SAN FRANCISCO — Three years ago, a mid-sized engineering organization shopping for application security tooling might reasonably have ended up with five separate vendor relationships: one for software composition analysis (SCA) to track open-source dependencies, one for static analysis (SAST) to catch insecure code patterns, one for container and image scanning, one for secrets detection, and one for dashboards to make sense of the other four. Today, that same buyer is increasingly being sold a single platform — and the five logos on the old contract have a good chance of having merged, been acquired, or been folded into a cloud security suite that didn't exist when the original deals were signed.
The application security testing (AST) market — the analyst-speak umbrella for SCA, SAST, DAST, and container/IaC scanning — has spent the last several years quietly consolidating. It hasn't been a single dramatic event but a steady accumulation of private equity buyouts, strategic acquisitions by cloud and endpoint security giants, and platform vendors absorbing scanning capability natively. The result is a market with fewer independent point-solution vendors and a much higher concentration of AppSec spend inside a handful of platforms.
The deals that mapped the shift
The clearest marker came in 2024, when Clearlake Capital Group and Francisco Partners completed their roughly $2.1 billion acquisition of Synopsys' Software Integrity Group — the business housing Coverity (SAST), Black Duck (SCA), and Seeker (DAST) — spinning it out as the standalone Black Duck Software, Inc. on October 1, 2024. It was one of the largest AppSec transactions on record and turned a business unit inside a semiconductor-design giant into a private equity-backed pure-play competing directly with the products it used to be bundled alongside.
Black Duck's carve-out echoed a pattern already visible elsewhere in the sector. Veracode, one of the oldest SAST/SCA vendors, was sold by Broadcom (which had inherited it through the 2018 CA Technologies acquisition) to Thoma Bravo for $950 million in 2022, before being valued at roughly $2.5 billion when TA Associates and Crosspoint Capital took a majority stake later that year. Checkmarx, another long-standing SAST vendor, had already gone through a similar cycle in 2020, when Hellman & Friedman acquired it from Insight Partners at a $1.15 billion valuation — at the time reported as the largest acquisition of an application security company to date.
Meanwhile, the platform players kept buying their way into code-to-cloud coverage. Palo Alto Networks built out its Prisma Cloud business by acquiring container-security pioneers Twistlock and PureSec in 2019, then added software supply chain and CI/CD security with its 2022 purchase of Cider Security for roughly $195 million in cash, and layered in data security posture management with the 2023 acquisition of Dig Security for a reported $400 million — part of a broader M&A run that also included the $625 million purchase of enterprise-browser startup Talon Cyber Security. CrowdStrike moved to close its own code-to-runtime gap in September 2023 by agreeing to acquire Bionic, one of the earliest vendors marketing itself under the "Application Security Posture Management" (ASPM) label, in a deal reported at roughly $350 million. And on the DevOps-platform side, JFrog spent about $300 million in 2021 to acquire Vdoo, an AI-based vulnerability detection company, to extend its Artifactory and Xray scanning stack from source code to IoT and connected devices.
Each of these deals looks different in isolation — a PE roll-up here, a strategic tuck-in there — but together they trace the same arc: independent scanning vendors have been getting absorbed into larger platforms faster than new independent leaders have emerged to replace them.
Platforms are swallowing the perimeter
The consolidation isn't only happening through M&A; it's also happening through bundling. GitHub's 2019 acquisition of Semmle brought CodeQL into the platform as the engine behind GitHub Advanced Security, which now ships SAST, Dependabot-based SCA, and secret scanning as native, code-adjacent features rather than a separate procurement decision. GitLab followed a similar path, building SAST, dependency scanning, and container scanning directly into its Ultimate tier — tracing back in part to its 2018 acquisition of Gemnasium, a dependency-vulnerability scanning company. For a large share of engineering organizations, the "default" SCA and SAST tool is now whatever ships inside the source control platform they already pay for, not a specialized vendor they had to separately evaluate.
