Software Risk Manager ASPM vs Veracode comparison

Black Duck and Veracode are both solutions in the Static Application Security Testing (SAST) category. Black Duck is ranked #28, while Veracode is ranked #3 with an average rating of 7.5. Additionally, 89% of Veracode users are willing to recommend the solution.

Comparison Buyer's Guide

Download the report

Executive SummaryUpdated on Mar 22, 2026

Veracode and Software Risk Manager ASPM compete in the application security and risk management category. Software Risk Manager ASPM is generally seen as the superior choice due to its comprehensive features.

Features: Veracode offers seamless integration with development pipelines, efficient code scanning, and strong security support. Software Risk Manager ASPM provides comprehensive analytics, advanced risk assessment tools, and a complete application security solution.

Ease of Deployment and Customer Service: Veracode is straightforward to deploy with responsive customer support. Software Risk Manager ASPM has more complex implementation requirements but benefits from efficient customer service guidance.

Pricing and ROI: Veracode is known for reasonable setup costs and good ROI. Software Risk Manager ASPM may be more expensive initially but delivers high ROI through its extensive features and risk management benefits.

To learn more, read our detailed Static Application Security Testing (SAST) Report (Updated: May 2026).

Buyer's Guide

Static Application Security Testing (SAST)

May 2026

Download the complete report

Helped 900,644 peers since 2012

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Categories and Ranking

Cortex Cloud by Palo Alto N...

Featured Reviews

Sonali Jha

Technical Solutions Architect at IBM

Cloud security has improved as AI-driven runtime protection detects threats and reduces incidents

In my opinion, Cortex Cloud by Palo Alto Networks could be improved or enhanced in various ways. I don't have an idea about that yet because for that you actually need to use two or three different other tools to make a basic comparison. If you ask me how good the tool is, I would fairly rate it quite high. The tool is very popular, and customers can already see that it is one of the cloud leaders in the security space. The platform had a very good feature which provides documentation links about how to use a specific feature on the UI. It takes you to the proper documentation page where it suggests what to do and tells you about the steps that need to be done for a resource deployment. My thoughts about improving the product which I believe could greatly aid vendors is that it used to be a very user-friendly tool, but now they have incorporated everything under one umbrella. It has XDR, XSOAR, and Cortex Cloud by Palo Alto Networks. Before, we used to have separate modules and separate environments for each of these capabilities or features. Right now, it is a little complex and users would take their own time to know the tool better. This is something that would have been way better, but I would say there would be different opinions on this. Talking about user-friendliness, it has decreased now.

Read full review

Saravanan_Radhakrishnan

Senior Manager at Happiest Minds Technologies

Facilitates continuous assessment of applications, covering both static and dynamic security aspects

Code Dx lacks one aspect, the dynamic security part, known as DAST. It's not an on-premise solution; it's in the cloud now. There are compliance standards and data standards where the customer might need to have the data on-premises for dynamic security testing. So that is one shortfall. An area of improvement could be developing an on-premise DAST solution. The current one is a complete cloud-based solution, and that can be one of the areas of improvement.

