Checkmarx - Experts & Thought Leaders
Latest Checkmarx news & announcements
Checkmarx, the pioneer in agentic application security, announces its acquisition of Tromzo, a pioneer in AI-native autonomous security agents. The deal marks a major leap forward in autonomous AppSec, accelerating the delivery of AI agents that understand real enterprise risk, reason across complex software ecosystems, and remediate continuously with precision. Tromzo’s technology and world-class engineering team will enhance the Checkmarx One platform and expand the Checkmarx Assist family of AI agents.

Governance policies for AI usage

Tromzo founders Harshil Parikh and Harshit Chitalia, along with their entire AI engineering team, will join Checkmarx’s product and engineering organization. Tromzo’s capabilities are designed to reduce risk while dramatically increasing productivity by helping developers fix security issues with automated remediation and giving engineering managers and AppSec pioneers full visibility without slowing down delivery.

AI has fundamentally reshaped software development. According to Checkmarx research, 60% of code is now AI-generated, and 98% of organizations have experienced breaches tied to vulnerable code, even though only 18% report having formal governance policies for AI usage. Manual gating processes cannot keep pace, creating bottlenecks that slow prioritization and remediation and leaving a growing volume of issues to identify and resolve.

AI-powered virtual security

“This acquisition propels Checkmarx forward on our path to redefine AppSec through agentic AI that transforms how enterprises secure all of their code, whether it is existing, human-created, or produced through AI-driven development,” said Sandeep Johri, CEO of Checkmarx. “By acquiring Tromzo, we are integrating the only platform built on a true cognitive architecture capable of enterprise-grade reasoning. We’re offering an AI-powered virtual security assistant to every developer that understands real risk and automates remediation, moving us closer to a world where code is continuously protected and AI becomes an intelligent partner in security.”

Checkmarx released the first of these agents

Built on a cognitive architecture, Tromzo’s agents analyze code, deployment artifacts, and business context to drive high-confidence triage and remediation aligned to enterprise risk models. These capabilities will become a core intelligence layer across Checkmarx One and the Checkmarx Assist family of agents. Earlier this year, Checkmarx released the first of these agents, Developer Assist, which provides developers with real-time, context-aware guidance as developers code in pioneering IDEs such as Windsurf by Cognition, Cursor, and GitHub Copilot.

Key acquisition highlights

Autonomous AppSec: The combined capabilities of Checkmarx’s market-pioneering platform and Tromzo’s reasoning-based agents accelerate the shift toward autonomous application security.

Talent & Leadership: Tromzo founders and AppSec AI pioneers Harshil Parikh and Harshit Chitalia, along with their engineering team, join Checkmarx to drive the future of agentic AI in AppSec.

Expanded Checkmarx Assist: Tromzo’s reasoning engine will power new Assist agents beginning in early 2026, advancing enterprise-grade AI-powered security.

Agentic AI security solutions

“We built Tromzo with a singular mission: accelerate remediation of the risks that truly matter,” said Harshil Parikh, co-founder of Tromzo. “Joining Checkmarx, the undisputed pioneer in enterprise AppSec, is the perfect acceleration of that mission. By combining our deep reasoning agents with Checkmarx’s reach, scale, and market leadership, we’re delivering the only solution that lets enterprise security teams move fast with enterprise-grade control.”

Together, Checkmarx and Tromzo will empower enterprises to adopt AI coding tools with confidence, backed by agentic AI security solutions that safeguard every line of code from creation through deployment. Visit the Checkmarx blog to learn more.
Checkmarx, the global pioneer in agentic-AI powered application security testing, announced record-breaking growth for its flagship platform, Checkmarx One, underscoring a wave of customer adoption fueled by innovation and strategic pioneering. The news comes alongside groundbreaking research from Checkmarx Zero that highlights the urgent need for secure software in an AI-driven development landscape.

