On March 19, 2018, Gartner released its periodic update to the Gartner Magic Quadrant for Application Security Testing, which analyzes vendors’ DevSecOps capabilities. We’re pleased to announce that IBM sustained its position in the “Leaders” Quadrant for Application Security Testing in a report that spanned 12 total vendors.

Gartner performs extensive research to determine which vendors will be positioned in the Leaders, Challengers, Visionaries and Niche Players quadrants in its reports.


This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from IBM.

Ultimately, vendors are evaluated on their Ability to Execute and Completeness of Vision.

‘Ability to Execute’ Evaluation Criteria in Magic Quadrant Report

When evaluating application security testing vendors on their Ability to Execute, Gartner analyzed the following criteria in this evaluation cycle:

  • Product or Service: Assessment of vendor’s current product and service capabilities, quality, feature sets and skills;
  • Overall Viability: Assessment of vendor’s overall financial health, as well as the financial and practical success of the business unit;
  • Sales Execution/Pricing: Vendor’s capabilities in all presales activities and the structure that supports them;
  • Market Responsiveness/Record: Vendor’s ability to respond, change direction, be flexible and achieve success as opportunities develop, competitors act, customer needs evolve and market dynamics change;
  • Marketing Execution: Assessment of vendor’s clarity, quality, creativity and efficacy of programs designed to deliver the organization’s message in order to influence the market, promote the brand, increase awareness of products and establish a positive identification in the minds of customers; and
  • Customer Experience: Vendor’s quality of supplier/buyer interactions, technical support or account support.

The following “Ability to Execute” metric wasn’t evaluated by Gartner in this review cycle: Operations.

‘Completeness of Vision’ Evaluation Criteria in Magic Quadrant Report

When evaluating vendors on their Completeness of Vision, the following evaluation criteria were utilized:

  • Market Understanding: Assessment of the vendor’s ability to understand buyers’ needs and translate them into usable SAST, DAST, IAST and MAST products and services;
  • Marketing Strategy: Vendor’s ability to provide clear, differentiated messaging consistently communicated internally, externalized through social media, advertising, customer programs and positioning statements;
  • Sales Strategy: Vendor’s ability to offer a sound strategy for selling that uses the appropriate networks, including direct and indirect sales, marketing, service and communication;
  • Offering (Product) Strategy: Evaluation of the vendor’s development and delivery of a solution that’s differentiated from the competition in a way that uniquely addresses critical customer requirements;
  • Innovation: Assessment of how vendors are innovating to support enterprise security intelligence, as well as developing methods to make security testing more accurate; and
  • Geographic Strategy: The vendor’s strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the “home” or native geography, either directly or through partners, channels and subsidiaries, as appropriate for that geography and market.

The following “Completeness of Vision” metrics weren’t evaluated by Gartner in this evaluation cycle: Business Model and Vertical/Industry Strategy.

Characteristics of ‘Leaders’ in Gartner Magic Quadrant for Application Security Testing

Leaders provide mature offerings that meet market demand. They’ve demonstrated the vision necessary to sustain their market positioning, especially as technology requirements evolve. The hallmark of Leaders is that they focus on and invest in their technology offerings to lead the market and affect its overall direction.

Leaders can be the vendors to watch as you try to understand how new offerings might evolve. Leaders typically possess a significant, satisfied customer base and enjoy high market visibility. Their size and maturity enable them to remain viable under constantly evolving market conditions. Leaders typically respond to a wide market audience by supporting broad market requirements. However, they may fail to meet the specific needs of vertical markets or other more specialized segments.

So these evaluation criteria clearly present high bars for achievement.

Get Your Complimentary Copy of 2018 Gartner Magic Quadrant for Application Security Testing

For a complete copy of the 2018 Gartner Magic Quadrant report for Application Security Testing, which provides an overview of all application security testing vendors, including IBM, and outlines their Strengths and Cautions, click on the box below.

Download the Gartner Magic Quadrant Report Now

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.