How much does Veracode cost?

Veracode pricing is opaque; tiers require contact with sales for a quote. Verified pricing intelligence is crowdsourced from buyer disclosures.

What rank does Veracode hold in the Code Quality and Static Analysis category?

Veracode ranks #5 of 10 code quality and static analysis platforms in the Zendikt editorial ranking, last updated 2026-05-10.

Veracode review, pricing, and verified intelligence

Best for

Regulated enterprises (financial services, federal government, defense, healthcare) where compliance reporting and one-vendor bundling of SAST plus DAST plus SCA are non-negotiable. Particularly strong for buyers needing FedRAMP-authorized platforms.

Worst for

Modern engineering-led teams (SonarQube, Codacy, Snyk Code better), buyers wanting fast PR-time feedback (scan times are wrong fit), or budget-conscious mid-market (Codacy or DeepSource better value).

Vendor Trust Score

Is Veracode a trustworthy vendor?

6.3/10

Mixed

Pricing transparency

Published rates; no hidden fees

5.0

Contract fairness

Reasonable terms; no auto-renew traps

6.0

Incident response

How they handle outages and breaches

7.0

Post-acquisition behavior

Customer treatment after M&A or PE

6.0

Executive stability

Leadership churn over 24 months

7.0

Roadmap honesty

Public commitments held

6.5

Trust signal log

2017-03-06

CA Technologies acquires Veracode for $614M

First major change in ownership; integration into CA portfolio drew customer concerns.
2018-11-05

Broadcom inherits Veracode via CA acquisition

Broadcom-CA deal closed; Veracode operated under Broadcom Software Group.
2022-05-04

Thoma Bravo $1B+ majority investment in Veracode

Take-private style transaction; Thoma Bravo control raised post-PE product-investment questions consistent with broader Thoma Bravo dev-tools playbook.
2024-09-22

Customer reports of slower feature velocity post-Thoma-Bravo

Multiple buyer disclosures of slower roadmap delivery through 2023-2024; consolidation focus over feature innovation.

Vendor Trust is scored independently of product quality. A great product from an unfair vendor still earns a low trust score.

Review Intelligence

What 480 reviews actually say

Synthesized from G2, Capterra, Reddit, Trustpilot. Patterns >15% prevalence shown.

Last synthesized

2026-04-29

Praise patterns

Deepest compliance reporting in the category
87% →
Strong federal-government footprint with FedRAMP
71% →
One platform: SAST plus DAST plus SCA plus penetration testing
64% →
Strong legacy-language coverage (COBOL, VB, PL/SQL)
47% →

Complaint patterns

Long scan times at enterprise scale
51% →
High false-positive rates (25 to 35 percent)
47% →
Opaque quote-only pricing
41% →
Slower feature velocity post-Thoma-Bravo
38% ↑

Sentiment trend (6 months)

68/100 0 pts

Patterns are extracted from review corpus and human-verified. We surface trends, not anecdotes.

Verified Pricing

What buyers actually pay

187 anonymized deal disclosures · last updated 2026-05-01

Contribute your deal price

Company size	Median annual	Sample	vs. listed floor
Mid-market (10 to 50 apps)	$84,000	78	-
Enterprise (50 to 500 apps)	$360,000	78	-
Federal / large enterprise (500+ apps)	$1,200,000	31	-

Verified pricing is crowdsourced from buyers under anonymity guarantees. Vendor-listed prices are validated against actual deals quarterly.

Compliance & Security

Auto-verified certifications

Verified 2026-05-01

SOC 2 Type II

ISO 27001

HIPAA

GDPR

CCPA

PCI DSS

FedRAMP Authorized

Editorial: Strengths

Deepest compliance reporting (PCI, FedRAMP, OWASP, CWE) in the category
Strong federal-government footprint; FedRAMP authorized
One platform: SAST, DAST, SCA, IAST, manual penetration testing
Mature 19-year track record; defensible to security-led procurement
Manual penetration-testing service (Veracode Verified) for compliance buyers
Strong language coverage on legacy languages (COBOL, Visual Basic, PL/SQL)

Editorial: Weaknesses

Scan times remain long (multi-hour scans common at enterprise scale)
False-positive rates 25 to 35 percent in buyer reports
Pricing opaque and quote-only; no published rate card
Post-Thoma-Bravo product investment skewed toward consolidation, not feature velocity
Developer-experience layer lags every modern competitor
IDE plugins functional but dated relative to Snyk Code or SonarQube

Key features & integrations

+SAST across 25+ languages including legacy (COBOL, VB, PL/SQL)
+DAST for running applications
+SCA for open-source composition
+IAST for runtime analysis
+Manual penetration testing (Veracode Verified)
+OWASP Top 10, CWE Top 25, PCI, FedRAMP compliance reporting
+IDE plugins for Eclipse, IntelliJ, Visual Studio
+SAML SSO, SCIM, audit logging
+REST API plus CLI
+Veracode eLearning developer training

150+ integrations

GitHubGitLabBitbucketAzure DevOpsJenkinsJiraServiceNowSplunkAWSAzure

Geography supported

Global; strongest in US, UK, EU; federal-government US

Best fit

500 to 100,000+ employees · Regulated enterprises and federal-government buyers

Editorial deep-dive

Read our full ranking of Code Quality and Static Analysis

Veracode ranks #5 in our editorial review of 10 code quality and static analysis platforms. The deep-dive covers methodology, comparison tables, decision matrix, migration scoring, and FAQs.

Read the full ranking

Closest alternatives in Code Quality and Static Analysis

DeepSource

Modern zero-config code-quality automation.

★ 4.5 public

Checkmarx

Legacy enterprise SAST plus SCA plus IaC under PE control.

★ 4.2 opaque

Snyk Code

Developer-first SAST inside the Snyk DevSecOps platform.

★ 4.5 partial

Help the next buyer

Contribute your verified deal price

Pricing in B2B software is opaque because vendors want it that way. Verified buyer prices fix that, anonymously. Share what you actually paid for Veracode; we’ll add it to the verified pricing dataset on this page (with company size band only, no identifying details).

Submit anonymously