Sonatype
How does Fluid Attacks' solution compare to Sonatype's? The following comparison table enables you to
discern the performance of both providers across various attributes essential for meeting your company's
cybersecurity needs. To better understand each attribute, read their descriptions in the dedicated page.
Organization
|
Attribute
|
Essential
|
Advanced
|
Sonatype
|
|
Focus
|
Repository manager
|
||
|
Extras
|
None
|
None
|
Repository firewall, SBOM manager and
SCA
|
| Headcount | 534 | ||
| Headcount distribution |
Engineering 42%, IT 13%, sales 13%,
marketing 2%, operations 4% and others 26%
|
Engineering 30%, IT 15%, sales 15%,
marketing 4%, operations 8% and others 28%
|
|
| Headcount growth |
+8%, +10%, -8%
|
+3%, 0%, -9%
|
|
|
Headquarters
|
CO and US
|
IN, SG, UK and US
|
|
|
Countries
|
AR, BO, CA, CL, CO, DO, MX, PA, PE and
US
|
CO, IN, UK and US
|
|
|
Reputation
|
Same
|
8.89 from 71 reviews over 8 years on:
Capterra, G2, Gartner, PeerSpot and TrustRadius
|
|
|
Followers
|
Same
|
64K based on the following: Facebook,
Instagram, LinkedIn, X and YouTube
|
|
| Research firms |
None
|
None
|
451 Research, Forrester, Frost &
Sullivan, Gartner, IDC, Omdia and Info-Tech Research Group
|
|
Founded
|
2001 |
2008
|
|
|
Funding
|
Bootstrapped
|
Same
|
$154.7M USD in 6 rounds from 8
investors (2 acquisitions)
|
|
Acquisitions
|
None
|
None
|
Acquired 1 time and made 2 acquisition
|
|
Revenue
|
10M to 15M
|
1M to 115M
|
|
| CVEs as CNA Researcher |
14 CVEs reported to MITRE
|
||
|
Compliance
|
SOC 2 Type II and SOC 3
|
ISO/IEC 27001 and SOC 2 Type II
|
|
| Bug bounty |
Yes
|
||
|
Visits
|
22K per month. Top 3: 23% IN, 22% CO,
15% UK. Others 40%
|
425K per month. Top 3: 23% CN, 16% US,
14% IN. Others 47%
|
|
|
Authority
|
47 out of 100
|
||
|
Public vulnerability DB
|
Discovered and third-party
|
Discovered and third-party
|
|
|
Content
|
Same
|
Analysis reports, articles, blog,
customer stories, documentation, product tours, research, videos, webinars and white
papers
|
|
|
Comprehensive documentation
|
13 documentation sections, 6 in common
and 7 additional
|
6 documentation sections, all in common
|
|
|
Community
|
Forum
|
||
|
Sync training
|
1 workshop
|
No
|
|
|
Async training
|
3 product use courses, all free
|
Security education platform
(subscription based)
|
|
|
Distribution
|
Same
|
Direct or with any of its 90 partners
|
|
| Marketplaces | AWS | ||
|
Freemium
|
No
|
No
|
No
|
|
Free trial
|
14-day free trial
|
||
|
Demo
|
Yes
|
||
| Open demo |
No
|
No
|
No
|
|
Pricing
|
Contact sales, marketplace and public
web
|
||
|
Pricing tiers
|
1 plan
|
1 plan
|
2 plans (pro, premium). First
transparent
|
|
Minimum term
|
Annually
|
||
|
Minimum payment period
|
Monthly
|
||
|
Minimum capabilities
|
ASPM, binary SAST, containers, CSPM, DAST, IaC, SAST, SCA and
secrets
|
Same plus: AI
SAST, API security testing, PTaaS, RE and SCR
|
Repository management
|
|
Minimum scope
|
1 author
|
1 user
|
|
|
Pricing drivers
|
Users
|
||
|
Free implementation
|
No
|
||
|
Free support
|
No
|
Service
|
Attribute
|
Essential
|
Advanced
|
Sonatype
|
|
PTaaS
|
No
|
No
|
|
|
Reverse engineering
|
No
|
No | |
|
Secure code review
|
No
|
No
|
|
|
Pivoting
|
No
|
No
|
|
|
Exploitation
|
No
|
No
|
|
|
Manual reattacks
|
Not applicable
|
Not applicable
|
|
|
Zero-day
vulnerabilities
|
None
|
Continuous zero-day vulnerability research
|
Continuous zero-day vulnerability
research
|
|
SLA
|
Response | ||
|
Minimum availability
|
99.95% per minute LTM
|
None
|
|
|
After-sale guarantees
|
No
|
Yes
|
No
|
|
Accreditations
|
DevOps ISV Competency, Security ISV
Competency and CNA
|
||
|
Hacker certifications
|
Not applicable
|
Not applicable
|
|
|
Type of contract
|
Employee
|
Same
|
Employee
|
|
Endpoint control
|