Read full review

reviewer2753535

DevSecOps Engineer at a tech services company with 1,001-5,000 employees

Integrates security into the development process and improves team collaboration

Veracode helps organizations develop software by reducing the risk of security vulnerabilities through developer enablement and applications focused on governance. You can utilize different levels of processes to achieve better performance or a more scalable service. Since I started working with it in 2022, I’ve found it to be cost-effective as well. Overall, Veracode is a user-friendly security tool. It includes features such as Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Software Composition Analysis (SCA). During the development phase, we can identify vulnerabilities in the application. This process occurs in the staging environment during development. When we're ready to go to production, we conduct a final check. Essentially, this tool helps identify vulnerabilities during the code development stage, including both high-level vulnerabilities and those related to open-source software composition. We utilize specific methodologies for this purpose. Additionally, it offers a feature that allows us to set up policies based on client requirements. This means we can customize the tool to meet the specific needs of our clients, ensuring that they receive the appropriate level of security in their applications. Veracode is user-friendly as well. Compared to other tools, their scans take 15 minutes or under. If you have a large scale of libraries or data, it might take longer, but based on my personal experience, the scan usually runs within fifteen minutes. For my case study using the Veracode tool, I worked on an internal project following industry standards. We used Veracode to improve our security posture and speed up the time to market by streamlining the development process. This enhanced collaboration between developers, operations, and security teams. The automated scanning process helped identify and fix vulnerabilities earlier in the development process. We maintained compliance with regulatory requirements, avoided fines, and built customer trust by integrating security into the development process. When we conduct this scan, we receive data on a list of vulnerabilities. This information improved our communication and increased transparency, which leads to better reports about the efforts being put in. This results in a more effective and efficient collaboration process, making it user-friendly for all involved. When considering costs, if we resort to manual processes, it can be time-consuming. Therefore, we utilize automated scans to identify and fix security issues. This allows us to address vulnerabilities early in the development process, as we discussed previously. This applies both to our in-house code and third-party libraries, using Software Composition Analysis (SCA) agent-based scans. In the future, we will also implement SCA agent-based scans as a separate feature within Veracode, which can help organizations avoid the expensive and time-consuming consequences of security issues. Furthermore, we have seen an increase in compliance, helping to maintain adherence to regulatory requirements and industry standards, thereby avoiding fines and reputational damage associated with noncompliance. Additionally, by integrating security into the development process, we enhance customer trust in our organization and its products.

Read full review

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Pros

"From a technical standpoint or pricing, Cortex Cloud by Palo Alto Networks is a stronger solution in the market at the moment compared to other products from ConnectWise or Symantec."

"The capabilities of Cortex Cloud by Palo Alto Networks are valuable because it is the best product in the market."

"The AI and automation features in detecting and responding to high-risk threats are impressive; it's one of the best tools regarding AI technology and unifies security in one platform in real-time, improving vulnerability analysis, incident response, and compliance reporting."

"Previously with Cortex Cloud by Palo Alto Networks, I deployed this product for one of my customers, and after three to four months, they said that previously they had around four hours of MTTR, and now it has reduced to just 15 to 20 minutes."

"The most beneficial aspect of Cortex Cloud by Palo Alto Networks and Palo Alto in general is that there is a single platform for all cloud providers for securitization."

"Overall, Cortex Cloud by Palo Alto Networks is a technically strong product, and I rate it ten out of ten."

"I have absolutely seen improvements in our incident close rates, with mean time to detect and respond reduced significantly, sometimes by at least forty to fifty percent."

"Cortex Cloud by Palo Alto Networks' cloud runtime security in terms of stopping attacks in real time is impressive."

More Cortex Cloud by Palo Alto Networks pros

"The customers were looking for something around static security and dynamic security, and in all those areas, they were looking for an industry leader with a proven solution. Synopsys is a Gartner leader, so I position this particular technology for the technical pre-sales part of it."

"Overall, we've never had any problem with vulnerable code going into production."

"The developers' awareness of the security weaknesses within their code has improved. They aren't just mitigating these issues, they are realizing these are, in fact, issues that have to be dealt with."

"The most valuable feature is the security and vulnerability parts of the solution. It shows medium to high vulnerabilities so we can find them, then upgrade our model before it is too late. It is useful because it automates security. Also, it makes things more efficient. So, there is no need for the security team to scan every time. The application team can update it whenever possible in development."

"The most important features, I would say, are the scanning abilities and the remediation abilities within the product. Scanning because, obviously, we want to make sure that our application code is flaw-free. And the remediation tools are helpful to the developers to help them track and manage their flaws."

"Reduced dependency on the security team to run scans."

"What's important for me, from Veracode, is the all-in-one metrics location. I can see where everything is across the entire portfolio of applications I have in this program, and I can report out on it."

"Veracode enables us to build a strong data security layer in our platforms. We can increase customer confidence in data security. Some PCI/HIPAA compliance issues were impossible to resolve without Veracode."

"Because it is a SaaS offering, I do not have to support the infrastructure."

