Fortify Static Code Analyzer (SCA) — now sold by OpenText after the Micro Focus acquisition of the HP Fortify product line — is one of the longest-standing enterprise SAST tools on the market. It is also one of the most expensive, and one of the least transparent about its pricing. This guide breaks down what Fortify actually costs, how its licensing model works, what hidden costs to expect, and how it compares to alternatives in 2026.
Why Fortify Pricing Is So Hard to Find
OpenText (like its predecessors Micro Focus and HP) does not publish Fortify pricing publicly. All pricing is delivered through direct sales conversations, and costs vary widely based on:
- Number of applications being scanned
- Lines of code (LOC) in scope
- Number of developers or seats
- Deployment model (Fortify on Demand SaaS vs. on-premise SCA)
- Whether DAST (WebInspect), the Software Security Center (SSC) management server, and support contracts are included
- Negotiated enterprise agreements and multi-year commitments
This opacity is deliberate — it allows Fortify to price based on perceived value for each account rather than a published rate card.
Fortify Pricing: What Enterprise Customers Actually Pay
Based on publicly available procurement records, customer reviews on G2 and Gartner Peer Insights, and conversations with enterprise buyers, here are realistic 2026 price ranges for Fortify deployments:
Fortify SCA (On-Premise)
Fortify SCA is the on-premise static analysis engine. Pricing is typically structured around number of applications or lines of code:
| Scope | Estimated Annual Cost |
|---|---|
| Small (1–5 apps, under 500k LOC) | $30,000–$60,000/year |
| Mid-size (5–20 apps, 500k–2M LOC) | $60,000–$120,000/year |
| Large enterprise (20+ apps, 2M+ LOC) | $120,000–$250,000+/year |
These estimates are for SCA only — the static analysis component. They do not include the Fortify Software Security Center (SSC) server, DAST, or support.
Fortify Software Security Center (SSC)
SSC is the web-based management server that stores scan results, manages projects, generates reports, and enforces security gates. It is a separate license from SCA:
- Entry-level SSC: $15,000–$30,000/year additional
- Enterprise SSC with advanced workflow, audit, and compliance features: $30,000–$60,000+/year additional
Many Fortify buyers are surprised to learn that the scan engine (SCA) and the results management platform (SSC) are licensed separately.
Fortify WebInspect (DAST)
Fortify’s dynamic application security testing product is WebInspect — a completely separate product that requires separate purchase, deployment, and configuration:
- WebInspect entry: $20,000–$40,000/year
- WebInspect Enterprise: $40,000–$100,000+/year
Unlike platforms that bundle SAST and DAST together, Fortify requires you to purchase, deploy, and maintain two completely separate products — SCA for static analysis and WebInspect for dynamic analysis — and then integrate their results manually.
Fortify on Demand (FoD) — SaaS
Fortify on Demand is the cloud-based version where code is uploaded to OpenText’s infrastructure for scanning. Pricing is typically per-application:
| Applications | Estimated Annual Cost |
|---|---|
| 1–3 apps | $15,000–$30,000/year |
| 5–10 apps | $30,000–$80,000/year |
| 10–25 apps | $80,000–$150,000+/year |
FoD includes the scanning service but not the full SSC platform. Results are managed through the FoD portal, which has fewer features than the on-premise SSC.
The True Total Cost of a Fortify Deployment
When enterprise buyers model a full Fortify deployment, the real cost includes far more than the base SCA license:
Component Cost Breakdown (Mid-Size Enterprise)
| Component | Annual Cost |
|---|---|
| Fortify SCA license | $80,000–$120,000 |
| SSC server license | $25,000–$40,000 |
| Support and maintenance (20% of license) | $21,000–$32,000 |
| WebInspect DAST (if needed) | $40,000–$80,000 |
| Professional services (initial setup) | $20,000–$50,000 (one-time) |
| Infrastructure (SSC server, DB, storage) | $10,000–$30,000/year |
| Total Year 1 | $196,000–$352,000+ |
| Total ongoing (Year 2+) | $176,000–$302,000+/year |
This is before accounting for the internal engineering time required to manage the Fortify deployment, tune rules, integrate with CI/CD pipelines, and maintain the SSC server.
Hidden Costs
1. Rule tuning and false-positive management Fortify SCA is known for generating significant false positives on complex codebases, especially in languages like JavaScript and Python. Enterprise customers report spending 20–40% of their AppSec engineer capacity on Fortify result triage, rule customization, and suppression management.
2. Slow scan speed Fortify SCA is significantly slower than modern alternatives. Full scans of large codebases (1M+ LOC) can take 4–8 hours, creating friction for CI/CD integration. Teams typically end up running Fortify as a nightly or weekly batch scan rather than per-pull-request — reducing its effectiveness at catching vulnerabilities early.
