Software Risk Manager ASPM vs Veracode comparison

Black Duck and Veracode are both solutions in the Static Application Security Testing (SAST) category. Black Duck is ranked #29, while Veracode is ranked #2 with an average rating of 8.0. Additionally, 89% of Veracode users are willing to recommend the solution.

Comparison Buyer's Guide

Download the report

Executive SummaryUpdated on Dec 21, 2025

Veracode and Software Risk Manager ASPM are competing in the application security domain. Software Risk Manager ASPM holds an edge due to its advanced capabilities.

Features: Veracode includes static analysis, dynamic scanning, and software composition analysis, offering comprehensive protection. Software Risk Manager ASPM integrates vulnerability management with predictive risk scoring and focuses on actionable insights.

Ease of Deployment and Customer Service: Veracode features a streamlined SaaS deployment with effective customer support for smooth onboarding. Software Risk Manager ASPM provides flexible cloud and on-premise deployment options with responsive support for diverse infrastructure needs.

Pricing and ROI: Veracode's competitive pricing and high ROI offer cost-effective security solutions. Software Risk Manager ASPM may have higher setup costs but provides significant ROI through advanced features and risk management capabilities, appealing to companies prioritizing comprehensive security over initial cost savings.

To learn more, read our detailed Static Application Security Testing (SAST) Report (Updated: February 2026).

Buyer's Guide

Static Application Security Testing (SAST)

February 2026

Download the complete report

Helped 881,707 peers since 2012

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Categories and Ranking

Cortex Cloud by Palo Alto N...

Featured Reviews

reviewer1980216

Business Development Manager For Palo Alto Networks at a tech services company with 1,001-5,000 employees

Unified security platform has simplified multi-cloud protection and improved threat response

From the commercial perspective, we have some limitations because Palo Alto has a minimum number of users of endpoints set at 200, which is quite high for the Italian market. Additionally, there is not a clear MSP model compared to other vendors such as CrowdStrike. These are significant limitations, especially today when managed services are becoming increasingly important for end users. Palo Alto decided to limit some functionalities because they want to stress more on Cortex XSIAM. I do not agree with this strategy because Cortex XSIAM is a completely different market compared to Cortex XDR. This is the main issue of Cortex—the commercial model Palo Alto is implementing. The product is very good; the problem is the commercial model. There are probably some areas for improvement because Palo Alto is growing too much. Today the challenge is to have skilled people, which I believe is the same issue everywhere. I do not agree with this decision.

Read full review

Saravanan_Radhakrishnan

Senior Manager at Happiest Minds Technologies

Facilitates continuous assessment of applications, covering both static and dynamic security aspects

Code Dx lacks one aspect, the dynamic security part, known as DAST. It's not an on-premise solution; it's in the cloud now. There are compliance standards and data standards where the customer might need to have the data on-premises for dynamic security testing. So that is one shortfall. An area of improvement could be developing an on-premise DAST solution. The current one is a complete cloud-based solution, and that can be one of the areas of improvement.

Read full review

reviewer2703864

Head of Security Architecture at a healthcare company with 5,001-10,000 employees

Onboarding developers successfully while improving code security through IDE integration

Regarding room for improvement, we have some problems when onboarding new projects because the build process has to be done in a certain way, as Veracode analyzes the binaries and not the code by itself alone. If the process is not configured correctly, it doesn't work. That's one of the things that we are discussing with Veracode. Something positive that we've been able to do is submit formal feature requests to them, and they are working on them; they've already solved some of them. This encourages us to propose new ideas and improvements. Another improvement that we asked for this use case is to be able to configure how Veracode Fix proposes and fixes because sometimes it makes proposals using libraries that go against our architecture design made by the enterprise architecture team. For example, we want them to propose using another library, and that's something we already asked Veracode, and they are working on it. We want to specify when you see this kind of vulnerability, you can only propose these two options.

Read full review

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Pros

"I have absolutely seen improvements in our incident close rates, with mean time to detect and respond reduced significantly, sometimes by at least forty to fifty percent."

"I have seen several benefits from using Cortex Cloud by Palo Alto Networks: It was easy to use and easy to migrate from the IBM platform."

"From a technical standpoint or pricing, Cortex Cloud by Palo Alto Networks is a stronger solution in the market at the moment compared to other products from ConnectWise or Symantec."

"The most beneficial aspect of Cortex Cloud by Palo Alto Networks and Palo Alto in general is that there is a single platform for all cloud providers for securitization."

