SAMMY Reviews & Product Details

SAMMY Media

SAMMY Demo - Evaluate your Security Posture
SAMMY streamlines the security posture evaluation of thousands of companies using a variety of different compliance and maturity frameworks like OWASP SAMM, NIST CSF 2.0 and ISO 27001.
SAMMY Demo - Improve & Monitor your Security Posture
SAMMY enables the creation of improvement plans and setting long-term targets, allowing you to monitor progress with live report dashboards.
SAMMY Demo - Map Between Frameworks Seamlessly
Automated mapping reuses your existing assessment results to prefill a different standard, calculates mapped scores for each requirement, and lets you export the mapping or generate a new assessment from it.
SAMMY Reviews (5)

4.9 average rating (5 reviews)
Jim Stanhope - C.
Staff Engineer - Product Security
Enterprise (> 1000 emp.)
"SAMMY: Intuitive, Framework-Rich Platform for Security Maturity and Continuous Improvement"
What do you like best about SAMMY?

SAMMY is an outstanding platform for any organization that is serious about maturing its application security and software assurance program. Built by contributors to OWASP SAMM (Software Assurance Maturity Model), SAMMY provides a structured, intuitive, and highly effective way to assess and improve security practices across the software development lifecycle.

One of SAMMY’s biggest strengths is its broad support for industry frameworks. It seamlessly incorporates OWASP SAMM alongside standards such as ISO 27001, NIST SSDF, and NIST SP 800‑34, allowing teams to manage compliance and security maturity in one centralized place. That flexibility is especially valuable for organizations that need to balance multiple regulatory or security requirements.

The platform also excels at assessment and continuous improvement. It helps teams quickly identify gaps in their current security posture and then build meaningful, measurable roadmaps to address them. SAMMY’s user‑friendly interface, combined with role‑based access, supports smooth collaboration between technical and non-technical stakeholders alike—an area where many security tools fall short.

On top of that, the SAMMY team is extremely receptive to customer feedback and feature requests. I suggested adding the OWASP AIMA (Artificial Intelligence Maturity Assessment) feature, and they had AIMA in SAMMY within a few weeks. Review collected by and hosted on G2.com.

What do you dislike about SAMMY?

I don’t have any dislikes. SAMMY is an excellent platform that delivers meaningful outcomes at a very reasonable cost.

MW
Chief Executive Officer
Small-Business (50 or fewer emp.)
"A Powerful Platform for Cybersecurity Compliance and Continuous Maturity Improvement"
What do you like best about SAMMY?

At Conquest Security, our GRC practice focuses on designing, implementing, and sustaining Information Security Management Systems (ISMS) that help organizations manage risk, demonstrate compliance, and continuously improve their cybersecurity maturity. We use SAMMY as a core platform to support NIST CSF–based programs, ISO/IEC 27001 implementations, and CMMC Level 1 and Level 2 readiness as a CMMC Registered Practitioner Organization (RPO).

ISO/IEC 27001 and CMMC both require more than documented controls. They require operational discipline, defined responsibilities, and evidence of sustained execution. SAMMY provides a practical platform for documenting control implementation, assigning ownership, tracking risk treatment actions, and maintaining evidence over time. For our CMMC Level 1 and Level 2 readiness work, this is critical. We can clearly show how practices are implemented, monitored, and sustained rather than assembled as one-time compliance artifacts.

SAMMY brings together assessments, control libraries, and evidence tracking in a single system. This integration is particularly valuable for organizations that align enterprise risk management, NIST CSF outcomes, ISO/IEC 27001, and CMMC practices. It reduces duplication, improves traceability, and supports consistent results across internal reviews, readiness assessments, and external audits. From an ISMS perspective, this directly supports continuous monitoring and management review activities.

The Codific team demonstrates a strong practical understanding of cybersecurity frameworks and real-world GRC implementation challenges. Their support reflects how organizations actually build and operate CSF-aligned programs, implement ISO/IEC 27001, and prepare for CMMC assessments. This domain expertise accelerates onboarding and improves long-term adoption, particularly for small and mid-sized organizations without dedicated internal GRC teams.

What do you dislike about SAMMY?

SAMMY is designed to support structured, framework-driven cybersecurity programs, so organizations get the most value when they approach it with an Information Security Management System mindset. Teams that are early in their GRC maturity may need some initial guidance to fully align their processes, roles, and documentation with the platform. In our experience, when SAMMY is implemented alongside clear governance and advisory support, this upfront alignment quickly turns into a long-term strength.

Simon M.
Secure Software Analyst
Mid-Market (51-1000 emp.)
"Streamlined SDLC Maturity Assessments with SAMMY"
What do you like best about SAMMY?

SAMMY’s strongest quality is its principled alignment with OWASP SAMM, delivered through a clear, guided interview workflow and automatic scoring. The structured questionnaires, embedded calculations and scorecards streamline workshops and keep assessments consistent across teams. In practice, this reduces preparation time and helps stakeholders focus on evidence and decisions rather than mechanics. The ability to export results in a benchmark‑friendly format is particularly helpful when we collaborate on maturity baselines and share anonymized insights with community initiatives.

We also appreciate the secure, role‑based access and multi‑factor onboarding, which supports our compliance mindset while keeping the tool accessible to non‑specialists. Coordinating licenses and invitations for new analysts has been straightforward and allows us to spin up working sessions quickly.

Overall, SAMMY offers a well‑balanced combination of methodology fidelity, operational efficiency, and pragmatic outputs that are easy to discuss with engineering and management alike. Its consistent structure helps us compare teams fairly, prioritize improvements, and connect assessment findings to actionable roadmaps without losing traceability.

Also, the team is very reactive and several times I've seen features that I requested being implemented in a few weeks!

What do you dislike about SAMMY?

While SAMMY is effective, there are a few areas that could improve the user experience. Account lifecycle flows can be fragile at times (rarely, to be honest), which interrupts onboarding for busy project teams.

From a reporting perspective, the standardized scorecard is useful, but the layout and customization options feel limited for some audiences; richer templating (configurable narratives, visualizations, risk groupings, ...) would help tailor deliverables to different stakeholders without post‑processing.

None of these points are blockers, and they do not diminish the value of the core product. Addressing them would simply make SAMMY more resilient in complex enterprise environments and further accelerate our facilitation during assessments.

Verified User in Consulting
Mid-Market (51-1000 emp.)
"Best-in-Class SAMM Tool with Outstanding Support and Scalability"
What do you like best about SAMMY?

It's the best commercially supported tool for rolling out SAMM, and scales well from a single scope to complex multinational organizations. It really shines when teams are empowered to take charge of their own improvement roadmap, as it creates a central hub for all stakeholders to keep tabs on progress.

The pace of development is fast and the Codific team is always ready to listen to feedback and incorporate suggested improvements if they believe it benefits the wider user base. The tool has evolved from a SAMM tool to a more generic maturity management suite with coverage for several widely used frameworks in the GRC and product security space.

What do you dislike about SAMMY?

The tool is still evolving and at times, functions or layouts change. On the other hand, it is a sign of continuous development.

Verified User in Education Management
Small-Business (50 or fewer emp.)
"Turned a Painful, Confusing Process into an Achievable One"
What do you like best about SAMMY?

Turned a painful, confusing process into an achievable one. And my support interaction with them was first class.

What do you dislike about SAMMY?

I don't really have any complaints. I had some initially but I gave them feedback and they fixed everything the next day.

Pricing Options

Pricing provided by SAMMY.

Free: $0, up to 3 users

Premium: $25.00 per user per month

Pro: starting at $65.00 per user per month