Comparison between Fluid Attacks and Fortify | Fluid Attacks

Fortify

How does Fluid Attacks' solution compare to Fortify's? The following comparison table enables you to discern the performance of both providers across various attributes essential for meeting your company’s cybersecurity needs. To better understand each attribute, read their descriptions in the dedicated page.

Criteria
Fluid Attacks Essential
Fluid Attacks Advanced
Fortify
Accuracy
Our SAST tool achieved the best possible result against the OWASP Benchmark: a TPR (True Positive Rate) of 100% and an FPR (False Positive Rate) of 0%.
We identify 90% of the evaluated systems' risk exposure. (Accuracy is calculated with the F1 score. Risk exposure is calculated with the formula CVSSF=4^(CVSS-4)).
They achieved a TPR of 100% with their SAST method against the OWASP Benchmark (they do not provide information on their FPR).
Binary SAST
Yes. We support all ZIP files containing class files that comply with the latest version of the Java Virtual Machine Specification. Therefore, we support JAR, WAR, EAR, APK, ZIP, and class files generated from the following compilers: Java, Scala, Kotlin, Groovy, Clojure, JRuby, and Jython.
Yes. Its capability is equal to that of the Essential plan.
Yes. No information available about the types of binary files they support.
Source SAST
Yes. We support the following languages: Bash, C#, Dart, Go, HTML, Java, Javascript, Kotlin, PHP, Python, Swift and Typescript.
Yes. We support all languages supported in the Essential plan, as well as the following: ABAP, ActionScript, Apex, Assembler, ASP.NET, ATS, Awk, C, C++, Clean, ClojureScript, Colm, cScript, Dale, Dart, Elvish, F#, Falcon, Fish, Fortran, Guile, Hana SQL Script, Haskell, Haxe, Idris, Informix, Ion, Janet, JCL, Joker, JScript, JSP, Lisp, Lobster, Natural, Nim, Objective C, OracleForms, Pascal, Perl, PHP, PL-SQL, PL1, PowerScript, PowerShell, Prolog, R, RC, RPG4, Rust, Scala, SQL, Standard ML, Swift, TAL, tcsh, Transact-SQL, VB.NET, VBA, VisualBasic 6 and XML.
Yes. They support the following languages: ABAP/BSP, ActionScript, Apex, C, C#, C++, COBOL, Dart, Go, HCL, HTLM, Java, JavaScript, Kotlin, Objective-C/C++, PHP, PL/SQL, Python, Ruby, Scala, Solidity, Swift, T-SQL, TypeScript, VBScript, Visual Basic and VB.NET.
DAST
Yes. We scan unauthenticated HTTP endpoints, including headers, DNS records, HTML content, and SSL connections for encryption suites, protocols, and X509 certificates.
Yes. Its capability is equal to that of the Essential plan.
Yes. They scan authenticated and unauthenticated HTTP endpoints, including headers, DNS records, HTML content, and SSL connections for encryption suites, protocols, and X509 certificatesThey also cover REST API, GraphQL API, gRPC API, SOAP API, Swagger API, OpenAPI and Postman API.
IAST
No
No
Yes. They support the following languages: .NET and Java.
SCA
Yes. We support the following package managers: Cargo, Composer, Conan, Docker Images, GitHub Actions, Go, Gradle, Hex, Maven, NPM, NuGet, pNPM, pip, Poetry, Pub, RubyGems, SBT, SwiftPM and Yarn.
Yes. Its capability is equal to that of the Essential plan.
Yes. They support the following package managers: Bazel, Bower, Cargo, CocoaPods, Composer, Go, Gradle, Maven, NPM, Nuget, Packet, pip, Pipenv, RubyGems and Yarn.
Reverse engineering
No
Yes
No
Secure code review
No
Yes
No
 PTaaS
No
Yes
No
CSPM
Yes
Yes
No
ASPM
Yes
Yes
Yes
SCM integrations
Azure DevOps, Bitbucket, GitHub and GitLab
It offers the same integrations as the Essential plan.
Azure DevOpsBitbucket, GitHub and GitLab
Ticketing integrations
Azure DevOps work items, GitLab issues and Jira
It offers the same integrations as the Essential plan.
ALM Octane, BugzillaJira, RSA Archer and ServiceNow
ChatOps integrations
No
No
Slack
IDE integrations
VS Code
It offers the same integration as the Essential plan.
EclipseJetBrains, VS code and Visual Studio
CI/CD integrations
AWS CodePipeline, Bamboo, CircleCI, GitHub Actions, GitLab CI, Jenkins, TeamCity, Travis CI, and any other CI/CD system that supports Docker
It offers the same integrations as the Essential plan.
Azure DevOps, Bamboo, Bitbucket, GitHub, GitLab, Jenkins and Universal Fortify CI Tool
Cloud Integrations
AWS, Azure and GCP
It offers the same integrations as the Essential plan.
AWS, AzureGCP and Oracle
Compliance integrations
No
No
No
SCA integrations
Native scanner (included, no integration needed)
Its capability is equal to that of the Essential plan.
Native scannerBlackDuck, Dependency Track, Mend, Sonatype and Snyk
SAST integrations
Native scanner (included, no integration needed)
Its capability is equal to that of the Essential plan.
