StackHawk - Comprehensive Analysis Report
Summary
StackHawk is a Denver, Colorado-based company founded in 2019, specializing in cloud-based security testing software. Its core mission is to empower developers to identify and resolve application security bugs within Continuous Integration/Continuous Delivery (CI/CD) pipelines before they reach production. StackHawk offers an agile, developer-friendly approach to software security, integrating security seamlessly into the daily workflow rather than relying on traditional, periodic checks. The company emphasizes building trust and confidence, collaboratively tackling complex problems, and fostering a culture of innovation. StackHawk's significance in the industry lies in its "shift-left DAST" (Dynamic Application Security Testing) strategy, enabling earlier detection and remediation of vulnerabilities in modern architectures like APIs and microservices.
1. Strategic Focus & Objectives
Core Objectives
StackHawk's main business objective is to empower developers to find and fix application security bugs in CI/CD pipelines, preventing vulnerabilities from reaching production. The company aims to provide real-time identification and remediation of security issues within the development workflow.
Its long-term goals include:
- Expediting product development and features that enable modern teams to scale safely, particularly in data-sensitive industries such as healthcare and fintech as they embrace AI-driven development.
- Building support for mid-market and enterprise companies.
Specialization Areas
StackHawk specializes in "shift-left DAST," moving security testing earlier into the software development lifecycle. Key areas of expertise include:
- Securing modern architectures such as APIs, microservices, GraphQL, and gRPC.
- Providing dynamic testing capabilities that run directly within CI/CD pipelines.
- Automatically discovering API endpoints and generating OpenAPI specifications.
- Executing runtime security testing before deployment to uncover critical vulnerabilities like authorization flaws, injection attacks, and business logic vulnerabilities.
Target Markets
StackHawk primarily targets companies with employee counts ranging from 50 to over 5,000, with a particular focus on those with 500 to 3,000 employees. The company aims to improve the application security posture of these organizations, regardless of whether they have a dedicated AppSec team.
2. Financial Overview
Funding History
StackHawk has raised a total of $47.4 million across eight funding rounds since its inception in 2019.
- Latest Funding Round (Series B): May 22, 2025 – $12 million.
  - Key Investors: Led by existing investors Sapphire Ventures and Costanoa Ventures.
  - Fund Utilization: Intended to expedite product development and features that enable modern teams to scale safely, especially in data-sensitive industries as they embrace AI-driven development.
  - Impact on Company Growth: This strategic investment signifies sustained investor confidence and supports the company's growth trajectory by fueling innovation in critical product areas.
- Previous Funding Round (Series B): 2022 – $20.7 million.
  - Key Investors: Co-led by Sapphire Ventures and Costanoa Ventures.
As of April 2026, StackHawk generates an estimated $5.5 million in revenue.
3. Product Pipeline
Because StackHawk is a software company, "pipeline development" here refers to its ongoing product development and feature roadmap: the continuous enhancement of its Dynamic Application Security Testing (DAST) platform to address evolving security challenges, particularly those arising from AI-driven development.
Key Products/Services
- DAST Platform (HawkScan):
  - Description: A developer-oriented Dynamic Application Security Testing (DAST) tool focused on "shift-left" security, integrating directly into CI/CD pipelines. It performs automated scans at every pull request against an application, service, or API to find newly introduced vulnerabilities.
  - Development Stage: Actively developed with continuous enhancements.
  - Target Market/Condition: Developers and security teams in companies using CI/CD pipelines; ensures security for modern architectures (REST, SOAP APIs, GraphQL, gRPC).
  - Expected Timeline: Ongoing development and feature releases.
  - Key Features and Benefits:
    - Automated scans at every pull request.
    - Tests running applications and APIs in pre-production environments.
    - Sends real requests, analyzes responses, and simulates attack scenarios.
    - Uncovers critical authorization and business logic flaws.
    - Simplified deployment model (configurable as code or Docker container).
    - Clear remediation guidance to reduce false positives.
    - Supports various API types (REST, SOAP APIs, GraphQL, gRPC).
Ongoing Product Development and Innovation (Key Areas):
- AI-driven Security Issue Discovery: Incorporating generative AI technology to discover security issues within code in GitHub repositories.