More Veracode pros

Cons

"Overall, I rate Cortex Cloud by Palo Alto Networks as an eight out of ten. I think that it could improve on price, as I know that the Google solution has the best price, and this is one of the conditions."

"Some aspects of the GUI can be confusing and make it difficult for me to find certain options or navigate where needed."

"As per my experience with Cortex Cloud by Palo Alto Networks, the UI could be simpler."

"My thoughts about improving the product which I believe could greatly aid vendors is that it used to be a very user-friendly tool, but now they have incorporated everything under one umbrella."

"Cortex Cloud by Palo Alto Networks is creating some confusion in terms of names because this is recent."

"The pricing is high, making ROI challenging to justify, especially during transitions between solutions."

"From the commercial perspective, we have some limitations because Palo Alto has a minimum number of users of endpoints set at 200, which is quite high for the Italian market."

"In my opinion, Cortex Cloud by Palo Alto Networks can be improved by addressing forensic information collection and storage, although I cannot suggest specific things right now, based on what customers might need."

More Cortex Cloud by Palo Alto Networks cons

"The initial setup is a bit challenging because things are not easy. It needs a lot of technology adaptability plus the customer's environment-specific use cases."

"The JIRA integration automation aspect of it could be improved significantly. We want to have a way to create tickets that are going to allow people to work through those flaws that we're finding. We don't want people to feel like they're missing out on something or that they're not following directions in the right way."

"Veracode doesn't really help you so much when it comes to fixing things. It is able to find our vulnerabilities but the remediation activities it does provide are not a straight out-of-the-box kind of model. We need to work on remediation and not completely rely on Veracode."

"There might be room for improvement in the in-app guidance and the tips and tricks for the developer about how to progress. We would like more insight into the development environment, where they would get guidance on how to avoid flaws."

"I am expecting some AI-related features in it. Also, if someone is using AI-generated code, Veracode should be able to detect that."

"In my opinion, Veracode lacks significantly in most parts, including its UI, its reporting, ease of use, and the features that it provides."

"I would like Veracode to add more language support."

"The scanning process for records could be faster and there is room for improvement in Veracode's performance."

"When it comes to the speed of the pipeline scan, one of the things we have found with Veracode is that it's very fast with Java-based applications but a bit slow with C/C++ based applications. So we have implemented the pipeline scan only for Java-based applications not for the C/C++ applications."

More Veracode cons

Pricing and Cost Advice

Information not available

"It is more of an enterprise solution for budget-conscious customers. So, it's moderately priced. It's not for everybody."

"It is an expensive solution, but it's the best solution available on the market. If you want something at the top, you have to pay a bit more than the average."

"It is expensive. It depends on the use case, but it is very hard to find a pricing page on their website. Instead, they need to analyze your use case, but without knowing the entire project and how you're going to be using Veracode, how many scans you're going to do, if yours is a small business, it is very expensive and it affects ROI."

"It is pricey. There is a lot of value in the product, but it is a costly tool."

"The pricing is reasonable compared to other tools."

"Licensing is pretty flexible. It's a little bit weird, it's by the size of the binary, which is a strange way to license a product. So far they've been pretty flexible about it."

"The licensing is fair, it is time-limited (e.g. one year) but there is a size cap for every app. If your applications are big (due third-party libraries, for example) you should discuss this beforehand and explore suitable agreements."

"I recommend going for a one-year licensing with CA, because currently they are the leaders in this field with more features and a much better turn around time with a cheaper position, but there are a lot of new companies coming up in the market and they are building up their platforms."

"Veracode is a very expensive product."

More Veracode pricing and cost advice

See which vendors are best for you

Use our free recommendation engine to learn which Static Application Security Testing (SAST) solutions are best for your needs.

See recommendations

900,644 professionals have used our research since 2012.

