The eight products in scope are Coverity Static (SAST), Black Duck SCA (Software Composition Analysis), Polaris (cloud-native SaaS unifying SAST and SCA with DAST, IaC, and secrets), Signal (agentic AI overlay), Continuous Dynamic (service-led DAST), Seeker Interactive (IAST), Defensics Protocol Fuzzing, and Software Risk Manager (ASPM). Merito sells every product and operates the rule design, integration, and ongoing run.
Black Duck portfolio
The full Black Duck AppSec stack, sold and operated by Merito.
Static analysis, supply chain governance, runtime testing, protocol fuzzing, and application security posture management. Eight Black Duck products under one Merito-led program.
Why Merito for Black Duck
A Black Duck engagement is policy authoring, finding tuning, and operating-model design. Merito is the team that does the work after the licenses are signed.
Black Duck is a specialist AppSec vendor with depth across the analysis-engine surface most enterprise programs need. Coverity Static covers source-code SAST across 22 languages and 200-plus frameworks. Black Duck SCA covers open-source dependency, license, and supply-chain risk backed by a KnowledgeBase that catalogs more than 10 million open-source projects. Polaris unifies SAST, SCA, DAST, IaC scanning, and secrets detection in a single SaaS console with concurrent scan engines. Signal is the agentic AI overlay that grounds reachability and prioritization across the analysis engines.
Continuous Dynamic and Seeker Interactive cover runtime testing. Continuous Dynamic is a service-led DAST with Threat Research Center engineers configuring production-safe scans on customer applications. Seeker Interactive is the IAST platform that instruments running applications for real-time vulnerability detection during functional and automated test cycles. Defensics covers protocol fuzzing for IoT, ICS, and network-equipment programs that need zero-day discovery on standard or proprietary protocols.
Software Risk Manager is the ASPM platform that correlates findings from 150-plus security tools across SAST, DAST, IAST, SCA, and manual pentest. It deduplicates the same issue across multiple scanners and maps findings to 20-plus compliance frameworks. Programs running multi-vendor AppSec stacks use Software Risk Manager as the consolidation surface.
Merito's role across every Black Duck engagement is the same. We sell the license. We design the policy and rules so the program produces signal rather than noise. We integrate the products into CI/CD, IDE, and ticketing surfaces. We tune findings and stand up the operating model that decides who owns triage. And we stay on the program through the false-positive review cycles that decide whether the AppSec investment earns developer trust.
The Black Duck toolchain
The Black Duck AppSec portfolio Merito sells and operates
Static and supply chain
The static-mode analysis engines that catch vulnerabilities and license-compliance risks before code ships.
Static analysis
Coverity Static
SAST engine covering 22 languages and 200-plus frameworks with Code Sight IDE integration, PR-time scanning, and custom rules. Path-sensitive analysis with a low false-positive rate.
Supply chain
Black Duck SCA
Open-source dependency, license, and supply-chain risk management backed by the Black Duck KnowledgeBase. Snippet matching for AI-generated code, SBOM import and export, AI Model Risk Insights.
Runtime testing
Production-safe DAST, runtime-instrumented IAST, and protocol fuzzing for the categories static analysis cannot cover.
Runtime testing
Continuous Dynamic
Service-led DAST with Black Duck Threat Research Center engineers configuring production-safe scans, AI verification, and manual business-logic testing on high-priority applications.
Runtime testing
Seeker Interactive
IAST platform that instruments running applications during functional and automated test cycles. Active verification, sensitive-data flow tracking, real-time vulnerability detection.
Runtime testing
Defensics Protocol Fuzzing
Generative model-based protocol fuzzer with 300 prebuilt suites covering RFCs, file formats, and protocols. Black-box testing for APIs, network protocols, and IoT.
Unified platform and agentic AI
Polaris consolidates the analysis engines under a single SaaS console. Signal adds reachability and agentic AI prioritization.
Unified platform
Polaris
Cloud-native SaaS unifying SAST, SCA, DAST, IaC, and secrets detection under one console. Concurrent scan engines, single policy plane, automated SCM onboarding.
Agentic AI
Signal
Agentic AI overlay across the AppSec stack with reachability analysis, CVSS 4.0 and EPSS-grounded prioritization, and pre-commit risk identification inside AI code-assistant workflows.
Application security posture
Cross-vendor ASPM correlating findings from 150-plus tools and mapping evidence to compliance frameworks.
Merito services
Merito services across the Black Duck portfolio
01 Implementation
Coverity rule design, SCA policy authoring, Polaris tenant setup, Continuous Dynamic engagement, Seeker instrumentation, Defensics lab setup, and Software Risk Manager integration onboarding.
02 MAPS Assessment
AppSec program scoping for Black Duck adoption alongside Checkmarx, Snyk, Sonatype, OpenText Application Security, and Semgrep.
03 DevOps Consulting
PR-time scanning gates, build-gate policy, IDE plugin rollout, and findings flowing into developer ticketing across Jenkins, GitHub Actions, GitLab CI, Azure DevOps, and Bitbucket.
04 CRAFT Enablement
Developer-facing AppSec adoption and AppSec champion programs across Coverity, SCA, and Polaris.
05 Premium Support
Named engineer, priority SLAs, and release-window coverage for Black Duck programs Merito implements.
06 Managed Services
Long-term run support including ongoing policy tuning, finding triage operating model, KnowledgeBase policy maintenance, and ASPM integration health.
07 Training and Enablement
Role-based training for AppSec architects, developers, security engineers, and ASPM operators using Black Duck output.
08 Staff Augmentation
Merito-placed AppSec engineers and Black Duck specialists embedded on long-running programs.
Black Duck licensing
Buy Black Duck from the partner that authors the policies and runs the operating model.
An AppSec program is the rule design, the operating model, and the false-positive discipline. Buy Black Duck through Merito and get the licenses plus the program around them.
Related solutions
Where Black Duck connects to the rest of the Merito program
Application Security
Where Black Duck fits inside Merito's broader AppSec program with Checkmarx, Snyk, Sonatype, Akamai, and the rest of the catalog.
DevOps Toolchain
AppSec gates inside CI/CD with Black Duck as the foundational scanning surface and developer-friendly findings management.
Software Delivery Acceleration
Reachability-grounded AppSec reducing remediation cycle time across the analysis-engine surface.
Frequently Asked Questions
Black Duck FAQs
Consultation request
Talk to Merito about Black Duck
Share the AppSec program you are running and the gap you are trying to close. A Merito Black Duck specialist follows up within one business day.
Full Black Duck portfolio
Eight products under one statement of work
Coverity Static, Black Duck SCA, Polaris, Signal, Continuous Dynamic, Seeker Interactive, Defensics, and Software Risk Manager. Sold and operated by Merito.
MAPS-driven scoping
AppSec program scoping by Merito
MAPS Assessment sizes the AppSec program before Black Duck implementation begins, including coverage gaps, integration points, and operating-model design.
Next step
Pick the Black Duck product that closes the right gap. Merito designs the program around it.
A Black Duck conversation with Merito starts with the AppSec maturity assessment. We recommend the product (or product mix) that fits the gap rather than pitching the full catalog.