Comparison between Fluid Attacks and Checkmarx | Fluid Attacks

Checkmarx

How does Fluid Attacks' solution compare to Checkmarx's? The following comparison table enables you to discern the performance of both providers across various attributes essential for meeting your company’s cybersecurity needs. To better understand each attribute, read their descriptions in the dedicated page.

Organization
Attribute
Essential
Advanced
Checkmarx 
Focus
Native ASPM with in-house scanners
AI-powered PTaaS on top of native ASPM with in-house scanners
Native ASPM with in-house scanners
Extras
None
None
None
Headcount
136
Same

989

Headcount distribution
Same
Engineering 30%IT 19%, sales 17%, marketing 3%, operations 2% and others 29%
Headcount growth
Same
 +5%, +11%, +8%
Headquarters
86% CO
Same
29% IL
Countries
CO and US
Same
FR, IN, IL, PT, SG, UK and US
Reputation
9.79 from 161 reviews over 7 years on Gartner and Clutch
Same
8.55 from 172 reviews over 10 years on  G2GartnerPeerSpot, Software Advice and TrustRadius
Followers
20K based on the following: Facebook, Instagram, LinkedIn, X and YouTube
Same
147K based on the following: Facebook, LinkedIn, X and YouTube
Research firms
None
None
Forrester, Frost & Sullivan, GigaOM, IDCInfo-Tech Research Group and Nucleus Research
Founded
 2001
Same

2006

Funding
Bootstrapped
Same
$92M USD in 4 rounds from 6 investors
Acquisitions
None
None
Acquired 0 times and made 3 acquisitions
Revenue
5M to 10M
Same
100M to 500M
CVE
257 CVEs reported to MITRE, ranked among the top 10 CVE labs worldwide
Same
10 CVEs reported to MITRE
Compliance
SOC 2 Type II and SOC 3
Same

CSA STAR Level 1, FedRAMP Authorized, HIPAA, ISO/IEC 27001 and SOC 2 Type II

Bug bounty
Yes
Yes
No
Visits
19K per month. Top 3: 50% NL, 17% CO, 6% US. Others: 27%
Same
78K per month. Top 3: 18% US, 18% IN, 14% IL. Others: 50%
Authority
32 out of 100
Same
44 out of 100
Vulnerability database
Discovered and third-party
Same
Discovered and third-party
Content
Same
Analysis reportsblogcustomer testimonialsdocumentation, infographicsreportssolution briefsvideoswebinars and white papers
Knowledge base
13 KB sections, 7 in common and 6 additional
Same
 8 KB sections, 7 in common and 1 additional
Community
 Forum
Same
Forum
Sync training
1 workshop
Same
live security education courses (subscription-based)
Async training
3 product use courses, all free
Same
Security education platform (subscription-based)
Distribution
Direct or with any of its 14 partners
Same
Direct or with any of its 66 partners
Marketplaces
AWS
Same
AWS
Freemium
No
No
No
Free trial
21-day free trial
PoV
PoC
Demo
Yes
Yes
Yes
Open Demo
No
No
No
Pricing
Contact salesmarketplace and public web
Contact sales and public web
Contact sales and marketplace
Pricing tiers
1 plan
1 plan
plans (SAST, SSCS, essentials, professional, enterprise). None transparent
Minimum term
Monthly
Monthly
Annually
Minimum payment period
Monthly
Monthly
Annually
Minimum capabilities

Same plus: PTaaSRE and SCR

SAST
Minimum scope
1 group
1 author
1 license
Pricing drivers
Groups
Authors
Developers
Minimum monthly payment
1,529 USD
1,529 + 429 USD
87 USD

Service
Attribute
Essential
Advanced
Checkmarx
PTaaS
No
Yes
No
Reverse engineering
No
Yes
 No
Secure code review
No
Yes
No
Pivoting
No
Yes
No
Exploitation
No
Yes
No
Manual reattacks
Not applicable
Unlimited reattacks
Not applicable
Zero-day vulnerabilities
None
Continuous zero-day vulnerability research
Continuous zero-day vulnerability research
SLA
Availability
Accuracyavailability and response
 Availability and response
Min availability
>=99.95% per minute LTM
Same
>=99.5% per period
After-sale guarantees
No
Yes
 No
Accreditations
CNA and Penetration Testing by CREST
Same
Security ISV Competency, DevOps ISV Competency and CNA
Hacker certifications
Not applicable
202 from 59 different types
Not applicable
Type of contract
Employee
Same
Employee
Endpoint control
Not applicable
Total
Not applicable
Channel control
Not applicable
Total
Not applicable
Standards
Some requirements from 67 standards, 18 in common and 49 additional
All requirements from the same standards
20 standards, 18 in common and 2 additional
Detection method
Automated tools
Automated tools, AI and human intelligence
Automated tools and AI
False positives
3.87 times better
6.66 times better
12% F0.5 score per quantity
False negatives
5.6 times better
17.98 times better
4% F2.0 score per severity
Remediation
5, 3 in common and 2 additional
Same, plus 1
4, 3 in common and 1 additional
Outputs
5, 4 in common and 1 additional
Same, plus 2
6, 4 in common and 2 additional