3. Upgrade complexity Major Fortify versions require database migrations, rule set updates, and re-baseline activities that require professional services engagements. Customers on multi-year Fortify contracts regularly report surprise upgrade costs of $20,000–$50,000 for major version transitions.
4. Training Fortify’s interface (both the SCA scan interface and the SSC portal) requires training for both security engineers and developers. OpenText offers training courses, typically billed separately from the license.
What You Get for the Price
To be fair to Fortify, the price buys real capabilities:
Genuine interprocedural taint analysis: Fortify SCA has a strong taint analysis engine with broad language coverage and a large library of rules for enterprise frameworks (Java EE, Spring, ASP.NET, SAP, Salesforce Apex, COBOL, PL/SQL).
Compliance reporting: Fortify’s compliance reporting is mature — OWASP Top 10, CWE Top 25, PCI-DSS, HIPAA, FISMA, NIST 800-53, and custom audit correlation. For regulated industries, the built-in compliance mappings save significant reporting effort.
Market tenure: Fortify has been used in US government agencies, defense contractors, and large financial institutions for 20+ years. In some regulated environments, Fortify is specifically mandated by compliance frameworks or existing procurement contracts.
On-premise operation: For organizations with strict data sovereignty requirements (classified systems, air-gapped environments), Fortify SCA can be deployed fully on-premise with no data leaving the organization’s network.
Fortify Pricing vs. Alternatives
The natural question when evaluating Fortify pricing is: what else is available for a similar or lower investment?
Fortify vs. Checkmarx
| Criterion | Fortify SCA | Checkmarx |
|---|---|---|
| Analysis engine | Taint analysis | Taint analysis |
| DAST included | ❌ Separate (WebInspect) | ❌ Separate |
| On-premise | ✅ Yes | ⚠️ Complex |
| Pricing model | Per-application | Per-seat |
| Estimated annual cost | $80k–$200k+ | $20k–$100k+ |
| Scan speed | ⚠️ Slow | ✅ Faster |
Checkmarx is generally less expensive than Fortify at scale, with a faster scan engine. However, Checkmarx also requires a separate DAST purchase, and per-seat pricing becomes expensive for large teams.
Fortify vs. Veracode
| Criterion | Fortify SCA | Veracode |
|---|---|---|
| Analysis approach | Source code | Compiled binary |
| On-premise | ✅ Yes | ❌ SaaS only |
| DAST included | ❌ Separate | ✅ Separate product |
| Pricing model | Per-application | Per-seat |
| Estimated annual cost | $80k–$200k+ | $30k–$150k+ |
Veracode is SaaS-only — compiled binaries are uploaded to Veracode’s infrastructure. For organizations with source code confidentiality requirements, this is a disqualifying constraint. Veracode’s binary analysis is also less precise than source-level analysis for complex data flow vulnerabilities.
Fortify vs. Offensive360
For organizations evaluating Fortify who want an alternative with equivalent or better security analysis capabilities at a significantly lower cost:
| Criterion | Fortify SCA | Offensive360 |
|---|---|---|
| Analysis engine | Taint analysis | Taint analysis |
| DAST included | ❌ Separate (WebInspect) | ✅ Included |
| SCA included | ❌ Add-on | ✅ Included |
| On-premise | ✅ Yes | ✅ OVA + air-gap |
| SaaS option | ✅ FoD | ❌ On-premise only |
| Language count | 27+ | 60+ |
| Pricing model | Per-application | Flat annual rate |
| Second-order injection | ✅ Yes | ✅ Yes |
| Scan speed | ⚠️ Slow | ✅ Faster |
| Malware analysis | ❌ No | ✅ Yes |
| IaC scanning | ⚠️ Limited | ✅ Terraform, K8s, Helm |
The most significant difference: Offensive360 includes DAST, SCA, and SAST in a single license at a flat annual rate. With Fortify, the equivalent capability requires purchasing and integrating SCA + WebInspect + SSC separately — often at 3–5× the total cost.
For a detailed feature-by-feature breakdown, see our full Offensive360 vs. Fortify comparison.
Who Should Still Choose Fortify
Despite the price and complexity, Fortify SCA remains the right choice in specific scenarios:
Government and defense with existing Fortify mandates: Some US federal agencies and defense contractors have Fortify specifically written into their security compliance programs. In those environments, the switching cost and procurement risk of replacing Fortify outweigh the price savings.
Organizations already invested in the Fortify ecosystem: If your organization has years of Fortify baseline results, custom rule libraries, SSC integrations, and audit workflows built around Fortify, the migration cost to a new tool is real. Evaluate switching costs carefully before moving.
Very large codebases with specific Java EE compliance requirements: Fortify has the deepest rule library for some legacy Java EE, Struts, and SAP ABAP patterns. For organizations running these specific stacks and needing the Fortify rule pedigree for compliance reporting, alternatives may require custom rule development to match Fortify’s coverage.
