As development cycles accelerate and AI-generated code becomes more widespread, security leaders are facing a critical challenge: How can you keep up without sacrificing security? Security leaders must rely on static application security testing (SAST) solutions to seamlessly integrate with developer workflows; identify, prioritize, and remediate flaws quickly; and prevent flaws from being integrated with the codebase over time.
In my recently published research, The Forrester Wave™: Static Application Security Testing Solutions, Q3 2025, we outline the most significant providers in the SAST space. The Forrester Wave evaluated 10 vendors: Black Duck Software, Checkmarx, GitHub, GitLab, HCLSoftware, Mend.io, OpenText, Snyk, Sonar, and Veracode. Each vendor was assessed based on three key inputs: a vendor-completed questionnaire, executive strategy briefings and demonstrations, and interviews with reference customers. The Wave includes scores for 16 current-offering criteria and seven strategy criteria.
Forrester defines SAST as: solutions that analyze an application’s proprietary source code, byte-code, or binary without requiring the program to be executed. These products evaluate the application, including APIs and infrastructure configuration files, against security standards to identify security weaknesses and provide guidance on remediation during the software development lifecycle.
This year, SAST solutions transitioned from an established to a mature market as core technologies and use cases became widely understood and solidified, with products offering well-developed functionalities. In this mature stage, competition has intensified, differentiation is more challenging, and market consolidation is prevalent, pushing vendors to focus on efficiency, integration, and expanding their offerings to maintain relevance and competitive advantage.
A couple of the market trend highlights from the Wave are:
The speed of the solution. The increased adoption of AI coding assistants/agents increases the amount of code that needs to be secure before deployment. Modern solutions are investigating how to integrate AI SAST agents into the development environments to keep up with the velocity and speed of AI-generated output. A few vendors have Model Context Protocol (MCP) servers to interact with the large language models (LLMs) generating the code to identify insecure code. SAST vendors are planning to offer, or are already offering, adaptable security scanning where the scope, comprehensiveness, and speed of the scan is set by the customer or determined by the software development phase and knowledge of previous scans.
Prioritization of the remediation experience. Identifying security flaws in code is just one piece of the puzzle; solutions must also provide remediation strategies that integrate into the developer’s workflow. Modern SAST solutions use AI to triage and prioritize flaws as well as offer remediation suggestions. The most advanced solutions are automating remediation by sending context to the LLM that includes the flawed code snippet and secure code examples to ultimately provide multiple fix options to the software developer. This allows the developer to review and select the best option and then modify or directly accept the fix.
AI applications pushing SAST solutions to evolve. There is a growing need to secure AI applications and AI agents. While a few vendors are starting to use SAST to identify OWASP Top 10 LLM flaws, most have it on their roadmaps to address them using a combination of SAST and dynamic application security testing solutions. Vendors that concern themselves with application risk management and have application security posture management (ASPM) capabilities are more likely to be able to inventory the AI models or even MCP servers being called/utilized by the AI application or agents.
The barrier to entering the SAST solutions market has never been lower. New vendors can leverage LLMs and free open-source SAST scanners (which are improving in accuracy and depth) to develop an AI-powered SAST minimum viable product that was not possible two years ago. Additionally, the SAST landscape is crowded with existing players such as DevOps platforms, cloud-native application protection platform solutions, ASPM solutions, and AI-powered startups. While it is exciting for prospects and customers to have many choices, it is also difficult to cut through the noise and separate the marketing fluff from the enterprise-grade product. Therefore, as part of the Forrester Wave process, vendor customer references were interviewed to provide their feedback on the product and the provider. With this information, we compiled another report, Buyer’s Guide: Static Application Security Testing Solutions, 2025.
A couple of the buyer trend highlights from the guide are:
Relationships still matter. Buyers who felt that SAST solution vendors were just peddling products or had a poor customer experience got a bad impression that lasted for years. On the flip side, vendors that provided excellent customer support, included customer feedback in their roadmaps, and focused on partnering with customers were more likely to see multiyear relationships and create evangelists who implemented the product at multiple companies.
Customers are evaluating and staying loyal. Customers have demonstrated loyalty even though they are also evaluating their options. On average, they used their chosen SAST solution for 4.1 years, with most buyers assessing around 3.3 vendors before making a decision. Many continued to revisit and reassess the solution annually to ensure that it met their evolving needs.
Overall satisfaction levels were notably high. Customers rated their likelihood of purchasing again from the vendor at 4.7 out of 5 on a scale where 5 indicated “I would buy again.” Satisfied customers were more inclined to purchase multiple products from the same vendor, explore new features, and participate in beta programs to provide valuable feedback to the vendor.
Read The Forrester Wave™: Static Application Security Testing Solutions, Q3 2025, for a deeper dive into the 10 vendors evaluated, the specific criteria that set vendors apart, and the reasons behind those distinctions along with market trends. In addition, take a look at the accompanying Buyer’s Guide: Static Application Security Testing Solutions, 2025, for benchmarking your vendor to understand how customer references rated product capabilities. If you have any questions, book an inquiry or guidance session with me.
