
    StackHawk

    Deployed on AWS
    StackHawk is a DAST and API testing tool built for developers. With powerful automation and integration capabilities, StackHawk gives engineers the ability to find and fix security vulnerabilities in their AWS software development pipeline before they reach production.
    4.6

    Overview

    Tailored to AWS customers, StackHawk can be deployed directly into AWS environments. The platform runs as part of your CI/CD pipeline with AWS CodeBuild and AWS CodePipeline, automating security testing as a stage of software delivery.
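    As an added illustration of the CodeBuild integration described above (example configuration written for this page, not StackHawk's or AWS's own files): a CodeBuild buildspec that pulls the StackHawk API key from AWS Secrets Manager, starts the application under test, runs the HawkScan Docker image against it, and relies on a stackhawk.yml committed in the repository to gate the build on High severity findings. The Secrets Manager name stackhawk/api-key, the application ID placeholder, the localhost:3000 host, the /healthz and /openapi.json paths, and the docker compose service name are all assumptions; running Docker inside CodeBuild requires the build project to have privileged mode enabled.

```yaml
# buildspec.yml (added example; assumes the CodeBuild project runs with
# privileged mode enabled so it can start Docker containers)
version: 0.2

env:
  secrets-manager:
    # Assumption: the StackHawk API key is stored in Secrets Manager under
    # this secret name and JSON key rather than as a plaintext build variable.
    HAWK_API_KEY: stackhawk/api-key:apiKey

phases:
  pre_build:
    commands:
      # Assumption: the service under test is defined in a compose file in
      # the repo and answers on localhost:3000/healthz once it is up.
      - docker compose up -d app
      - timeout 60 sh -c 'until curl -sf http://localhost:3000/healthz; do sleep 2; done'
  build:
    commands:
      # Mount the checkout (which holds stackhawk.yml) at /hawk and share the
      # host network so the scanner can reach the app on localhost. HawkScan
      # exits non-zero when findings reach hawk.failureThreshold, which fails
      # this CodeBuild stage before CodePipeline can promote the change.
      - >
        docker run --rm -t --network host
        -v "$CODEBUILD_SRC_DIR:/hawk:rw"
        -e API_KEY="$HAWK_API_KEY"
        stackhawk/hawkscan:latest
  post_build:
    commands:
      - docker compose down

---
# stackhawk.yml (committed at the repo root; read by HawkScan from /hawk)
app:
  # Assumption: placeholder application ID issued by the StackHawk platform.
  applicationId: 00000000-0000-0000-0000-000000000000
  env: Development
  host: http://localhost:3000
  openApiConf:
    # Assumption: the service publishes its OpenAPI document at this path so
    # the scanner can enumerate routes instead of spidering blindly.
    path: /openapi.json
hawk:
  # Fail the scan, and therefore the build, on any High severity finding.
  failureThreshold: high
```

    Keeping the API key in Secrets Manager and referencing it through the buildspec's secrets-manager mapping keeps it out of the build logs and the repository; the failureThreshold is what turns the scan from a report into a gate.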

    Our approach to security

    StackHawk is the only dynamic application security testing (DAST) and API security testing tool that runs in CI/CD, making API and application security testing part of software delivery. The StackHawk platform gives engineering teams the ability to find and fix application bugs at any stage of software development and gives Security teams insight into the security posture of the applications and APIs being developed. The platform also contains generative AI technology that helps Security teams identify hidden APIs, providing information about what APIs exist, where they live, and who they belong to.

    Pricing information

    Pricing is available as either StackHawk Pro or StackHawk Enterprise. With both pricing plans, users receive unlimited scans, environments and applications.

    StackHawk Pro features:
    - Docker-based application security scanner
    - CI/CD automation
    - Historical scan data
    - cURL based reproduction criteria
    - Findings triage
    - REST, GraphQL & SOAP support
    - StackHawk CLI
    - Custom scan discovery
    - Applications dashboard
    - Custom test data for REST
    - Custom test data for GraphQL
    - HawkScan ReScan
    - gRPC support (coming soon)
    - Email and Slack based support
    - Slack, Snyk, GitHub, and CodeQL integrations

    StackHawk Enterprise features:
    - ALL features and integrations in StackHawk Pro
    - Single sign-on
    - Role-based permissions
    - Activity history & audit log
    - Log4Shell vulnerability detection
    - Seed paths
    - API access for scan results
    - Executive summary report
    - Custom test scripts
    - Team-based access
    - Policy management
    - Dedicated Slack based support
    - Premier Zoom support
    - Generic webhooks, Microsoft Teams, and DefectDojo integrations

    For more information, visit: https://www.stackhawk.com/pricing/

    For custom pricing, a EULA, or a private contract, please contact marketplace-orders@stackhawk.com for a private offer.

    Highlights

    • Shift Security Left with Automated DAST Scanning: StackHawk is purpose-built to run in the DevOps pipeline, ensuring your team has eyes on any new vulnerabilities before they hit production.
    • Reliably Test Applications and APIs: With StackHawk, you can easily align your DAST testing with your architecture, including REST, SOAP, and GraphQL APIs, for better performance and faster fixes.
    • Developer Focused and Built to Scale AppSec Teams: StackHawk's modern approach to DAST enables developers to write secure software fast and gives Security teams the ability to scale at the speed of software being deployed.

    Details

    Delivery method

    Deployed on AWS


    Pricing

    Pricing is based on the duration and terms of your contract with the vendor. This entitles you to a specified quantity of use for the contract duration. If you choose not to renew or replace your contract before it ends, access to these entitlements will expire.
    Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.

    12-month contract (2 dimensions)

    Dimension            | Description                                                           | Cost/12 months
    StackHawk Pro        | Priced per code contributor for applications under test (minimum 20)  | $588.00
    StackHawk Enterprise | Priced per code contributor for applications under test (minimum 25)  | $708.00

    Vendor refund policy

    All fees are non-cancellable and non-refundable except as required by law.


    Legal

    Vendor terms and conditions

    Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA).

    Content disclaimer

    Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.

    Usage information

     Info

    Delivery details

    Software as a Service (SaaS)

    SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.

    Support

    Vendor support

    Unless otherwise agreed, email support is offered Monday - Friday during normal business hours.

    support@stackhawk.com

    AWS infrastructure support

    AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.

    Capabilities summary

    AI generated from the product description.

    Dynamic Application Security Testing (DAST): Automated dynamic application security testing tool designed to identify vulnerabilities in applications and APIs during the software development lifecycle.
    CI/CD Pipeline Integration: Integrates with AWS CodeBuild and AWS CodePipeline to automate security testing as part of the continuous integration and continuous deployment workflow.
    Multi-Protocol API Testing Support: Supports testing of REST, GraphQL and SOAP APIs, with gRPC support listed as coming soon, and custom test data for REST and GraphQL.
    Generative AI-Powered API Discovery: Uses generative AI technology to identify hidden APIs and provide information about API existence, location, and ownership.
    Enterprise Access Control and Compliance: Provides single sign-on, role-based permissions, activity history, audit logging, policy management, and team-based access controls for enterprise deployments.
    Customer reviews

    Ratings and reviews

    4.6 out of 5 (69 ratings: 1 AWS review, 68 external reviews from G2)

    5 star  78%
    4 star  22%
    3 star   0%
    2 star   0%
    1 star   0%
    reviewer2795271

    Automated security checks have transformed PCI compliance and provide unified vulnerability insights

    Reviewed on Jan 14, 2026
    Review from a verified AWS customer

    What is our primary use case?

    My main use case for StackHawk is primarily as a PCI requirement for DAST.

    As a quick specific example of how I use StackHawk for that PCI requirement, it is one of the controls that sits alongside the requirement to have SAST. I deployed StackHawk and Snyk because those two products were easily integrated and therefore providing a unified view of vulnerabilities that existed either during the CI/CD process or running live.

    What is most valuable?

    The best features StackHawk offers are, most importantly, its ability to report any issues that may exist with code running live. The integration with Snyk provides a more holistic, complete picture of issues in the entire life cycle of the web application.

    An example of how getting a holistic picture of issues across the life cycle has helped my team is related to both StackHawk and Snyk because they were basically joined at the hip. Prior to the PCI requirements, there was not a lot of interest in automating the analysis of code that was being developed. Code was being scrubbed for vulnerabilities by humans, which is frankly impractical. You cannot go through either a few thousand or a few million lines of code and expect a human to find vulnerabilities because they are biased. That would be asking a lot based on the sheer volume of data and expecting people to identify vulnerabilities is completely impractical.

    Outside of getting StackHawk connected to websites, which was fairly painless, I have no additional features that stand out to me besides the integration and reporting. StackHawk has positively impacted my organization by introducing an automated process that did not exist previously, and it helped the company achieve PCI certification.

    What needs improvement?

    I cannot think of anything I would add to StackHawk, with the possible exception of adding any additional code bases that might be out there. I am thinking about a situation where a company might be in mergers and acquisitions mode and they onboard a company that has developed an application in a code base that is not covered by StackHawk, which would introduce some inefficiency and possible compliance difficulties. It would be great if StackHawk were continuously adding more and more languages and integrations.

    On a scale of one to ten, I would rate StackHawk an eight, only because I wish the product was a little less expensive. It also is running into direct competition with Snyk, as they did an acquisition of another DAST company, and they should be sensitive to that and possibly offer a discount for current users because it would be under consideration to move to Snyk and reduce complexity even if it was by a little bit.

    For how long have I used the solution?

    I have been using StackHawk for a little over a year.

    Which other solutions did I evaluate?

    The advice I would give to others looking into using StackHawk is that the integration with Snyk was impressive. You would also consider just using Snyk and the DAST that they onboarded over the past year.

    What other advice do I have?

    StackHawk is deployed in my organization in the public cloud using the configuration on their site.

    I use AWS as my cloud provider.

    I rate this product an eight out of ten.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?


    Higher Education

    StackHawk efficiently processed the data, providing insightful analytics and reports.

    Reviewed on Apr 03, 2025
    Review provided by G2
    What do you like best about the product?
    StackHawk efficiently performed a comprehensive security assessment, identifying potential issues such as SQL injection, XSS, and security misconfigurations. The detailed reports provided clear insights into each vulnerability, along with recommendations for remediation.

    Another key feature was its ability to adapt to different environments, making it a versatile solution for both black-box and white-box testing scenarios.
    What do you dislike about the product?
    A learning path should be added to help users maximize the potential of StackHawk. While the tool is powerful and intuitive, a structured learning path would provide step-by-step guidance on configuring scans, interpreting results, and implementing security best practices.
    What problems is the product solving and how is that benefiting you?
    StackHawk addresses the need for a DAST scanner that supports ethical hacking, enables early vulnerability detection, and enhances secure development practices. By automating security assessments, it allows cybersecurity professionals and development teams to identify weaknesses in web applications before they can be exploited. Its capabilities facilitate proactive security testing, helping organizations integrate security into their SDLC (Software Development Life Cycle) and adopt a shift-left approach. With StackHawk, teams can strengthen their security posture while ensuring compliance with industry standards and best practices.
    Computer Software

    Review

    Reviewed on Feb 18, 2025
    Review provided by G2
    What do you like best about the product?
    Its scanning capabilities and easy integration into our CI/CD pipelines
    What do you dislike about the product?
    Simplified documentation for the yml specs. I have to search all over and go through a ton of trial and error when it comes time to set up configurations for StackHawk.
    What problems is the product solving and how is that benefiting you?
    We needed DAST and it provides that to us
    David M.

    StackHawk is a great DAST security tool

    Reviewed on Jan 23, 2025
    Review provided by G2
    What do you like best about the product?
    We have recently partnered with StackHawk for dynamic security code scanning and the product has been fantastic. StackHawk has many methods for performing code scanning tests which have been helpful for our development team. But I want to mention that perhaps the greatest thing about StackHawk has been their employees and the support they provide. (Most big software manufacturers sort of drop you off the deep end of the pool and disappear.) I will say that the customer on-boarding we had from StackHawk and their professionals was one of the best I've seen in my long career. They have a bunch of experts who are friendly and will assist you in getting the tools set up, explaining all of the features and options, and there to assist when you need help. I'd like to extend my genuine thanks to all at StackHawk for making our security program better and being a great partner.
    What do you dislike about the product?
    I do not have any dislikes regarding StackHawk.
    What problems is the product solving and how is that benefiting you?
    We had been using tools from larger software vendors, but they were becoming less effective and their value was declining over time (compared to the ever increasing costs). We looked around this crowded vendor space and reviewed several solutions for code scanning, API scanning, etc. We found that StackHawk was quite easy to set up and integrate. We also found that their staff and support were top notch.
    Restaurants

    StackHawk Review

    Reviewed on Jan 10, 2025
    Review provided by G2
    What do you like best about the product?
    I like the ability to configure the YAML file centrally. I like the integrations that are available as well.
    What do you dislike about the product?
    The configs of the YAML file and authenticated scans can be frustrating.
    What problems is the product solving and how is that benefiting you?
    Scan apps pushed to staging in the pipeline