Fluid Attacks’ Static Application Security Testing (SAST) detects security vulnerabilities in your applications. You don’t have to wait until they are built and in production to start evaluating them. Our assessments and analyses are supported by Asserts, our automatic tool, which provides feedback to developers, searching for vulnerabilities with easy, precise, and fast execution across your entire SDLC. However, it is our ethical hackers who carry the main responsibility of completing a more in-depth attack on your IT systems without compromising your company’s development pace. This form of white-box testing is available for diverse frameworks and languages, and examines in line with multiple industry standards. It aims to reduce risks and costs through the early detection of weaknesses in a non-running software and seamless integration into your CI pipelines.


Quick vulnerability detection

The fast and early detection of security flaws can accelerate the remediation processes and achieve significant money and time savings for your company.

Minimal rates of false positives

The rates of false positives appearing on Asserts’ automatic scans can be reduced to a minimum after thorough manual checks by our certified team of ethical hackers.

Scanning based on standards

Scans performed through Fluid Attacks’ SAST are based on many of the current industry standards and requirements (e.g., OWASP, NIST, PCI DSS, GDPR, HIPAA, CWE, NERC, CAPEC). SAST provides quick and detailed reports of any non-compliance in your applications for appropriate intervention.

Low rates of false negatives

A SAST technique performed both automatically and manually allows us to guarantee low rates of false negatives, contrary to what can be achieved by companies that depend exclusively on tools.

An element of a comprehensive test

The SAST technique can be complemented by other methods used in Fluid Attacks, such as DAST, IAST, SCA, RE, and Manual Pentesting, to constitute a comprehensive application security testing.



Our SAST tool achieved the best possible result against the OWASP Benchmark: A TPR (True Positive Rate) of 100% and an FPR (False Positive Rate) of 0%.

Supported Languages

  • ABAP
  • ActionScript
  • Apex
  • C
  • C#
  • C++
  • Cloudformation
  • Cobol
  • Go
  • Hana SQL Script
  • HTML
  • Informix
  • Java
  • JavaScript/TypeScript
  • JCL
  • JSP
  • Kotlin
  • Natural
  • Objective C
  • OracleForms
  • PHP
  • PL-SQL
  • PL1
  • PowerScript
  • Python
  • RPG4
  • Ruby
  • Scala
  • SQL
  • SQL
  • Swift
  • TAL
  • Terraform
  • Transact-SQL
  • VB.NET
  • VisualBasic 6
  • XML