Record-breaking growth & adoption

Checkmarx One has rapidly become the platform of choice for securing modern applications, now protecting more than 860 of the world’s largest enterprises. This wave of customer adoption has propelled the platform beyond $150 million in ARR in three years, cementing Checkmarx One as one of the fastest-growing platforms in application security. Momentum accelerated for Checkmarx in 2023 when Sandeep Johri took the helm as CEO, guiding the company through a period of unprecedented growth and positioning it for sustained expansion. Today, as companies face data breaches that, according to an IBM report this year, cost an average of $4.4 million each, Checkmarx One offers the most comprehensive enterprise business protection for existing, new, and AI-generated code.

Checkmarx One

Each month, Checkmarx analyzes over 800 billion lines of code, performs four million scans, secures more than three million open-source packages, and inspects nearly a million container images, all while identifying approximately half a million malicious packages before they can impact organizations. Checkmarx One has continued this growth trajectory in 2025, with more than 20% customer growth and more than 30% ARR growth year-to-date (as of Sept. 30, 2025), as organizations increasingly turn to Checkmarx One to secure the code driving their businesses.

Measurable business impact

With a proven track record of innovation and measurable business impact, Checkmarx One reduces customers’ vulnerabilities per project by more than 50% on average within a year of implementation and cuts the average cost per fix by more than 60%. Customer success stories illustrate its transformative effect:

Construction giant PCL went from onboarding Checkmarx One in a matter of hours to scanning more than four million lines of code a week for rapid detection, remediation and reduced supply chain risk.

Cebu Pacific, the largest airline in the Philippines, reduced its vulnerability density by 50% with Checkmarx One.

Recognition & regulatory milestones

Checkmarx was named a Leader in the 2025 Gartner Magic Quadrant for Application Security Testing (AST). In addition, Checkmarx was named a leader in the 2025 Forrester Wave for Static Application Security Testing (SAST), and the IDC MarketScape: Worldwide Application Security Posture Management (ASPM) 2025 Vendor Assessment. The company also announced that it has achieved FedRAMP Ready at the High Impact Level for its Checkmarx One for Government platform, the most stringent baseline for FedRAMP cloud systems. Checkmarx is the first AppSec platform to reach Ready status at this level with full coverage across the software development lifecycle (SDLC).

Checkmarx Zero Research: Intelligence powering AppSec

At the heart of Checkmarx One’s capabilities lies the ongoing work of Checkmarx Zero Research. This specialized research group continuously breaks and protects the building blocks of modern software development, from traditional AppSec to open-source supply chain threats and emerging LLM security risks. In addition to publishing groundbreaking threat research, Checkmarx Zero fuels the intelligence layer of Checkmarx One and contributes actively to the security ecosystem through information sharing, community events, and supporting widely adopted open-source tools for infrastructure-as-code (IaC), secret protection, and application scanning (KICS, 2MS and ZAP respectively). This continuous loop of threat discovery, research, and intelligence infusion ensures that Checkmarx One customers are always equipped against the most advanced and fast-evolving risks.

AI & The Future of Secure Development

Checkmarx’s Future of Application Security in the Era of AI and Keeping Bad Vibes Out: AppSec in the Age of AI-Assisted Coding reports, based on a survey of 1,500+ security pioneers and developers, reveal the stark risks of AI-driven coding:

34% of organizations report that over 60% of their code is machine generated.

Nearly one in 10 organizations say 80–100% of their codebase is AI-written.

Despite this surge, only 18% have AI governance policies, and more than 80% knowingly ship vulnerable code often or sometimes, up from 66% in 2024.

98% experienced a breach stemming from vulnerable code in the past year.

Shadow AI is on the rise: 20% officially ban AI tools, yet developers use them anyway.

AI-assisted development

“The velocity of AI-assisted development makes a holistic security approach that is rooted in prevention, like Checkmarx One, even more critical,” said Sandeep Johri, CEO of Checkmarx. “Application security cannot be an afterthought. Organizations pursuing transformative gains in productivity through AI coding must put equal investment in security or pay the price of dramatically increased risk. Modern enterprises need AI-powered security tools to keep pace with developers and start securing code from the moment of creation, preventing vulnerabilities in real time.”

