DryRun Security Named a High Performer in SAST on G2 Spring 2026
4.9 out of 5 stars. Verified customers only.
G2 released its Spring 2026 reports this week, and DryRun Security was recognized as a High Performer in the Static Application Security Testing (SAST) category, earning a 4.9 out of 5 rating from verified users.
G2 rankings are based entirely on customer feedback. No analyst opinions. No vendor submissions. Just security teams sharing what is actually working in their environments.
Many of the reviews point to something security teams are dealing with right now. Engineering teams are shipping more code than ever, and more of it is written with help from AI tools like Cursor, Copilot, and Claude Code. Traditional scanners were built for a very different development pace, and teams are starting to feel that gap.
What the reviews actually say
The same theme shows up across many of the reviews. Traditional rule-based SAST tools do a good job catching syntax issues and known patterns, but they often struggle with vulnerabilities tied to authorization logic, business workflows, and how code behaves in context.
That’s where many real exploits tend to show up.
Customers called that out directly in their reviews.
“Catches Logic and Authorization Flaws Traditional SAST Often Misses”
“We use traditional SAST tools, but they mostly rely on rule-based analysis. DryRun focuses on understanding code intent and logical flow, which makes it effective at finding authorization flaws, broken object-level authorization, insecure direct object reference, and insecure business logic. As AI assistants such as Cursor or ChatGPT-based tools become more widely adopted, we face new risks from AI-authored code. DryRun helps us focus specifically on the logic flaws that show up in AI-generated code snippets, issues that traditional scanners often miss.” - Jabez A., Director of Product Security Architecture (5/5)
Another reviewer summarized it this way.
“DryRun’s Context-Aware Scanning Beats Legacy SAST”
“DryRun’s use of LLMs and inclusion of context about the application makes it perform far better than traditional SAST tools. It is able to find business logic vulnerabilities that the legacy SAST scanners are simply unable to find.” - Dan C., CTO (5/5)
Most traditional scanners focus on pattern matching. DryRun looks at how code behaves in context and surfaces the security impact directly in the pull request, giving security teams clearer visibility into what actually changed and what risk it might introduce.
High signal. Low noise.
Security tools only work if developers trust them. When scans generate too many false positives, the real issues get buried.
That signal quality shows up frequently in DryRun reviews.
“Next Gen of SAST Tool That Has Cutting Edge Tech”
“It provides value that other SAST tools have not provided but also is not noisy, and the high accuracy lets us find very critical bugs that have been missed in the past.” - Francis D., Lead AppSec Engineer (5/5)
“AppSec signal, not noise”
“DryRun Security gives me high-signal visibility into the changes that actually matter. It has become a practical way to scale AppSec review when PR volume is high.” - Todd B., CISO (4.5/5)
Built for the way security teams actually work
Another theme across the reviews is how naturally DryRun fits into development workflows. It installs once, automatically picks up new repositories, and surfaces findings directly in pull requests so developers can review and fix issues where they already work.
“Setup is a one-time process, and any new repos are scanned automatically. Findings appear as PR comments, which makes them easy for developers to notice, review, and act on.” - Chenkai G., Security Engineer (5/5)
“DryRun easily integrates into our existing build pipeline so that scans happen automatically and our developers get near real-time feedback on vulnerabilities in their code.” - Josh S., CEO / CISO (5/5)
Some reviewers also mentioned relying on DryRun as part of their daily code review process.
“We use several code review agents, but DryRun is the one we rely on to review the security of the code.” - Jonathan C., CTO (5/5)
Why this recognition matters in the SAST category
SAST has been around for a long time, and most security teams already run static analysis in their pipelines. It’s also a crowded category with tools that have existed for years.
What’s changing is how code is written and reviewed. Teams are shipping faster, codebases are larger, and AI-assisted development is becoming part of everyday workflows.
Traditional scanners were built to detect patterns. Today, security teams increasingly need tools that help them understand how code behaves and what risk new changes actually introduce.
DryRun approaches static analysis through that lens. By analyzing code changes in context and surfacing security impact directly in pull requests, security teams get a clearer picture of what new code actually does and where risk might appear. At DryRun, we think about that approach as Code Security Intelligence.
Recognition in the SAST category from G2 reflects how security teams are evaluating tools in real production environments today.
Thank you to our customers
We’re grateful to every team that took the time to share their experience on G2. That feedback helps other security teams evaluate tools and helps us continue improving DryRun.
If you’re curious what customers are saying, you can explore the full reviews on G2.

