# SAMMY Reviews
**Vendor:** Codific  
**Category:** [Other GRC Tools](https://www.g2.com/categories/other-grc-tools)  
**Average Rating:** 4.9/5.0  
**Total Reviews:** 6
## About SAMMY
SAMMY is an application security management platform that helps organizations run application security assessments, track maturity, and plan measurable improvements using industry frameworks. It is designed for application security leaders, security program managers, engineering leaders, and teams that need a structured way to evaluate current practices, identify gaps, and coordinate improvement work across one or more teams or scopes. SAMMY supports assessments against maturity, program, and control frameworks such as OWASP SAMM, OWASP DSOMM, BSIMM, NIST SSDF, ISO 27001, NIST CSF, and OWASP ASVS, plus other standards. To reduce duplicate effort, SAMMY includes framework mapping capabilities that can carry results from one framework to another, including OpenCRE mappings and direct mappings, with options that can generate a new assessment based on a mapping.

- Multi-framework assessments for different assessment types, including self assessments, top down, bottom up, external, and M&A assessments, to support different evaluation contexts.
- Framework mappings to reuse results across frameworks and reduce redundant evaluation work when multiple standards are in scope.
- Improvement roadmaps with assignments and deadlines, plus targets and objectives guidance, to turn assessment findings into planned work items for teams.
- Live dashboards and internal reporting to track maturity scores, progress toward targets, and comparisons across teams, including gap analysis exports to Excel.
- External reporting that generates formatted PDF reports to support audits and certifications using assessment results and validation data.

SAMMY can also be used to create a repeatable assessment and governance cadence that keeps security improvement work visible, prioritized, and aligned with both engineering delivery and compliance expectations over time.

## SAMMY Reviews
### 1. SAMMY: Intuitive, Framework-Rich Platform for Security Maturity and Continuous Improvement

**Rating:** 5.0/5.0 stars

**Reviewed by:** Jim Stanhope - C. | Staff Engineer - Product Security, Enterprise (> 1000 emp.)

**Reviewed Date:** February 27, 2026

**What do you like best about SAMMY?**

SAMMY is an outstanding platform for any organization that is serious about maturing its application security and software assurance program. Built by contributors to OWASP SAMM (Software Assurance Maturity Model), SAMMY provides a structured, intuitive, and highly effective way to assess and improve security practices across the software development lifecycle.

One of SAMMY’s biggest strengths is its broad support for industry frameworks. It seamlessly incorporates OWASP SAMM alongside standards such as ISO 27001, NIST SSDF, and NIST SP 800‑34, allowing teams to manage compliance and security maturity in one centralized place. That flexibility is especially valuable for organizations that need to balance multiple regulatory or security requirements.

The platform also excels at assessment and continuous improvement. It helps teams quickly identify gaps in their current security posture and then build meaningful, measurable roadmaps to address them. SAMMY’s user‑friendly interface, combined with role‑based access, supports smooth collaboration between technical and non-technical stakeholders alike—an area where many security tools fall short.

On top of that, the SAMMY team is extremely receptive to customer feedback and feature requests. I suggested adding the OWASP AIMA (Artificial Intelligence Maturity Assessment) feature, and they had AIMA in SAMMY within a few weeks.

**What do you dislike about SAMMY?**

I don’t have any dislikes. SAMMY is an excellent platform that delivers meaningful outcomes at a very reasonable cost.

**What problems is SAMMY solving and how is that benefiting you?**

Baselining software assurance program maturity, gap analysis, and improvement roadmap development.

### 2. A Powerful Platform for Cybersecurity Compliance and Continuous Maturity Improvement

**Rating:** 5.0/5.0 stars

**Reviewed by:** Mark W. | Chief Executive Officer, Small-Business (50 or fewer emp.)

**Reviewed Date:** February 04, 2026

**What do you like best about SAMMY?**

At Conquest Security, our GRC practice focuses on designing, implementing, and sustaining Information Security Management Systems (ISMS) that help organizations manage risk, demonstrate compliance, and continuously improve their cybersecurity maturity. We use SAMMY as a core platform to support NIST CSF–based programs, ISO/IEC 27001 implementations, and CMMC Level 1 and Level 2 readiness as a CMMC Registered Practitioner Organization (RPO).

