Sold by: StackHawk, Inc.
Deployed on AWS
StackHawk is a DAST and API testing tool built for developers. With powerful automation and integration capabilities, StackHawk gives engineers the ability to find and fix security vulnerabilities in their AWS software development pipeline before they reach production.
4.6
Overview
Uniquely tailored to AWS customers StackHawk can be easily deployed into AWS environments. The platform can run as part of your CI/CD pipeline with AWS CodeBuild and AWS CodePipeline to automate security testing as part of your software delivery.
Our approach to security StackHawk is the only dynamic application (DAST) and API security testing tool that runs in CI/CD, making API and application security testing part of software delivery. The StackHawk platform offers engineering teams the ability to find and fix application bugs at any stage of software development and gives Security teams insight into the security posture of applications and APIs being developed. The platform also contains generative AI technology that can help Security teams identify hidden APIs, providing information about what APIs exist, where they live, and who they belong to.
Pricing information Pricing is available as either StackHawk Pro or StackHawk Enterprise. With both pricing plans, users receive unlimited scans, environments and applications.
StackHawk Pro features: - Docker-based application security scanner - CI/CD automation - Historical scan data - cURL based reproduction criteria - Findings triage - REST, GraphQL & SOAP support - StackHawk CLI - Custom scan discovery - Applications dashboard - Custom test data for REST - Custom test data for GraphQL - HawkScan ReScan - gRPC support (coming soon) - Email and Slack based support - Slack, Snyk, GitHub, and CodeQL integrations
StackHawk Enterprise features: - ALL features and integrations in StackHawk Pro - Single sign-on - Role-based permissions - Activity history & audit log - Log4Shell vulnerability - Seed paths - API access for Scan Results - Executive summary report - Custom test scripts - Team-based access - Policy management - Dedicated Slack based support - Premier Zoom support - Generic webhooks, Microsoft Teams, and DefectDojo integrations
For more information, visit: https://www.stackhawk.com/pricing/
For custom pricing, EULA, or a private contract, please contact marketplace-orders@stackhawk.com , for a private offer.
Highlights
- Shift Security Left with Automated DAST Scanning: StackHawk is purpose-built to run in the DevOps pipeline, ensuring your team has eyes on any new vulnerabilities before they hit production.
- Reliably Test Applications and APIs: With StackHawk, you can easily align your DAST testing with your architecture, including REST, SOAP, and GraphQL APIs, for better performance and faster fixes.
- Developer Focused and Built to Scale AppSec Teams: StackHawk's modern approach to DAST enables developers to write secure software fast and gives Security teams the ability to scale at the speed of software being deployed.
Details
Sold by
Categories
Delivery method
Deployed on AWS
New
Introducing multi-product solutions
You can now purchase comprehensive solutions tailored to use cases and industries.
Features and programs
Trust Center
Access real-time vendor security and compliance information through their Trust Center powered by Drata or Vanta. Review certifications and security standards before purchase.
Financing for AWS Marketplace purchases
AWS Marketplace now accepts line of credit payments through the PNC Vendor Finance program. This program is available to select AWS customers in the US, excluding NV, NC, ND, TN, & VT.
Pricing
Pricing is based on the duration and terms of your contract with the vendor. This entitles you to a specified quantity of use for the contract duration. If you choose not to renew or replace your contract before it ends, access to these entitlements will expire.
Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.
Dimension | Description | Cost/12 months |
|---|---|---|
StackHawk Pro | Priced per code contributor for applications under test (minimum 20) | $588.00 |
StackHawk Enterprise | Priced per code contributor for applications under test (minimum 25) | $708.00 |
Vendor refund policy
All fees are non-cancellable and non-refundable except as required by law.
Legal
Vendor terms and conditions
Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA) .
Content disclaimer
Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.
Delivery details
Software as a Service (SaaS)
SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.
Resources
Vendor resources
Support
Vendor support
Unless otherwise agreed, email support is offered Monday - Friday during normal business hours.
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.
Updated weekly
By StackHawk, Inc.
By OpenText
By Blacklock -Penetration Test as a Service
Sentiment is AI generated from actual customer reviews on AWS and G2
Functionality
Ease of use
Customer service
Cost effectiveness
Positive reviews
Mixed reviews
Negative reviews
AI generated from product descriptions
Dynamic Application Security Testing (DAST)
Automated dynamic application security testing tool designed to identify vulnerabilities in applications and APIs during the software development lifecycle.
