We're thrilled to announce that for the first time, Semgrep has been recognized in the 2025 Gartner Magic Quadrant for Application Security Testing. To us, this recognition mirrors what we've been hearing from customers: organizations need modern approaches to application security that can scale with their business objectives while addressing the fundamental challenges that have long plagued traditional AppSec solutions.
Application security is a crowded space, and this research document from Gartner helps organizations make sense of the landscape to make informed decisions about securing their critical applications. If you want to skip straight ahead to the document, get your complimentary copy of the Magic Quadrant report here.
From SAST to an AI-enabled AppSec platform
Semgrep's journey reflects the broader evolution needed in application security. We released open source SAST through Semgrep Community Edition in 2020. With a focus on build-time security, Semgrep's commercial offerings then expanded to address key customer pain points:
In 2022 we launched commercial offerings with Semgrep Code and Semgrep Supply Chain, becoming one of the first vendors to use reachability analysis to significantly reduce false positives from dependency alerts.
In 2023 we introduced Semgrep Secrets and shipped our first AI features through Semgrep Assistant.
Now in 2024, our advanced AI capabilities with triage and remediation features have processed more than 6 million security findings.
From the beginning, Semgrep has been developed to help AppSec teams address the biggest challenges they face with security solutions: reducing noise from false positives, and increasing developer engagement to the level needed to remediate security issues at scale. We believe successful security programs must address both.
Solving the false positive problem
The foundation of effective AppSec programs starts with high-quality signals. Semgrep Code, Semgrep Supply Chain, and Semgrep Secrets all employ advanced techniques like cross-file analysis, dataflow reachability, and secrets validation to reduce noise from false positives. This ensures that Semgrep scan results are inherently high-signal.
Semgrep Assistant's AI Triage adds another layer of precision by analyzing context beyond what rules-based analysis can provide. It considers source code context, historical triage decisions from security and developer teams, and plain English guidance from Assistant Memories. This mirrors the analysis that senior security engineers typically perform, but automated at scale.
In addition to reducing noise for security teams, we believe it’s also critical to reduce noise for developers, and to create solutions that complement and fit with their workflows, rather than ones that expect developers to have the same security context that AppSec teams have.
Developer engagement for security at scale
Creating frictionless security for developers means being minimally disruptive to their workflows, not expecting them to switch into security tooling, and presenting them, in a timely manner, only with the issues that need to be addressed. Unlike older code scanning tools that so often frustrated developers, this approach builds trust by presenting only the issues that matter.
Semgrep Assistant’s AI remediation provides just-in-time, context-aware code remediation to resolve security issues directly in the developer workflow. This usually takes the form of providing developers with specific actionable steps before code ships to production. Ultimately, we believe AppSec programs must drive developer engagement through to issue resolution in order to have an impact at scale.
The real-world impact of AI
The results from Semgrep Assistant have been impressive. Through its AI Triage capabilities, it has now analyzed more than 6 million security findings across thousands of deployments, and achieved a 96% agreement rate. That’s the real-world rate at which users and security researchers agree with Semgrep Assistant’s classification of false positives and true positives.
This year, Semgrep Assistant is filtering out 60% of SAST findings as false positives before AppSec teams ever see them (they’re still available in the platform for review). That removes a mountain of work that would otherwise have burdened AppSec teams, and avoids countless moments of developer frustration.
For developers, once false positives are filtered out, AI remediation becomes possible. Our data shows that teams using Assistant’s remediation guidance experience on average a 30-minute reduction in developer remediation time per finding. This means developers can help security scale while still keeping their focus on shipping code quickly.
AppSec for the future of software development
As AI transforms software development, we anticipate significant changes in how applications are secured. Security teams will need to expand their focus beyond developer-written vulnerabilities to include machine-generated code, while taking advantage of AI capabilities that can identify and address security issues with increasing sophistication.
We’re honored to be named in the Gartner Magic Quadrant for Application Security Testing, but even more grateful for the partnerships with the community and customers whose feedback and collaboration make Semgrep better every day. Get your complimentary copy of the Gartner Magic Quadrant for Application Security Testing and see how the landscape is evolving.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Magic Quadrant is a registered trademark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved.
Gartner, Magic Quadrant for Application Security Testing, Jason Gross, Mark Horvath, Giles Williams, Shailendra Upadhyay, Dionisio Zumerle, Aaron Lord, Oct 7, 2025