ISO/IEC 27001 and CMMC both require more than documented controls. They require operational discipline, defined responsibilities, and evidence of sustained execution. SAMMY provides a practical platform for documenting control implementation, assigning ownership, tracking risk treatment actions, and maintaining evidence over time. For our CMMC Level 1 and Level 2 readiness work, this is critical. We can clearly show how practices are implemented, monitored, and sustained rather than assembled as one-time compliance artifacts.

SAMMY brings together assessments, control libraries, and evidence tracking in a single system. This integration is particularly valuable for organizations that align enterprise risk management, NIST CSF outcomes, ISO/IEC 27001, and CMMC practices. It reduces duplication, improves traceability, and supports consistent results across internal reviews, readiness assessments, and external audits. From an ISMS perspective, this directly supports continuous monitoring and management review activities.

The Codific team demonstrates a strong practical understanding of cybersecurity frameworks and real-world GRC implementation challenges. Their support reflects how organizations actually build and operate CSF-aligned programs, implement ISO/IEC 27001, and prepare for CMMC assessments. This domain expertise accelerates onboarding and improves long-term adoption, particularly for small and mid-sized organizations without dedicated internal GRC teams.

**What do you dislike about SAMMY?**

SAMMY is designed to support structured, framework-driven cybersecurity programs, so organizations get the most value when they approach it with an Information Security Management System mindset. Teams that are early in their GRC maturity may need some initial guidance to fully align their processes, roles, and documentation with the platform. In our experience, when SAMMY is implemented alongside clear governance and advisory support, this upfront alignment quickly turns into a long-term strength.

**What problems is SAMMY solving and how is that benefiting you?**

SAMMY solves the problem of organizations struggling to clearly understand their current security posture and define a realistic, measurable target posture across teams and scopes. Without this clarity, investments in cybersecurity controls are often inefficient, misaligned with business context, or driven solely by compliance checklists rather than actual improvement.

SAMMY enables teams to map their current security posture and define target postures at a granular, team-level scope. These target postures can be compliance-driven, such as CMMC Level 1 or Level 2 requirements, or risk-driven, taking into account the organization’s technology stack, operational realities, and business objectives. This approach helps maximize return on investment by focusing effort on controls that meaningfully reduce risk or advance maturity.

The platform’s library of predefined target postures provides practical guidance for different frameworks and operating contexts, including NIST CSF, ISO/IEC 27001, and CMMC. For Conquest Security, this allows us to guide clients toward achievable, defensible security outcomes and to demonstrate clear progress over time. It supports a management-system approach in which security posture improvement is intentional, measurable, and sustained, rather than reactive or assessment-driven.

### 3. Streamlined SDLC Maturity Assessments with SAMMY

**Rating:** 4.5/5.0 stars

**Reviewed by:** Simon M. | Secure Software Analyst, Mid-Market (51-1000 emp.)

**Reviewed Date:** January 06, 2026

**What do you like best about SAMMY?**

SAMMY’s strongest quality is its principled alignment with OWASP SAMM, delivered through a clear, guided interview workflow and automatic scoring. The structured questionnaires, embedded calculations and scorecards streamline workshops and keep assessments consistent across teams. In practice, this reduces preparation time and helps stakeholders focus on evidence and decisions rather than mechanics. The ability to export results in a benchmark‑friendly format is particularly helpful when we collaborate on maturity baselines and share anonymized insights with community initiatives. 
We also appreciate the secure, role‑based access and multi‑factor onboarding, which supports our compliance mindset while keeping the tool accessible to non‑specialists. Coordinating licenses and invitations for new analysts has been straightforward and allows us to spin up working sessions quickly. 
Overall, SAMMY offers a well‑balanced combination of methodology fidelity, operational efficiency, and pragmatic outputs that are easy to discuss with engineering and management alike. Its consistent structure helps us compare teams fairly, prioritize improvements, and connect assessment findings to actionable roadmaps without losing traceability.
Also, the team is very reactive and several times I've seen features that I requested being implemented in a few weeks!

**What do you dislike about SAMMY?**

While SAMMY is effective, there are a few areas that could improve the user experience. Account lifecycle flows can be fragile at times (rarely, to be honest), which interrupts onboarding for busy project teams.

From a reporting perspective, the standardized scorecard is useful, but the layout and customization options feel limited for some audiences; richer templating (configurable narratives, visualizations, risk groupings, ...) would help tailor deliverables to different stakeholders without post‑processing.