CI/CD Pipeline Integration
Integrates with AWS CodeBuild and AWS CodePipeline to automate security testing as part of the continuous integration and continuous deployment workflow.
Multi-Protocol API Testing Support
Supports testing of REST, GraphQL, SOAP, and gRPC APIs with custom test data capabilities for REST and GraphQL protocols.
Generative AI-Powered API Discovery
Utilizes generative AI technology to identify hidden APIs and provide information about API existence, location, and ownership.
Enterprise Access Control and Compliance
Provides single sign-on, role-based permissions, activity history, audit logging, policy management, and team-based access controls for enterprise deployments.
Static Application Security Testing
Detects over 1137 unique categories of vulnerabilities across 29 programming languages spanning over 1 million individual APIs
Dynamic and Interactive Application Security Testing
Offers dynamic application security testing (DAST), interactive application security testing (IAST), and mobile application security testing (MAST) capabilities on demand
CI/CD Pipeline Integration
Integrates into development toolchain with Swagger-supported RESTful APIs, GitHub repository support, and plugins for DevOps, VSTS, and Jenkins ecosystem partners
Software Supply Chain Security
Provides precise identification and matching of custom code and third-party risks using proprietary research data to protect software integrity and SDLC
Cloud-Native Application Support
Purpose-built to secure rapidly evolving cloud-native technologies and architectures with flexibility to adapt to diverse application requirements and emerging attack vectors
Dynamic Application Security Testing
Combines multiple security tools for DAST and SAST testing to cover maximum attack surface area including web applications, API endpoints, and external infrastructure
Vulnerability Scanning Capabilities
Supports continuous unlimited vulnerability scanning on-demand, scheduled, or recurring basis with authenticated and unauthenticated testing modes
Manual Penetration Testing
Offers consultant-grade manual penetration testing including business logic testing, access control testing, and vulnerability verification
Remediation and Reporting
Generates automated reports in executive and developer formats with remediation code tailored to specific technology stacks and supports retesting after remediation
Integration and Automation
Provides flexible API integration for DevOps workflows and integrates with Slack, MS Teams, JIRA, and Github for automated bug reporting and tracking
Standard contract
No
No
Customer reviews
Ney Roman
Vulnerability visibility has improved across microservices but integration still needs refinement
Reviewed on Jun 14, 2026
Review from a verified AWS customer
What is our primary use case?
My main use case for StackHawk is to analyze our application live in our EKS cluster.
A specific example of how we use StackHawk in our EKS cluster is that we deployed an agent authenticated to the StackHawk platform and it is in charge of analyzing our different repositories, letting us know if we have any open vulnerabilities within our base code. Every scenario of analysis is completely published into the StackHawk platform so we can see if we have open vulnerabilities to solve and how much time it takes to perform the analysis.
What is most valuable?
The best feature StackHawk offers is called Attack Surface, which is a way of letting us know what repositories that we have hosted in any repository system have a surface attack, and in that case, we integrate the platform into StackHawk, then they let us know the application code base and how we have to integrate it and easily set up the application.
The Attack Surface feature has helped our team by having an inventory of our repositories and which of them have a surface attack.
StackHawk has positively impacted my organization by giving us a new vision of how vulnerabilities were seen, as we now have more visibility in that matter. We now take care of not just the static analysis and the composition analysis, but the dynamic analysis. When our microservices are running, we do have a vision of how it performs, and it also lets us know if we have any open vulnerabilities so we can close them.
Since we started using StackHawk, we've seen reports on different vulnerabilities that we have in our current microservices within the cluster, so now we have a wide vision and a wide perspective, and also we have new ideas about what we need to do. We also have similar microservices, so most of them are common errors and now we are closing up that gap of vulnerabilities.
What needs improvement?
StackHawk can be improved in the way that it is integrated, as at the very beginning, the idea was to, within the pipeline, mount the different resources that our microservices needed to start to run. For example, if we have a service that needed Redis , maybe Kafka, or a database to initialize, we did need to have a Docker Compose file, get up those services, and after that, do the analysis. It didn't have that; it wasn't reachable at the very beginning and it wasn't that good as we expected. But at some point, we decided to mount it as an agent in the Docker file, and it was waiting for new jobs. It was even better, and when we figured out how to integrate it within our EKS cluster, suddenly we started reaching to the services, knowing what was going on, and everything related to security. As long as we have a P2T to our QA site or cluster, we do not have garbage in our databases, but StackHawk does put a little information, a garbage information, doing their job.
