| Criteria | Fluid Attacks Essential | Fluid Attacks Advanced | HCL AppScan |
|---|---|---|---|
| Accuracy | Our SAST tool achieved the best possible result against the OWASP Benchmark: a TPR (True Positive Rate) of 100% and an FPR (False Positive Rate) of 0%. | We identify 90% of the evaluated systems' risk exposure. (Accuracy is calculated with the F1 score. Risk exposure is calculated with the formula CVSSF = 4^(CVSS-4).) | They claim that their SAST tool reduces false positives by 98%. |
| Binary SAST | Yes. We support all ZIP files containing class files that comply with the latest version of the Java Virtual Machine Specification. Therefore, we support JAR, WAR, EAR, APK, ZIP, and class files generated from the following compilers: Java, Scala, Kotlin, Groovy, Clojure, JRuby, and Jython. | Yes. Its capability is equal to that of the Essential plan. | Yes. No information is available about the types of binary files they support. |
| Source SAST | Yes. We support the following languages: Bash, C#, Dart, Go, HTML, Java, JavaScript, Kotlin, PHP, Python, Swift and TypeScript. | Yes. We support all languages supported in the Essential plan, as well as the following: ABAP, ActionScript, Apex, Assembler, ASP.NET, ATS, Awk, C, C++, Clean, ClojureScript, Colm, cScript, Dale, Dart, Elvish, F#, Falcon, Fish, Fortran, Guile, Hana SQL Script, Haskell, Haxe, Idris, Informix, Ion, Janet, JCL, Joker, JScript, JSP, Lisp, Lobster, Natural, Nim, Objective C, OracleForms, Pascal, Perl, PHP, PL-SQL, PL1, PowerScript, PowerShell, Prolog, R, RC, RPG4, Rust, Scala, SQL, Standard ML, Swift, TAL, tcsh, Transact-SQL, VB.NET, VBA, VisualBasic 6 and XML. | Yes. They support the following languages: ABAP, APEX, ASP.NET, C#, C/C++, COBOL, ColdFusion, Dart, Go, Groovy, Java, JavaScript, Kotlin, Objective-C, Objective-C++, Perl, PHP, Python, RPG, Ruby, Rust, Scala, Swift, TSQL, TypeScript, VB.NET, Visual Basic and .NET. |
| DAST | Yes. We scan unauthenticated HTTP endpoints, including headers, DNS records, HTML content, and SSL connections for encryption suites, protocols, and X509 certificates. | Yes. Its capability is equal to that of the Essential plan. | Yes. They scan authenticated and unauthenticated HTTP endpoints, including headers, DNS records, HTML content and X509 certificates. They also cover REST API and GraphQL API. |
| IAST | No | No | Yes. They support the following languages: .NET, Java and PHP. |
| SCA | Yes. We support the following package managers: Cargo, Composer, Conan, Docker Images, GitHub Actions, Go, Gradle, Hex, Maven, NPM, NuGet, pNPM, pip, Poetry, Pub, RubyGems, SBT, SwiftPM and Yarn. | Yes. Its capability is equal to that of the Essential plan. | |
| PTaaS | No | No | |
| Reverse engineering | No | No | |
| Secure code review | No | No | |
| CSPM | No | | |
| ASPM | | | |
| SCM integrations | Azure DevOps, Bitbucket, GitHub and GitLab | It offers the same integrations as the Essential plan. | No |
| Ticketing integrations | It offers the same integrations as the Essential plan. | Azure DevOps, Jira and RTC | |
| ChatOps integrations | No | No | No |
| IDE integrations | It offers the same integration as the Essential plan. | | |
| CI/CD integrations | AWS CodePipeline, Bamboo, CircleCI, GitHub Actions, GitLab CI, Jenkins, TeamCity, Travis CI, and any other CI/CD system that supports Docker | It offers the same integrations as the Essential plan. | |
| Cloud integrations | It offers the same integrations as the Essential plan. | No | |
| Compliance integration | No | No | No |
| SCA integrations | Native scanner (included, no integration needed) | Its capability is equal to that of the Essential plan. | Native scanner (included, no integration needed) |
| SAST integrations | Native scanner (included, no integration needed) | Its capability is equal to that of the Essential plan. | Native scanner (included, no integration needed) |
| DAST integrations | Native scanner (included, no integration needed) | Its capability is equal to that of the Essential plan. | Native scanner (included, no integration needed) |
| IAST integrations | No | No | Native scanner (included, no integration needed) |
| Secrets integrations | Native scanner (included, no integration needed) | Its capability is equal to that of the Essential plan. | Native scanner (included, no integration needed) |
| Container integrations | Native scanner (included, no integration needed) | Its capability is equal to that of the Essential plan. | Native scanner (included, no integration needed) |