At the same time, the rise of the Cloud-Native Application Protection Platform (CNAPP) category has pulled container and image scanning into the same commercial conversation as runtime cloud posture management, identity, and workload protection. Vendors that once competed purely on the depth of their container vulnerability databases now compete on how well that scanning data correlates with runtime telemetry, cloud misconfiguration findings, and identity risk — a much broader (and much more expensive) platform pitch that favors incumbents with capital to acquire their way into completeness.
Private equity's second act in AppSec
A notable thread running through the Black Duck, Veracode, and Checkmarx deals is how much of the independent AppSec market is now owned by private equity rather than public markets or strategic acquirers. That ownership structure changes vendor behavior in predictable ways: portfolio companies get pushed toward cross-sell and pricing discipline, overlapping products acquired along the way get "rationalized" into a single brand, and roadmap decisions increasingly answer to a return-on-investment timeline rather than a pure product vision. Black Duck's own history as an independently PE-owned SCA vendor before its 2017 acquisition by Synopsys — followed by its 2024 re-emergence as an independent, PE-backed company again — is a small case study in how AppSec assets can cycle between being a platform's "SCA module" and a standalone business, depending on who owns them and what multiple they can fetch.
What hasn't consolidated — yet
Not everything is rolling up. A wave of newer entrants — including reachability-focused SCA vendors and ASPM correlation-layer startups — has continued to raise independent venture funding on the thesis that the next differentiator isn't scanning coverage (which is increasingly commoditized and bundled for free into dev platforms) but noise reduction: figuring out which of the thousands of findings produced by SAST, SCA, and container scanners actually matter, by tracing reachability, exploitability, and runtime context. That some of these companies (Bionic among them) are themselves getting acquired into larger platforms suggests this layer, too, is a consolidation target rather than a permanent independent category — but it hasn't happened uniformly, and specialized vendors focused on software supply chain attack detection, open-source malware, and dependency-confusion style threats remain a meaningfully separate market from the legacy AST vendors being rolled up.
What it means for security teams
For buyers, the practical effect of this consolidation cuts two ways. Fewer vendor relationships and tighter native integration between SCA, SAST, and container findings can genuinely reduce tool sprawl and the alert fatigue that comes with reconciling five different severity scoring systems. But it also concentrates risk: when Coverity, Black Duck, and Seeker sit under one PE-owned brand, or when Prisma Cloud absorbs Twistlock, Cider, and Dig into a single console, the pace and quality of product integration — not just feature checklists — becomes the thing worth diligence. Contracts negotiated with an independent point-solution vendor two years ago may now renew as part of a bundled platform suite with different pricing, different support structures, and roadmaps set by a new owner altogether.
How Safeguard Helps
Market consolidation changes who owns the scanner, but it doesn't change the underlying problem: software supply chains are still assembled from open-source dependencies, container base images, and CI/CD pipelines that need continuous, correlated visibility — not just more findings from a bigger vendor. Safeguard is built for that reality. Rather than asking teams to bet on which platform will absorb the next acquisition, Safeguard focuses on giving engineering and security teams direct, vendor-neutral visibility into their software supply chain: tracking dependencies and container images for known vulnerabilities and malicious packages, surfacing which findings are actually reachable and worth fixing, and keeping that signal available regardless of which SCA, SAST, or container-scanning vendor a team's contract happens to route through this year. As the AppSec vendor landscape keeps folding into fewer, larger platforms, that independence — and the ability to correlate supply chain risk across whatever tools an organization currently owns — is exactly the layer teams need to keep control of.
Sources:
- Clearlake and Francisco Partners Complete Acquisition of Black Duck Software
- Thoma Bravo to Acquire Veracode Software from Broadcom Inc.
- Insight Partners sells security firm Checkmarx to Hellman & Friedman for $1.15B
- Palo Alto Networks Signs Definitive Agreement to Acquire Cider Security
- Confirmed: Palo Alto Networks buys Dig Security, sources say for $400M
- Confirmed: Palo Alto has acquired Talon Cyber Security, sources say for $625M
- CrowdStrike to Acquire Bionic to Extend Cloud Security Leadership
- JFrog to Acquire Vdoo for $300M