About Checkmarx Next Generation SAST
Checkmarx Next Generation SAST is a static application security testing engine that runs inside the Checkmarx One platform. It layers a rules-based analysis, an LLM tuned for code vulnerabilities, and a Finding Analysis Engine that filters output to confirmed true positives. The tool is language-agnostic and handles AI-generated code alongside traditional codebases.
Review
This engine updates the SAST capabilities within the existing Checkmarx One suite. The three-layer design means scans move from deterministic rule checks to a purpose-tuned LLM, then on to an automated triage step that discards findings unlikely to be real issues. That last stage sets it apart: developers see a reduced set of results that the engine classifies as high-confidence true positives.
Key Features
- A rules-based foundation draws on years of known vulnerability patterns for broad coverage.
- A purpose-tuned LLM extends detection to any programming language, including code generated by AI assistants.
- The Finding Analysis Engine (FAE) automatically removes findings it cannot confirm as true positives, suppressing noise without manual filtering.
- The vendor reports the accuracy of this hybrid approach as an F1 score, a single metric that combines precision (how many reported findings are real) and recall (how many real vulnerabilities are reported).
- Scanning runs as part of the Checkmarx One subscription, with no separate deployment or licensing step required for existing customers.
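One way to turn a published F1 score into the "testable signal" the review mentions is to score a scanner's findings against a labelled benchmark, and to see how an automated triage layer like the FAE trades recall for precision when it suppresses low-confidence findings. The example below is added here and is not Checkmarx code; the finding layout, the confidence field, the 0.5 threshold and all file/line values are constructed assumptions.

```python
"""Score a SAST finding set against labelled ground truth (constructed sample data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    rule: str
    confidence: float  # assumed triage score in [0, 1] emitted by the analysis layer


# Constructed ground truth: locations a manual review confirmed as vulnerable.
TRUE_VULNS = {("app/db.py", 42), ("app/views.py", 88), ("app/auth.py", 17)}

# Constructed raw findings from the rules + LLM layers, before any triage.
RAW_FINDINGS = [
    Finding("app/db.py", 42, "sql-injection", 0.95),
    Finding("app/views.py", 88, "xss", 0.80),
    Finding("app/auth.py", 17, "weak-hash", 0.40),      # real, but low confidence
    Finding("app/util.py", 5, "path-traversal", 0.30),  # false alarm
    Finding("app/util.py", 9, "xss", 0.55),             # false alarm
]


def triage(findings, threshold):
    """Mimic an automated triage step: keep findings at or above the threshold,
    and return the suppressed ones separately so they can be audited."""
    kept = [f for f in findings if f.confidence >= threshold]
    suppressed = [f for f in findings if f.confidence < threshold]
    return kept, suppressed


def score(findings, truth):
    """Return (precision, recall, f1) for a finding set against ground truth."""
    reported = {(f.file, f.line) for f in findings}
    tp = len(reported & truth)
    fp = len(reported - truth)
    fn = len(truth - reported)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return precision, recall, f1


def compare(threshold):
    """Scores before and after triage, plus the suppressed findings for inspection."""
    kept, suppressed = triage(RAW_FINDINGS, threshold)
    return score(RAW_FINDINGS, TRUE_VULNS), score(kept, TRUE_VULNS), suppressed


if __name__ == "__main__":
    raw, triaged, dropped = compare(0.5)
    print("raw     P=%.2f R=%.2f F1=%.2f" % raw)
    print("triaged P=%.2f R=%.2f F1=%.2f" % triaged)
    for f in dropped:
        print("suppressed for audit:", f)
```

With this data the triage step raises precision but drops a real weak-hash finding, so F1 falls from 0.75 to 0.67; keeping the suppressed list visible is what lets a team catch that, which is the inspection gap noted under Cons.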
Pricing and Value
Checkmarx Next Generation SAST is not sold as a standalone product. It is included in active Checkmarx One subscriptions at no additional line-item cost. The product listing carries a "Payment Required" tag because access to the platform itself requires a paid subscription. Public pricing details for Checkmarx One are not available on the launch page; organizations negotiate subscription costs directly with Checkmarx.
Pros
- Three distinct scanning layers increase the likelihood of catching both known patterns and novel vulnerability classes.
- The FAE filters results to true positives, cutting the time developers spend triaging false alarms.
- Language-agnostic analysis means a single engine works across polyglot projects and AI-generated snippets.
- Existing Checkmarx One users get the upgrade without changing tools or paying extra.
- The vendor publishes an F1 score for the engine, giving a testable signal of detection fidelity.
Cons
- The tool is only available inside Checkmarx One, so it does not suit teams outside that ecosystem.
- No standalone pricing or free trial is mentioned, making cost evaluation opaque for new buyers.
- The FAE's internal decision logic is not detailed in the product materials, so teams cannot inspect why a finding was suppressed.
Organizations already committed to Checkmarx One can activate this engine immediately and may see fewer false positives in their SAST results. It fits teams that need to scan diverse codebases, including AI-assisted development, without juggling multiple analysis tools. Small teams or those without an existing Checkmarx subscription will need to look elsewhere, as the tool is not offered outside the platform.