Skip to content

Browse by Category

215 active tools across 12 security categories

View all tools →

35 tools · Find vulnerabilities in source code …

31 tools · Detect risks across your dependency …

31 tools · Test running applications for security …

8 tools · Detect vulnerabilities during …

6 tools · Block attacks in real time from inside …

AI Security HOT

35 tools · Secure LLM apps against prompt …

8 tools · Discover, test, and protect your APIs

17 tools · Catch misconfigurations in Terraform, …

17 tools · Centralize and prioritize findings …

Mobile Security

21 tools · Scan mobile apps for vulnerabilities …

Container Security

18 tools · Scan images, secure K8s clusters & …

8 tools · Detect API keys, passwords, and tokens …

Popular Slices

56 launches I've tracked

Open Source Tools

64 free & OSS picks

Real costs & vendors

Enterprise head-to-heads

Commercial SAST, SCA, CNAPP matchups

Snyk vs SonarQube

SAST · Dev-first security

Checkmarx vs Veracode

SAST · Enterprise giants

Wiz vs Orca Security

CNAPP · Cloud security leaders

Endor Labs vs Snyk

SCA · Reachability-first

Contrast Assess vs Seeker

IAST · Runtime instrumentation

Salt Security vs 42Crunch

API security · Runtime vs design

All 58 vs pages →

Open-source showdowns

Free and OSS tool comparisons

SCA · OSS vuln scanners

Gitleaks vs TruffleHog

Secret scanning · Verified findings

OpenGrep vs Semgrep

SAST · Free fork vs upstream

Checkov vs KICS

IaC · Terraform security

Dependabot vs Renovate

Dependency updates · GitHub vs multi-platform

Burp Suite vs ZAP

DAST · Pentesting proxies

All 64 open-source tools →

Alternatives to

34 round-ups

Learn AppSec

Fundamentals, guides & deep-dives · 70 articles

📖

Start with Fundamentals

New to AppSec?

What is SAST? What is SCA? What is DAST? What is AI Security? HOT What is API Security? What is IaC Security?

View all 12 explainers

📚

Popular Guides

Long-form deep-dives

OWASP Top 10 Guide

2026 edition · 12 min read

Supply Chain Attacks Guide

Typosquatting, protestware, SBOM

AppSec Pricing Guide

Real costs & vendors

Prompt Injection Guide

Attacks & defenses for LLMs

View all 10 guides

Editor's Pick

Printed memo with hidden pink prompt-injection instructions revealed under an ultraviolet beam, stamped LLM01 PROMPT INJECTION, with a small LLM chat-bubble silhouette reading the document

Prompt Injection: Attacks and Defenses

OWASP LLM01. Direct, indirect, and jailbreak injection patterns, plus the guardrails that block them.

Explore Topics

LLM Red Teaming Shift-Left Secure SDLC SBOM CNAPP False Positives Terraform Sec

Research & Data

First-party studies with raw data · 13 reports

🔬

Featured Studies

Original deep-dive research

AI-Generated Code Security

Scanned LLM output with 5 SAST tools

Rise of AI Pentesting Agents

39+ open-source pentesting agents

MCP Server Security Audit NEW

Audited 33 MCP servers for vulns

State of OSS AppSec Tools

Benchmarked 64 open-source tools

Security Headers Adoption

CSP, HSTS across 10k top sites

View all research

📊

Statistics & Benchmarks

Industry data, updated yearly

AppSec Statistics

50+ data points · breach costs, trends

AI Security Statistics

LLM attacks, poisoning, adoption

Supply Chain Attack Stats

npm, PyPI, typosquatting trends

DevSecOps Statistics

Pipeline security, shift-left adoption

CandyShop Benchmark OSS

Open-source SAST benchmark suite

View all research

Featured Study

Research desk scene with 6 LLM-branded folders (GPT, Claude, Gemini, DeepSeek, Llama, Grok), an open code notebook stamped 25.1% VULNERABLE, and a magnifying glass lit by a warm desk lamp

AI-Generated Code Security Study 2026

25.1% of AI-generated code had confirmed vulnerabilities. 6 LLMs tested with 5 SAST tools.

Methodology

All studies include raw data, scripts, and reproducible methodology. No vendor funding.

Tools

SAST 35 SCA 31 DAST 31 IAST 8 RASP 6 AI Security 35 API Security 8 IaC Security 17 ASPM 17 Mobile Security 21 Container Security 18 Secrets 8

🆕 Latest in 2026 56 🌱 Open Source Tools 64 💰 Pricing Guide

Compare

Enterprise head-to-heads

Snyk vs SonarQube Checkmarx vs Veracode Snyk vs GHAS Wiz vs Orca

Open-source showdowns

Trivy vs Grype Gitleaks vs TruffleHog OpenGrep vs Semgrep Checkov vs KICS

Alternatives to

Snyk Checkmarx Burp Suite SonarQube

View all 58 comparisons

Learn

Fundamentals

What is SAST What is SCA What is DAST What is AI Security

Popular Guides

📚 OWASP Top 10 Guide 📚 Supply Chain Attacks Guide 📚 Prompt Injection Guide

Browse all 70 articles

Research

AI-Generated Code Security Study DAST Benchmark Project CandyShop: Open-Source Security Tool … State of Open Source AppSec Tools Security Headers Adoption Study

View all 13 reports

Contact Us

Santas working at computers

Hard at work

Location: Helsinki, Finland

Send a Message

I typically respond within 24-48 hours.

Name

Email

Topic

Message

Your guide to finding the right application security tools. Honest comparisons across 12 categories to help you secure your software.

Learn

Tool Reviews
Guides
Pricing Guide
Free Tools

Categories

SAST Tools
SCA Tools
IaC Security Tools
ASPM Tools
API Security Tools
Mobile Security Tools

Company

About
Methodology
Contact

Connect

Twitter / X
LinkedIn
YouTube

Independent editorial reviews · Read the methodology

© 2026 AppSec Santa is a Trademark of CNT Friends Oy

Terms of Use Privacy Policy