Announcing The Static Application Security Testing Solutions Forrester Wave™ And Buyer's Guide — AI Brings Opportunity To SAST Solutions


As development cycles accelerate and AI-generated code becomes more widespread, security leaders are facing a critical challenge: How can you keep up without sacrificing security? Security leaders must rely on static application security testing (SAST) solutions to seamlessly integrate with developer workflows; identify, prioritize, and remediate flaws quickly; and prevent flaws from being integrated into the codebase over time.

In my recently published research, The Forrester Wave™: Static Application Security Testing Solutions, Q3 2025, we outline the most significant providers in the SAST space. The Forrester Wave evaluated 10 vendors: Black Duck Software, Checkmarx, GitHub, GitLab, HCLSoftware, Mend.io, OpenText, Snyk, Sonar, and Veracode. Each vendor was assessed based on three key inputs: a vendor-completed questionnaire, executive strategy briefings and demonstrations, and interviews with reference customers. The Wave includes scores for 16 current-offering criteria and 7 strategy criteria.

Forrester defines SAST as: solutions that analyze an application's proprietary source code, byte-code, or binary without requiring the program to be executed. These products evaluate the application, including APIs and infrastructure configuration files, against security standards to identify security weaknesses and provide guidance on remediation during the software development lifecycle.

This year, SAST solutions transitioned from an established to a mature market as core technologies and use cases became widely understood and solidified, with products offering well-developed functionalities. In this mature stage, competition has intensified, differentiation is more challenging, and market consolidation is prevalent, pushing vendors to focus on efficiency, integration, and expanding their offerings to maintain relevance and competitive advantage.

A few of the market trend highlights from the Wave are:

  • The speed of the solution. The increased adoption of AI coding assistants/agents increases the amount of code that needs to be secured before deployment. Modern solutions are investigating how to integrate AI SAST agents into the development environments to keep up with the pace and speed of AI-generated output. Several vendors have Model Context Protocol (MCP) servers to interact with the large language models (LLMs) generating the code in order to identify insecure code. SAST vendors are planning to offer, or are already offering, adaptable security scanning where the scope, comprehensiveness, and speed of the scan is set by the customer or determined by the software development phase and knowledge of previous scans.
  • Prioritization of the remediation experience. Identifying security flaws in code is only one piece of the puzzle; solutions must also provide remediation strategies that integrate into the developer's workflow. Modern SAST solutions use AI to triage and prioritize flaws as well as offer remediation suggestions. The most advanced solutions are automating remediation by sending context to the LLM that includes the flawed code snippet and secure code examples, ultimately providing multiple fix options to the software developer. This allows the developer to review and select the best option and then modify or directly accept the fix.
  • AI applications pushing SAST solutions to evolve. There is a growing need to secure AI applications and AI agents. While several vendors are starting to use SAST to identify OWASP Top 10 LLM flaws, most have it on their roadmaps to address them using a combination of SAST and dynamic application security testing solutions. Vendors that concern themselves with application risk management and have application security posture management (ASPM) capabilities are more likely to be able to inventory the AI models and even the MCP servers being called/used by the AI application or agents.

The barrier to entering the SAST solutions market has never been lower. New vendors can leverage LLMs and free open-source SAST scanners (which are improving in accuracy and depth) to develop an AI-powered SAST minimum viable product that was not possible two years ago. Additionally, the SAST landscape is crowded with existing players such as DevOps platforms, cloud-native application protection platform solutions, ASPM solutions, and AI-powered startups. While it is exciting for customers and prospects to have many choices, it is also difficult to cut through the noise and separate the marketing fluff from the enterprise-grade product. Therefore, as part of the Forrester Wave process, vendor customer references were interviewed to provide their feedback on the product and the provider. With this information, we compiled another report, Buyer's Guide: Static Application Security Testing Solutions, 2025.

A couple of the buyer trend highlights from the guide are:

  • Relationships still matter. Buyers who felt that SAST solution vendors were just peddling products, or who had a poor customer experience, formed a bad impression that lasted for years. On the flip side, vendors that provided excellent customer support, included customer feedback in their roadmaps, and focused on partnering with customers were more likely to see multiyear relationships and create evangelists who implemented the product at multiple companies.
  • Customers are evaluating and staying loyal. Customers have demonstrated loyalty even though they are also evaluating their options. On average, they used their chosen SAST solution for 4.1 years, with most buyers assessing around 3.3 vendors before making a decision. Many continued to revisit and reassess the solution annually to ensure that it met their evolving needs.
  • Overall satisfaction levels were notably high. Customers rated their likelihood of purchasing again from the vendor at 4.7 out of 5 on a scale where 5 indicated "I would buy again." Satisfied customers were more inclined to purchase multiple products from the same vendor, explore new features, and participate in beta programs to provide valuable feedback to the vendor.

Read The Forrester Wave™: Static Application Security Testing Solutions, Q3 2025, for a deeper dive into the 10 vendors evaluated, the specific criteria that set vendors apart, and the reasons behind those distinctions along with market trends. In addition, take a look at the accompanying Buyer's Guide: Static Application Security Testing Solutions, 2025, to benchmark your vendor and understand how customer references rated product capabilities. If you have any questions, book an inquiry or guidance session with me.
