As development cycles speed up and AI-generated code becomes more widespread, security leaders are facing a critical challenge: How can you keep up without sacrificing security? Security leaders must rely on static application security testing (SAST) solutions to seamlessly integrate with developer workflows; identify, prioritize, and remediate flaws quickly; and prevent flaws from being integrated into the codebase over time.
In my recently published research, The Forrester Wave™: Static Application Security Testing Solutions, Q3 2025, we outline the most significant providers in the SAST space. The Forrester Wave evaluated 10 vendors: Black Duck Software, Checkmarx, GitHub, GitLab, HCLSoftware, Mend.io, OpenText, Snyk, Sonar, and Veracode. Each vendor was assessed based on three key inputs: a vendor-completed questionnaire, executive strategy briefings and demonstrations, and interviews with reference customers. The Wave includes scores for 16 current-offering criteria and 7 strategy criteria.
Forrester defines SAST as: solutions that analyze an application’s proprietary source code, byte-code, or binary without requiring the program to be executed. These products evaluate the application, including APIs and infrastructure configuration files, against security standards to identify security weaknesses and provide guidance on remediation throughout the software development lifecycle.
This year, SAST solutions transitioned from an established to a mature market as core technologies and use cases became widely understood and solidified, with products offering well-developed functionality. In this mature stage, competition has intensified, differentiation is more difficult, and market consolidation is prevalent, pushing vendors to focus on efficiency, integration, and expanding their offerings to maintain relevance and competitive advantage.
Some of the market trend highlights from the Wave are:
- The speed of the solution. The increased adoption of AI coding assistants/agents increases the amount of code that must be secured before deployment. Modern solutions are investigating how to integrate AI SAST agents into the development environments to keep up with the rate and speed of AI-generated output. A few vendors have Model Context Protocol (MCP) servers to interact with the large language models (LLMs) generating the code to identify insecure code. SAST vendors are planning to offer, or are already offering, adaptable security scanning where the scope, comprehensiveness, and speed of the scan is set by the customer or determined by the software development phase and knowledge of previous scans.
- Prioritization of the remediation experience. Identifying security flaws in code is only one piece of the puzzle; solutions must also provide remediation strategies that integrate into the developer’s workflow. Modern SAST solutions use AI to triage and prioritize flaws as well as offer remediation suggestions. The most advanced solutions are automating remediation by sending context to the LLM that includes the flawed code snippet and secure code examples to ultimately provide multiple fix options to the software developer. This allows the developer to review and select the best option and then modify or directly accept the fix.
- AI applications pushing SAST solutions to evolve. There is a growing need to secure AI applications and AI agents. While a few vendors are starting to use SAST to identify OWASP Top 10 LLM flaws, most have it on their roadmaps to address them using a combination of SAST and dynamic application security testing solutions. Vendors that concern themselves with application risk management and have application security posture management (ASPM) capabilities are more likely to be able to inventory the AI models and even MCP servers being called/used by the AI application or agents.
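To make the definition of SAST given above concrete, and to show the triage step the remediation bullet describes, here is a small Python static analyzer added as an illustration. It is not part of the Forrester report or any evaluated vendor's product; the rule names, severity levels, CWE references in comments and the sample source and Dockerfile it scans are all constructed for this example. It parses code into an AST and reads a configuration file without ever executing either, records each weakness with remediation guidance, and orders the findings by severity.

```python
"""Minimal SAST-style analyzer: inspects Python source and a Dockerfile
fragment without executing them, reports weaknesses with remediation
guidance, and orders findings for triage. Constructed illustration only;
not any vendor's product or rule set."""
import ast
from dataclasses import dataclass

# Triage order used by prioritize(); lower rank is handled first.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class Finding:
    rule: str
    severity: str
    line: int
    message: str
    remediation: str


class PythonRules(ast.NodeVisitor):
    """Walks the syntax tree and records findings; the code under test is never run."""

    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        name = self._callee(node)
        # Rule 1: eval/exec applied to a non-literal expression (code injection, CWE-95).
        if name in ("eval", "exec") and node.args and not isinstance(node.args[0], ast.Constant):
            self.findings.append(Finding(
                "py-eval-nonliteral", "critical", node.lineno,
                f"{name}() called on a non-literal expression",
                "Parse the input explicitly (ast.literal_eval or json.loads) instead of evaluating it"))
        # Rule 2: subprocess call with shell=True (OS command injection, CWE-78).
        if name.startswith("subprocess."):
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self.findings.append(Finding(
                        "py-subprocess-shell", "high", node.lineno,
                        f"{name} invoked with shell=True",
                        "Pass an argument list and drop shell=True so no shell parses the string"))
        self.generic_visit(node)

    def visit_Assign(self, node):
        # Rule 3: non-empty string literal assigned to a secret-looking name (CWE-798).
        for target in node.targets:
            if isinstance(target, ast.Name) and any(
                    k in target.id.lower() for k in ("password", "secret", "api_key")):
                if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str) and node.value.value:
                    self.findings.append(Finding(
                        "py-hardcoded-secret", "high", node.lineno,
                        f"string literal assigned to '{target.id}'",
                        "Load the secret from the environment or a secrets manager at runtime"))
        self.generic_visit(node)

    @staticmethod
    def _callee(node):
        """Return 'name' or 'module.attr' for the called object, or '' if neither."""
        f = node.func
        if isinstance(f, ast.Name):
            return f.id
        if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
            return f"{f.value.id}.{f.attr}"
        return ""


def scan_python(source):
    visitor = PythonRules()
    visitor.visit(ast.parse(source))
    return visitor.findings


def scan_dockerfile(text):
    """Config rule: no USER instruction, or a final USER root, means the container runs as root."""
    users = []
    for ln in text.splitlines():
        parts = ln.split()
        if len(parts) >= 2 and parts[0].upper() == "USER":
            users.append(parts[1])
    if not users or users[-1] == "root":
        return [Finding("docker-root-user", "medium", len(text.splitlines()),
                        "container runs as root (no non-root USER instruction)",
                        "Add a 'USER <non-root>' instruction once the files the process needs are in place")]
    return []


def prioritize(findings):
    """Triage order: most severe first, then by line number so reports are stable."""
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.line))


# Constructed sample inputs (not real project code).
SAMPLE_PY = """\
import subprocess
DB_PASSWORD = "hunter2"
def run(cmd, expr):
    subprocess.run(cmd, shell=True)
    return eval(expr)
def ok():
    return eval("1+1")
"""
SAMPLE_DOCKERFILE = 'FROM python:3.12-slim\nCOPY app /app\nCMD ["python", "/app/main.py"]\n'


def report():
    return prioritize(scan_python(SAMPLE_PY) + scan_dockerfile(SAMPLE_DOCKERFILE))


if __name__ == "__main__":
    for f in report():
        print(f"[{f.severity:<8}] line {f.line:>2} {f.rule}: {f.message}\n    fix: {f.remediation}")
```

Running the module prints the four findings in triage order (the non-literal `eval` first, the Dockerfile root-user finding last); the literal `eval("1+1")` is deliberately left alone so the example shows a rule declining to fire as well as firing. The vendor products discussed on this page apply far larger rule sets and data-flow analysis, but the shape is the same: parse, match rules, attach guidance, rank.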
The barrier to entering the SAST solutions market has never been lower. New vendors can leverage LLMs and free open-source SAST scanners (which are improving in accuracy and depth) to develop an AI-powered SAST minimum viable product that was not possible two years ago. Moreover, the SAST landscape is crowded with existing players such as DevOps platforms, cloud-native application security platform solutions, ASPM solutions, and AI-powered startups. While it is exciting for customers and prospects to have many choices, it is also difficult to cut through the noise and separate the marketing fluff from the enterprise-grade product. Therefore, as part of the Forrester Wave process, vendor customer references were interviewed to provide their feedback on the product and the provider. With this information, we compiled another report, Buyer’s Guide: Static Application Security Testing Solutions, 2025.
Some of the buyer trend highlights from the guide are:
- Relationships still matter. Buyers who felt that SAST solution vendors were just peddling products or had a poor customer experience got a bad impression that lasted for years. On the flip side, vendors that provided excellent customer support, incorporated customer feedback into their roadmaps, and focused on partnering with customers were more likely to see multiyear relationships and create evangelists who implemented the product at multiple companies.
- Customers are evaluating and staying loyal. Customers have demonstrated loyalty even though they are also evaluating their options. On average, they used their chosen SAST solution for 4.1 years, with most buyers assessing around 3.3 vendors before making a decision. Many continued to revisit and reassess the solution annually to ensure that it met their evolving needs.
- Overall satisfaction levels were notably high. Customers rated their likelihood of purchasing again from the vendor at 4.7 out of 5 on a scale where 5 indicated “I would buy again.” Satisfied customers were more inclined to purchase multiple products from the same vendor, explore new features, and participate in beta programs to provide valuable feedback to the vendor.
Forrester clients can read The Forrester Wave™: Static Application Security Testing Solutions, Q3 2025, for a deeper dive into the 10 vendors evaluated, the specific criteria that set vendors apart, and the reasons behind those distinctions along with market trends. In addition, take a look at the accompanying Buyer’s Guide: Static Application Security Testing Solutions, 2025, for benchmarking your vendor to understand how customer references rated product capabilities. If you have any questions, book an inquiry or guidance session with me.