| CSPM integrations | Native scanner (included, no integration needed) | Its capability is equal to that of the Essential plan. | No |
| Compliance | We validate some requirements based on these standards and guidelines: Agile Alliance, BSIMM, BIZEC-APP, BSAFSS, CAPEC™, CASA, C2M2, CCPA, CERT-C, CERT-J, CIS, CMMC, CPRA, CWE™, CWE TOP 25, ePrivacy Directive, FACTA, FCRA, FedRAMP, FERPA, FISMA, GDPR, GLBA, HIPAA, HITRUST CSF, ISA/IEC 62443, ISO/IEC 27001, ISO/IEC 27002, ISSAF, LGPD, MITRE ATT&CK®, MISRA-C, MVSP, NERC CIP, NIST 800-53, NIST 800-63B, NIST 800-115, NIST 800-171, NIST CSF, NIST SSDF, NYDFS, NY SHIELD Act, OSSTMM3, OWASP API Security Top 10, OWASP ASVS, OWASP MASVS, OWASP-M TOP 10, OWASP SAMM, OWASP SCP, OWASP Top 10 Privacy Risks, OWASP TOP 10, PA-DSS, PCI DSS, PDPA, PDPO, POPIA, PTES, Resolution SB 2021 2126, SANS 25, SIG Core, SIG Lite, SOC2®, SWIFT CSCF, WASC and WASSEC. | We validate all the requirements according to the same standards and guidelines as the Essential plan. | They validate requirements based on these standards and guidelines: APRA PPG 234, CWE, CWE TOP 25, DCID 6/3, DISA STIG, DoD Instruction 8500.1, DoD Instruction 8550.1, European Directive 1995/46/EC, European Directive 2002/58/EC, FedRAMP, FERPA, FISMA, FFIEC, FIPPA, GDPR, GLBA, HIPAA, ISO/IEC 27001, ISO/IEC 27002, Japan's Personal Information Protection Act, Massachusetts 201 CMR 17.00, MITS, NERC CIP, NIST 800-53, OWASP API Security Top 10, OWASP Top 10, PCI DSS, POPIA, PA-DSS, PCI, PIPED Act, Privacy Act of 1974, SANS 25, Safe Harbor, SOX, 21 CFR, WASC, among others. |
| Certifications or attestations | SOC 2 Type II and SOC 3 | It is covered by the same certifications and attestations as the Essential plan. | HIPAA (health), ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, ISO/IEC 26262 (automobile), ISO/IEC 20243, ISO/IEC 22301 (business continuity), ISO/IEC 31000 (risk management), PCI-DSS, SOC 2 Type II and TISAX (automobile) |
| Marketplaces | It is available in the same marketplace as the Essential plan. | | |
| Fast and automatic | | | |
| Remediation | We provide detailed documentation on fixes and features both on our platform and in our IDE extension, which uses generative AI to offer custom step-by-step correction guidance. Additionally, our IDE extension leverages generative AI to offer automated fix capabilities. | In addition to the Essential plan features, we offer the option of "Talk to a hacker", in which our experts help clients understand how to remediate the most challenging vulnerabilities. | They provide documentation that offers information on remediation, and their IDE extensions include features for accessing this information directly from the development environment. |
| CI/CD security | We can integrate with CI/CD systems and trigger a build pipeline failure to prevent a noncompliant software version from being deployed into production (break the build). | Its capability is equal to that of the Essential plan. | They can integrate with CI/CD systems and trigger a build pipeline failure to prevent a noncompliant software version from being deployed into production (break the build). |
| Vulnerability detection method | Hybrid (automated tools + AI + human intelligence) | | |
| Vulnerability chaining | No | By combining vulnerabilities A and B, we discover a new, higher-impact vulnerability C. | No |
| Delivery of evidence | Our evidence is delivered in (a) PDF executive reports, (b) XLSX technical reports, (c) code pieces and (d) graphs and metrics of the system's security status. | We deliver all the types of evidence mentioned in the Essential plan, and additionally (a) video recordings of the attack and (b) screenshots with explanatory annotations. | Their evidence is delivered in (a) PDF executive reports, (b) HTML reports, (c) CSV format, (d) XML format, (e) SARIF format, (f) JSON format and (g) graphs and metrics. |
| Exploitation | No | We can do exploitation as long as the client provides an available environment. | No |
| Zero-day vulnerabilities | No | Our security researchers search for zero-day vulnerabilities in open-source software. | No |
| AI/ML triage | No | Using artificial intelligence (AI), we prioritize potentially vulnerable files for assessment. Our AI is specially trained by machine learning (ML) with thousands of snippets of vulnerable code. | No |
| Status page | | | |
| Demo | | | |
| Free trial | No | | |