Checkmarx - Experts & Thought Leaders
Latest Checkmarx news & announcements
Checkmarx, the global leader in agentic-AI powered application security testing, announced record-breaking growth for its flagship platform, Checkmarx One, underscoring a wave of customer adoption fuelled by innovation and strategic leadership. The news comes alongside new research from Checkmarx Zero that highlights the urgent need for secure software in an AI-driven development landscape.

Record-breaking growth & adoption

Checkmarx One has rapidly become the platform of choice for securing modern applications, now protecting more than 860 of the world's largest enterprises. This wave of customer adoption has propelled the platform beyond $150 million in ARR in three years, cementing Checkmarx One as one of the fastest-growing platforms in application security. Momentum accelerated for Checkmarx in 2023 when Sandeep Johri took the helm as CEO, guiding the company through a period of unprecedented growth and positioning it for sustained expansion. Today, as companies face data breaches that, according to an IBM report this year, cost an average of $4.4 million each, Checkmarx One offers the most comprehensive enterprise business protection for existing, new, and AI-generated code.

Each month, Checkmarx analyses over 800 billion lines of code, performs four million scans, secures more than three million open-source packages, and inspects nearly a million container images, identifying approximately half a million malicious packages before they can impact organisations. Checkmarx One has continued this growth trajectory in 2025, with more than 20% customer growth and more than 30% ARR growth year-to-date (as of Sept. 30, 2025), as organisations increasingly turn to Checkmarx One to secure the code driving their businesses.
Measurable business impact

With a proven track record of innovation and measurable business impact, Checkmarx One reduces customers' vulnerabilities per project by more than 50% on average within a year of implementation and cuts the average cost per fix by more than 60%. Customer success stories illustrate its effect: construction giant PCL went from onboarding Checkmarx One in a matter of hours to scanning more than four million lines of code a week for rapid detection, remediation and reduced supply chain risk. Cebu Pacific, the largest airline in the Philippines, reduced its vulnerability density by 50% with Checkmarx One.

Recognition & regulatory milestones

Checkmarx was named a Leader in the 2025 Gartner Magic Quadrant for Application Security Testing (AST). In addition, Checkmarx was named a Leader in the 2025 Forrester Wave for Static Application Security Testing (SAST) and in the IDC MarketScape: Worldwide Application Security Posture Management (ASPM) 2025 Vendor Assessment. The company also announced that it has achieved FedRAMP Ready status at the High Impact Level for its Checkmarx One for Government platform; High is the most stringent baseline for FedRAMP cloud systems. Checkmarx is the first AppSec platform to reach Ready status at this level with full coverage across the software development lifecycle (SDLC).

Checkmarx Zero Research: Intelligence powering AppSec

At the heart of Checkmarx One's capabilities lies the ongoing work of Checkmarx Zero Research. This specialised research group continuously breaks and protects the building blocks of modern software development, from traditional AppSec to open-source supply chain threats and emerging LLM security risks.
In addition to publishing threat research, Checkmarx Zero fuels the intelligence layer of Checkmarx One and contributes actively to the security ecosystem through information sharing, community events, and support for widely adopted open-source tools for infrastructure-as-code (IaC) scanning, secret detection, and application scanning (KICS, 2MS and ZAP respectively). This continuous loop of threat discovery, research, and intelligence infusion ensures that Checkmarx One customers are equipped against the most advanced and fast-evolving risks.

AI & the future of secure development

Checkmarx's "Future of Application Security in the Era of AI" and "Keeping Bad Vibes Out: AppSec in the Age of AI-Assisted Coding" reports, based on a survey of more than 1,500 security leaders and developers, reveal the risks of AI-driven coding:

34% of organisations report that over 60% of their code is machine generated.
Nearly one in 10 organisations say 80–100% of their codebase is AI-written.
Despite this surge, only 18% have AI governance policies, and more than 80% knowingly ship vulnerable code often or sometimes, up from 66% in 2024.
98% experienced a breach stemming from vulnerable code in the past year.
Shadow AI is on the rise: 20% of organisations officially ban AI tools, yet developers use them anyway.

"The velocity of AI-assisted development makes a holistic security approach that is rooted in prevention, like Checkmarx One, even more critical," said Sandeep Johri, CEO of Checkmarx. "Application security cannot be an afterthought. Organisations pursuing transformative gains in productivity through AI coding must put equal investment in security or pay the price of dramatically increased risk. Modern enterprises need AI-powered security tools to keep pace with developers and start securing code from the moment of creation, preventing vulnerabilities in real time."