"Cortex Cloud by Palo Alto Networks has impacted our organization positively by keeping our machines secure and our team using the dashboard to find issues quickly."

"Overall, Cortex Cloud by Palo Alto Networks is a technically strong product, and I rate it ten out of ten."

"The AI and automation features in detecting and responding to high-risk threats are impressive; it's one of the best tools regarding AI technology and unifies security in one platform in real-time, improving vulnerability analysis, incident response, and compliance reporting."

"The customers were looking for something around static security and dynamic security, and in all those areas, they were looking for an industry leader with a proven solution. Synopsys is a Gartner leader, so I position this particular technology for the technical pre-sales part of it."

"The most valuable features of Veracode Static Analysis are its ability to work with GitLab and GitHub so that you can do the reviews and force the code."

"Veracode allows us to easily summarize issues and provide quick, actionable insights."

"This is a great tool for learning about potential vulnerabilities in code."

"There is a single area on the dashboard where you can get a full view of all of the tests and the results from everything. There is a nice, very simple graphic that shows you the types of vulnerabilities that were found, their severity, the scoring, and in what part of the code they were found. All the details are together in one place."

"It is SaaS hosted. That makes it very convenient to use. There is no initial time needed to set up an application. Scanning is a matter of minutes. You just log in, create an application profile, associate a security configuration, and that's about it. It takes 10 minutes to start. The lack of initial lead time or initial overhead to get going is the primary advantage."

"I don't have to have a team of developers behind me that keep up with all the latest threats because the subscription service they provide for me does that."

"The most valuable feature is the security and vulnerability parts of the solution. It shows medium to high vulnerabilities so we can find them, then upgrade our model before it is too late. It is useful because it automates security. Also, it makes things more efficient. So, there is no need for the security team to scan every time. The application team can update it whenever possible in development."

"The solution's ability to prevent vulnerable code from going into production is perfectly fine. It delivers, at least for the reports that we have been checking on Java and JavaScript. It has reported things that were helpful."

More Veracode pros

Cons

"From the commercial perspective, we have some limitations because Palo Alto has a minimum number of users of endpoints set at 200, which is quite high for the Italian market."

"Overall, I rate Cortex Cloud by Palo Alto Networks as an eight out of ten. I think that it could improve on price, as I know that the Google solution has the best price, and this is one of the conditions."

"Some aspects of the GUI can be confusing and make it difficult for me to find certain options or navigate where needed."

"The negative aspects or areas for improvement in the product include the fact that the cost might be a bit high, which challenges commercials, but not technically."

"The pricing is high, making ROI challenging to justify, especially during transitions between solutions."

"Cortex Cloud by Palo Alto Networks is creating some confusion in terms of names because this is recent."

"The initial setup is a bit challenging because things are not easy. It needs a lot of technology adaptability plus the customer's environment-specific use cases."

"When we engaged Veracode to conduct the manual penetration testing, they were extremely slow in completing the task and delivering the report, causing a delay of two to three weeks for us."

"Veracode should include the feature to run multiple scales at a time."

"There are many times when their product goes to check my code and it dies, and I don't know why. I've contacted support and they're not really helpful with this particular problem. I go to the logs and I look at what I can but I can't tell why the check process has essentially just died in the middle of checking."

"To be able to upload source codes without being compiled. That’s one feature that drives us to see other sources."

"There are certain shortcomings in Veracode's static analysis engine. I would improve Veracode's static analysis engine to make it capable of identifying vulnerabilities with low false positives."

"I've found that Veracode is not particularly suitable for Dynamic Application Security Testing."

"The scanning is a little slow, but other than that it's fine. It's usually when the binaries get up into the multi-hundred megabyte size."

"We have approximately 900 people using the solution. The solution is scalable, but there is a high cost attached to it."

More Veracode cons

Pricing and Cost Advice

Information not available

"It is more of an enterprise solution for budget-conscious customers. So, it's moderately priced. It's not for everybody."

"The pricing is fair. You get a lot out of the product."

"Veracode provides value for the cost, with no additional charges apart from the standard licensing fee."

"The pricing is really fair compared to a lot of other tools on the market."

"The pricing depends on the functionality each client desires."

"To my knowledge, licensing for Veracode Static Analysis is paid yearly by my company."

"I recommend going for a one-year licensing with CA, because currently they are the leaders in this field with more features and a much better turn around time with a cheaper position, but there are a lot of new companies coming up in the market and they are building up their platforms."