That's the main area I'm focusing on right now regarding needed improvements.
For how long have I used the solution?
I've been using StackHawk for almost a year.
What do I think about the stability of the solution?
StackHawk is stable.
What do I think about the scalability of the solution?
Regarding StackHawk's scalability, I don't have a clear vision about how scalable it is, but we can use it in every microservice that we have, and we have almost 300 microservices and all of them can be analyzed within the cluster with our agent.
How are customer service and support?
The customer support was amazing; every time they could, they brought a Spanish translator, so the communication was really smooth. I would rate the customer support ten out of ten.
Which solution did I use previously and why did I switch?
I didn't previously use a different solution for dynamic analysis.
How was the initial setup?
Regarding my experience with pricing, setup cost, and licensing, I'm not sure about pricing since I wasn't part of the team that got the application. The setup cost was actually really cheap; I hosted a self-runner with an image based on the StackHawk one, so it was really cheap and easy. I want to emphasize that I was not part of the pricing details and I'm also not sure about what kind of license we have.
What about the implementation team?
I was just in charge of implementing StackHawk, and I'm actually not part of the security team, so I cannot measure its accuracy and reliability.
Since we started using StackHawk, we've seen reports on different vulnerabilities that we have in our current microservices within the cluster, so now we have a wide vision and a wide perspective, and also we have new ideas about what we need to do. We also have similar microservices, so most of them are common errors and now we are closing up that gap of vulnerabilities.
Actually, I cannot say that we have seen a return on investment, as we've been using it recently and the company hasn't adopted it with all the services, so there isn't any measurement about that. Also, at the very beginning, we were just working with two engineers, and now we have maybe just one, but I don't know, it's complicated.
What was our ROI?
Actually, I cannot say that we have seen a return on investment, as we've been using it recently and the company hasn't adopted it with all the services, so there isn't any measurement about that. Also, at the very beginning, we were just working with two engineers, and now we have maybe just one, but I don't know, it's complicated.
What's my experience with pricing, setup cost, and licensing?
The setup cost was actually really cheap; I hosted a self-runner with an image based on the StackHawk one, so it was really cheap and easy.
Which other solutions did I evaluate?
We did not evaluate other options before choosing StackHawk; we went straightforward to it.
What other advice do I have?
I don't actually have a clear perspective on StackHawk's AI capabilities regarding its governance and security.
My advice to others looking into using StackHawk is to stay prepared. Document how your architecture works, whether you have decoupled services or not. Based on that, it will be easier or not to use the application. In our case, we had to deploy an agent within our cluster and that was the only way we could analyze our microservices. So be prepared, especially technically, because they can help a lot in different areas, but you're the owner of your own infrastructure, so it relies on you how you're going to implement the solution.
My overall rating for this review is seven out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
reviewer2795271
Automated security checks have transformed PCI compliance and provide unified vulnerability insights
Reviewed on Jan 14, 2026
Review from a verified AWS customer
What is our primary use case?
My main use case for StackHawk is primarily as a PCI requirement for DAST.
As a quick specific example of how I use StackHawk for that PCI requirement, it is one of the controls that sits alongside the requirement to have SAST . I deployed StackHawk and Snyk because those two products were easily integrated and therefore providing a unified view of vulnerabilities that existed either during the CI/CD process or running live.
What is most valuable?
The best features StackHawk offers are, most importantly, its ability to report any issues that may exist with code running live. The integration with Snyk provides a more holistic, complete picture of issues in the entire life cycle of the web application.
An example of how getting a holistic picture of issues across the life cycle has helped my team is related to both StackHawk and Snyk because they were basically joined at the hip. Prior to the PCI requirements, there was not a lot of interest in automating the analysis of code that was being developed. Code was being scrubbed for vulnerabilities by humans, which is frankly impractical. You cannot go through either a few thousand or a few million lines of code and expect a human to find vulnerabilities because they are biased. That would be asking a lot based on the sheer volume of data and expecting people to identify vulnerabilities is completely impractical.