Top Industries

By visitors reading reviews

Manufacturing Company

17%

Construction Company

11%

Financial Services Firm

Outsourcing Company

Financial Services Firm

16%

Manufacturing Company

14%

University

10%

Construction Company

Financial Services Firm

16%

Manufacturing Company

12%

Computer Software Company

Construction Company

Company Size

By reviewers

Large Enterprise

Midsize Enterprise

Small Business

By reviewers
Company Size	Count
Small Business	7
Midsize Enterprise	1
Large Enterprise	4

No data available

By reviewers
Company Size	Count
Small Business	69
Midsize Enterprise	46
Large Enterprise	114

Questions from the Community

What is your experience regarding pricing and costs for Cortex Cloud by Palo Alto Networks?

I am not fully aware of the pricing and licensing of Cortex Cloud by Palo Alto Networks. The pricing is also based on...

See all answers

What needs improvement with Cortex Cloud by Palo Alto Networks?

In my opinion, Cortex Cloud by Palo Alto Networks could be improved or enhanced in various ways. I don't have an idea...

See all answers

What is your primary use case for Cortex Cloud by Palo Alto Networks?

The usual use cases for Cortex Cloud by Palo Alto Networks that I have been working with mostly are as simple as dete...

See all answers

Ask a question

Earn 20 points

Which gives you more for your money - SonarQube or Veracode?

SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. Son...

See all answers

What is the biggest difference between Veracode and Checkmarx?

According to my experience of using both the tools in different organizations Veracode is a Cloud-native, managed Ap...

See all answers

What is your experience regarding pricing and costs for Veracode Static Analysis?

My experience with pricing, setup cost, and licensing for Veracode is that it is fairly moderate.

See all answers

Comparisons

Wiz vs Cortex Cloud by Palo Alto Networks

Compared 11% of the time

Prisma Cloud by Palo Alto Networks vs Cortex Cloud by Palo Alto Networks

Compared 11% of the time

SentinelOne Singularity Cloud Security vs Cortex Cloud by Palo Alto Networks

Compared 8% of the time

WithSecure Elements Exposure Management (XM) vs Cortex Cloud by Palo Alto Networks

Compared 7% of the time

Microsoft Defender for Cloud vs Cortex Cloud by Palo Alto Networks

Compared 5% of the time

More Cortex Cloud by Palo Alto Networks Competitors

PortSwigger Burp Suite Professional vs Software Risk Manager ASPM

Compared 23% of the time

Polaris Platform vs Software Risk Manager ASPM

Compared 8% of the time

Checkmarx One vs Software Risk Manager ASPM

Compared 6% of the time

Ivanti Neurons for ASPM vs Software Risk Manager ASPM

Compared 5% of the time

DeepFactor vs Software Risk Manager ASPM

Compared 4% of the time

More Software Risk Manager ASPM Competitors

SonarQube vs Veracode

Compared 6% of the time

Checkmarx One vs Veracode

Compared 5% of the time

HCL AppScan vs Veracode

Compared 3% of the time

Coverity Static vs Veracode

Compared 3% of the time

More Veracode Competitors

Product Reports

Buyer's Guide

Cortex Cloud by Palo Alto Networks

June 2026

Cortex Cloud by Palo Alto Networks report

Download Cortex Cloud by Palo Alto Networks product report

Buyer's Guide

Application Security Posture Management (ASPM)

May 2026

Download Software Risk Manager ASPM product report

Buyer's Guide

Veracode

May 2026

Download Veracode product report

Also Known As

No data available

Code Dx

Crashtest Security , Veracode Detect

Overview

Cortex Cloud by Palo Alto Networks enhances cloud security with features like AI/ML threat detection and automated remediation, ensuring real-time protection and efficient management across cloud environments.

Cortex Cloud by Palo Alto Networks offers comprehensive cloud security posture management and runtime protection. It reduces manual tasks and accelerates incident investigation through advanced threat detection and AI-driven anomaly detection. With integration to the MITRE ATT&CK framework, it boosts threat response while reducing incident resolution time. Although users find the UI complex and pricing high, its capabilities in securing AWS, Azure, and other environments, as well as its potential integration with CyberArk, emphasize its enterprise-ready design for cloud transformation across diverse industry sectors.

What are the key features of Cortex Cloud by Palo Alto Networks?

