As of May 2026, there are 19 SaaS companies in Static Application Security Testing (SAST) Software. They have combined revenues of $135.4M and employ 1.1K people. They have raised $40.3M and serve - customers combined.
Static Application Security Testing (SAST) software refers to tools and methodologies that analyze source code, bytecode, or binary code to identify security vulnerabilities within applications prior to deployment. This approach, often described as white-box testing, enables developers to detect and resolve potential security flaws early in the development lifecycle, thereby reducing the risk of vulnerabilities in production environments. The primary use cases of SAST software include scanning the source code for issues such as input validation errors, insecure coding practices, and dependencies that may pose security risks. Typical features of SAST tools encompass automated scanning, detailed reporting on vulnerabilities, integration with continuous integration/continuous deployment (CI/CD) pipelines, and support for various programming languages. The common buyer personas for SAST solutions typically include software developers, security teams, and DevOps engineers who seek to enhance application security while maintaining development efficiency.
Sorting: Highest -> Lowest
Showing 10 of 19 companies ranked by annual revenue.
San Francisco, California, United States
Semgrep is an application security platform that scans code for bugs and security vulnerabilities, helping developers to write secure code.
Sydney, New South Wales, Australia
Secure Code Warrior is a secure coding platform that sets the standards that keep our digital world safe. We do this by providing the world’s leading agile learning platform that delivers the most effective secure coding solution for developers to learn, apply, and retain software security principles. More than 600 enterprises trust Secure Code Warrior to implement agile learning security programs and ensure the applications they release are free of vulnerabilities.
San Rafael, California, United States
Bright Security is an AI -powered application security platform that integrates application security into SDLC.
Leuven, Belgium
Guardsquare offers the most complete approach to mobile application security on the market. Built on the open source ProGuard technology, Guardsquare’s software integrates seamlessly across the development cycle. From app security testing to code hardening to real-time visibility into the threat landscape, Guardsquare solutions provide enhanced mobile application security from early in the development process through publication. More than 975 customers worldwide across all major industries rely on Guardsquare to help them identify security risks and protect their mobile applications against reverse engineering and tampering.
Palo Alto, California, United States
80% of code in modern applications is code your developers didn’t write, but “borrowed” from the internet. With over 3M Open Source Software (OSS) projects, 43M versions, and 3.1T downloads yearly, development teams can gain tremendous benefits from leveraging the OSS ecosystem, as long as organizations invest in the tooling to address the security, scalability and sustainability challenges that come with it. At Endor Labs, we've created the first open source dependency lifecycle management platform to help OSS consumers select, secure and maintain dependencies effectively.
Pittsburgh, Pennsylvania, United States
Security Journey offers robust application security education tools to help developers and the entire SDLC team recognize and understand vulnerabilities and threats and proactively mitigate these risks. The knowledge learners acquire in our programs goes beyond helping learners code more securely – it turns everyone in the SDLC into security champions. Our platform takes a unique level approach, transitioning learners from security basics to language-specific knowledge to the experiential learning required to become security champions. With lessons offered in multiple formats, including text, video, and hands-on sandbox environments, there is a modality that resonates with every learning style. Organizations with teams of security champions develop a security-first mindset that allows them to deliver safer, more secure applications.
San Francisco, California, United States
Operator of a platform intended to offer offensive and defensive application security services. The company's platform ensures applications are safe from dangerous hacking threats that can destroy intellectual property and expose sensitive user information, enabling developers to focus on building great products by providing comprehensive and easy-to-use security services.
San Jose, California, United States
DeepFactor enables developers to ship secure code without sacrificing productivity by observing application telemetry events.
Seoul, South Korea
Provider of a SaaS platform intended for auditing smart contract vulnerabilities and blockchain transactions in real-time. The company's platform will allow an automated/API-based smart contract audit and patching platform, which will enable continuous secure development of an anti-fraud and AML compliance module that analyzes suspicious transaction activity, enabling the users to identify flaws in a codebase earlier which can save money and time.
Ottawa, Ontario, Canada
Developer of network security technology intended to integrate security earlier into software development lifecycle. The company's platform helps to bridge the gap between development teams and security by integrating open source security tools into SDLC, enabling organization's software development teams to identify vulnerabilities faster in their code, which reduces the cost of finding and fixing bugs.
- Must offer automated scanning of source code, bytecode, or binaries for security vulnerabilities - Should provide detailed reporting on identified vulnerabilities and remediation guidance - Must integrate with CI/CD workflows to facilitate continuous security testing - Should support multiple programming languages and development frameworks - Not just focused on dynamic analysis; must also include static code analysis capabilities - Should offer features for prioritizing vulnerabilities based on severity
Each Tuesday, we reverse-engineer a real SaaS company's revenue, profit, CAC, funnels, and its top growth tactic.
Sign up to access all features
Sign up with GoogleSign up with LinkedInAlready have an account? Log in
GetLatka is trusted by 200k+ founders, researchers, and marketers.
No contracts, cancel at any time