Checkmarx

Checkmarx is an enterprise application security company specializing in static application security testing (SAST) headquartered in Atlanta, Georgia in the United States.^[1] It has over 900 employees.^[1]

Before founding Checkmarx, Maty Siman worked in the Mamram unit of the Israeli Defense Forces (IDF) and later in the Matzov unit. Then he worked a two years term until February 2006 as an advisor at the Israeli Prime Minister's Office.^[2]

Checkmarx was founded in 2006 by Maty Siman and Emmanuel Benzaquen.^[3][1]

In 2017, Checkmarx acquired Codebashing to add AppSec training.^[4] The following year, it acquired Custodela, DevSecOps consulting firm.^[5][6]

Checkmarx was acquired in April 2020 by Hellman & Friedman, a private equity firm with headquarters in San Francisco.

In August 2021, Checkmarx acquired Dustico, a software that detects backdoors and malicious attacks in the software supply chain.^[7][8]

In 2023, founder Emmanuel Benzaquen stepped down as CEO and was succeeded by Sandeep Johri.'^[9]

Checkmarx announced in December 2025 that it had acquired Tromzo, a California-based company known for its AI-native autonomous security agents.^[10] No financial details were made public. Checkmarx stated that Tromzo’s founders, Harshil Parikh and Harshit Chitalia, together with their full AI engineering team, will transition to Checkmarx’s product and engineering division.^[11] Tromzo’s cognitive architecture and reasoning engine will serve as an intelligence layer throughout the Checkmarx One platform and will drive new Assist agents beginning in early 2026.^[12]

Checkmarx maintains a research division, Checkmarx Zero, that has published findings on vulnerabilities and software supply chain risks:

• In 2019, researchers disclosed flaws in Google and Samsung Android camera apps that could enable remote surveillance.^[13]
• In 2022, Ars Technica reported a flaw in the Ring Android app that exposed sensitive user data.^[14]
• In 2025, Checkmarx reported malicious Python packages on PyPI designed to exfiltrate data.^[15]
• In 2025, Cybersecurity Dive reported survey data from Checkmarx indicating that 98% of organizations experienced breaches linked to software flaws.^[16]
• In 2025, ITProToday covered research warning that AI-generated code creates "blind spots" in DevSecOps.^[17]

Independent reporting on Checkmarx research also examined manipulation risks in AI coding agents via a "lies-in-the-loop" technique,^[18] alongside broader supply-chain findings in public repositories.^[19] Survey reporting highlighted that most organizations experienced breaches tied to vulnerable code amid growing adoption of AI development tools.^[20]

Checkmarx's early investors include Salesforce, which remains a partner as Checkmarx provides security reviews for the Salesforce AppExchange.^[21][22][23] In 2015, U.S. private equity and venture capital firm Insight Partners acquired Checkmarx for $84 million.^[23][1][3]

In April 2020, private equity firm Hellman & Friedman, alongside private investment firm TPG,^[24] acquired Checkmarx for $1.15 billion.^[1][3][25] After the acquisition, Insight Partners retained a minority interest in the company.^[1][26]

• Security testing