"The cost has been a barrier to wider use here. I think my team is the only one at the university. Other folks might like to use it, but it's pretty pricey. You could see what else is in the market, but I hear that's the price for most solutions. You might not find a better deal in the market, or it might be an incomplete solution. I mean, for the level of interaction we get with Veracode staff, it's been pretty good."

"Licensing cost is on a yearly basis and there are no additional costs, the pricing is straightforward."

More Veracode pricing and cost advice

See which vendors are best for you

Use our free recommendation engine to learn which Static Application Security Testing (SAST) solutions are best for your needs.

See recommendations

881,707 professionals have used our research since 2012.

Top Industries

By visitors reading reviews

Performing Arts

10%

Financial Services Firm

10%

Manufacturing Company

Computer Software Company

Financial Services Firm

18%

Manufacturing Company

10%

Government

University

Financial Services Firm

17%

Computer Software Company

13%

Manufacturing Company

10%

Government

Company Size

By reviewers

Large Enterprise

Midsize Enterprise

Small Business

By reviewers
Company Size	Count
Small Business	4
Midsize Enterprise	1
Large Enterprise	2

No data available

By reviewers
Company Size	Count
Small Business	69
Midsize Enterprise	44
Large Enterprise	115

Questions from the Community

What is your experience regarding pricing and costs for Cortex Cloud by Palo Alto Networks?

The solution is costly, with high-end capabilities suitable for enterprises. It is less affordable for startups or sm...

See all answers

What needs improvement with Cortex Cloud by Palo Alto Networks?

Regarding areas for improvement, the tool performs its functions well, but frequent name changes across Palo Alto Net...

See all answers

What is your primary use case for Cortex Cloud by Palo Alto Networks?

Cortex Cloud by Palo Alto Networks serves as our primary tool for understanding our assets and performing API integra...

See all answers

Ask a question

Earn 20 points

Which gives you more for your money - SonarQube or Veracode?

SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. Son...

See all answers

What do you like most about Veracode Static Analysis?

I like its integration with GitHub. I like using it from GitHub. I can use the GitHub URL and find out the vulnerabil...

See all answers

What is your experience regarding pricing and costs for Veracode Static Analysis?

My experience with pricing, setup cost, and licensing for Veracode is that it is fairly moderate.

See all answers

Comparisons

Wiz vs Cortex Cloud by Palo Alto Networks

Compared 18% of the time

Prisma Cloud by Palo Alto Networks vs Cortex Cloud by Palo Alto Networks

Compared 17% of the time

SentinelOne Singularity Cloud Security vs Cortex Cloud by Palo Alto Networks

Compared 8% of the time

Microsoft Defender for Cloud vs Cortex Cloud by Palo Alto Networks

Compared 8% of the time

WithSecure Elements Exposure Management (XM) vs Cortex Cloud by Palo Alto Networks

Compared 7% of the time

More Cortex Cloud by Palo Alto Networks Competitors

PortSwigger Burp Suite Professional vs Software Risk Manager ASPM

Compared 16% of the time

Polaris Platform vs Software Risk Manager ASPM

Compared 10% of the time

Snyk vs Software Risk Manager ASPM

Compared 9% of the time

Checkmarx One vs Software Risk Manager ASPM

Compared 8% of the time

SonarQube vs Software Risk Manager ASPM

Compared 7% of the time

More Software Risk Manager ASPM Competitors

SonarQube vs Veracode

Compared 11% of the time

Checkmarx One vs Veracode

Compared 8% of the time

GitHub Advanced Security vs Veracode

Compared 5% of the time

OWASP Zap vs Veracode

Compared 3% of the time

Coverity Static vs Veracode

Compared 3% of the time

More Veracode Competitors

Product Reports

Buyer's Guide

Cortex Cloud by Palo Alto Networks

February 2026

Cortex Cloud by Palo Alto Networks report

Download Cortex Cloud by Palo Alto Networks product report

Buyer's Guide

Application Security Posture Management (ASPM)

February 2026

Download Software Risk Manager ASPM product report

Buyer's Guide

Veracode

January 2026

Download Veracode product report

Also Known As

No data available

Code Dx

Crashtest Security , Veracode Detect

Overview

Cortex Cloud by Palo Alto Networks provides comprehensive cybersecurity management, focusing on enhancing security operations with advanced automation and threat intelligence, addressing complex security challenges efficiently.