Native scanner (included, no integration needed)
DAST integrations
Native scanner (included, no integration needed)
Its capability is equal to that of the Essential plan.
Native scanner and Burp Suite
IAST integrations
No
No
Native scanner (included, no integration needed)
Secrets integrations
Native scanner (included, no integration needed)
Its capability is equal to that of the Essential plan.
Native scanner (included, no integration needed)
Container integrations
Native scanner (included, no integration needed)
Its capability is equal to that of the Essential plan.
Native Scanner and Clair
CSPM integrations
Native scanner (included, no integration needed)
Its capability is equal to that of the Essential plan.
No
Compliance
We validate some requirements based on these standards and guidelinesAgile Alliance, BSIMM, BIZEC-APP, BSAFSS, CAPEC™, CASA, C2M2, CCPA, CERT-C, CERT-J, CIS, CMMC, CPRA, CWE™, CWE TOP 25, ePrivacy Directive, FACTA, FCRA, FedRAMP, FERPA, FISMA, GDPR, GLBA, HIPAA, HITRUST CSF, ISA/IEC 62443, ISO/IEC 27001, ISO/IEC 27002, ISSAF, LGPD, MITRE ATT&CK®, MISRA-C, MVSP, NERC CIP, NIST 800-53, NIST 800-63B, NIST 800-115, NIST 800-171, NIST CSF, NIST SSDF, NYDFS, NY SHIELD Act, OSSTMM3, OWASP API Security Top 10, OWASP ASVS, OWASP MASVS, OWASP-M TOP 10, OWASP SAMM, OWASP SCP, OWASP Top 10 Privacy Risks, OWASP TOP 10, PA-DSS, PCI DSS, PDPA, PDPO, POPIA, PTES, Resolution SB 2021 2126, SANS 25, SIG Core, SIG Lite, SOC2®, SWIFT CSCF, WASC and WASSEC.
We validate all the requirements according to the same standards and guidelines as the Essential plan.
They validate requirements based on these standards and guidelines: CWECWE TOP 25DISA STIGFedRAMPFISMAGDPRHIPAAISO/IEC 27001MITRE ATT&CK®MISRA-CNIST 800-53OWASP API Security Top 10OWASP ASVSOWASP MASVSOWASP-M TOP 10OWASP TOP 10PCI DSSSANS 25WASCamong others. 
Certifications or attestations
SOC 2 Type II and SOC 3
It is covered by the same certifications and attestations as the Essential plan.CSA STAR, CMMC, FedRamp, FIPS 140-2, ISO/IEC 15408, ISO/IEC 27001, ISO/IEC 27034, ISO/IEC 9001 (quality management), SOC 2 Type II, TAA (Trade compliance) and TISAX (automobile)
Marketplaces
It is available in the same marketplace as the Essential plan.
AWS, Azure, GitHub
Fast and automatic
Yes
Yes
Yes
Remediation
We provide detailed documentation on fixes and features both on our platform and in our IDE extension, which uses generative AI to offer custom step-by-step correction guidance. Additionally, our IDE extension leverages gen AI to offer automated fixes capabilities.
In addition to the Essential plan features, we offer the option of "Talk to a hacker" in which our experts help clients understand how to remediate the most challenging vulnerabilities.
They provide documentation on fixes and functions in their IDE extensions that leverage remediation guidance.
CI/CD security 
We can integrate with CI/CD systems and trigger a build pipeline failure to prevent from deploying a noncompliant software version into production (break the build).
Its capability is equal to that of the Essential plan.
They can integrate with CI/CD systems and trigger a build pipeline failure to prevent from deploying a noncompliant software version into production (break the build).
Vulnerability detection method
Automated tools
Hybrid (automated tools + AI + human intelligence)
Automated tools
Vulnerability chaining
No
By combining vulnerabilities A and B, we discover a new, higher impact vulnerability C.
No
Delivery of evidence
Our evidence is delivered in (a) PDF executive reports, (b) XLSX technical reports, (c) code pieces and (d) graphs and metrics of the system's security status.
We deliver all the types of evidence mentioned in the Essential plan, and additionally, (a) video recordings of the attack and (b) screenshots with explanatory annotations.
Their evidence is delivered in (a) PDF report, (b) HTML report, (c) CSV format, (d) JSON format and (d) graphs and metrics of the system's security status.
Exploitation
No
We can do exploitation as long as the client provides an available environment.
No
Zero-day vulnerabilities
No
Our security researchers search for zero-day vulnerabilities in open-source software.
No
AI/ML triage
No
Using artificial intelligence (AI), we prioritize potentially vulnerable files for their assessment. Our AI is specially trained by machine learning (ML) with thousands of snippets of vulnerable code.
 No
Status page
Yes
Yes
Yes
Demo
Yes
Yes
Yes
Free trial
Yes
No
Yes

Note on reference review date
References were last checked on Aug 28, 2024.
Free trial message
Free trial
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.