Not applicable
|
Total
|
Not applicable
|
|
Channel control
|
Not applicable
|
Total
|
Not applicable
|
|
Standards
|
Some requirements from 65 standards, 12 in common and 53
additional
|
All requirements from the same standards
|
20 standards, 12 in common and 8
additional
|
|
Detection
|
Automated tools, AI and human intelligence
|
Automated tools
|
|
|
Remediation
|
5, 2 in common and 3 additional
|
Same, plus 1
|
2, all in common
|
|
Outputs
|
5, 3 in common and 2
additional
|
Same, plus 2
|
4, 3 in common and 1 additional
|
Product
|
Attribute
|
Essential |
Advanced
|
Sonatype
|
|
ASPM
|
No
|
||
|
API
|
REST with JSON
|
||
|
IDE
|
5 functionalities, 4 additional and 1 in
common
|
Same, plus 1 functionality
|
1 functionality in common
|
|
CLI
|
Yes
|
||
|
CI/CD
|
Breaks the build
|
||
|
Vulnerability sources
|
4 sources, 3 in common and 1 additional
|
12 sources, 3 in common and 9
additional
|
|
|
Threat model alignment
|
No
|
||
|
Priority criteria
|
CVSS 2.0, CVSS v3.0, CVSS v.4.0, EPSS
and KEV
|
||
|
Custom prioritization
|
Risk score
|
||
|
Scanner origin
|
In-house
|
||
|
SCA
|
23 package
managers, 14 in common and 9 additional
|
15 package managers, 14 in common and 4
additional
|
|
|
AI security
|
No
|
No
|
|
|
Reachability
|
12 languages, 2
in common and 10 additional
|
2 languages, all in common
|
|
|
Reachability type
|
Deterministic
|
||
|
SBOM
|
22 package
managers, 8 in common and 14 additional
|
15 package managers, 8 in common and 7 additional | |
|
Malware detection
|
Yes
|
Yes
|
Yes
|
|
Autofix on components
|
No
|
No
|
No
|
|
Containers
|
4 distributions, 2 in common and 2 additional
|
5 distributions, 2 in common and 3 additional
|
|
|
Source SAST (languages)
|
No
|
||
|
Source SAST (frameworks)
|
No
|
||
|
Custom rules
|
No
|
No
|
No
|
|
IaC
|
6, 1 in common and 5 additional
|
1
|
|
|
Binary SAST
|
1 type of binary, none
in common
|
Same, plus 2 types of binaries
|
17 types of binaries, none in common
|
|
DAST
|
No
|
||
|
API security testing
|
No
|
No
|
|
|
IAST
|
No
|
No
|
No
|
|
CSPM
|
Yes |
No
|
|
|
ASM
|
No
|
No
|
No
|
|
Secrets
|
Same, plus verify other attack vectors
and secrets exploitability
|
No
|
|
|
AI
|
3 functions, 1 in common and 2
additional
|
2 functions, 1 in common and 1 additional | |
|
MCP
|
Yes
|
||
| Open-source |
Not applicable
|
No
|
|
|
Provisioning as Code
|
No
|
||
|
Deployment
|
SaaS (multi-tenant) +
on-premises (single-tenant)
|
||
| Regions |
No information available
|
||
|
Status
|
Yes
|
||
|
Incidents
|
0.2 per year
|
Integrations
|
Attribute
|
Essential
|
Advanced
|
Sonatype
|
|
SCM
|
4, all in common
|
||
|
Binary repositories
|
None
|
None
|
1
|
|
Ticketing
|
3, 1 in common
and 2 additional
|
1 in common
|
|
|
ChatOps
|
None |
None
|
None |
|
IDE
|
2, all in
common
|
6, 2 in common and 4 additional
|
|
|
CI/CD
|
20, 6 in common and 14 additional
|
6, all in common
|
|
|
SCA
|
Native and 1 integration
|
||
|
Container
|
Native and 2 integrations | ||
|
SAST
|
1
|
||
|
DAST
|
None
|
||
|
IAST
|
None |
None
|
None
|
|
Cloud
|
3, 1 in common
and 2 additional
|
1 in common
|
|
|
CSPM
|
None | ||
|
Secrets
|
None
|
||
|
Remediation
|
None
|
None
|
None
|
| Bug bounty |
None
|
None
|
None
|
|
Vulnerability management
|
None
|
None
|
None
|
|
Compliance
|
None
|
None
|
None
|
The latest update to this comparison was on Dec 29, 2025. The primary sources of information were sonatype.com and help.sonatype.com, which were supplemented by specialized information-gathering sites, social media, and other sources.
More like Sonatype
Free trial
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start
your 21-day free trial and discover the
benefits of the Continuous
Hacking Essential plan. If you prefer the
Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.