Suphi Cankurt - AppSec Santa

About AppSec Santa

Hey, I'm Suphi Cankurt

My background is on the vendor side of application security — I worked at Netsparker and then Invicti (DAST), and later at Kondukto (ASPM).

From inside those teams I saw how hard it is for buyers to tell one security tool from another. The marketing pages all say the same things, and the real trade-offs only show up once you are using the product.

So I built AppSec Santa to organize what I learned. In April 2026 I left Invicti to work on it full-time. Rankings and assessments are made editorially — the methodology page explains exactly how tools are evaluated.

  • Tools Reviewed: 210+
  • Categories: 11
  • Founded: 2022
  • Based in: Helsinki

Why I Built This

Anyone shopping for application security tools faces the same problem: there are hundreds of options, and the vendor marketing pages all sound the same.

I lived that problem from the vendor side. At Netsparker and Invicti I worked on DAST, and at Kondukto I worked on ASPM. Every week I heard from buyers trying to compare us against Checkmarx, Veracode, Snyk and the rest — and the answers they needed weren't in anyone's datasheet.

AppSec Santa started as my personal notes. A spreadsheet of tools I came across, with honest observations. Friends asked to see it. Then strangers on Twitter. So I turned it into a proper resource.

I use large language models to speed up research — summarizing vendor pages, drafting first passes, pulling data from primary sources. Every fact and number is then checked against the vendor's own documentation. Editorial decisions are made independently, regardless of any commercial relationships the site may have.

What This Site Offers

  • Organized information — Tools categorized and compared in a clear format
  • Honest descriptions — Straightforward information about what each tool does
  • Regularly updated — The AppSec market moves fast. I try to keep things current
  • Free forever — This resource will always be free to use

Get in Touch

Have a question? Want to suggest a tool? Found an error? I'd love to hear from you.