Pioneering AI Code Security Assistants

In response, Checkmarx brought Developer Assist to general availability in August. The first in a new category of AI Code Security Assistants, Developer Assist provides developers with real-time, context-aware guidance as they code, reducing remediation time from one to two days to 10–15 minutes. Integrated with AI-native development environments such as Windsurf by Cognition, Cursor, and GitHub Copilot, Developer Assist helps teams prevent vulnerabilities before they reach production, combining the productivity of AI coding with the security rigour of Checkmarx.
Checkmarx, the leader in agentic AI-powered application security, released the results of its annual survey, "Future of Application Security in the Era of AI," offering a candid assessment of how AI-accelerated development is reshaping the risk landscape and how to prepare for the year ahead. The study surveyed more than 1,500 CISOs, AppSec managers and developers across North America, Europe and Asia-Pacific to understand how organisations are adapting to a world where software is increasingly written by machines.

AI-generated code

The findings paint a stark picture: AI-generated code is becoming mainstream, but governance is lagging. Half of respondents already use AI security code assistants, and 34% admit that more than 60% of their code is AI-generated. Yet only 18% have policies governing this use. The growing adoption of AI coding assistants is eroding developer ownership and expanding the attack surface.

Expect API breaches

The research also shows that business pressure is normalising risky practices. Eighty-one percent of organisations knowingly ship vulnerable code, and 98% experienced a breach stemming from vulnerable code in the past year, a sharp rise from 91% in 2024. Within the next 12 to 18 months, nearly a third (32%) of respondents expect Application Programming Interface (API) breaches via shadow APIs or business logic attacks.

Application security tools

Despite these realities, fewer than half of respondents report deploying foundational security tools such as dynamic application security testing (DAST) or infrastructure-as-code scanning.
While DevSecOps is widely discussed across the industry, only half of the organisations surveyed actively use core tools, and just 51% of North American organisations report adopting DevSecOps.

Velocity of AI-assisted development

"The velocity of AI-assisted development means security can no longer be a bolt-on practice. It has to be embedded from code to cloud," said Eran Kinsbruner, vice president of portfolio marketing. "Our research shows that developers are already letting AI write much of their code, yet most organisations lack governance around these tools. Combine that with the fact that 81% knowingly ship vulnerable code and you have a perfect storm. It's only a matter of time before a crisis is at hand."

Six strategic imperatives

The report outlines six strategic imperatives for closing the application security readiness gap: move from awareness to action, embed "code-to-cloud" security, govern AI use in development, operationalise security tools, prepare for agentic AI in AppSec, and cultivate a culture of developer empowerment.

Kinsbruner added: "To stay ahead, organisations must operationalise security tooling that is focused on prevention. They need to establish policies for AI usage and invest in agentic AI that can automatically analyse and fix issues in real time. AI-generated code will continue to proliferate; secure software will be the competitive differentiator in the coming years."

Embedding security into development

Chris Ledingham, Director Northern Europe, comments: "Our research found that nearly one third, 32%, of European respondents say their organisation often deploys code with known vulnerabilities, compared with 24% of those in North America. This suggests the need for a stronger focus across our region on embedding security into development."

"With AI now writing much of the code base, security leaders face heightened accountability. Boards and regulators will rightly expect CISOs to implement robust governance for AI-generated code and to ensure vulnerable software isn't being pushed to production."

Checkmarx's announcement of general availability

The release of this report follows Checkmarx's announcement of general availability of its Developer Assist agent, with extensions for leading AI-native Integrated Development Environments (IDEs), including Windsurf by Cognition, Cursor, and GitHub Copilot. This new agent, the first in a family of agentic-AI tools to enhance security for developers, AppSec leaders, and CISOs alike, delivers real-time, context-aware issue identification and guidance to developers as they code, enabling autonomous prevention. Download the full "Future of Application Security in the Era of AI" report at the Checkmarx website to learn how organisations can navigate the AI-accelerated risk landscape and build secure-by-default development practices.
Checkmarx, the industry leader in cloud-native application security for the enterprise, announced that its security research team, Checkmarx Zero, has launched a collaborative application security (AppSec) research hub. Checkmarx VP of Security Research Erez Yalon said, "The Checkmarx Zero team has always shared our findings with others in the research community within our blog and at more than 100 conference sessions. We invite other AppSec and software supply chain security researchers to explore our vulnerability research and to contribute their findings as we work together to keep our organisations safe."

Checkmarx Zero hub

The Checkmarx Zero hub includes detailed findings based on years of dedicated research, including:

200+ vulnerabilities curated monthly.
More than 130 zero-days.
In-depth research reports including malicious package names and indicators of compromise (IOCs).

Addressing vulnerabilities

Checkmarx Zero has become well known for discovering significant vulnerabilities and threat campaigns in recent years, including:

An Amazon Ring vulnerability that could have allowed access to users' camera recordings.
An ongoing campaign by a group nicknamed RED-LILI that launched hundreds of malicious node package manager (npm) packages targeting Azure and other developers.
The first known software supply chain attacks targeting the banking industry.