Cycode SAST Leaves Competitors Behind with 94% Fewer False Positives in OWASP Benchmark
Next-generation engine elevates Cycode’s Complete ASPM platform with industry-leading static code analysis
SAN FRANCISCO--(BUSINESS WIRE)--Cycode, the leader in Application Security Posture Management (ASPM), today launched its proprietary next-generation SAST engine, achieving a breakthrough 94% reduction in false positives in OWASP benchmark tests compared to leading open-source and commercial alternatives. Critically, Cycode achieves this while remaining one of the fastest scans on the market. By empowering developers with rapid and accurate security feedback, Cycode enables enterprises to deliver more secure software, faster, with less effort and cost.
While essential for identifying security weaknesses early in the Software Development Lifecycle (SDLC), SAST tools often force a difficult tradeoff: speed or accuracy. Comprehensive analysis of an application improves accuracy; however, it is typically time-consuming and creates bottlenecks in fast-paced DevOps environments. Conversely, limited analysis of individual files provides faster feedback but cannot analyze data flows across files and functions. This results in high false-positive rates that waste time and erode developers’ trust in the security process.
Cycode SAST overcomes these limitations to deliver fast and accurate security feedback for first-party code. Built on modern software architecture, the new engine combines real-time scanning with cross-function and cross-file analysis to quickly pinpoint true positives and provide developers with deep context for more efficient remediation. Specifically, by offering industry-leading SAST as part of Cycode’s Complete ASPM platform, customers can:
- Reduce risk: Unparalleled visibility into data flows and the evidence path of weaknesses paired with risk-based prioritization and AI-generated fix suggestions empower developers to remediate faster and shorten the lifecycle of high-risk code weaknesses.
- Increase developer productivity: Enterprises can save weeks of developer hours by eliminating time wasted investigating and documenting false positives. In an industry-standard OWASP benchmark, Cycode achieved a 2.1% false-positive rate representing a >94% improvement over leading open source and commercial alternatives while also detecting true positives with high accuracy.
- Lower cost of ownership: Combining third-party extensibility with proprietary scanners empowers enterprises to evolve and optimize their security ecosystems to achieve the best security outcomes with the lowest total cost of ownership.
“Early adopters of Cycode’s next-generation SAST engine saw significant improvements,” said Guillaume Montard, Head of Product at Cycode. “In one organization, over a third of the findings from the incumbent SAST tool were false positives. Cycode reduced false positives to 2%. For context, in an organization with 100,000 SAST findings, Cycode SAST eliminates over 30,000 false positives. Cycode achieves this while retaining a 75% recall rate for true positives. Furthermore, the evidence path gives developers confidence violations are real and context to fix them faster. With risk-based prioritization and automated remediation workflows, Cycode empowers you to prevent flaw introduction and burn down high-risk security debt.”
Reduce risk with Cycode’s next-generation SAST and Complete ASPM platform
Application security teams must secure expanding attack surfaces against intensifying threats while controlling costs. Noisy scans and disjointed point solutions cannot keep pace with the speed and scale of modern development. ASPM has emerged to create clarity out of complex security data and shorten the lifecycle of high-risk vulnerabilities and weaknesses. However, effective ASPM starts with high-quality data and accurate scans.
"Application security teams face increasing pressure to secure complex software environments without slowing development or driving up costs," said Katie Norton, Research Manager, DevSecOps and Software Supply Chain Security at IDC. "This challenge has contributed to the rise of Application Security Posture Management (ASPM) as a strategic investment to reduce risk and improve operational efficiency. With new enhancements to its proprietary, accuracy-focused SAST engine as part of its ASPM platform, Cycode aims to help customers enhance visibility, refine risk prioritization, and accelerate remediation, while also supporting broader efforts to streamline security investments."
As organizations adopt ASPM to enhance their security posture, the ability to deliver high-quality security data becomes a key differentiator. Traditional SAST solutions often introduce friction due to high false-positive rates and slow scans, limiting their effectiveness in modern DevSecOps workflows. By embedding a next-generation SAST engine into its Complete ASPM platform, Cycode ensures security teams and developers have access to precise, actionable insights—enabling them to focus on real risks and accelerate remediation.
“Three mandatory elements make software risk reduction possible in the age of AI: high-quality detection, risk-based prioritization, and automated remediation supported by AI,” said Lior Levy, CEO and Co-Founder of Cycode. “High-quality SAST remains a persistent gap. When a third to half of the findings are false positives and slow scans delay progress, it is impossible to maintain developer trust and build an efficient and effective program. Cycode’s breakthrough SAST engine delivers fast and accurate scanning as part of our Complete ASPM solution empowering security teams and developers to reduce software risk and fix what matters faster.”
Cycode’s next-generation SAST engine is available now. To learn more and view a demo of Cycode SAST in action, read the blog post.
About Cycode
Cycode is a Complete ASPM providing enterprises with the highest-fidelity context to identify, prioritize, and fix the software risk that matters. Its high-fidelity context comes through its own native scanners, complemented by its open platform integrating third-party tools for a holistic view of your security posture. It’s the only ASPM solution that can go from ‘instant on’ risk detection, to contextualizing risk through Change Impact Analysis (CIA), and streamlining remediation — so you can eliminate visibility gaps, fix faster, and reduce costs from the start.
Backed by tier-one investors Insight Partners and YL Ventures, the series-B company has raised $80 million and boasts a number of the top global Fortune 100 customers in the world that are gaining immediate value.
Contacts
Media Contact
Fabienne Dawson
Fabienne@cycode.com