Outside of getting StackHawk connected to websites, which was fairly painless, I have no additional features that stand out to me besides the integration and reporting. StackHawk has positively impacted my organization by introducing an automated process that did not exist previously, and it helped the company achieve PCI certification.
What needs improvement?
I cannot think of anything I would add to StackHawk, with the possible exception of adding any additional code bases that might be out there. I am thinking about a situation where a company might be in mergers and acquisitions mode and they onboard a company that has developed an application in a code base that is not covered by StackHawk, which would introduce some inefficiency and possible compliance difficulties. It would be great if StackHawk were continuously adding more and more languages and integrations.
On a scale of one to ten, I would rate StackHawk an eight, only because I wish the product was a little less expensive. It also is running into direct competition with Snyk, as they did an acquisition of another DAST company, and they should be sensitive to that and possibly offer a discount for current users because it would be under consideration to move to Snyk and reduce complexity even if it was by a little bit.
For how long have I used the solution?
I have been using StackHawk for a little over a year.
Which other solutions did I evaluate?
The advice I would give to others looking into using StackHawk is that the integration with Snyk was impressive. You would also consider just using Snyk and the DAST that they onboarded over the past year.
What other advice do I have?
StackHawk is deployed in my organization in the public cloud using the configuration on their site.
I use AWS as my cloud provider.
I rate this product an eight out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Higher Education
Stachawk efficiently processed the data, providing insightful analytics and reports.
Reviewed on Apr 03, 2025
Review provided by G2
What do you like best about the product?
Stachawk efficiently performed a comprehensive security assessment, identifying potential issues such as SQL injection, XSS, and security misconfigurations. The detailed reports provided clear insights into each vulnerability, along with recommendations for remediation.
Another key feature was its ability to adapt to different environments, making it a versatile solution for both black-box and white-box testing scenarios.
Another key feature was its ability to adapt to different environments, making it a versatile solution for both black-box and white-box testing scenarios.
What do you dislike about the product?
A learning path should be added to help users maximize the potential of Stachawk. While the tool is powerful and intuitive, a structured learning path would provide step-by-step guidance on configuring scans, interpreting results, and implementing security best practices.
What problems is the product solving and how is that benefiting you?
Stachawk addresses the need for a DAST scanner that supports ethical hacking, enables early vulnerability detection, and enhances secure development practices. By automating security assessments, it allows cybersecurity professionals and development teams to identify weaknesses in web applications before they can be exploited. Its capabilities facilitate proactive security testing, helping organizations integrate security into their SDLC (Software Development Life Cycle) and adopt a shift-left approach. With Stachawk, teams can strengthen their security posture while ensuring compliance with industry standards and best practices.
Computer Software
Review
Reviewed on Feb 18, 2025
Review provided by G2
What do you like best about the product?
Its scanning capabilities and easy integration into our CI/CD pipelines
What do you dislike about the product?
Simplified documentation for the yml specs. I have to search all over and go through a ton of trial and error when it comes time to setup configurations for stackhawk.
What problems is the product solving and how is that benefiting you?
We needed DAST and it provides that to us
David M.
StackHawk is a great DAST security tool
Reviewed on Jan 23, 2025
Review provided by G2
What do you like best about the product?
We have recently partnered with StackHawk for dynamic security code scanning and the product has been fantastic. StackHawk has many methods for performing code scanning tests which have been helpful for our development team. But I want to mention that perhaps the greatest thing about StackHawk has been their employees and the support they provide. (Most big software manufacturers sort of drop you off the deep end of the pool and disappear.) I will say that the customer on-boarding we had from StackHawk and their professionals was one of the best I've seen in my long career. They have a bunch of experts who are friendly and will assist you in getting the tools set up, explaining all of the features and options, and there to assist when you need help. I'd like to extend my genuine thanks to all at StackHawk for making our security program better and being a great partner.
What do you dislike about the product?
I do not have any dislikes regarding StackHawk.
What problems is the product solving and how is that benefiting you?
We had been using tools from larger software vendors, but they were becoming less effective and their value was declining over time (compared to the ever increasing costs). We looked around this crowded vendor space and reviewed several solutions for code scanning, API scanning, etc. We found that StackHawk was quite easy to set up and integrate. We also found that their staff and support were top notch.