UltraViolet Makes a Bet on Unified Offense-Defense for the AI Code Era


UltraViolet Cyber has acquired Black Duck’s Application Security Testing services business, a move that expands its portfolio and signals a shift in how software security will be delivered. The timing is notable: enterprises are churning out AI-generated code, leaning harder than ever on open-source stacks, and operating under increasing regulatory scrutiny. In that environment, one-off security checks no longer cut it. By bringing Black Duck’s established testing arm under its umbrella, UltraViolet is betting that unifying offensive and defensive capabilities is the only way to keep pace.

UltraViolet CEO Ira Goldstein told Security Buzz the deal is a response to the market’s demand for “continuous assessment.” In his view, point-in-time tests can’t match the speed of digital transformation fueled by AI code. “Continuous testing and exposure management is in high demand,” he said, “and allows us as a provider to move further along that spectrum of SecOps to build and deliver the controls needed to address those risks and gaps.”

What UltraViolet gains

The deal brings a full slate of application security testing (AST) services into UltraViolet’s portfolio. That includes penetration testing, red teaming, threat modeling, cloud and container risk assessments, architecture risk analysis, and secure SDLC consulting.

Black Duck is a proven player in this space. Its testing arm has been recognized for seven consecutive years in Gartner’s Magic Quadrant for Application Security Testing, cementing its place as a trusted name in the field. UltraViolet inherits that credibility in the deal and likely hopes to scale it by embedding these services into a broader offensive-defensive model.

Closing the gap between offense and defense

UltraViolet is betting that testing makes more sense when it’s wired directly into day-to-day security operations. Assessments are often treated as a separate function that hands findings to another team. By folding AST into a unified model, UltraViolet closes the gap between discovery and remediation and shortens the cycle from “we found a flaw” to “we fixed it.”

That philosophy addresses the simple question of when to act: build security in early or bolt it on later. The earlier vulnerabilities are uncovered in the development cycle, the cheaper and easier they are to fix. Wait until production and the costs climb sharply. By embedding Black Duck’s testing services into its offensive-defensive framework, UltraViolet is pushing for that earlier catch, when fixes are still fast and relatively painless.

From code to cloud to compliance

For customers, the appeal is practical. Enterprises and federal agencies alike want risks flagged earlier, when fixes don’t blow up budgets or timelines. UltraViolet says the combined offering can spot vulnerabilities earlier, covering modern distributed environments from multi-cloud workloads to DevSecOps pipelines and containerized deployments. It also addresses the regulatory demands that govern many of its clients.

The timing matters. Developers are now leaning on AI to crank out code at unprecedented speed, and those tools often pull from massive open-source libraries. That creates a double bind: more code to review and more external dependencies to vet. By pairing continuous testing with its detection and response muscle, UltraViolet is pitching itself as a partner that can keep that flow of AI-authored, open-source-laden software from turning into a new attack surface.

What the deal means for Black Duck

For Black Duck, the move is about narrowing its scope to where it can have the most impact. Shedding its AST services allows the company to double down on its core software and SaaS offerings, while still keeping customers connected to world-class testing through UltraViolet. Rather than walk away, Black Duck is extending the relationship in the form of a commercial partnership.

“Black Duck’s broad and distinguished portfolio of professional and managed services are [sic] highly complementary to UltraViolet’s offensive security offerings,” Black Duck CEO Jason Schmitt said in a press release. “This move ensures that our customers will continue to receive industry-leading security testing services and unlocks greater scale, scope, and specialization.”

Reading the market signals

Demand for application security testing is climbing fast as AI accelerates development cycles and supply-chain risks multiply. Every new dependency or code contribution expands the attack surface, and organizations are scrambling for ways to keep pace.

At the same time, the market is shifting away from stand-alone services toward integrated security operations that are judged by outcomes, not activity. Point-in-time tests may still have their place, but customers increasingly want security built into how software is created, deployed, and maintained. UltraViolet’s move to fold testing into a unified offense-defense model reflects that trend and signals that the next wave of competition in the sector will be about integration, not point solutions.

Success will be in the numbers

The hard part starts now. UltraViolet has to integrate Black Duck’s testing team and tools without losing momentum and then prove the value with data. Customers will be watching metrics like time-to-remediation, defect escape rates, and how fully the services cover containerized and multi-cloud pipelines. If those indicators don’t improve, the promise of a unified model falls flat.

The federal sector will be a key proving ground. Agencies want earlier risk discovery but expect it to be delivered at scale and under heavy compliance scrutiny. Success there could validate the model and open the door for broader adoption. UltraViolet also has to show it can drive cross-sell between testing and its detection-and-response services, while going deep on cloud and container assessments, a space still full of blind spots.

Support and staying power

UltraViolet isn’t making this move alone. The company has backing from Achieve Partners, giving it both financial muscle and a growth-minded investor behind the scenes. That support matters when scaling services and absorbing talent from an acquisition.

Aanand Radia of Achieve Partners said the acquisition “will play a critical role in ensuring that UltraViolet remains at the leading edge of helping organizations operate at the speed of the adversary, not behind it.” UltraViolet also recently landed on the Inc. 5000 list, a nod to its growth trajectory and operational traction. Put together, the investor backing and external recognition signal that the company sees itself not just as a niche player, but as one building toward larger scale in a crowded security market.

Where the risks lie

Every acquisition brings questions, and this one is no different. UltraViolet has to absorb Black Duck’s testing talent without losing the quality that gave the group its reputation. Scaling services often means stretching people thin, and customers will notice quickly if assessments start to feel less rigorous.

There’s also the matter of overlap. UltraViolet already offers a wide range of offensive and defensive services. The challenge will be making sure the new AST unit adds depth rather than duplication, and that testing teams can operate with enough independence to call out flaws candidly, even when those flaws surface in environments protected by UltraViolet’s own tools. Maintaining that objectivity will be key to preserving trust.

The takeaway

The acquisition is a bet on speed and integration. If UltraViolet can blend Black Duck’s testing services into its offense-defense model, customers stand to gain—finding flaws earlier, fixing them cheaper, and moving software through pipelines with less risk. In a world where AI is cranking out code and attackers move just as fast, that edge could be decisive.

Author

Michael Ansaldo, Contributing Writer, Security Buzz

Michael Ansaldo is a veteran technology and business journalist with experience covering cybersecurity and a range of IT topics. His work has appeared in numerous publications including Wired, Enterprise.nxt, PCWorld, Computerworld, TechHive, GreenBiz, Mac|Life, and Executive Travel.