- Source-based API Discovery: Enhancing the platform to understand the attack surface from source code and automatically discover API endpoints.
- AI-powered Remediations: Developing AI-powered guidance to help developers quickly fix identified vulnerabilities.
- Integration with Microsoft Ecosystem: Tailoring workflows for GitHub Actions and Azure DevOps, including SARIF integration for advanced security tooling.
- Fuzzing Capabilities: Utilizing targeted fuzzing for more efficient, less manual application testing.
- Enhanced Reporting and Auditing: Streamlining reporting and auditing processes to aid in compliance with regulations like HIPAA, GDPR, PCI DSS, and SOX.
- Mid-market and Enterprise Support: Building features for mid-market and enterprise companies, including an Azure Marketplace presence, team management features, and new roles with reduced permissions.
4. Technology & Innovation
Technology Stack
- Core Platforms and Technologies: StackHawk's DAST platform, HawkScan, integrates with popular CI/CD tools such as GitHub, GitLab, Jenkins, and CircleCI. It also integrates with cloud platforms like AWS and Azure. Findings can be sent to Jira and Slack for developer-native remediation workflows.
- Proprietary Developments: The DAST platform performs automated scans at every pull request, running against an application, service, or API to find newly introduced vulnerabilities. It distinguishes itself from legacy DAST tools by testing running applications and APIs in pre-production environments, sending real requests, analyzing responses, and simulating attack scenarios to uncover critical vulnerabilities.
- Scientific Methodologies: The platform supports testing for REST, SOAP APIs, GraphQL, and gRPC. It leverages a simplified deployment model configurable as code or via a Docker container, allowing the scanner to run on CI/CD servers or a developer's local machine. The focus is on genuinely exploitable vulnerabilities, providing clear remediation guidance to reduce false positives.
- Technical Capabilities:
  - Automated dynamic scanning for applications and APIs.
  - Real-time vulnerability detection in pre-production.
  - Contextual remediation guidance.
  - Integration with various developer and CI/CD tools.
AI-driven Capabilities
- Generative AI for Discovery: Incorporates generative AI technology for discovering security issues within code in GitHub repositories.
- AI-powered Remediations: Actively developing AI-powered remediation guidance to help developers quickly fix identified vulnerabilities. This innovation aims to empower security teams to keep pace with the increasing speed of AI-driven development.
5. Leadership & Management
Executive Team
- Joni Klippert - Co-Founder & CEO: Joni brings prior experience from Splunk and VictorOps, contributing significant expertise to the application security space.
- Scott Gerlach - Co-Founder & CSO: Scott has been instrumental in establishing StackHawk and defining its strategic security direction.
Recent Leadership Changes
- Joe Sullivan - Board of Directors: In March 2026, Joe Sullivan, former Chief Security Officer at Meta, Uber, and Cloudflare, joined the StackHawk Board of Directors. His appointment highlights the growing importance of runtime testing in the AI era and brings valuable industry leadership to the company.
6. Talent and Growth Indicators
Hiring Trends and Workforce
StackHawk is a Series B SaaS company with approximately 50 employees. The company operates as a remote-first organization with a physical office in Denver, CO. StackHawk is actively hiring, which signals a clear growth trajectory. The company is dedicated to diversity, equity, and inclusion, reflected in its diversity manifesto and a diverse management team.
Key Roles Being Recruited
StackHawk is "always hiring" and views open positions as an indicator of growth. Recently posted jobs, such as Sales Development Representative (SDR), indicate key roles being recruited to support expansion.
Company Growth Trajectory Indicators
- Active hiring and increasing employee count.
- Commitment to diversity, equity, and inclusion.
- Providing competitive benefits, including company equity, home-office stipends for remote employees, comprehensive healthcare (dental insurance, FSA, health insurance), and retirement benefits (401(k), disability insurance).
7. Social Media Presence and Engagement
Digital Footprint
StackHawk maintains a strong presence across several social media platforms.
- LinkedIn: Used for professional networking, company updates, and talent acquisition.
- Twitter/X: Engages with the cybersecurity community, shares industry insights, and promotes content.
