Release Manager/Scrum Master at Amtech Software
Is easy to install, has low false-positive rates, and saves time with continuous integration
Pros and Cons
- "Veracode's integration with our continuous integration solution is what I've found to be the most valuable feature. It is easy to connect the two and to run scans in an automated way without needing as much manual intervention."
- "I do expect large applications with millions of lines of code to take a while, but it would be nice if there was a possibility to be able to have a baseline initial scan. I know that Veracode touts that there are Pipeline Scans that are supposed to take 90 seconds or less, and we've tried to do that ourselves with our ERP application. However, it actually times out after two hours of scanning. If the static scan itself or another option to run a lower tier scan can be integrated earlier on into our SDLC, it would be great. Right now, it takes so long that we usually leave it till a bit later in the cycle, whereas if it ran faster, we could push it to the time when a developer will be checking in code. That would make us feel a lot more confident that we'd be able to catch things almost instantaneously."
What is our primary use case?
We use it primarily for our application security concerns. We use the dynamic, static, and SCA scanning tools. We run our static scans after the code is compiled, and that gets uploaded automatically through our DevOps tool. We have installed an agent in one of our cloud servers that is behind a firewall to run the dynamic scan against the runtime. We run our SCA scans when we do the static scans, which is after compilation.
How has it helped my organization?
Prior to using Veracode, we hadn't really looked into security features or thought about security in the same way that we have since we started using Veracode. We were focused on what you hear about in the news, such as making sure that it is HTTPS secured. We hadn't really dug into the nitty gritty of application security and scanning our source code, running it against a runtime environment, and looking at the actual third-party solutions that we integrate or use in our code. Veracode has helped with our mindset as an organization to start thinking about things more securely by design rather than as a reactive measure. We're being more proactive with security.
What is most valuable?
Veracode's integration with our continuous integration solution is what I've found to be the most valuable feature. It is easy to connect the two and to run scans in an automated way without needing as much manual intervention.
We feel very confident about Veracode's ability to prevent vulnerable code from going into production. Having the stamp of approval helps not only from a marketability standpoint but also from an overall good feeling within the organization that we're doing our part to help keep our code free from vulnerabilities.
This solution provides visibility into application status at every phase of development. It goes from compiling the code all the way to running it in production. It covers all major aspects of the SDLC. We run static scans and SCA scans early on in the process to make sure that we catch any code that is insecure by design. If we are able to catch it earlier on, before it's actually out in the production environment, it reduces costs. The dynamic scans are run further along in our QA process. That is, once we've deployed the code and have it in a runtime environment, we run weekly scans in a dynamic environment against the code runtime to make sure that there aren't any new vulnerabilities that got introduced. We are looking at doing manual penetration testing in 2023, where we would be using a spinoff of the code that was released to the customers to make sure that there aren't any holes through which a nefarious actor could get in and exploit what was built.
Veracode's false-positive rate is low. The few instances when it looked like there were false positives, the issues were found to be either true vulnerabilities or things that were that way by design. If a developer thought that there would be a ton of false positives when using the tool, it would then diminish the value of actually using the tool. Veracode touts itself as being a tool with the lowest false-positive rate in the market. It gives inherent confidence in the tool itself, and developers are more inclined to think that if it found something, it's pretty likely that it is not a false positive. They would then work to prove it wrong rather than discounting it without even looking into it.
We haven't really found many false positives with static analysis, and there hasn't been a significant impact on our time and cost related to tuning, leveraging data, and machine learning.
Continuous integration linking definitely saves a lot of time because it takes away the step where a developer needs to manually upload the code every time to do a scan. It can run in the background, and having the Visual Studio plugin includes it directly in the development environment. If developers do get assigned a bug that they need to fix, they can pull it right up in their development environment and not have to log in to the portal. It will all be right there.
I'm primarily the one who has been involved in DevSecOps, and Veracode has definitely reduced my time. If we had gone with a conglomeration of open-source tools, it would've taken me a ton more time, whereas with Veracode, all the documentation is out there, and I'm able to integrate everything that I need from a usability standpoint. I don't have to learn a new tool every time I need to integrate a new security scanning option. It has helped me tremendously and has saved me a lot of time.
What needs improvement?
I do expect large applications with millions of lines of code to take a while, but it would be nice if there was a possibility to be able to have a baseline initial scan. I know that Veracode touts that there are Pipeline Scans that are supposed to take 90 seconds or less, and we've tried to do that ourselves with our ERP application. However, it actually times out after two hours of scanning.
If the static scan itself or another option to run a lower tier scan can be integrated earlier on into our SDLC, it would be great. Right now, it takes so long that we usually leave it till a bit later in the cycle, whereas if it ran faster, we could push it to the time when a developer will be checking in code. That would make us feel a lot more confident that we'd be able to catch things almost instantaneously.
Buyer's Guide
Veracode
June 2025

Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
861,490 professionals have used our research since 2012.
For how long have I used the solution?
I've been using Veracode for a little over a year now.
What do I think about the stability of the solution?
I haven't had any stability issues, bugs, or glitches.
What do I think about the scalability of the solution?
The scalability is really good. I recently added to the solution some new applications that I learned about late in the game. There were probably 10 that I had to add in rapid succession and scan as well. It was very quick and painless.
How are customer service and support?
Veracode's technical support is very responsive, and I've heard back within 24 hours regarding a couple of issues I've entered. We have actual consulting calls, which are a scheduled event, and I like the way they handle those as well. I have nothing but good things to say about them and give them a rating of ten out of ten.
How would you rate customer service and support?
Positive
How was the initial setup?
I was involved with the initial setup of Veracode, and it was straightforward. We had a third-party vendor who was evaluating it, so a little bit of the setup was done. However, adding a new application to the tool is easy and self-explanatory. It doesn't take much time at all, and the documentation is out there if we need to look up anything.
What about the implementation team?
We implemented it with the help of a third-party vendor. They had two people on their team who were working on the deployment along with me. My responsibilities included adding all of our software to the tool to run scans against it, integrating it with our DevOps solution, discussing the tool itself with internal stakeholders as to how they can use it and showing programmers how to use the tool from an internal adoption standpoint.
What's my experience with pricing, setup cost, and licensing?
I know that Veracode is a semi-pricey solution. If you are serious about security, I would recommend that you use an open-source option to learn how the scanning process works and then look into Veracode if you want to really step up your game and have an all-in-one solution.
Which other solutions did I evaluate?
We evaluated a couple of open-source tools such as Snyk and SonarQube against Veracode with the help of a third-party vendor. We didn't use any of those and landed on Veracode because of the Veracode Verified seal. This, along with Veracode being the market leader, gave Veracode an edge over the others.
The main difference between Veracode and the solutions we evaluated is that Veracode is an all-in-one solution. Though an open-source solution would've been more cost-effective, we would've had to use a bunch of different tools. It would have required more knowledge to do the integration piece and would've taken a lot more time and effort. There would have been invisible costs associated with it just by the virtue of time. In comparison, Veracode's dynamic scan, static scan, and software composition analysis are all in one place.
What other advice do I have?
My advice would be to look at the open source tools out there and see how far along you are in your security journey and what your needs are. If you're looking for the best in the market, Veracode is a great option, as far as paid solutions go, because it's a one-stop shop. If you have more time at your disposal and you don't mind integrating some solutions, then I'd recommend an open-source tool. However, if you have the resources, I would definitely recommend going for Veracode.
On a scale from one to ten, I would rate Veracode at nine.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.

Manager of Application Development and Integrations at a university with 1,001-5,000 employees
Prevented vulnerable code from going into production but their support is lacking
Pros and Cons
- "Veracode Security Labs are fantastic. My team loves getting the hands-on experience of putting in a flaw and fixing it. It's interactive. We've gotten decent support from the sales and software engineers, so the initial support was excellent. They scheduled a consultation call to dive deep and discuss why we see these findings and codes. That was incredibly helpful."
- "Their platform is not consistent. It needs a lot of user experience updates. It's slow performing, and they log you out of the system every 15 minutes, so using the platform is challenging from a developer's perspective because you always have to log in."
What is our primary use case?
We use Veracode for dynamic, static, and software composition scanning. Veracode is a SaaS solution.
How has it helped my organization?
Veracode has exposed many flaws, and the Security Labs have helped train the team to understand security and fix flaws. You don't know what you don't know. They've shown us what we don't know so we can identify and fix our security issues.
Veracode effectively prevented vulnerable code from going into production. I have a hard time validating that assumption, but I think it's good at that. It seems like it does a lot in terms of compliance with industry standards and regulations.
We've requested some features for fine-tuning the ability to craft the policy and what can break a build. It was disappointing that they didn't add that. However, we've used the policy features and were able to report on it, so we were pleased with that. It can create custom dashboards and see which applications are breaking a policy. We get a lot of metrics on those scans.
We have Veracode built into our software delivery pipeline. Automation was our objective when we started evaluating Veracode. We have a high degree of automation in our regular scanning. Every day we do software composition scanning and static analysis, and we do weekly scans using dynamic analysis.
The automation features have saved us tons of time because we don't have to worry about whether it is getting done. Tackling security requires a massive time investment. The value we get from it is that our apps are more secure.
Veracode has raised our leadership's security awareness. This tool has generated more conversations around security and ways we can protect our software.
What is most valuable?
Veracode Security Labs are fantastic. My team loves getting the hands-on experience of putting in a flaw and fixing it. It's interactive. We've gotten decent support from the sales and software engineers, so the initial support was excellent. They scheduled a consultation call to dive deep and discuss why we see these findings and codes. That was incredibly helpful.
Veracode's static and software composition scanning has been most beneficial for us. We already use a competing product for dynamic scanning.
What needs improvement?
Their platform is not consistent. It needs a lot of user experience updates. It's slow performing, and they log you out of the system every 15 minutes, so using the platform is challenging from a developer's perspective because you always have to log in.
I've been harping on it for the last two years. They try to compensate for that by building a relationship with staff. We keep asking questions we wouldn't have to ask if they had a better user interface. They would save their staff time and save us a lot of hassle.
They claim to have the best false positive rate. It's hard to judge, but we've had several false positives, and the solution's inability to resolve them has been incredibly frustrating. The ability to schedule a consultation to talk through what's going on has been helpful. Still, I'd like to see the capability to act on false positives and resolve them in the application instead of us marking things as false positives. That's where they need to improve.
It has occupied my team's time because they're escalating the issue from support to engineering. They've been consulting my developers. They raise issues but don't spend time duplicating the issue. They close tickets saying it's not a problem or misunderstand what's being requested. They need to mature in that area a lot.
For how long have I used the solution?
I've been using Veracode for about two years now.
What do I think about the stability of the solution?
I have some concerns about the leadership. This is only speculation, but I believe some leadership decisions have created a ton of turnover at Veracode. The solution was sold to another company, impacting us because we constantly get new contacts to work with, so we always have to ramp them up to speed. They're not necessarily as skilled as the prior contacts we've had.
Is Veracode taking care of their staff? Are they keeping the people they need to support their customers? There have been months when I just had turnover fatigue from Veracode because we're constantly getting new contacts to work with. One thing that sets them apart is that we have a direct contact we can go to when we need an issue escalated or we need help understanding how something works.
What do I think about the scalability of the solution?
I don't have any concerns about scalability.
How are customer service and support?
I rate Veracode support two out of 10. When I raise issues, I expect support to bend over backward and be grateful that we're pointing out problems in their system. They should work to understand what we're talking about and reach out to us.
I expect to meet with them, and I've never had a meeting with them to talk through issues. That's not how they work. Also, I feel like their staff isn't very skilled. They don't understand things and insult my developers. The support is terrible, but other Veracode staff have been exceptional. We always have to lean on our customer support contacts to determine why a ticket was closed. What's going on here? Can you escalate this? We're not getting any traction on that.
How would you rate customer service and support?
Negative
Which solution did I use previously and why did I switch?
I previously used Qualys. It had terrible support and wasn't supported well enough at the university. Also, Qualys is not a full-app security solution. It only did dynamic scanning and lacked the flexibility we needed.
How was the initial setup?
Setting up Veracode takes some effort. Their web interface isn't too intuitive. It's also slow, which poses a challenge when setting it up. Veracode provided some help getting it running.
We did it ourselves with help from Veracode. If I had to do it again, I would do it all ourselves, too, because we got the support we needed from Veracode and didn't require a consultant's extra expertise. Veracode was that expertise.
After deployment, Veracode requires routine maintenance. Their platform is down sometimes. Our nightly builds occasionally get stuck, and we must reach out to them. There is scheduled maintenance and dealing with issues as they come. I don't know if you necessarily call that maintenance, but it's time-consuming.
What was our ROI?
It's hard to quantify ROI on security. It makes us feel better. We have all this scanning, and we're identifying where we are vulnerable. If it prevents exposure, it saves us millions of dollars. There's potentially a considerable ROI, but it's speculative at this point.
What's my experience with pricing, setup cost, and licensing?
The cost has been a barrier to broader use here. I think my team is the only one at the university. Other folks might like to use it, but it's pretty pricey. You could see what else is in the market, but I hear that's the price for most solutions. You might not find a better deal in the market, or it might be an incomplete solution. For the level of interaction we get with Veracode staff, it's been pretty good.
Right now, we've had a little more interaction with Veracode staff because they want to sell to the rest of the university. So they've been willing to meet with us frequently, answer questions, and get on support for issues that get closed when they shouldn't be closed.
What other advice do I have?
I rate Veracode seven out of 10 because I have a beef about their support. Their turnover is impacting us, and we have concerns about how they treat their staff. We love Security Labs. We like the dashboards and reporting. I feel like Veracode wants to see us succeed on their platform, which goes a long way. They want to help us meet the goals set when we started using this product. That's a value add they provide. They do a great job finding security flaws.
At the same time, we have issues with support, platform usability, and performance. If I met a prospective Veracode user, I would point out those issues but also mention our positive experience with the solution engineer and sales staff. They've been accommodating and always willing to work with us.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Drastically reduced post-deployment issues for us
Pros and Cons
- "Before Veracode, the application was deployed to the production server and there would be a lot of bugs and issues. Once we implemented the Veracode scan, the full deployment issues were drastically reduced."
- "One concern is that scans take a long time to run. We scan at the end of the day because we know it will take a lot of time. We leave it to run and the report will be generated by the next day when we arrive. The scanning time could be reduced."
What is our primary use case?
We use it to scan third-party libraries to check for vulnerabilities.
How has it helped my organization?
Our company relies on Veracode to prevent vulnerable code from going into production.
And it reduces post-deployment bug fixes. Before Veracode, the application was deployed to the production server and there would be a lot of bugs and issues. Once we implemented the Veracode scan, the full deployment issues were drastically reduced. In a month we do 10 releases and we used to get five or six post-deployment issues. Now, we barely get one or two.
Veracode has also significantly saved us time, around 30 to 40 percent, and we can concentrate on new features instead of fixing the old ones.
What is most valuable?
We use the full code analysis and the recommendations from the Veracode report.
What needs improvement?
One concern is that scans take a long time to run. We scan at the end of the day because we know it will take a lot of time. We leave it to run and the report will be generated by the next day when we arrive. The scanning time could be reduced.
For how long have I used the solution?
I have been using Veracode for the last three months.
What do I think about the stability of the solution?
It's very stable. I've never seen any downtime with Veracode.
What do I think about the scalability of the solution?
We use it on-prem, so I'm not sure whether it can be scaled. It's just one endpoint that multiple people access.
Which solution did I use previously and why did I switch?
We have two scanning stages. The first one uses SonarQube, which only does code analysis. It doesn't scan third-party libraries that we use in our code. Veracode is the second level of check. We work on a banking project. The bank trusts Veracode and they recommended Veracode to scan our products.
How was the initial setup?
The initial deployment was pretty straightforward. It's on-prem so there was no deployment strategy to follow. It took one to two days to deploy and check everything. A team of three to four people worked on the deployment. It depends on the project's complexity as well. As a DevOps engineer, I support a lot of projects within our organization, and the deployment varies from project to project.
In my department, we handle six to eight projects and each one needs a Veracode scan before deployment. As a company, we have multiple locations and departments but only the DevOps team of eight people has access.
The way we work with Veracode is that we have integrated it with Jenkins. We upload the artifacts to the server, trigger the Jenkins job, and the Veracode scan is generated. We have set everything from the Jenkins pipeline. The scan is automated using Jenkins, which means there is no need for maintenance. If there are new steps implemented in the pipeline, there might be some overhead, but it doesn't need any maintenance. We just set the port and everything works fine.
What other advice do I have?
Other than the scanning time, I would give it a solid eight out of 10.
Which deployment model are you using for this solution?
On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Last updated: Mar 18, 2025
Security Project Leader at ATOSS AG
Quality of our code is much better, and we sleep well at night knowing we have closed a possible security leak
Pros and Cons
- "It has provided what we were looking for in such an application, meaning static application security testing functionality. That was what we were interested in."
- "False positives are a problem. Sometimes the flow paths are not accurate and don't represent real attack vectors, but this happens with every application that performs static analysis of the code. But it's under control. The number of false positives is not so high that it is unmanageable on our side."
What is our primary use case?
We use Veracode to scan server applications, and we also use it for SCA functionality and to scan pipelines of our other projects.
How has it helped my organization?
The quality of our code is much better now with structured utils meant for improving various topics related to security. Those are being applied consistently to various modules of the application. It enforces a type of structure and code changes to support future transformation.
What needs improvement?
False positives are a problem. Sometimes the flow paths are not accurate and don't represent real attack vectors, but this happens with every application that performs static analysis of the code. But it's under control. The number of false positives is not so high that it is unmanageable on our side. Once they are identified, you can mark them as false positives, and they can be accepted by the security project lead. After that, life goes on, and those will no longer be reported.
The problem is the time that you spend analyzing a flow to be sure that it is a false positive. Every problem that is reported as a security vulnerability has to be treated with maximum care by the developers. It is good, in the end, when it's a false positive instead of having a real vulnerability.
Because we are working on a huge application with lots of dependent sub-projects, there are 9 to 20 data paths. We have to check all of the vectors from all of these paths. If we decide that an attack vector might be susceptible to that attack, we start fixing it. But for the others, the attack vector is not relevant.
There is always room for improvement in any product; it's not something related specifically to Veracode. But in the case of Veracode, maybe they could improve the scanner to reduce the number of false positive events so that they remain only with the valid data paths that represent real attack vectors. We understand that this is quite hard to determine by just scanning the code.
Also, the UI of Veracode could be improved to permit better visualization of the issues and the grouping of the issues, with better filtering.
For how long have I used the solution?
We have been using Veracode for four years.
What do I think about the stability of the solution?
We have seen delays in results on the order of hours, but there haven't been any crashes of their scanner. The solution is quite reliable, and all of the results from the scanning can be easily tracked in terms of time frame. You can see how your scanning has evolved, and there are no deviations due to a bug in the scanner.
What do I think about the scalability of the solution?
For small and medium-sized projects, it's quite scalable. You can use the sandbox scanner they provide, and it is fine. But for large applications, it is not scalable. We do manual uploads, and this is not scalable.
How are customer service and support?
We haven't called their support because we know how to interpret the results provided by their platform and how to mitigate the vulnerabilities that they have reported.
However, we have exchanged several emails to discuss some technical details of the solution that we applied it to, and everything was straightforward. There are no complaints from my side regarding what they said. Everything went smoothly and quickly.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We have used certain plugins from Teamscale, which is also a static code analyzer, and it integrates with various plugins in Sonar. We have also used OWASP for static composition analysis, and we are still using the third-party application scanning from OWASP as a Maven plugin. We have also evaluated Black Duck.
Veracode was the first choice for doing static application security testing. It was ranked first a couple of times in the last few years, so it was a natural choice to go with the top product. Also, SAP has a partnership with Veracode for the application that they are selling. It was a win for us, SAP, and for Veracode.
How was the initial setup?
It took us one day to get ready to use the solution. We built the image and copied it during the night to several machines. The following day, we were ready to put it into the container registry in Azure, and then it could be used. We had a huge procedure and scripting. It was not simple.
The team that did it had about six engineers involved.
What's my experience with pricing, setup cost, and licensing?
It is an expensive solution, but it's the best solution available on the market. If you want something at the top, you have to pay a bit more than the average.
Regarding extra expenses, it depends on what you want to buy. They have certain bundles that provide support via a hotline system with customer service. They can provide you access to certain security laboratories. You can opt for several licenses to educate more developers to be responsible for the security of your applications. All of these change the initial cost.
Of course, if you add more things, you can benefit from a better price. It depends on your negotiation skills and the number of licenses you want to buy.
The price can vary from year to year, and prices usually go up. Maintenance for the servers that do the scanning takes money, as do CPU, power, and memory. And there are the reports that are kept in the history for checking and for ISO certification. Those costs build up during a year.
For example, we have to manually upload the application that we are scanning because it's quite big, and it takes one day to be scanned. That means their scanner runs for a day on this application, and then we get the results back. That means our application is heavily consuming resources of that cloud server. Those resources are no longer paid for directly by us. We delegate this job to Veracode to do it for us, and we pay for it. But we free up our servers locally and can do other jobs with them.
We aren't trying to reduce our costs. We are trying to improve the security and quality to be sure that we and our customers don't have security issues. At the end of the day, security is the most important part. With every new release and with every new year, we allocate more and more to these operations, to improve our overall security.
What other advice do I have?
Not every such application is able to prevent everything from going to production, but several issues can be spotted via the scanning of the code and resolved, and they are valid. There are many others that can be detected with additional tooling from OWASP, Sonar, et cetera.
We are not using the SBOM functionality from Veracode. We use another tool to create the software bill of materials. That solution is also able to scan Docker images, and it also provides details about what is inside the layers of the Docker image file.
In terms of visibility into application status at every phase of development, it depends on how able you are to scan your application. For large applications, you have to do manual uploads, which is the case for us. We don't do manual uploads on every build, but we trigger it at certain times when we want to create releases for customers. That helps with our accuracy, but it doesn't represent the exact moment when there is a problem in the application. We still have to analyze the commits and history, track things, and match them with the new flaws that have been found in the latest report.
Veracode doesn't save us time. We have to spend a lot of time fixing security issues, especially those that impact lots of dependencies, dependent code, and sub-projects. But in the end, we can sleep well at night knowing that we have closed a possible security leak within the code, which is better for everybody. Even if there is no real problem at that moment and you don't see any probability of that vulnerability appearing in production, it is better to take some time to fix it, and then you feel better.
It has provided what we were looking for in such an application, meaning static application security testing functionality. That was what we were interested in.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Founder and Director at Bizcarta Technologies India Pvt Ltd
A broad and integrated platform that provides multiple test scenarios, but it is expensive and does not provide on-premise implementation
Pros and Cons
- "The product provides guidance to develop secure software."
- "On-premise implementation is not available."
What is our primary use case?
It is a broad and integrated platform. It provides multiple test scenarios and has the ability to do CI/CD pipeline integration. It is used for application security and vulnerability assessment.
What is most valuable?
Veracode provides guidance to develop secure software. It is one of the valuable features.
What needs improvement?
On-premise implementation is not available.
For how long have I used the solution?
I have been using the solution for ten years.
What do I think about the stability of the solution?
It is stable.
What do I think about the scalability of the solution?
The tool is scalable.
How are customer service and support?
The technical support is good.
How would you rate customer service and support?
Neutral
How was the initial setup?
The product is deployed on the cloud. We have a multi-cloud environment.
What's my experience with pricing, setup cost, and licensing?
The solution is expensive.
What other advice do I have?
Veracode’s policy reporting for ensuring compliance with industry standards and regulations is good. The product's false-positive rate is low. If the tool is used effectively, vulnerable code does not go into production.
The SBOM feature helps identify risks in all third-party software. It is quite easy to create a report using the SBOM feature. It is an important feature. The solution provides visibility into application status at every phase of development. We have not integrated it.
Veracode has a good effect on our organization’s ability to fix flaws. Veracode has helped our developers save time. Veracode has a good impact on our organization’s overall security posture. The solution is probably not worth the money. The developers are more confident while fixing vulnerabilities due to the solution’s low false-positive rate.
Overall, I rate the tool a six out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Application Development Analyst at a consultancy with 10,001+ employees
Showed us where errors were and helped us track their status, but reporting could have been more detailed
Pros and Cons
- "I liked that I could easily find out where my errors were. Instead of going through the whole code and the scripts, it showed me where the errors were and gave me an idea of how to fix them."
- "The reporting was detailed, but there were some things that were missing. It showed us on which line an error was found, but it could have been more detailed."
What is our primary use case?
We used it for static and dynamic testing to check if there were any vulnerabilities in the code. If there were any vulnerabilities, we would check the report downloaded from the Veracode portal and try to fix the code before deploying it.
How has it helped my organization?
Veracode helped me remove errors, and it didn't take a long time to fix any issue because I had an answer regarding where the code needed to be fixed. That feature helped us test our cases and get them deployed. It helped me fix vulnerabilities and any other errors before deployment to the applications.
The SAST and DAST scans—we used it both before code was deployed and after it was deployed—helped us run through the issues and keep track of their status. It was deployed in the pipelines, through Jenkins, and checked the logs in Kubernetes.
The solution also saved us time. I really liked the automatic scanning because there was no way to know where an issue was. Human tendency is to make mistakes, but Veracode helped us find the exact spot where an error was and change it. The reporting helped us do that in a short amount of time.
For our team, it had a very good impact. My manager used to suggest that before taking code to the next level, it was a really good idea to scan it.
What is most valuable?
I liked that I could easily find out where my errors were. Instead of going through the whole code and the scripts, it showed me where the errors were and gave me an idea of how to fix them.
What needs improvement?
The reporting was detailed, but there were some things that were missing. It showed us on which line an error was found, but it could have been more detailed.
Also, with upgrades, we had quite a difficult time tracking the reports, so there was some maintenance around that.
For how long have I used the solution?
I used Veracode for 13 months.
What do I think about the stability of the solution?
I had a situation that was due to a slow network, and I couldn't get results within a specific time. Because of that, there was a lag in production; we couldn't deploy the code on time. There was a crash, and because of that, we couldn't meet our production deadline.
The downtime happened two or three times. I thought it was due to a network issue when it happened once, but then I came to understand that it was a maintenance issue.
What other advice do I have?
Veracode is really not difficult or complex to understand. The whole concept is simple. It takes some time to get used to the tool, but it is a very simple tool to work with.
It was quite fast. Scanning my code took 25 to 30 minutes, which was quite good.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Data Research Analyst & Business Development at DIS Research
Reduces manual processes for us, saving significant time
Pros and Cons
- "The main feature, and one of the most important, is the static code analysis. We are able to complete an analysis of the security flaws with this platform. It's very good at helping us find and fix flaws."
- "The support team could be more responsive, and the dependency of users on the support team is too high and should be reduced."
What is our primary use case?
The most important purpose of this platform is code security. We are able to scan our code and find security flaws.
How has it helped my organization?
Veracode has saved us a lot of time because we have been able to reduce manual processes. We are able to do most things automatically with the platform. It has saved us between 30 and 40 percent of our time.
What is most valuable?
The main feature, and one of the most important, is the static code analysis. We are able to complete an analysis of the security flaws with this platform. It's very good at helping us find and fix flaws.
The sandbox environment is also one of the features we are using, as well as integration with our CI/CD pipeline, which is very useful. The product is pretty easy to understand, which is quite good.
The policy reporting for ensuring compliance with industry standards and regulations also helps us a lot.
It gives us visibility into application status at every phase. We have definitely seen an improvement in that regard.
For how long have I used the solution?
I'm pretty new to this platform. I'm going with a trial right now and have been using it for about a month. We have spent most of our time analyzing the code.
What do I think about the stability of the solution?
It's a stable product.
What do I think about the scalability of the solution?
It is also very scalable.
How are customer service and support?
The support team could be more responsive, and the dependency of users on the support team is too high and should be reduced.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
This is the first such tool we are using.
How was the initial setup?
The initial deployment was not very complex. It took us around 15 days because we were trying to understand the policies and many other things. Our team has 15 people and everyone was involved in making some decisions regarding the solution.
We have only needed help with the product itself. That's what we have reached out to their team for. But there hasn't been any maintenance of the product for us.
What's my experience with pricing, setup cost, and licensing?
The pricing is a bit high. Although we are in a trial phase, if we are going to make the decision to purchase the software, the pricing is going to be high for us.
What other advice do I have?
We are able to justify the false positives because security flaws are one of the biggest things that Veracode's features help us with.
Overall, the product is good. It has made a very good impression. There are some flaws, as I have mentioned, but overall it looks very good, with the features I've mentioned. The impact on our security has been good. The main challenge for us will be the pricing, but if we ignore that factor, the impact has been very good and we would definitely implement Veracode.
I would suggest having a look at Veracode. Go for a trial of the system to see if Veracode is something that can help solve your problems. Pricing should be ignored because there are definitely some very specific features that help a lot.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Solution Architect at a tech vendor with 10,001+ employees
Includes valuable static and dynamic code scanning and detailed reports
Pros and Cons
- "The static scan and the detailed reports, which include issue information and permissions, are the most valuable features."
- "Veracode does not support scans for .NET Blazor server applications."
What is our primary use case?
We are developers who utilize Veracode for the static and dynamic scanning of our applications.
How has it helped my organization?
Veracode provides both us and our customers with confidence that our applications do not have any issues by helping to prevent any vulnerable code from being deployed in production.
Veracode has helped us improve the way we conduct static and dynamic code testing in our organization. Based on the reports we receive, we can quickly identify what needs to be fixed immediately after the scan. For minor issues, we are given time to address them after moving into production, but for major issues, the application is unable to enter the production phase.
We utilize Veracode for static and dynamic code scanning in our software configuration and lifecycle management. It is integrated as part of our pipeline, allowing the code to be automatically scanned in the background. This enables us to review the reports promptly.
The information provided by Veracode enables us to easily rectify vulnerabilities in the workflow.
Veracode can help our developers save time, depending on the issue and the age of the application.
Veracode saves time by automating the basic tasks that were previously performed manually.
Veracode has had a positive impact on our security stance and has empowered our customers to confidently migrate their applications to the cloud.
What is most valuable?
The static scan and the detailed reports, which include issue information and permissions, are the most valuable features.
What needs improvement?
Veracode does not support scans for .NET Blazor server applications. We encounter errors whenever attempting a scan. I would appreciate it if Veracode could incorporate support for these applications.
I would like Veracode to offer code support for the latest releases of .NET whenever they are released by Microsoft.
For how long have I used the solution?
I have been using Veracode for over one year.
What do I think about the stability of the solution?
Veracode is stable.
How are customer service and support?
The technical support is helpful, but they operate on their own schedule, so in certain instances, we have to endure a considerable wait for a resolution.
How would you rate customer service and support?
Neutral
What other advice do I have?
I give Veracode an eight out of ten.
Our customer provides us with a Veracode profile account for uploading and testing code. We do not manage the solution or have any insight into how it is deployed.
I highly recommend Veracode for assisting in identifying vulnerabilities in code.
I have learned that Veracode can confidently scan and detect vulnerabilities in code. However, for older or unsupported applications, we need to seek an alternative solution.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer. MSP
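Two of the reviews above describe the same workflow from different ends: the reviewer who does manual uploads only at release time and then has to match the new flaws in the latest report against recent commits, and the Solution Architect whose pipeline lets minor issues through with a remediation window but refuses to promote a build with major ones. The block below is an added example of that release gate, written for this page and not part of any review or of Veracode's own report format, API or policy engine. The report rows, the severity scale (1 to 5, with 4 and above blocking) and the field names are constructed for illustration; a real setup would map the scanner's export into the same shape and would use the scanner's own flaw identifier instead of a CWE plus location tuple, since line numbers drift as code above a flaw changes.

```python
"""Release gate over two scan reports: block on open high-severity flaws and
list which flaws are new since the last baseline scan.

Added example. Report shape, field names and severity scale are hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Hypothetical severity scale: 1 = informational ... 5 = very high.
BLOCKING_SEVERITY = 4  # open findings at or above this level block the release


@dataclass(frozen=True)
class Finding:
    cwe: str        # e.g. "CWE-89"
    module: str     # file or sub-project the flaw was found in
    line: int
    severity: int
    status: str     # "open" or "mitigated"

    def key(self) -> tuple:
        # Identity of a flaw across two scans. Line numbers drift when code
        # above the flaw changes; a production version would use the
        # scanner's own flaw id or a hash of the surrounding source.
        return (self.cwe, self.module, self.line)


def load_findings(raw: Iterable[dict]) -> list[Finding]:
    """Normalise report rows (hypothetical shape) into Finding objects."""
    return [
        Finding(
            cwe=row["cwe"],
            module=row["module"],
            line=int(row["line"]),
            severity=int(row["severity"]),
            status=row.get("status", "open"),
        )
        for row in raw
    ]


def new_findings(baseline: list[Finding], current: list[Finding]) -> list[Finding]:
    """Flaws present in the current report but absent from the baseline."""
    seen = {f.key() for f in baseline}
    return [f for f in current if f.key() not in seen]


def evaluate_gate(baseline: list[Finding], current: list[Finding],
                  blocking: int = BLOCKING_SEVERITY) -> dict:
    """Return a verdict; 'release_allowed' drives the pipeline exit code."""
    fresh = new_findings(baseline, current)
    fresh_keys = {f.key() for f in fresh}
    # Mitigated flaws never block; open ones block only at or above the threshold.
    blockers = [f for f in current if f.status == "open" and f.severity >= blocking]
    # Lower-severity open flaws are tracked but get a remediation window after release.
    deferred = [f for f in current if f.status == "open" and f.severity < blocking]
    return {
        "release_allowed": not blockers,
        "blocking": sorted(f.key() for f in blockers),
        "blocking_new": sorted(f.key() for f in blockers if f.key() in fresh_keys),
        "deferred": sorted(f.key() for f in deferred),
        "new": sorted(f.key() for f in fresh),
    }


# Constructed sample reports: the previous release scan and the current one.
BASELINE_REPORT = [
    {"cwe": "CWE-79", "module": "web/render.py", "line": 40, "severity": 3},
    {"cwe": "CWE-89", "module": "db/query.py", "line": 120, "severity": 5, "status": "mitigated"},
]
CURRENT_REPORT = [
    {"cwe": "CWE-79", "module": "web/render.py", "line": 40, "severity": 3},
    {"cwe": "CWE-89", "module": "db/query.py", "line": 120, "severity": 5, "status": "mitigated"},
    {"cwe": "CWE-502", "module": "api/session.py", "line": 88, "severity": 5},
    {"cwe": "CWE-200", "module": "api/debug.py", "line": 12, "severity": 2},
]


def main() -> int:
    verdict = evaluate_gate(load_findings(BASELINE_REPORT), load_findings(CURRENT_REPORT))
    for key in verdict["new"]:
        print("new flaw since baseline:", key)
    for key in verdict["blocking"]:
        print("BLOCKING:", key)
    print("release allowed:", verdict["release_allowed"])
    return 0 if verdict["release_allowed"] else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

The "new" list is the set a developer has to reconcile with the commit log since the last upload; the "blocking_new" subset is the part of it that actually stopped the release, which is usually where that reconciliation should start. Note that a mitigated high-severity flaw is deliberately not a blocker, so the gate is only as honest as the mitigation approvals behind it.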
Updated: June 2025