Who Should Look Beyond Fortify
For the majority of enterprise security programs evaluating Fortify without an existing mandated relationship:
Cost is a primary constraint: Fortify’s total cost of ownership — SCA + SSC + WebInspect + support + infrastructure — typically runs $150,000–$350,000+/year for a mid-size enterprise. For teams that need genuine taint analysis at a fraction of this cost, alternatives like Offensive360 provide equivalent security analysis with flat-rate pricing.
DAST is required: Fortify does not include DAST. Every team that needs dynamic application testing alongside static analysis must separately budget, procure, and integrate WebInspect — at additional five-figure annual cost.
Scan speed matters for CI/CD: Fortify’s scan speed is a known limitation. Teams wanting per-pull-request SAST feedback will struggle with Fortify’s scan times on large codebases. If your CI/CD pipeline needs sub-30-minute SAST results, evaluate faster alternatives.
Language coverage beyond Java and .NET: Fortify’s strongest coverage is Java/J2EE, .NET/C#, and C/C++. Its JavaScript, Python, Ruby, Go, and mobile coverage is weaker. For polyglot codebases, Offensive360’s 60+ language coverage with equally strong engines across JavaScript, Python, and mobile platforms is a meaningful advantage.
How to Get Fortify Pricing
Since OpenText does not publish Fortify pricing, the standard approach is:
- Contact OpenText sales via the Fortify product page. Expect 1–3 weeks for a quote.
- Request a proof-of-concept scan as part of the evaluation — any serious vendor will accommodate this.
- Get itemized quotes for SCA, SSC, WebInspect, and support separately — don’t accept a bundled quote without seeing the component costs.
- Push for multi-year pricing — Fortify discounts improve significantly with 3-year commitments.
- Ask about migration credits if you are replacing another tool.
Alternatively, before engaging Fortify’s sales team, consider running a one-time SAST scan with Offensive360 for $500. This gives you a concrete baseline of your codebase’s vulnerability profile — including taint-analysis results — to use as a comparison point when evaluating Fortify’s proof-of-concept scan results.
Frequently Asked Questions
What does Fortify SCA cost per year?
Fortify SCA pricing is not publicly listed. Based on customer reports, enterprise contracts typically range from $50,000 to $200,000+ per year for the scan engine alone. The total cost including Software Security Center (SSC), WebInspect DAST, support, and infrastructure is typically $150,000–$350,000+/year for a mid-size enterprise deployment.
Does Fortify pricing include DAST?
No. Fortify Static Code Analyzer (SCA) is a SAST-only product. Dynamic Application Security Testing (DAST) requires Fortify WebInspect, which is a separate product with separate licensing. Organizations needing both static and dynamic testing from Fortify must budget for and integrate both products independently.
Is there a free trial or one-time scan option for Fortify?
Fortify offers proof-of-concept evaluations through their sales team. There is no self-serve free trial or one-time scan option. If you need a baseline scan of your codebase to understand your vulnerability profile before committing to an enterprise contract, Offensive360’s one-time SAST scan ($500) provides a cost-effective alternative.
How does Fortify SCA compare to Checkmarx on price?
Checkmarx is generally less expensive than Fortify at the entry point, with enterprise contracts typically starting around $20,000/year vs. Fortify’s ~$50,000+ entry. Both use per-application or per-seat pricing models. Both require separate purchases for DAST.
Does Fortify support on-premise deployment?
Yes. Fortify SCA with the SSC management server can be deployed fully on-premise. This is one of Fortify’s advantages in regulated industries with data sovereignty requirements. Offensive360 also supports on-premise deployment via OVA virtual appliance with 100% air-gapped operation.
What is the difference between Fortify SCA and Fortify on Demand?
Fortify SCA is the on-premise installation where the scan engine runs on your infrastructure and results are stored in your SSC server. Fortify on Demand (FoD) is the SaaS option where code is uploaded to OpenText’s cloud and scanned there. FoD is simpler to start but lacks the full SSC feature set and requires uploading source code to a third-party server.
Summary: Fortify Pricing Reality
Fortify SCA is a capable, mature SAST tool with genuine taint analysis and strong compliance reporting. But its true total cost — when you include the SSC management server, WebInspect DAST, support contracts, infrastructure, and the ongoing engineering overhead of managing the platform — typically lands between $150,000 and $350,000+ per year for a mid-size enterprise.
For organizations evaluating Fortify who need equivalent security analysis (interprocedural taint analysis, second-order injection detection, compliance reporting) without the per-product fragmentation and cost, Offensive360 delivers SAST + DAST + SCA in a single flat-rate platform with on-premise OVA deployment and faster scan times.
Before committing to an enterprise Fortify contract, run a one-time SAST scan for $500 to establish a concrete vulnerability baseline — then compare the results directly with a Fortify proof-of-concept on the same codebase.
See the full feature and price comparison: Offensive360 vs. Fortify — or book a demo to see Offensive360’s taint analysis on your own code.