Works well within existing pipelines. The dashboards are intuitive to use. It's is simple for developers to find their findings to address their code issues. The SLAs per branch is useful when you have many different development teams. The newer AI capabilities work well to find real issues instead of FUD.

I deployed Arnica to replace Checkmarx at a previous company, and I have brought it with me to several startups I support since then. I still use it in my current role, in a somewhat different capacity than the full enterprise program I originally ran. The policy engine was the primary reason we selected it after evaluating multiple products, since none of the other vendors we tested could offer comparable granularity at the time. It deployed fast across GitHub and Azure DevOps through SCM integration, with no CI rework to start getting value, and our first blocking policy was live within 90 days. We were able to create granular PR policies on severity, EPSS, finding type, direct versus transitive and prod versus dev dependencies, and package reputation, which let us stage enforcement from annotations into blocking and turn rollout into measurable maturity milestones. It also strengthened our Security Champions program, since we could empower champions to review dismissals for their own teams. Developer experience improved because people handled findings in code they were already changing instead of years of historical debt. Customer success has been a genuine strength, responsive and willing to help with rollout, and several requests we raised shipped faster than I expected. The SBOM explorer experience is also something I personally appreciate, I use it regularly to check exposure across the organizations I support whenever another large supply chain attack hits the news. My use of the AI review features is still early, more proof of concept than a rollout. I feel positive about the direction, since reviewing AI-generated code is a real challenge and having policy enforcement meet it at the source is the right place to solve it. On cost, it was priced competitively against the other vendors we evaluated and the per-identity model scaled sensibly as the team grew.

ou quickly understand the security posture of your codebase and can maintain continuous oversight while delegating day-to-day security responsibilities to contributing developers.