None of these points are blockers, and they do not diminish the value of the core product. Addressing them would simply make SAMMY more resilient in complex enterprise environments and further accelerate our facilitation during assessments.

**What problems is SAMMY solving and how is that benefiting you?**

SAMMY helps us standardize and scale our SDLC maturity assessments. By mapping SAMM directly to other frameworks such as ISO 27001, it provides a common language across governance and technical teams, ensuring practices are evaluated consistently and improvement actions are traceable. This clarity reduces debate over criteria, accelerates workshops, and supports evidence‑based decision‑making.

Operationally, the tool’s guided interviews and automated scoring shorten cycle time and improve quality, allowing us to compare multiple teams on equal footing and identify high‑impact remediations. It also strengthens the collaboration between several assessors on a single project.

In short, SAMMY reduces assessment overhead, increases consistency, and turns maturity findings into actionable, prioritized roadmaps.

### 4. Best-in-Class SAMM Tool with Outstanding Support and Scalability

**Rating:** 5.0/5.0 stars

**Reviewed by:** Verified User in Consulting | Mid-Market (51-1000 emp.)

**Reviewed Date:** January 12, 2026

**What do you like best about SAMMY?**

It's the best commercially supported tool for rolling out SAMM, and scales well from a single scope to complex multinational organizations. It really shines when teams are empowered to take charge of their own improvement roadmap, as it creates a central hub for all stakeholders to keep tabs on progress.

The pace of development is fast and the Codific team is always ready to listen to feedback and incorporate suggested improvements if they believe it benefits the wider user base. The tool has evolved from a SAMM tool to a more generic maturity management suite with coverage for several widely used frameworks in the GRC and product security space.

**What do you dislike about SAMMY?**

The tool is still evolving and at times, functions or layouts change. On the other hand, it is a sign of continuous development.

**What problems is SAMMY solving and how is that benefiting you?**

For me, SAMMY solves the deployment of SAMM at enterprise scale.

The default SAMM toolbox is a decent tool to start with, but as soon as you pass the mark of 8-10 teams to manage, juggling toolbox files becomes a nightmare.

SAMMY is a breath of fresh air and allows you to manage 10s or even 100s of teams with ease, with powerful features for identifying dependencies, reporting on progress, and mapping external compliance drivers to team roadmaps.

### 5. Intuitive SAMMY Tool with Clear Dashboards, Powerful Integrations, and Amazing Support

**Rating:** 5.0/5.0 stars

**Reviewed by:** Verified User in Information Technology and Services | Small-Business (50 or fewer emp.)

**Reviewed Date:** March 21, 2026

**What do you like best about SAMMY?**

SAMMY helps bring the Software Assurance Maturity Model to life. It provides an intuitive interface to capture the current state of answers in SAMM and goes beyond by offering goal-setting for targets and project planning. The integrations with numerous complementary frameworks are invaluable for compliance or understanding coverage. SAMMY supports multiple teams or business lines so the entire organization can be represented. The dashboards and reports are clear and provide good insight into the current status and progress being made. The UI is responsive and smooth. The team has provided amazing support when needed.

**What do you dislike about SAMMY?**

I don't really have any dislikes about SAMMY at the moment. I appreciate that it's focused on providing a solid management tool for software assurance at a good price, without trying to be everything to everyone.

**What problems is SAMMY solving and how is that benefiting you?**

Trying to manage secure software development at scale. The Excel spreadsheet that SAMM provides is a good starter, but when you reach the point that you need to keep up with progress, change, improvements, and multiple teams, SAMMY is invaluable in this space and saves a lot of time and helps ensure consistency and accuracy.

### 6. Turned a Painful, Confusing Process into an Achievable One

**Rating:** 5.0/5.0 stars

**Reviewed by:** Verified User in Education Management | Small-Business (50 or fewer emp.)

**Reviewed Date:** February 25, 2026

**What do you like best about SAMMY?**

Turned a painful, confusing process into an achievable one. And my support interaction with them was first class.

**What do you dislike about SAMMY?**

I don't really have any complaints. I had some initially but I gave them feedback and they fixed everything the next day.

**What problems is SAMMY solving and how is that benefiting you?**

We use it to do NIST 800-171 compliance process tracking.
