| Criteria |
Fluid Attacks Essential |
Fluid Attacks Advanced |
Astra |
| Accuracy |
Our SAST tool achieved the best possible result against the OWASP Benchmark: a TPR (True Positive Rate) of 100% and an FPR (False Positive Rate) of 0%. |
We identify 90% of the evaluated systems' risk exposure. (Accuracy is calculated with the F1 score. Risk exposure is calculated with the formula CVSSF=4^(CVSS-4).) |
They guarantee zero false positives when resorting to their pentesting services but do not provide information regarding false negative rates. |
| Binary SAST |
No |
Yes. We support Java Bytecode, x86 ASM and ARM ASM. |
No |
| Source SAST |
Yes. We support the following languages: Bash, C#, Dart, Go, HTML, Java, Javascript, Kotlin, PHP, Python, Swift and Typescript
|
Yes. Its capability is equal to that of the Essential plan. |
Yes, but they do not specify the languages they support. |
| DAST |
Yes. We can scan single-page apps (SPA), multi-page apps (MPA), REST API, GraphQL API and gRPC API. |
Yes. Its capability is equal to that of the Essential plan. |
Yes. They can scan single-page apps (SPA), REST API, GraphQL API. |
| IAST |
No |
No |
Yes |
| SCA |
Yes. We support the following package managers: Cargo, Composer, Conan, Docker Images, GitHub Actions, Go, Gradle, Hex, Maven, NPM, NuGet, pNPM, pip, Poetry, Pub, RubyGems, SBT, SwiftPM and Yarn. |
Yes. Its capability is equal to that of the Essential plan. |
No |
| Reverse engineering |
No |
Yes |
No |
| Secure code review |
No |
Yes |
No |
| Manual penetration testing |
No |
Yes |
Yes |
| CSPM |
Yes |
Yes |
Yes |
| ASPM (previously, ASOC) |
Yes |
Yes |
No |
| Compliance |
We validate some requirements based on these standards and guidelines: Agile Alliance, BIZEC-APP, BSAFSS, BSIMM, CAPEC™, CASA, CCPA, CERT-C, CERT-J, C2M2, CMMC, CIS, CPRA, CWE™, CWE Top 25, ePrivacy Directive, FACTA, FedRAMP, FERPA, FISMA, GDPR, GLBA, HIPAA, HITRUST CSF, ISA/IEC 62443, ISSAF, ISO/IEC 27001, ISO/IEC 27002, LGPD, MISRA-C, MITRE ATT&CK®, MVSP, NERC CIP, NIST 800-53, NIST 800-63B, NIST 800-171, NIST 800-115, NIST CSF, NIST SSDF, NYDFS, NY SHIELD Act, OSSTMM3, OWASP ASVS, OWASP API Security Top 10, OWASP MASVS, OWASP-M TOP 10, OWASP SAMM, OWASP SCP, OWASP Top 10, OWASP Top 10 Privacy Risks, PCI DSS, PDPA, PDPO, POPIA, PTES, Resolution SB 2021 2126, SANS Top 25, SIG Core, SIG Lite, SOC 2, SWIFT CSCF, WASSEC and WASC. |
We validate requirements based on these standards and guidelines: Agile Alliance, BIZEC-APP, BSAFSS, BSIMM, CASA, CCPA, CERT-C, CERT-J, CMMC, C2M2, CAPEC™, CIS, CWE™, CWE Top 25, ePrivacy Directive, FACTA, FCRA, FedRAMP, FERPA, FISMA, GDPR, GLBA, HIPAA, HITRUST CSF, ISA/IEC 62443, ISSAF, ISO/IEC 27001, ISO/IEC 27002, LGPD, MISRA-C, MITRE ATT&CK®, MVSP, NERC CIP, NIST 800-53, NIST 800-63B, NIST 800-115, NIST 800-171, NIST CSF, NIST SSDF, NYDFS, NY SHIELD Act, OWASP API Security Top 10, OWASP ASVS, OWASP MASVS, OWASP SCP, OWASP SAMM, OWASP Top 10, OWASP-M Top 10, OWASP Top 10 Privacy Risks, OSSTMM3, PA-DSS, PCI DSS, PDPA, PDPO, POPIA, PTES, Resolution SB 2021 2126, SANS Top 25, SIG Core, SIG Lite, SOC 2, SWIFT CSCF and WASSEC. |
They validate the following standards: CWE, GDPR, GLDA, HIPAA, ISO/IEC 27001, NIST 800-53, NIST 800-171, NIST CSF, OWASP ASVS, OWASP MASVS, OWASP Top 10, PCI DSS, SANS Top 25, SOC 2, among others. |
Certifications or attestations | | | No |
Integrations | We offer the following integrations: (a) CI/CD: Azure DevOps, GitHub Actions, and GitLab CI; (b) IDE: VS Code; (c) runtime cloud: AWS, Azure, and GCP; (d) SCM: GitLab; and (e) ticketing: Jira. | | They offer the following integrations: (a) CI/CD: GitHub, GitLab, Jenkins, Bitbucket, Azure and CircleCI; (b) ticketing: Slack and Jira. |
| Fast and automatic |
Yes |
Yes |
Yes |
| Remediation |
We offer extensive vulnerability remediation documentation. In addition, our IDE extension leverages gen AI to provide step-by-step remediation guidance and automated fixes. |
In addition to the Essential plan features, we offer the option of "Talk to a hacker" in which our experts help clients understand how to remediate the most challenging vulnerabilities. |
Their security researchers upload the discovered vulnerability along with information on how to remediate it to the Astra Security platform. |
| CI/CD security |
We can integrate with CI/CD systems and trigger a build pipeline failure to prevent from deploying a noncompliant software version into production (break the build). |
Offers the same capability as that of the Essential plan. |
They can integrate with CI/CD systems and trigger a build pipeline failure to prevent from deploying a noncompliant software version into production (break the build). |
| Vulnerability detection method |
Automated tools |
Hybrid (automated tools + AI + human intelligence) |
Hybrid (automated tools + human intelligence). |
| Vulnerability chaining |
No |
By combining vulnerabilities A and B, we discover a new, higher impact vulnerability C. |
Yes |
| Delivery of evidence |
Our evidence is delivered in (a) PDF executive reports, (b) XLS/PDF technical reports, (c) code pieces and (d) graphs and metrics of the system's security status. |
We deliver all the types of evidence mentioned in the Essential plan, and additionally, (a) video recordings of the attack and (b) screenshots with explanatory annotations. |
Their evidence is delivered in (a) PDF summary report, (b) PDF full report and (c) CSV report. |
| Exploitation |
No |
We can do exploitation as long as the client provides an available environment. |
Yes |
| Zero-day vulnerabilities |
No |
Our security researchers search for zero-day vulnerabilities in open-source software. |
No |
| AI/ML triage |
No |
Using artificial intelligence (AI), we prioritize potentially vulnerable files for their assessment. Our AI is specially trained by machine learning (ML) with thousands of snippets of vulnerable code. |
No |
Status page | | | |
| Demo |
Yes |
Yes |
Yes |
| Free trial |
Yes |
No |
Yes |
