leverage AST products to assess applications for the presence of security vulnerabilities and other risks (e.g., legal and operational) throughout their life cycle. These assessments are used to measure and manage the risks within individual applications, application components or groups of applications in the context of their business criticality and other key attributes (e.g., environment, sensitive data handling, etc.). AST products further enable organizations to evaluate software for compliance with internal policies as well as regulatory requirements established by governments or authoritative industry groups.

Mandatory Features

The minimum, mandatory features for products in this market include those essential for vulnerability identification, test result evaluation and management, supply chain risk identification and communication, and developer enablement.
  • Vulnerability identification:
    • Static AST (SAST): Assesses, using a variety of analytical techniques, an application’s source, bytecode or binary code for security vulnerabilities, typically during the programming and/or testing phases of the software development life cycle (SDLC).
    • Software composition analysis (SCA): Identifies third-party components, open-source or commercial, included in the development of an application. In addition to dependency details, provides information regarding known vulnerabilities, potential licensing concerns, operational risks, and malicious package identification.
  • Application security posture management:
    • Policy evaluation: Evaluates assessment results and applications against predefined, or customer-defined criteria for the introduction, or acceptable duration of risk presence.
    • Prioritization and triage: Recommends and allows for the adjustment of remediation priorities based on publicly available and proprietary information related to scanned artifacts, scan findings and risk considerations.
    • Posture and performance reporting: Provides measurements at the application and application portfolio level to quantify and measure adherence to expectations for introducing and addressing risk.
  • Software supply chain security:
    • Software bill of materials (SBOM) life cycle management: Supports the ingestion, creation, and sharing of SBOMs for the purposes of identifying and communicating an inventory of third-party components, commercial or open-source, contained within an application and the risks therein.
  • Developer enablement:
    • Developer education: Includes just-in-time training and/or remediation guidance for individual scan findings, as well as on-demand training material for secure software development.

Common Features

Common features are those appearing in the product compositions offered by most sellers. Products often contain an assortment of these capabilities from each category, whereas those from niche players (e.g., AST for embedded systems) or those who focus on a particular category may be more selective.
  • Vulnerability identification:
    • Dynamic AST (DAST): Externally probes applications in their running (i.e., dynamic) state during the testing and operational phases of the SDLC. DAST simulates attacks against an application, appraises the application’s reactions and identifies the presence of vulnerabilities.
    • Interactive AST (IAST): Instruments, via the injection of a software-based sensor, an application to be tested. When the application is run (e.g., during functional testing), the sensor monitors and records multiple aspects of application activity, such as data and control flow. The tool then analyzes the information gathered to identify vulnerabilities.
    • Secrets detection: Specialized testing capabilities for the identification of exposed secrets (e.g., credentials, tokens, API keys, etc.) within code, configuration files or other artifacts.
    • API security testing: Specialized testing capabilities, including support for protocols used by APIs, payload analysis and checks for vulnerabilities unique to APIs. The ability to discover APIs in both development and production environments, as well as the ability to ingest recorded traffic or API definitions to support the testing of an API are common features.
    • Container security testing: Examination of container images, or a fully instantiated container prior to deployment, for the presence of security issues. Container security tools typically address both configuration hardening and vulnerability assessment tasks. Tools may also scan for the presence of secrets, such as hard-coded credentials or authentication keys.
    • Infrastructure-as-code (IaC) scanning: Review of IaC directives supporting the dynamic creation, provisioning and configuration of software-defined compute (SDC), network and storage infrastructure.
  • Application security posture management:
    • Unified visibility and correlation: Supports third-party tool assessment ingestion to include cloud and infrastructure vulnerabilities and misconfigurations, deduplication and correlation of findings.
    • Security workflow orchestration: Policy-based configuration and initiation of security tests, controls and workflows for risk detection and response throughout an application’s life cycle.
  • Software supply chain security:
    • Pipeline security: Inventories and assesses security controls within development pipelines as well as the infrastructure and systems they both pull from and run from.
  • Developer enablement:
    • Secure coding assistants: Resources that help developers, often through the use of AI, avoid the creation of insecure code or that provide suggestions for the automated remediation and/or mitigation of security bugs within existing code.

Product/Service Trends

AST suites are groups of varied AST technologies from a single vendor. They blend SAST, SCA and often DAST, IAST and other capabilities into one offering. These solutions are delivered as a tool and/or service. Ideally, the individual tools are integrated within a single enterprise console and reporting framework.

Critical Capabilities Definition

Static AST

SAST analyzes an application’s source, bytecode or binary code for security vulnerabilities, typically during the programming or testing phases of the SDLC. Findings should be categorized in a way that enables a focus on the highest confidence, most severe issues.
A SAST solution must be able to analyze the source code, bytecode or binary code of multiple programming languages. The solution should enable enterprises to customize and fine-tune testing according to organization-specific or standardized coding practices, reducing the occurrence of false positives and “uninteresting” findings. A SAST solution can be delivered as an on-premises tool or as a cloud service.
Software Composition Analysis

SCA is used to identify open-source and, less frequently, commercial components in use in an application. From this, known security vulnerabilities, potential licensing concerns and operational risks can be identified.
The evaluation of tools considers their ability to proactively enforce the organization’s open-source software security and governance policy at the time of component onboarding, the breadth of component information offered, and guidance provided to developers for resolving identified issues. AST vendors increasingly offer SCA functionality as a proprietary feature of their offerings. However, some AST vendors still partner with third-party, stand-alone SCA vendors, and these are evaluated in this research. The level of granularity, breadth and integration of the solution (in the case of partnerships with SCA vendors) all play an important role.
Policy Evaluation

Policy evaluation entails evaluating assessment results and applications against predefined or customer-defined criteria for the introduction or acceptable duration of risk presence.
Prioritization & Triage

This capability recommends and allows for the adjustment of remediation priorities based on publicly available and proprietary information related to scanned artifacts, scan findings and risk considerations.
Posture & Performance Reporting

Posture and performance reporting provides measurements at the application and application-portfolio level that quantify adherence to expectations for introducing and addressing risk, in the context of existing defense in depth, CI/CD pipelines and workflows.
It is composed of several related functions:
  • Unified visibility and correlation: Supports third-party tool assessment ingestion, including cloud and infrastructure vulnerabilities and misconfigurations, deduplication, and correlation of findings
  • Security workflow orchestration: Entails policy-based configuration and initiation of security tests, controls and workflows for risk detection and response throughout an application’s life cycle
  • Policy evaluation: Evaluates assessment results and applications against predefined or customer-defined criteria for the introduction or acceptable duration of risk presence
  • Prioritization and triage: Recommends and allows for the adjustment of remediation priorities based on publicly available and proprietary information related to scanned artifacts, scan findings and risk considerations
SBOM Life Cycle Management

This supports the ingestion, creation and sharing of software bills of materials for the purposes of identifying and communicating an inventory of third-party components (commercial or open-source) contained within an application and the risks therein.
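As an added example of the ingestion and policy-evaluation steps described above (not code from the report or from any vendor's product), the following Python parses a CycloneDX JSON document, builds the component inventory, matches it against an advisory list and applies an onboarding policy covering vulnerability severity, license and AI model components. The SBOM, the package names, the EXAMPLE-ADV identifiers and the policy are constructed for the example, and the numeric version comparison is a simplification of what an ecosystem-aware SCA tool does.

```python
"""Ingest a CycloneDX SBOM, build the component inventory and evaluate it against
an advisory list and an onboarding policy. Added example, not a vendor's
implementation; the SBOM, advisory identifiers and package names are constructed."""
from __future__ import annotations
import json
from dataclasses import dataclass

# Constructed CycloneDX 1.5 JSON document; the field layout follows the CycloneDX schema.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "components": [
    {"type": "library", "name": "left-pad", "version": "1.3.0",
     "purl": "pkg:npm/left-pad@1.3.0", "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "fast-render", "version": "2.0.1",
     "purl": "pkg:npm/fast-render@2.0.1", "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
    {"type": "library", "name": "yaml-utils", "version": "0.9.4",
     "purl": "pkg:pypi/yaml-utils@0.9.4", "licenses": []},
    {"type": "machine-learning-model", "name": "model-weights", "version": "3",
     "purl": "pkg:huggingface/example-org/model-weights@3",
     "licenses": [{"license": {"id": "Apache-2.0"}}]}
  ]
}"""

# Constructed advisory feed: placeholder identifiers, not real CVEs.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "purl": "pkg:pypi/yaml-utils", "fixed": "1.0.0", "severity": "high"},
    {"id": "EXAMPLE-ADV-0002", "purl": "pkg:npm/left-pad", "fixed": "1.2.0", "severity": "medium"},
]

# Constructed onboarding policy for a proprietary, network-delivered application.
POLICY = {
    "denied_licenses": {"AGPL-3.0-only", "GPL-3.0-only"},
    "require_declared_license": True,
    "block_severities": {"critical", "high"},
    "flag_model_components": True,
}


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    purl: str
    ctype: str
    licenses: tuple[str, ...]  # SPDX ids; empty when the SBOM declares none


@dataclass(frozen=True)
class Finding:
    purl: str
    action: str  # "block" stops onboarding; "flag" routes to triage
    reason: str


def parse_cyclonedx(text: str) -> list[Component]:
    """Inventory step: one Component per SBOM entry, with its declared SPDX licenses."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = []
    for c in doc.get("components", []):
        ids = tuple(lic["license"]["id"] for lic in c.get("licenses", []) if "id" in lic.get("license", {}))
        components.append(Component(c["name"], c["version"], c.get("purl", ""), c.get("type", ""), ids))
    return components


def version_key(v: str) -> tuple[int, ...]:
    """Dotted numeric versions only; real SCA tools need ecosystem-specific parsers."""
    return tuple(int(p) for p in v.split("."))


def purl_base(purl: str) -> str:
    return purl.split("@", 1)[0]


def evaluate(components, advisories, policy) -> list[Finding]:
    """Policy step: vulnerability, license and AI-component rules applied per component."""
    findings = []
    for comp in components:
        base = purl_base(comp.purl)
        for adv in advisories:
            if adv["purl"] == base and version_key(comp.version) < version_key(adv["fixed"]):
                action = "block" if adv["severity"] in policy["block_severities"] else "flag"
                findings.append(Finding(comp.purl, action, f"{adv['id']}, fixed in {adv['fixed']}"))
        denied = sorted(set(comp.licenses) & policy["denied_licenses"])
        if denied:
            findings.append(Finding(comp.purl, "block", f"denied license {denied[0]}"))
        if policy["require_declared_license"] and not comp.licenses:
            findings.append(Finding(comp.purl, "flag", "no license declared"))
        is_model = comp.ctype == "machine-learning-model" or base.startswith("pkg:huggingface/")
        if policy["flag_model_components"] and is_model:
            findings.append(Finding(comp.purl, "flag", "AI model component: verify source, license and provenance"))
    return findings


def verdict(findings) -> str:
    actions = {f.action for f in findings}
    return "block" if "block" in actions else ("flag" if "flag" in actions else "pass")


if __name__ == "__main__":
    found = evaluate(parse_cyclonedx(SBOM_JSON), ADVISORIES, POLICY)
    for f in found:
        print(f.action.upper(), f.purl, "-", f.reason)
    print("verdict:", verdict(found))
```

Against the constructed SBOM this blocks fast-render (denied license) and yaml-utils (high-severity advisory), flags yaml-utils for its missing license declaration and the model component for provenance review, and passes left-pad because its version is at or above the advisory's fixed version.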
Developer Education

Developer education includes just-in-time training and/or remediation guidance for individual scan findings, as well as on-demand training materials for secure software development.
Dynamic AST

DAST analyzes applications in their running state during testing or operational phases. DAST simulates attacks against an application or API, analyzes the application’s reactions, and determines whether it is vulnerable.
DAST can identify whether an application contains vulnerabilities that may be detected only when the application operates in a runtime environment. Because DAST dynamically carries out tests against running code, including underlying application frameworks and servers, its findings are typically more likely to be actual vulnerabilities. DAST technology usually cannot point to the line of code where a vulnerability originates, because it is a “black box” testing technology that does not have access to the source code.
Interactive AST

IAST instruments a running application and examines its operation to identify vulnerabilities. Most implementations are passive, in that they rely on other application testing to generate the activity that the IAST agent then evaluates.
Because they are agent-based, IAST tools can only evaluate behaviors they observe — code paths that are not executed are not tested. Thus, IAST tools often work either in concert with a DAST tool (which causes the code being examined to be executed in response to attacks or tests) or alongside traditional functional or unit tests, which achieve the same end. As code executes, the IAST agent monitors the program for unsafe or unsecured behavior.
API Security

These specialized testing capabilities include support for protocols used by APIs, payload analysis and checks for vulnerabilities unique to APIs. Also, the ability to discover APIs in both development and production environments, as well as the ability to ingest recorded traffic or API definitions to support the testing of an API, are common features.
Secrets Detection

Secrets detection involves specialized testing capabilities for the identification of exposed secrets (such as credentials, tokens, API keys, etc.) within code, configuration files or other artifacts.
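As an added example of the capability defined above (not code from the report or from any vendor's scanner), the following Python shows the two techniques a secrets scanner combines: fixed-format rules for well-known key types, which give few false positives, and an entropy check on generic secret-looking assignments, which catches unknown formats while skipping placeholders and templated references. The sample text, the rule names and every value in it are constructed; the AWS key is the placeholder used in AWS documentation, and the GitHub-style token is an obviously fabricated string.

```python
"""Secrets detection over source and configuration text: high-confidence format
rules plus an entropy check on generic secret-looking assignments. Added example,
not a vendor's scanner; the sample text and all values in it are constructed."""
from __future__ import annotations
import math
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    value: str


# Format rules: vendor-specific prefixes and fixed lengths, matched with high confidence.
PATTERN_RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic rule: a secret-looking name assigned a quoted literal of at least 8 characters.
ASSIGNMENT_RULE = re.compile(
    r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
)


def shannon_entropy(s: str) -> float:
    """Bits per character. Random tokens score around 4 or more; dictionary words
    and placeholders such as 'changeme' score well below 3.5."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, entropy_threshold: float = 3.5) -> list[Finding]:
    """Run every rule over every line; returns findings in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERN_RULES.items():
            for m in pattern.finditer(line):
                findings.append(Finding(line_no, rule, m.group(0)))
        for m in ASSIGNMENT_RULE.finditer(line):
            value = m.group(2)
            # Templated references ("${VAR}") and low-entropy placeholders are not secrets.
            if value.startswith("${") or shannon_entropy(value) < entropy_threshold:
                continue
            findings.append(Finding(line_no, "high-entropy-assignment", value))
    return findings


# Constructed sample input; no value here is a real credential.
SAMPLE = """\
# constructed sample config; no value here is a real credential
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
db_password = "${DB_PASSWORD}"
admin_password = "changeme"
api_token = "q7Xk2pL9vR4mN8sT1wZ6yB3cF5hJ0dG2"
github_token = ghp_abcdefghijklmnopqrstuvwxyz0123456789
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        # Report a prefix only: a scanner should never echo the full secret into logs.
        print(f"line {f.line_no}: {f.rule}: {f.value[:6]}...")
```

On the sample this reports the AWS key on line 2, the high-entropy api_token on line 5 and the GitHub-style token on line 6, while the templated db_password and the placeholder admin_password produce nothing. Tuning the entropy threshold trades false positives against misses, which is why scanners pair it with format rules rather than relying on either alone.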
Container Security

Container security refers to the examination of container images, or a fully instantiated container prior to deployment, for the presence of security issues.
These tools typically address configuration hardening and vulnerability assessment tasks. They may also scan for the presence of secrets, such as hard-coded credentials or authentication keys.
Infrastructure as Code Scanning

This involves the review of IaC directives supporting the dynamic creation, provisioning and configuration of software-defined compute, network and storage infrastructure.
Pipeline Security

Pipeline security inventories and assesses security controls within development pipelines as well as the infrastructure and systems they pull from, and that run them.
Secure Coding Assistant

Secure coding assistants provide resources that help developers, often through the use of AI, avoid the creation of insecure code, or offer suggestions for the automated remediation and/or mitigation of security bugs within existing code.

Use Cases

Enterprise

Considers the needs of (usually) large-scale organizations with a mix of application types and development approaches, requiring a complete approach to application security.
Customer

Focuses on end-user and customer security, privacy, reliability and safety. It also covers the security needs of customers of businesses of all sizes, from SMB to enterprise.
DevSecOps

Emphasizes the requirements of organizations with significant adoption of DevOps and other fast-moving, iterative development methodologies.
Cloud-Native

Addresses security testing for more modern application architecture and deployment styles, including containers, APIs, microservices and serverless computing.
ASPM

Emphasizes the correlation of results from various AST tools, with the goal of eliminating false positives and generating a risk-based security posture.
SSCS

Emphasizes a mix of supply chain security functions in combination with core AST capabilities.
It is particularly relevant to organizations seeking to ensure the integrity of software received, used and distributed in conjunction with a foundational application security program.

Vendors Added and Dropped

Added

  • JFrog
  • Semgrep
  • Data Theorem
  • Cycode
  • Apiiro

Dropped

  • Onapsis

Inclusion and Exclusion Criteria


This Critical Capabilities research uses the same evaluation criteria as its companion Magic Quadrant for Application Security Testing.
To qualify for inclusion, providers need to satisfy criteria as defined below.
Market Participation
Providers must satisfy all of the criteria below for inclusion in this research.
  • Provide a dedicated AST solution that is generally available (GA) as of 1 January 2025.
  • Satisfy each of the technical capabilities relevant to Gartner clients, listed below.
  • Provide support for all mandatory features identified in the Market Definition.
Note: Products considered to be GA must be available on a price sheet/card for purchase by clients.
Market Performance
Providers must satisfy one of the criteria listed below for inclusion (revenue measured under generally accepted accounting principles, GAAP):
  • Have generated at least $100 million in annual revenue in calendar year 2024; OR
  • Have generated at least $55 million in annual revenue in calendar year 2024, with at least 20% coming from more than one geographic region; OR
  • Have earned at least $10 million in annual revenue in calendar year 2024 and 100% year-over-year growth when compared to calendar year 2023.
Technical Capabilities Relevant to Gartner Clients
Provider solutions must satisfy all technical capabilities relevant to Gartner clients:
  • Must support the ability to automate vulnerability identification tests from within developer workflows (e.g., pull/merge requests, CI/CD pipelines, etc.).
  • SAST offerings must include the capability to identify security flaws within code written in common development languages (e.g., Java, Python, C#, PHP, JavaScript).
  • SCA offerings must include the capability to identify OSS libraries that present risk in the form of vulnerabilities, undesirable licenses and malicious packages, and that are out-of-date.
  • Must be able to ingest and generate SBOMs in commonly accepted formats (e.g., SPDX, CycloneDX, SWID).

Weighting for Critical Capabilities in Use Cases

Critical Capabilities            | Enterprise | Customer | DevSecOps | Cloud-Native | ASPM | SSCS
---------------------------------|------------|----------|-----------|--------------|------|-----
Static AST                       | 10%        | 5%       | 0%        | 5%           | 0%   | 5%
Software Composition Analysis    | 10%        | 5%       | 0%        | 5%           | 0%   | 25%
Policy Evaluation                | 5%         | 0%       | 10%       | 5%           | 20%  | 15%
Prioritization & Triage          | 5%         | 15%      | 10%       | 0%           | 20%  | 5%
Posture & Performance Reporting  | 5%         | 5%       | 5%        | 5%           | 20%  | 0%
SBOM Life Cycle Management       | 5%         | 20%      | 5%        | 0%           | 10%  | 20%
Developer Education              | 5%         | 10%      | 0%        | 0%           | 0%   | 0%
Dynamic AST                      | 10%        | 10%      | 0%        | 0%           | 0%   | 0%
Interactive AST                  | 10%        | 0%       | 0%        | 0%           | 0%   | 0%
API Security                     | 5%         | 15%      | 10%       | 15%          | 0%   | 0%
Secrets Detection                | 5%         | 0%       | 10%       | 10%          | 5%   | 5%
Container Security               | 5%         | 0%       | 10%       | 20%          | 5%   | 5%
Infrastructure as Code Scanning  | 5%         | 0%       | 10%       | 15%          | 0%   | 0%
Pipeline Security                | 5%         | 0%       | 10%       | 10%          | 20%  | 20%
Secure Coding Assistant          | 10%        | 15%      | 20%       | 10%          | 0%   | 0%
As of 9 September 2025
Source: Gartner (October 2025)
This methodology requires analysts to identify the critical capabilities for a class of products/services. Each capability is then weighted in terms of its relative importance for specific product/service use cases.

Critical Capabilities Rating

Each of the products/services that meet our inclusion criteria has been evaluated on the critical capabilities on a scale from 1.0 to 5.0.

Product/Service Rating on Critical Capabilities

Critical Capabilities | Apiiro | Black Duck | Checkmarx | Contrast Security | Cycode | Data Theorem | GitHub | GitLab | HCLSoftware | JFrog | Mend.io | OpenText | Semgrep | Snyk | Sonatype | Veracode
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Static AST | 2.4 | 3.8 | 3.8 | 2.2 | 3.0 | 2.7 | 3.6 | 2.5 | 3.4 | 3.0 | 3.0 | 3.3 | 3.3 | 3.2 | 1.8 | 3.3
Software Composition Analysis | 3.4 | 3.4 | 3.4 | 3.3 | 3.5 | 3.3 | 3.7 | 3.4 | 3.3 | 3.4 | 3.6 | 2.6 | 3.5 | 3.3 | 4.0 | 3.4
Policy Evaluation | 3.9 | 3.3 | 3.6 | 2.8 | 3.0 | 3.0 | 2.6 | 2.9 | 3.1 | 2.6 | 3.0 | 3.1 | 2.5 | 3.8 | 3.6 | 2.7
Prioritization & Triage | 4.3 | 3.3 | 3.5 | 3.5 | 3.6 | 3.4 | 3.2 | 3.2 | 3.4 | 3.1 | 3.3 | 3.5 | 2.7 | 3.4 | 3.3 | 3.5
Posture & Performance Reporting | 3.8 | 3.5 | 3.5 | 2.6 | 3.3 | 3.5 | 2.9 | 3.2 | 2.9 | 2.6 | 3.1 | 2.8 | 1.7 | 3.0 | 3.0 | 3.2
SBOM Life Cycle Management | 3.6 | 3.5 | 3.3 | 2.7 | 2.9 | 3.4 | 2.6 | 2.8 | 2.6 | 3.1 | 3.4 | 2.5 | 3.1 | 2.9 | 3.2 | 2.9
Developer Education | 1.3 | 1.9 | 3.8 | 1.2 | 2.3 | 3.3 | 2.9 | 1.2 | 3.1 | 1.9 | 1.2 | 1.6 | 3.1 | 3.6 | 3.0 | 3.7
Dynamic AST | 1.0 | 2.9 | 2.8 | 1.0 | 1.0 | 3.9 | 1.0 | 2.5 | 4.1 | 1.0 | 1.8 | 4.2 | 1.0 | 3.6 | 1.0 | 3.2
Interactive AST | 1.0 | 4.3 | 1.0 | 4.7 | 1.0 | 1.5 | 1.0 | 1.0 | 4.2 | 1.0 | 1.3 | 2.4 | 1.0 | 1.0 | 1.0 | 1.0
API Security | 2.3 | 2.1 | 2.5 | 2.8 | 1.0 | 3.9 | 1.1 | 1.6 | 3.0 | 1.4 | 1.5 | 2.6 | 1.3 | 2.7 | 1.0 | 3.0
Secrets Detection | 2.9 | 3.2 | 3.1 | 1.0 | 3.0 | 3.2 | 3.1 | 3.0 | 3.3 | 3.1 | 2.3 | 2.4 | 2.6 | 3.0 | 1.0 | 2.9
Container Security | 1.9 | 2.8 | 3.1 | 1.0 | 2.3 | 3.8 | 1.0 | 1.9 | 2.3 | 2.8 | 3.0 | 1.0 | 1.0 | 3.1 | 3.8 | 2.5
Infrastructure as Code Scanning | 2.9 | 2.7 | 2.9 | 1.0 | 3.1 | 3.2 | 2.1 | 2.1 | 2.5 | 2.0 | 1.6 | 2.9 | 2.9 | 3.2 | 1.0 | 2.0
Pipeline Security | 2.4 | 1.0 | 1.8 | 1.0 | 4.0 | 1.0 | 4.1 | 3.6 | 1.7 | 1.8 | 1.0 | 1.0 | 1.0 | 1.0 | 1.6 | 1.9
Secure Coding Assistant | 1.8 | 3.9 | 4.2 | 2.3 | 2.9 | 2.5 | 4.1 | 3.5 | 4.2 | 2.8 | 3.2 | 2.9 | 3.3 | 4.0 | 2.8 | 2.9
As of 9 September 2025
Source: Gartner (October 2025)
Table 3 shows the product/service scores for each use case. The scores, which are generated by multiplying the use-case weightings by the product/service ratings, summarize how well the critical capabilities are met for each use case.

Product Score in Use Cases

Use Cases | Apiiro | Black Duck | Checkmarx | Contrast Security | Cycode | Data Theorem | GitHub | GitLab | HCLSoftware | JFrog | Mend.io | OpenText | Semgrep | Snyk | Sonatype | Veracode
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Enterprise | 2.42 | 3.20 | 3.08 | 2.33 | 2.56 | 2.97 | 2.62 | 2.57 | 3.31 | 2.33 | 2.45 | 2.70 | 2.31 | 3.00 | 2.29 | 2.79
Customer | 2.68 | 3.12 | 3.40 | 2.46 | 2.52 | 3.32 | 2.68 | 2.63 | 3.29 | 2.45 | 2.65 | 2.85 | 2.55 | 3.31 | 2.54 | 3.17
DevSecOps | 2.78 | 2.98 | 3.25 | 2.04 | 2.88 | 2.99 | 2.82 | 2.83 | 3.05 | 2.51 | 2.52 | 2.48 | 2.30 | 3.13 | 2.39 | 2.74
Cloud-Native | 2.54 | 2.80 | 3.06 | 1.75 | 2.70 | 3.12 | 2.46 | 2.54 | 2.85 | 2.41 | 2.34 | 2.23 | 2.07 | 2.97 | 2.22 | 2.65
ASPM | 3.48 | 2.88 | 3.14 | 2.34 | 3.33 | 2.86 | 3.04 | 3.11 | 2.76 | 2.63 | 2.67 | 2.49 | 2.08 | 2.84 | 2.87 | 2.81
SSCS | 3.21 | 2.91 | 3.10 | 2.37 | 3.29 | 2.80 | 3.21 | 3.10 | 2.78 | 2.83 | 2.80 | 2.33 | 2.55 | 2.81 | 3.02 | 2.82
As of 9 September 2025
Source: Gartner (October 2025)
To determine an overall score for each product/service in the use cases, multiply the ratings in Table 2 by the weightings shown in Table 1.
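As an added worked example of that calculation (not the report's own code), the following Python reproduces the use-case score for three of the sixteen vendors from the weights in Table 1 and the ratings in Table 2, compares the result with the published scores in Table 3, and then rescores the same vendors under an organization-specific weighting. The vendor subset, the 0.05 tolerance (the published ratings are rounded to one decimal, which can move a weighted sum by at most 0.05) and the SUPPLY_CHAIN_FOCUS weights are assumptions for the example.

```python
"""Reproduce Table 3 from the weights in Table 1 and the ratings in Table 2, then
rescore with organization-specific weights. Added example; the numbers below are
transcribed from the page for three of the sixteen vendors."""

CAPABILITIES = [
    "Static AST", "Software Composition Analysis", "Policy Evaluation",
    "Prioritization & Triage", "Posture & Performance Reporting",
    "SBOM Life Cycle Management", "Developer Education", "Dynamic AST",
    "Interactive AST", "API Security", "Secrets Detection", "Container Security",
    "Infrastructure as Code Scanning", "Pipeline Security", "Secure Coding Assistant",
]

# Table 1: percentage weight of each capability (CAPABILITIES order) per use case.
WEIGHTS = {
    "Enterprise":   [10, 10, 5, 5, 5, 5, 5, 10, 10, 5, 5, 5, 5, 5, 10],
    "Customer":     [5, 5, 0, 15, 5, 20, 10, 10, 0, 15, 0, 0, 0, 0, 15],
    "DevSecOps":    [0, 0, 10, 10, 5, 5, 0, 0, 0, 10, 10, 10, 10, 10, 20],
    "Cloud-Native": [5, 5, 5, 0, 5, 0, 0, 0, 0, 15, 10, 20, 15, 10, 10],
    "ASPM":         [0, 0, 20, 20, 20, 10, 0, 0, 0, 0, 5, 5, 0, 20, 0],
    "SSCS":         [5, 25, 15, 5, 0, 20, 0, 0, 0, 0, 5, 5, 0, 20, 0],
}

# Table 2: ratings from 1.0 to 5.0 (CAPABILITIES order) for three vendors.
RATINGS = {
    "Apiiro":   [2.4, 3.4, 3.9, 4.3, 3.8, 3.6, 1.3, 1.0, 1.0, 2.3, 2.9, 1.9, 2.9, 2.4, 1.8],
    "Sonatype": [1.8, 4.0, 3.6, 3.3, 3.0, 3.2, 3.0, 1.0, 1.0, 1.0, 1.0, 3.8, 1.0, 1.6, 2.8],
    "Veracode": [3.3, 3.4, 2.7, 3.5, 3.2, 2.9, 3.7, 3.2, 1.0, 3.0, 2.9, 2.5, 2.0, 1.9, 2.9],
}

# Table 3: published use-case scores for the same vendors, used to check the reproduction.
PUBLISHED = {
    "Apiiro":   {"Enterprise": 2.42, "ASPM": 3.48, "SSCS": 3.21},
    "Sonatype": {"Enterprise": 2.29, "ASPM": 2.87, "SSCS": 3.02},
    "Veracode": {"Enterprise": 2.79, "ASPM": 2.81, "SSCS": 2.82},
}

# Constructed weighting for an organization whose main concerns are supply chain
# and pipeline integrity (assumption for the example; any 15-vector summing to 100 works).
SUPPLY_CHAIN_FOCUS = [0, 30, 10, 0, 0, 20, 0, 0, 0, 0, 10, 0, 0, 30, 0]


def use_case_score(ratings, weights):
    """Weighted mean, sum(weight_i * rating_i) / 100, as the report describes."""
    if len(ratings) != len(CAPABILITIES) or len(weights) != len(CAPABILITIES):
        raise ValueError("one rating and one weight per capability")
    if sum(weights) != 100:
        raise ValueError("weights must sum to 100")
    return sum(w * r for w, r in zip(weights, ratings)) / 100.0


def score_table(ratings=RATINGS, weights=WEIGHTS):
    """Vendor -> use case -> score, rounded to two decimals like Table 3."""
    return {vendor: {uc: round(use_case_score(r, w), 2) for uc, w in weights.items()}
            for vendor, r in ratings.items()}


def max_deviation(published=PUBLISHED):
    """Largest gap between recomputed and published scores. Rounding each rating
    to one decimal moves a weighted sum by at most 0.05, so anything larger
    would indicate a transcription error rather than rounding."""
    table = score_table()
    return max(abs(table[v][uc] - s) for v, row in published.items() for uc, s in row.items())


def rank(weights):
    """Vendors ordered by score under a custom weighting."""
    scored = [(v, round(use_case_score(r, weights), 2)) for v, r in RATINGS.items()]
    return sorted(scored, key=lambda vs: vs[1], reverse=True)


if __name__ == "__main__":
    for vendor, row in score_table().items():
        print(vendor, row)
    print("max deviation from published scores:", max_deviation())
    print("supply-chain ranking:", rank(SUPPLY_CHAIN_FOCUS))
```

The recomputed scores match Table 3 to within rounding for all three vendors, which confirms the formula; the rank function is the part a practitioner actually reuses, since the report's six weightings are generic and an organization's own priorities (here, a supply-chain-heavy profile that moves Apiiro ahead of Sonatype and Veracode) can change the ordering.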

Acronym Key and Glossary Terms


ACSA: AI code security assistant
ASOC: application security orchestration and correlation
ASPM: application security posture management
AST: application security testing
DAST: dynamic application security testing
IaC: infrastructure as code
IAST: interactive application security testing
IDE: integrated development environment
MAST: mobile application security testing
OSS: open-source software
RASP: runtime application self-protection
SAST: static application security testing
SBOM: software bill of materials
SCA: software composition analysis
SCM: source code management
SLSA framework: Supply Chain Levels for Software Artifacts
SSH: Secure Shell

Critical Capabilities Methodology


This methodology requires analysts to identify the critical capabilities for a class of products or services. Each capability is then weighted in terms of its relative importance for specific product or service use cases. Next, products/services are rated in terms of how well they achieve each of the critical capabilities. A score that summarizes how well they meet the critical capabilities for each use case is then calculated for each product/service.
"Critical capabilities" are attributes that differentiate products/services in a class in terms of their quality and performance. Gartner recommends that users consider the set of critical capabilities as some of the most important criteria for acquisition decisions.
In defining the product/service category for evaluation, the analyst first identifies the leading uses for the products/services in this market. What needs are end-users looking to fulfill, when considering products/services in this market? Use cases should match common client deployment scenarios. These distinct client scenarios define the Use Cases.
The analyst then identifies the critical capabilities. These capabilities are generalized groups of features commonly required by this class of products/services. Each capability is assigned a level of importance in fulfilling that particular need; some sets of features are more important than others, depending on the use case being evaluated.
Each vendor’s product or service is evaluated in terms of how well it delivers each capability, on a five-point scale. These ratings are displayed side-by-side for all vendors, allowing easy comparisons between the different sets of features.
Ratings and summary scores range from 1.0 to 5.0:
1 = Poor or Absent: most or all defined requirements for a capability are not achieved
2 = Fair: some requirements are not achieved
3 = Good: meets requirements
4 = Excellent: meets or exceeds some requirements
5 = Outstanding: significantly exceeds requirements
To determine an overall score for each product in the use cases, the product ratings are multiplied by the weightings to come up with the product score in use cases.
The critical capabilities Gartner has selected do not represent all capabilities for any product, and therefore may not represent those most important for a specific use situation or business objective. Clients should use a critical capabilities analysis as one of several sources of input about a product before making a product/service decision.