Runtime Protection: Ensures real-time security for workloads.
AI/ML-powered Threat Detection: Identifies threats using AI/ML technology.
Automated Remediation: Streamlines threat response through automation.
Comprehensive Detection Coverage: Offers extensive detection capabilities with unified data.
Integration with MITRE ATT&CK: Enhances threat response efficiency.

What benefits or ROI should users consider?

Enhanced Security Visibility: Provides dashboards for better security insights.
Reduced Manual Tasks: Automates processes for efficiency gains.
Improved Threat Response: Accelerates incident resolution with AI-driven anomaly detection.
Seamless Cloud Integration: Supports APIs and multi-cloud environments.

Cortex Cloud by Palo Alto Networks is deployed across industries like telecom, BFSI, and manufacturing for robust cloud security. It's leveraged for detecting misconfigurations and vulnerabilities, aiding cloud transformation and compliance with standards such as GDPR and NIST. The integration across cloud infrastructures, including AWS and Azure, supports policy creation and threat management strategies for diverse enterprises.

Palo Alto Networks

Software Risk Manager is an application security posture management (ASPM) solution that enables security and development teams to manage their application security programs at enterprise scale. By unifying policy, test orchestration, correlation, prioritization, and built-in static application security testing (SAST) and software composition analysis (SCA) engines, organizations can streamline their security activities across the enterprise.

Black Duck

Veracode is a leading provider of application security solutions, offering tools to identify, mitigate, and prevent vulnerabilities across the software development lifecycle. Its cloud-based platform integrates security into DevOps workflows, helping organizations ensure that their code remains secure and compliant with industry standards.

Veracode supports multiple application security testing types, including static analysis (SAST), dynamic analysis (DAST), software composition analysis (SCA), and manual penetration testing. These tools are designed to help developers detect vulnerabilities early in development while maintaining speed in deployment. Veracode also emphasizes scalability, offering features for enterprises that manage a large number of applications across different teams. Its robust reporting and analytics capabilities allow organizations to continuously monitor their security posture and track progress toward remediation.

What are the key features of Veracode?

Static Analysis (SAST) - Scans source code for vulnerabilities before deployment.
Dynamic Analysis (DAST) - Examines applications in a running state to detect flaws in real-time.
Software Composition Analysis (SCA) - Identifies risks in open-source libraries and third-party components.
Manual Penetration Testing - Offers expert analysis for more complex vulnerabilities.
Integrations with DevOps tools - Seamlessly integrates with CI/CD pipelines for automated security checks.

What benefits should users consider in Veracode reviews?

Early detection of vulnerabilities - Helps developers fix security issues early in the development process.
Scalability - Supports organizations with large-scale application portfolios.
Compliance support - Ensures applications meet various security standards and regulations.
Developer training - Provides tools for educating developers on secure coding practices.
Comprehensive reporting - Offers detailed reports that track remediation and risk trends.

Veracode is widely adopted in industries like finance, healthcare, and government, where compliance and security are critical. It helps these organizations maintain strict security standards while enabling rapid development through its integration with Agile and DevOps methodologies.

Veracode helps businesses secure their applications efficiently, ensuring they can deliver safe and compliant software at scale.

Veracode

Sample Customers

Information Not Available

Discover why companies like: CGI said, "Synopsys and Software Risk Manager have provided the results we’re looking for".

Manhattan Associates, Azalea Health, Sabre, QAD, Floor & Decor, Prophecy International, SchoolCNXT, Keap, Rekner, Cox Automotive, Automation Anywhere, State of Missouri and others.

Buyer's Guide

Static Application Security Testing (SAST)

May 2026

Download Free Report

Find out what your peers are saying about SonarSource Sàrl, Checkmarx, Veracode and others in Static Application Security Testing (SAST). Updated: May 2026.

DOWNLOAD NOW

900,644 professionals have used our research since 2012.

See our list of best Static Application Security Testing (SAST) vendors, best Software Composition Analysis (SCA) vendors, and best Application Security Posture Management (ASPM) vendors.

We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.