Cortex Cloud by Palo Alto Networks integrates cloud-scale data analytics and automation to streamline security operations, enabling faster threat detection and response. It leverages AI and machine learning to provide real-time threat intelligence and automate routine tasks, reducing the burden on security teams. Users benefit from improved visibility across networks and greater operational efficiency, making it crucial for enterprises aiming to secure their digital assets against evolving cyber threats.

What are the key features of Cortex Cloud by Palo Alto Networks?

Automated Threat Detection: Identifies and mitigates threats in real-time using AI algorithms.
Advanced Analytics: Provides in-depth data insights for proactive threat prevention.
Incident Management: Streamlines incident response with automated workflows.
Scalable Architecture: Offers flexibility to grow with organizational needs.

What benefits or ROI should you expect from Cortex Cloud by Palo Alto Networks reviews?

Increased Efficiency: Automation reduces manual efforts in threat management.
Enhanced Security Posture: Improved visibility leads to better threat preparedness.
Cost Savings: Minimizes expenses related to manual threat detection and response.
Scalability: Grows with the organization, reducing the need for constant upgrades.

Cortex Cloud by Palo Alto Networks is favored in sectors like finance, healthcare, and telecommunications, where data security is paramount. Its ability to integrate with existing infrastructure and provide real-time insights makes it a preferred choice for securing sensitive information and ensuring compliance within industry regulations.

Palo Alto Networks

Software Risk Manager is an application security posture management (ASPM) solution that enables security and development teams to manage their application security programs at enterprise scale. By unifying policy, test orchestration, correlation, prioritization, and built-in static application security testing (SAST) and software composition analysis (SCA) engines, organizations can streamline their security activities across the enterprise.

Black Duck

Veracode is a leading provider of application security solutions, offering tools to identify, mitigate, and prevent vulnerabilities across the software development lifecycle. Its cloud-based platform integrates security into DevOps workflows, helping organizations ensure that their code remains secure and compliant with industry standards.

Veracode supports multiple application security testing types, including static analysis (SAST), dynamic analysis (DAST), software composition analysis (SCA), and manual penetration testing. These tools are designed to help developers detect vulnerabilities early in development while maintaining speed in deployment. Veracode also emphasizes scalability, offering features for enterprises that manage a large number of applications across different teams. Its robust reporting and analytics capabilities allow organizations to continuously monitor their security posture and track progress toward remediation.

What are the key features of Veracode?

Static Analysis (SAST) - Scans source code for vulnerabilities before deployment.
Dynamic Analysis (DAST) - Examines applications in a running state to detect flaws in real-time.
Software Composition Analysis (SCA) - Identifies risks in open-source libraries and third-party components.
Manual Penetration Testing - Offers expert analysis for more complex vulnerabilities.
Integrations with DevOps tools - Seamlessly integrates with CI/CD pipelines for automated security checks.

What benefits should users consider in Veracode reviews?

Early detection of vulnerabilities - Helps developers fix security issues early in the development process.
Scalability - Supports organizations with large-scale application portfolios.
Compliance support - Ensures applications meet various security standards and regulations.
Developer training - Provides tools for educating developers on secure coding practices.
Comprehensive reporting - Offers detailed reports that track remediation and risk trends.

Veracode is widely adopted in industries like finance, healthcare, and government, where compliance and security are critical. It helps these organizations maintain strict security standards while enabling rapid development through its integration with Agile and DevOps methodologies.

Veracode helps businesses secure their applications efficiently, ensuring they can deliver safe and compliant software at scale.

Veracode

Sample Customers

Information Not Available

Discover why companies like: CGI said, "Synopsys and Software Risk Manager have provided the results we’re looking for".

Manhattan Associates, Azalea Health, Sabre, QAD, Floor & Decor, Prophecy International, SchoolCNXT, Keap, Rekner, Cox Automotive, Automation Anywhere, State of Missouri and others.

Buyer's Guide

Static Application Security Testing (SAST)

February 2026

Download Free Report

Find out what your peers are saying about SonarSource Sàrl, Veracode, Checkmarx and others in Static Application Security Testing (SAST). Updated: February 2026.

DOWNLOAD NOW

881,707 professionals have used our research since 2012.

See our list of best Static Application Security Testing (SAST) vendors, best Software Composition Analysis (SCA) vendors, and best Application Security Posture Management (ASPM) vendors.

We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.