No more typing reviews! Try our Samantha, our new voice AI agent.

HCL AppScan vs OpenText Dynamic Application Security Testing comparison

 

Comparison Buyer's Guide

Executive SummaryUpdated on Jun 3, 2026

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Categories and Ranking

HCL AppScan
Ranking in Dynamic Application Security Testing (DAST)
6th
Average Rating
7.6
Reviews Sentiment
5.9
Number of Reviews
44
Ranking in other categories
Application Security Tools (21st), Static Application Security Testing (SAST) (16th)
OpenText Dynamic Applicatio...
Ranking in Dynamic Application Security Testing (DAST)
3rd
Average Rating
7.2
Reviews Sentiment
6.1
Number of Reviews
22
Ranking in other categories
DevSecOps (8th)
 

Mindshare comparison

As of June 2026, in the Dynamic Application Security Testing (DAST) category, the mindshare of HCL AppScan is 9.1%, down from 11.3% compared to the previous year. The mindshare of OpenText Dynamic Application Security Testing is 11.6%, up from 10.2% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Dynamic Application Security Testing (DAST) Mindshare Distribution
ProductMindshare (%)
OpenText Dynamic Application Security Testing11.6%
HCL AppScan9.1%
Other79.3%
Dynamic Application Security Testing (DAST)
 

Featured Reviews

Ravi Khanchandani - PeerSpot reviewer
Founder Director at Techsa Services
Has improved identification of encryption and authentication issues across cloud and on-prem applications
During the learning curve of onboarding HCL AppScan, we learned that HCL has altered the portfolio and now offers HCL AppScan 360, which has a much better look and feel with an improved user interface. However, there is one feature called SCA, which stands for Software Composition Analysis, that could be improved. When I'm doing an application scan, HCL AppScan has the ability to generate information about what components are in use. For example, if I'm scanning a web application, it shows me the various components being used. It tells me whether I have Java libraries, .NET frameworks, or other log management libraries such as Log4j, and what versions of those specific components are present. I would like to see more detailed reports from the tool. Currently, you can find out the components belonging to a specific software, but if detailed reporting became available, you would be in a better position to identify vulnerabilities. For instance, I could identify that I had the Log4j vulnerability and know that I need to fix my application accordingly. If they add the features I'm describing, I would consider giving them a higher rating. However, I've only been experienced with the product for three months.
AP
Cyber Security Consultant at a tech vendor with 10,001+ employees
Enhancements in manual testing align with reporting and integration features
WebInspect works efficiently with Java-based or .NET based applications. However, it struggles with Salesforce applications, where it requires approximately 20-24 hours to crawl and audit but produces minimal findings, necessitating manual verification. The solution offers customization features for crawling and vulnerability detection. It includes various security frameworks and allows selection of specific vulnerability types to audit, such as OWASP Top 10 or JavaScript-based vulnerabilities. When working with APIs, we can select OWASP API Top 10. The tool also supports custom audit features by combining different security frameworks. For on-premises deployment, the setup is complex, particularly regarding SQL server configuration. Unlike Burp Suite or OpenText Dynamic Application Security Testing, which have simpler setup processes, WebInspect requires SQL server setup to function.

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"The HCL AppScan turnaround time for Burp Suite or any new feature request is pretty good, and that is why we are sticking with the HCL."
"It's honestly one of the best products in the application security portfolio."
"The solution is easy to install. I would rate the product's setup between six to seven out of ten. The deployment time depends on the applications that need to be scanned. We have a development and operations team to take care of the product's maintenance."
"The solution offers services in a few specific development languages."
"This is a stable solution."
"HCL AppScan has helped us improve our security posture, as we've been able to identify quite a few issues."
"Compared to other tools only AppScan supports special language."
"It was easy to set up."
"Fortify WebInspect is a scalable solution, it is good for a lot of applications."
"The most valuable feature is the static analysis."
"The FPA and Audit Workbench are very helpful for me, and when we are integrating it with SSC, we're able to scan and trace and see all of the vulnerabilities, with very detailed examples for each vulnerability, so it is very good for users and beginners and doesn't take a lot of time to understand the tool."
"The feature that has been most influential in identifying vulnerabilities is its ability to crawl the website, understand the structure, and analyze the network packets sent and received."
"The solution's technical support was very helpful."
"The transaction recorder within WebInspect is easy to use, which is valuable for our team."
"It is easy to use, and its reporting is fairly simple."
"The solution is easy to use."
 

