Checkmarx

Checkmarx is an information security company specializing in software application security testing and risk management for software supply chains. It is headquartered in Atlanta, Georgia in the United States.^[1] It has over 900 employees.^[1]

Checkmarx

Company type	Private
Industry	Software Security, Application security
Founded	2006
Founder	Maty Siman (CTO), Emmanuel Benzaquen (Former CEO)
Headquarters	Atlanta, Georgia, US
Key people	Sandeep Johri (CEO)
Website	checkmarx.com

Background

Before founding Checkmarx, Maty Siman worked in the Mamram unit of the Israeli Defense Forces (IDF) and later in the Matzov unit. Then he worked a two years term until February 2006 as an advisor at the Israeli Prime Minister's Office.^[2]

History

Checkmarx was founded in 2006 by Maty Siman and Emmanuel Benzaquen.^[3][1]

In 2017, Checkmarx acquired Codebashing to add AppSec training.^[4] The following year, it acquired Custodela, DevSecOps consulting firm.^[5][6]

Checkmarx was acquired in April 2020 by Hellman & Friedman, a private equity firm with headquarters in San Francisco.

In August 2021, Checkmarx acquired Dustico, a software that detects backdoors and malicious attacks in the software supply chain.^[7][8]

In 2023, founder Emmanuel Benzaquen stepped down as CEO and was succeeded by Sandeep Johri.'^[9]

Checkmarx announced in December 2025 that it had acquired Tromzo, a California-based company known for its AI-native autonomous security agents.^[10] No financial details were made public. Checkmarx stated that Tromzo’s founders, Harshil Parikh and Harshit Chitalia, together with their full AI engineering team, will transition to Checkmarx’s product and engineering division.^[11] Tromzo’s cognitive architecture and reasoning engine will serve as an intelligence layer throughout the Checkmarx One platform and will drive new Assist agents beginning in early 2026.^[12]

Research

Checkmarx maintains a research division, Checkmarx Zero, that has published findings on vulnerabilities and software supply chain risks:

• In 2019, researchers disclosed flaws in Google and Samsung Android camera apps that could enable remote surveillance.^[13]
• In 2022, Ars Technica reported a flaw in the Ring Android app that exposed sensitive user data.^[14]
• In 2025, Checkmarx reported malicious Python packages on PyPI designed to exfiltrate data.^[15]
• In 2025, Cybersecurity Dive reported survey data from Checkmarx indicating that 98% of organizations experienced breaches linked to software flaws.^[16]
• In 2025, ITProToday covered research warning that AI-generated code creates "blind spots" in DevSecOps.^[17]

Independent reporting on Checkmarx research also examined manipulation risks in AI coding agents via a "lies-in-the-loop" technique,^[18] alongside broader supply-chain findings in public repositories.^[19] Survey reporting highlighted that most organizations experienced breaches tied to vulnerable code amid growing adoption of AI development tools.^[20]

Funding

Checkmarx's early investors include Salesforce, which remains a partner as Checkmarx provides security reviews for the Salesforce AppExchange.^[21][22][23] In 2015, U.S. private equity and venture capital firm Insight Partners acquired Checkmarx for $84 million.^[23][1][3]

In April 2020, private equity firm Hellman & Friedman, alongside private investment firm TPG,^[24] acquired Checkmarx for $1.15 billion.^[1][3][25] After the acquisition, Insight Partners retained a minority interest in the company.^[1][26]

See also

• Security testing