- YouTube: Features videos such as "StackHawk: Reimagining Application Security for the AI Era," which discusses the impact of AI on software development and StackHawk’s approach to API and application security. This content showcases their thought leadership and aims to foster community engagement on critical industry topics.
Brand Messaging and Positioning
StackHawk's brand messaging emphasizes developer empowerment, "shift-left" security, and the integration of security directly into the CI/CD pipeline. They position themselves as innovators in the evolving landscape of AI-driven development.
8. Recognition and Awards
Industry Recognition
- Outstanding API Security Platform (Global Infosec Awards): In May 2025, StackHawk was named the "Outstanding API Security Platform" by the Global Infosec Awards at RSA 2025, presented by Cyber Defense Magazine. This award acknowledges the company's innovative and compelling value proposition in the competitive infosecurity industry.
9. Competitive Analysis
StackHawk operates within the Dynamic Application Security Testing (DAST) market.
Major Competitors
- Veracode:
  - Overview: Offers a comprehensive suite of application security testing solutions, including DAST, SAST, and SCA.
  - Focus Areas: Enterprise-grade security solutions across the SDLC.
- NTT Application Security:
  - Overview: Provides a range of application security services, including DAST and managed security services.
  - Focus Areas: Scalable security testing and vulnerability management.
- FOSSA:
  - Overview: Specializes in open-source software (OSS) management and license compliance.
  - Focus Areas: Software composition analysis (SCA) and open-source risk management.
- Checkmarx:
  - Overview: A leader in application security testing, offering SAST, DAST, IAST, and SCA.
  - Focus Areas: End-to-end application security platform for enterprises.
- Snyk:
  - Overview: Focuses on developer-first security for code, dependencies, containers, and infrastructure as code.
  - Focus Areas: SAST, SCA, and container security, emphasizing developer integration.
- HackerOne:
  - Overview: Provides a bug bounty platform and vulnerability disclosure programs.
  - Focus Areas: Crowd-sourced security testing and ethical hacking.
- Invicti (formerly Netsparker and Acunetix):
  - Overview: Offers DAST and IAST solutions for web application security.
  - Focus Areas: Automated web vulnerability scanning and management.
- Bright Security:
  - Overview: Provides DAST solutions that integrate into the CI/CD pipeline.
  - Focus Areas: Developer-friendly DAST with a focus on ease of use and automation.
- Burp Suite Enterprise:
  - Overview: An enterprise-grade DAST solution building on the popular Burp Suite Professional.
  - Focus Areas: Continuous web vulnerability scanning and reporting for enterprise environments.
Competitive Positioning
StackHawk differentiates itself through its explicit developer experience design and its CI/CD-native deployment model, which prioritizes "shift-left" testing. This approach emphasizes embedding security directly into the development workflow, providing real-time feedback to developers, and focusing on exploitable vulnerabilities with clear remediation guidance, setting it apart from many traditional DAST tools that primarily cater to security teams and often operate later in the development cycle.
10. Market Analysis
Market Overview
The application security market is a significant and expanding industry. MarketsandMarkets projects this market to grow from $7.3 billion to $18.2 billion by 2028.
Growth Potential
The industry is experiencing rapid changes driven by the acceleration of AI-driven development. This trend leads to increased code generation, greater API creation, and a broader attack surface. Approximately 71% of internet traffic is driven by API calls, creating a "pressure cooker of risk" as AI-generated code has been shown to contain more vulnerabilities than human-written code.
Key Market Trends
- Shift-left Security: Integrating security testing earlier into the software development lifecycle.
- AI-driven Development: Rapid adoption of AI in code generation leading to new security challenges.
- API and Microservices Proliferation: Increased reliance on APIs and microservices expanding the attack surface.
- Developer-centric Security: Tools and processes designed to empower developers to own security responsibilities.
Market Challenges and Opportunities
- Challenges: Traditional security testing often occurs too late in the development cycle, making fixes expensive and disruptive. The proliferation of AI-generated code increases the volume and complexity of vulnerabilities.
- Opportunities: StackHawk's focus on "shift-left DAST" directly addresses these challenges by enabling developers to integrate security into their workflow. This positions the company within a crucial trend of proactive security in a fast-evolving threat landscape, especially for securing AI-accelerated software development.