Cons

"Improvement can be done as per customer requirements."
"In future releases, I would like to see more aggressive reports. I would also like to see less false positives."
"Visibility is an issue for us. Our partners were not even aware that we had an integration with AppSense."
"They should have a better UI for dashboards."
"It's a little bit basic when you talk about the Web Services. If AppScan improved its maturity on Web Services testing, that would be good."
"I would love to see more containers. Many of the tools are great, they require an amount of configuration, setup and infrastructure. If most the applications were in a container, I think everything would be a little bit faster, because all our clients are now using containers."
"The solution needs to improve in some areas. The tool needs to add more languages. It also needs to improve its speed."
"The databases for HCL are small and have room for improvement."
"The scanner could be better."
"The solution is on the expensive side. It's something that clients comment on."
"My advice to others using Fortify WebInspect is not to use it, there are better solutions in the market."
"The installation could be a bit easier. Usually it's simple to use, but the installation is painful and a bit laborious and complex."
"We have had a problem with authentification."
"Our biggest complaint about this product is that it freezes up, and literally doesn't work for us."
"Fortify WebInspect's shortcoming stems from the fact that it is a very expensive product in Korea, which makes it difficult for its potential customers to introduce the product in their IT environment."
"I'm not sure licensing, but on the pricing, it's a bit costly. It's a bit overpriced. Though it is an enterprise tool, there are other tools also with similar functionalities."
 

Pricing and Cost Advice

"Pricing was the main reason that we went ahead with this solution as they were the lowest in the market."
"The solution is cheap."
"The product has premium pricing and could be more competitive."
"The price is very expensive."
"HCL AppScan is expensive."
"The tool was expensive."
"The price of HCL AppScan is okay, in my opinion. You just buy HCL AppScan and don't pay anything anymore, meaning it is just a one-time purchase."
"The solution is moderately priced."
"Fortify WebInspect is a very expensive product."
"The price is okay."
"Our licensing is such that you can only run one scan at a time, which is inconvenient."
"This solution is very expensive."
"It’s a fair price for the solution."
"The pricing is not clear and while it is not high, it is difficult to understand."
"Its price is almost similar to the price of AppScan. Both of them are very costly. Its price could be reduced because it can be very costly for unlimited IT scans, etc. I'm not sure, but it can go up to $40,000 to $50,000 or more than that."
report
Use our free recommendation engine to learn which Dynamic Application Security Testing (DAST) solutions are best for your needs.
900,644 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Financial Services Firm
11%
Manufacturing Company
9%
Government
9%
Computer Software Company
8%
Financial Services Firm
12%
Government
12%
Manufacturing Company
7%
Computer Software Company
7%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
By reviewers
Company SizeCount
Small Business14
Midsize Enterprise6
Large Enterprise31
By reviewers
Company SizeCount
Small Business7
Midsize Enterprise1
Large Enterprise15
 

Questions from the Community

What needs improvement with HCL AppScan?
During the learning curve of onboarding HCL AppScan, we learned that HCL has altered the portfolio and now offers HCL AppScan 360, which has a much better look and feel with an improved user interf...
What is your primary use case for HCL AppScan?
I'm currently working with BigFix and HCL AppScan. At least three people in my company are using HCL AppScan. Since we are a reseller, we run it in both lab environments and live production applica...
What is your experience regarding pricing and costs for HCL AppScan?
AppScan is considered more cost-effective than Veracode, although I have not updated the exact pricing details. Companies often choose based on budget constraints, with Veracode being on the higher...
What is your experience regarding pricing and costs for Fortify WebInspect?
While I am not directly involved with licensing, I can share that our project's license for 1-9 applications costs between $15,000 to $19,000. In comparison, Burp Suite costs approximately $500 to ...
What needs improvement with Fortify WebInspect?
WebInspect works efficiently with Java-based or .NET based applications. However, it struggles with Salesforce applications, where it requires approximately 20-24 hours to crawl and audit but produ...
What is your primary use case for Fortify WebInspect?
I am currently working with several tools. For Fortify, I use SCA and WebInspect. Apart from that, I use Burp Suite from PortSwigger. For API testing, I use Postman with Burp Suite or WebInspect fo...
 

Also Known As

IBM Security AppScan, Rational AppScan, AppScan
Micro Focus WebInspect, WebInspect
 

Overview

 

Sample Customers

Essex Technology Group Inc., Cisco, West Virginia University, APIS IT
Aaron's
Find out what your peers are saying about HCL AppScan vs. OpenText Dynamic Application Security Testing and other solutions. Updated: April 2026.
900,644 professionals have used our research since 2012.