Product
Attribute
 Essential
Advanced
Checkmarx
ASPM
Yes
Yes
Yes
API
GraphQL with JSON
 Same
REST with JSON
IDE
5 functionalities, 4 in common and 1 additional
Same, plus 1 functionality
6 functionalities, 4 in common and 2 additional
CLI
Yes
Yes
Yes
CI/CD
Breaks the build
Same
Breaks the build
Vulnerability sources
4 sources, 1 in common and 3 additional
 Same
sources, 1 in common and 5 additional
Threat model alignment
Yes
Yes
Yes
Priority criteria
CVSS v4.0, CVSSF, EPSS and KEV
Same
CVSS v4.0, EPSS and KEV
Custom prioritization
Priority score
Same
Scanner origin
In-house
In-house
In-house and external (ZAP for DAST and KICS for IaC)
SCA
23 package managers, 14 in common and 9 additional
Same
19 package managers, 14 in common and 5 additional
AI security
No
Yes
No
Reachability
12 languages
Same
Yes. No information available
Reachability type
Deterministic
Same
Deterministic
SBOM
22 package managers, 11 in common and 11 additional
Same
19 package managers, 11 in common and 8 additional
Malware detection
Yes
Yes
Yes
Autofix on components
No
No
Yes
Containers
4 distributions, 3 in common and 1 additional
Same
3 distributions, all in common
Source SAST
(languages)
12, 11 in common and 1 additional
Same
36, 11 in common and 25 additional
Source SAST
(frameworks)
22, 10 in common and 12 additional
Same

52, 10 in common and 42 additional

Custom rules
No
No
Policies
IaC
6, 5 in common and 1 additional
4, all in common
 12, 9 in common and 3 additional
Binary SAST
1 type of binary
Same
No
DAST
7 attack surface types, 2 in common and 5 additional
Same

3 attack surface types, 2 in common and 5 additional

API security testing
No
types of APIs, 3 in common and 1 additional
 3 types of APIs, all in common
IAST
No
No
No
CSPM
Yes
 Yes
No
ASM
No
No
No
Secrets
15 secrets types, 5 in common and 10 additional
Same, plus verify other attack vectors and secrets exploitability
5 secrets types, all in common
AI
3 functions, 2 in common and 1 additional
Same
functions, 2 in common and 1 additional
MCP
Yes
Yes
Yes
Open-source
MPL-2 license, totally equivalent to the paid version
Not applicable
Apache License version 2, partially equivalent to the paid version
Provisioning as Code
Yes
Yes
Yes
Deployment
SaaS
Same
SaaS and on-premises
Regions
US
Same
ANZ, EU, IN, IL, SG, AE and US
Status
Yes
Yes
Yes
Incidents
4 per year
Same
7.6 per year

Integrations
Attribute
Essential
Advanced
Checkmarx
SCM
6, 3 in common and 3 additional
Same
4, 3 in common and 1 additional
Binary repositories
None
None
5
Ticketing
3, all in common
Same

5, 3 in common and 2 additional

ChatOps
None
None

2

IDE
3, 2 in common and 1 additional
Same

4, 2 in common and 2 additional

CI/CD
21, 10 in common and 11 additional
Same
17, 10 in common and 7 additional
SCA
Native
Same

Native

Container
Native
Same

Native

SAST
Native
Same

Native

DAST
Native
Same

Native powered by ZAP

IAST
None
None
None
Cloud
3, all in common
Same
3, all in common
CSPM
Native
Same
 None
Secrets
Native
Same

Native

Remediation
None
None
3
Bug bounty
None
None
 None
Vulnerability management
None
None
4
Compliance
None
None
None

Notes
 References were last checked on Oct 31, 2025.

More like Checkmarx
  1. Aikido
  2. GitLab Ultimate
  3. Jit
  4. Snyk

Free trial message
Free trial
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.