11. Strategic Partnerships
StackHawk focuses on strategic integrations with existing developer tools and platforms to strengthen its market position and capabilities.
- Partner Organization: CI/CD Tools (GitHub, GitLab, Jenkins, CircleCI)
  - Nature of Partnership: Seamless integration for embedding DAST directly into CI/CD pipelines.
  - Strategic Benefits: Enables automated security testing with every pull request, facilitating a "shift-left" security approach.
- Partner Organization: Cloud Platforms (AWS, Azure)
  - Nature of Partnership: Integration to facilitate developer workflows within these environments.
  - Strategic Benefits: Expands reach and provides seamless security testing for cloud-native applications. StackHawk's presence in the Azure Marketplace and its SARIF integration further demonstrate a strategic alignment with Microsoft.
- Partner Organization: Developer-centric tools (Jira, Slack)
  - Nature of Partnership: Integration for sending security findings.
  - Strategic Benefits: Enables developer-native remediation workflows and faster resolution of vulnerabilities.
- Future Collaborations: StackHawk foresees integrations with more SAST technologies, viewing DAST as complementary for prioritizing findings and correlating lines of code. The company also expects to form more partnerships with other popular developer testing tools, leveraging its API-based approach.
12. Operational Insights
StackHawk's core operational strength and competitive advantage lie in its developer-first "shift-left DAST" approach.
- Current Market Position: Positions itself as a leader in CI/CD-native DAST, differentiating from traditional DAST tools that typically target security teams and conduct testing later in the development cycle.
- Competitive Advantages:
  - Developer-First Design: Empowers developers to find and fix vulnerabilities as they write code.
  - CI/CD Native Deployment: Embeds dynamic application and API security testing directly into CI/CD pipelines.
  - Real-time Feedback: Provides immediate feedback and actionable remediation guidance during pull requests and pre-production phases.
  - Modern Architecture Support: Supports various API types (REST, GraphQL, gRPC) and addresses the complexity of microservices.
  - Automated Security: Focuses on automating security checks to reduce manual effort and cost of remediation.
  - Shared Visibility: Provides engineering and AppSec teams with a shared dashboard for insights into security fixes.
- Operational Strengths: Ability to integrate seamlessly with existing developer tools and workflows, enhancing efficiency and reducing friction in adopting security practices.
- Areas for Improvement: Continuous adaptation to the rapidly evolving threat landscape, particularly with the acceleration of AI-driven development.
13. Future Outlook
Strategic Roadmap
StackHawk's strategic roadmap is heavily influenced by the acceleration of AI-driven development and the associated increase in attack surfaces and vulnerabilities.
Planned Initiatives
- Securing AI-Driven Development: Equipping modern teams embracing AI-driven development with solutions to scale safely, especially in data-sensitive industries like healthcare and fintech. This includes providing new solutions that help engineering teams identify and fix security issues generated by the speed of AI.
- Enhanced Observability for Security Teams: Innovating to provide security teams with better visibility and observability into how quickly codebases are changing due to AI, enabling effective security program management.
- Expansion of DAST Capabilities: Pursuing further integrations with Static Application Security Testing (SAST) technologies to create a synergistic approach, allowing for quicker prioritization of SAST findings and line-of-code correlation for DAST findings.
- Partnerships with Developer Testing Tools: Expects to form more partnerships with other popular developer testing tools, leveraging its API-based approach.
- Growing Market Share in Mid-market and Enterprise: Building support for mid-market and enterprise companies, including specific integrations and features tailored for the Microsoft ecosystem.
Growth Strategies
Focus on product innovation, particularly in AI-driven security discovery and remediation, expanding integrations, and targeting larger market segments.
Expansion Opportunities
The company aims to capitalize on the growing application security market by addressing the unique challenges presented by modern, rapidly evolving software development practices, especially those impacting AI-generated code.
Future Challenges and Mitigation Strategies
- Challenges: The rapid pace of AI-driven development introduces new types and volumes of vulnerabilities, while the attack surface of modern architectures keeps increasing.
- Mitigation Strategies: StackHawk addresses these by integrating AI-driven security issue discovery and remediation, enhancing observability for security teams, and extending its DAST capabilities through integrations with other security tools.