Pioneering AI Code Security Assistants

In response, Checkmarx introduced Developer Assist to general availability in August. The first in a new category of AI Code Security Assistants, Developer Assist provides developers with real-time, context-aware guidance as they code—reducing remediation time from one to two days to just 10–15 minutes. Integrated with major AI-native development environments such as Windsurf by Cognition, Cursor, and GitHub Copilot, Developer Assist empowers teams to prevent vulnerabilities before they reach production, combining the productivity of AI with the security rigor of Checkmarx.
Checkmarx, the pioneer in agentic AI-powered application security, released the results of its annual survey titled “Future of Application Security in the Era of AI,” offering a candid assessment of how AI‑accelerated development is reshaping the risk landscape and how to prepare for the year ahead. The study surveyed more than 1,500 CISOs, AppSec managers and developers across North America, Europe and Asia‑Pacific to understand how organizations are adapting to a world where software is increasingly written by machines.

AI‑generated code

The findings paint a stark picture: AI‑generated code is becoming mainstream, but governance is lagging. Half of respondents already use AI security code assistants and 34% admit that more than 60% of their code is AI‑generated. Yet only 18% have policies governing this use. The growing adoption of AI coding assistants is eroding developer ownership and expanding the attack surface.

Expect API breaches

The research also shows that business pressure is normalizing risky practices. Eighty‑one percent of organizations knowingly ship vulnerable code, and 98% experienced a breach stemming from vulnerable code in the past year, a sharp rise from 91% in 2024. Within the next 12 to 18 months, nearly a third (32%) of respondents expect Application Programming Interface (API) breaches via shadow APIs or business logic attacks.

Application security tools

Despite these realities, fewer than half of the respondents report deploying foundational, mature application security tools such as dynamic application security testing (DAST) or infrastructure‑as‑code scanning. While DevSecOps is widely discussed industry-wide, only half of organizations surveyed actively use core tools and just 51% of North American organizations report adopting DevSecOps.

Velocity of AI‑assisted development

“The velocity of AI‑assisted development means security can no longer be a bolt‑on practice. It has to be embedded from code to cloud,” said Eran Kinsbruner, vice president of portfolio marketing. “Our research shows that developers are already letting AI write much of their code, yet most organizations lack governance around these tools. Combine that with the fact that 81% knowingly ship vulnerable code and you have a perfect storm. It’s only a matter of time before a crisis is at hand.”

Six strategic imperatives

The report outlines six strategic imperatives for closing the application security readiness gap: move from awareness to action, embed “code‑to‑cloud” security, govern AI use in development, operationalize security tools, prepare for agentic AI in AppSec, and cultivate a culture of developer empowerment.

Kinsbruner added: “To stay ahead, organizations must operationalize security tooling that is focused on prevention. They need to establish policies for AI usage and invest in agentic AI that can automatically analyze and fix issues in real-time. AI-generated code will continue to proliferate; secure software will be the competitive differentiator in the coming years.”

Embedding security into development

Chris Ledingham, Director Northern Europe, comments: “Our research found that nearly one third, 32%, of European respondents say their organization often deploys code with known vulnerabilities, compared with 24% of those in North America. This suggests the need for a stronger focus across our region on embedding security into development. With AI now writing much of the code base, security pioneers face heightened accountability. Boards and regulators will rightly expect CISOs to implement robust governance for AI-generated code and to ensure vulnerable software isn’t being pushed to production.”

Checkmarx’s announcement of general availability

The release of this report follows Checkmarx’s announcement of general availability of its Developer Assist agent, with extensions to top AI-native Integrated Development Environments (IDEs), including Windsurf by Cognition, Cursor, and GitHub Copilot. This new agent—the first in a family of agentic-AI tools to enhance security for developers, AppSec pioneers, and CISOs alike—delivers real-time, context-aware issue identification and guidance to developers as they code for autonomous prevention.

Download the full “Future of Application Security in the Era of AI” report at the Checkmarx website to learn how organizations can navigate the AI‑accelerated risk landscape and build secure‑by‑default development practices.