2025 Gartner® Magic Quadrant™: API Security Among Key Features of Modern AST Platforms

The application security landscape is in constant motion. For security leaders, the challenge is no longer just securing monolithic applications or scanning code repositories. Today's applications are a complex, distributed web of microservices, third-party integrations, and increasingly, autonomous AI agents. This new Agentic Action Layer is creating an explosive new attack surface. What is the critical connective tissue for this entire modern architecture? APIs. 

To us, the release of the 2025 Gartner® Magic Quadrant™ for Application Security Testing (AST) reflects this new reality. The report dissects a market evolving to meet the demands of "modern application designs" and an "expanding attack surface". 

While foundational AST capabilities such as Static (SAST) and Dynamic (DAST) testing remain mandatory, modern application security requires additional measures to address evolving risks. Gartner now identifies API security testing as a common and essential feature of modern AST platforms, emphasizing the need to discover APIs across development and production. 

A Leader with API Security

As previously shared, HCLSoftware has been named a Leader in the 2025 Gartner® Magic Quadrant™ for Application Security Testing for its product — HCL AppScan. For CISOs evaluating multiple vendors, the most revealing insights come from the platform’s specific capabilities—and in our view, API security stands out as one of HCL AppScan’s most comprehensive capabilities.

The platform delivers extensive, multilayered API security, using AI-driven continuous discovery to identify APIs—including hidden or inactive ones—via eBPF inspection and dynamic testing to improve visibility and protection. 

This approach of discovering unknown assets, identifying "zombie" APIs, and going beyond simple vulnerability scanning, is the very essence of a modern, full-lifecycle API security strategy. 

To see the full vendor analysis and market landscape, get a complimentary copy of the report from here. 

What This Means for Security Leaders 

For a CISO, one of the key strategic takeaways is clear: You can no longer treat API security as a siloed, add-on capability.

Traditional AST tools were built to find vulnerabilities in code. They were not designed to understand the complex business logic or discover the thousands of "shadow" APIs created by developers in a fast-moving, "API-first" world. 

The partnership between HCLSoftware and Salt Security bridges this critical gap and delivers an integrated solution called HCL AppScan API Security. It combines Salt’s continuous discovery and posture governance with HCL AppScan’s dynamic analysis to provide a full-lifecycle API security solution. 

This unified approach means you can consolidate vendors without compromising on security for your most significant attack vector. You get a holistic view of application risk, from the first line of code written to the last API call in production. 

The Future of AST is API-Centric 

It’s increasingly clear that the market is catching up to the reality that developers have already embraced: modern applications run on APIs. Securing them requires a modern approach. 

To learn more about our integrated approach to AST and API security, visit our official page. 

Disclaimer

Gartner, Magic Quadrant for Application Security Testing, Gartner, Magic Quadrant for Application Security Testing, Jason Gross, Mark Horvath, Aaron Lord, Giles Williams, Shailendra Upadhyay, Dionisio Zumerle, October 6, 2025

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, Magic Quadrant is a registered trademark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved. 

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.