Checkmarx One Platform SAST and SCA Application Security Efficacy vs. Competitor
Abstract
Tolly evaluated the application-security efficacy of Checkmarx One against a leading competitor by scanning two open-source projects with Static Application Security Testing (SAST) and four projects with Software Composition Analysis (SCA). Findings were classified as true positives (TP), false positives (FP) and false negatives (FN), with additional precision/recall calculations and spot-verification by Tolly experts.
SAST results: Checkmarx flagged 101 potential vulnerabilities, correctly identifying 93 TPs with only 8 FPs, and left just two FNs. The competitor surfaced 23 issues, split almost evenly between TPs (12) and FPs (11), and missed 89 vulnerabilities. Checkmarx’s recall reached 0.98, more than eight times the competitor’s 0.12, and its precision was 0.92 versus 0.52.
SCA results: Checkmarx detected 204 vulnerabilities with zero FPs, versus 101 for the competitor (also zero FPs), leaving 9 and 96 FNs respectively. Because it enumerates dependencies more deeply, Checkmarx identified over twice as many known CVEs and 366 additional packages, and it mapped significantly more “exploitable paths” (vulnerabilities reachable from the application’s code), a capability the rival solution lacks.
Bottom line: Across both SAST and SCA, Checkmarx One delivered markedly higher vulnerability coverage with far fewer misses and almost no noise, giving security teams better precision, deeper insight into exploitable risk, and clearer remediation priorities than the competing platform.