Why multiple versions
Organizations differ in scale, procurement needs, and deployment requirements.
SAMMY is available in several versions so you can start small, scale across scopes, and choose the level of support and control your enterprise needs.
One platform, multiple ways to run it
All versions are designed to help you assess maturity, define targets, build roadmaps, and communicate progress. The differences come down to:

Scale
Number of users and scopes (projects, applications, teams)

Capabilities
Mappings, integrations, control management, API

Assurance
Support, SLA, vendor onboarding

Deployment
SaaS, dedicated cloud, or on premises

OpenSAMMY
OpenSAMMY is the community driven OWASP project, based on SAMMY version 2. It is best when budget is tight and you have the internal capacity to deploy and maintain it yourself, especially if you only need OWASP SAMM and do not require additional frameworks, mappings, or advanced features.
Best for: teams with strong internal engineering capacity and a single framework focus.
SAMMY Free
SAMMY Free is the free tier of the commercial SAMMY platform. It includes most of the core SAMMY functionality, with a limit of 3 users and 3 scopes, and excludes capabilities such as JIRA integration, some frameworks, control management, and direct mappings.
Best for: very small teams, or larger organizations that want a quick way to evaluate the platform before scaling. If you are testing for an enterprise rollout, Codific can provide trial access to SAMMY Pro.


SAMMY Premium (Self serve)
SAMMY Premium is the self serve tier, purchased and managed via the website. It covers most SAMMY features, with a limit of 5 users and 5 scopes, and it does not include customization, vendor onboarding, an SLA, or personal support.
Best for: small teams that want strong capability, and prefer a self serve setup with in app guidance rather than a supported onboarding process.
SAMMY Pro
SAMMY Pro is the most widely used option for medium and large organizations. It includes all SAMMY features, full mappings, integrations, and API access, and it comes with an SLA and personal support, including help with vendor onboarding and approval processes.
Best for: organizations scaling security and compliance across multiple scopes, with mature vendor management expectations.


SAMMY Enterprise (On premises)
SAMMY Enterprise is the on premises deployment of SAMMY Pro. It includes the full feature set, with a higher level of customization and adaptability. It can be deployed in a dedicated environment, deployed where you require, or delivered as a self managed deployment with Codific support.
Best for: large enterprises that cannot use a shared SaaS environment, or that require a highly customized deployment.
Compare capabilities at a glance
Not sure? If you are evaluating for a multi team rollout, start with SAMMY Free and request a Pro trial to test without limitations.
| Features | Open SAMMY | SAMMY Free | SAMMY Premium | SAMMY PRO | SAMMY Enterprise |
|---|---|---|---|---|---|
| Scopes | ∞ | 3 | 5 | ∞ | ∞ |
| Manage Users and Tasks | ✅ | ✅ | ✅ | ✅ | ✅ |
| Dashboards | ✅ | ✅ | ✅ | ✅ | ✅ |
| Automated Reports | ✅ | ✅ | ✅ | ✅ | ✅ |
| Other Frameworks | ❌ | ✅ | ✅ | ✅ | ✅ |
| Target Postures and Roadmaps | ❌ | ✅ | ✅ | ✅ | ✅ |
| Automated mappings | ❌ | ❌ | ✅ | ✅ | ✅ |
| JIRA Integration | ❌ | ❌ | ✅ | ✅ | ✅ |
| Control Management | ❌ | ❌ | ✅ | ✅ | ✅ |
| Personal Support | ❌ | ❌ | ❌ | ✅ | ✅ |
| API | ❌ | ❌ | ❌ | ✅ | ✅ |
| SLA | ❌ | ❌ | ❌ | ✅ | ✅ |
| Vendor Onboarding | ❌ | ❌ | ❌ | ✅ | ✅ |
| Custom Models | ❌ | ❌ | ❌ | Limited | ✅ |
| Custom Reports | ❌ | ❌ | ❌ | ❌ | ✅ |
| On Prem Deployments | ✅ | ❌ | ❌ | ❌ | ✅ |
Built for security leads who need progress, not paperwork
Codific builds SAMMY to help you run secure application management as a measurable program, across teams, frameworks, and reporting needs, with the right level of assurance for your environment.







