Vulkro vs Bearer
Two things lead this comparison:
- Your source code never leaves your machine. Both tools take a "never upload source" stance, so this is a tie on intent, but Vulkro is a single offline binary with no account and no telemetry of any kind.
- Vulkro beats Bearer on a published, reproducible benchmark. On our published corpus Vulkro reported more catalogued bugs than Bearer 2.0.2 (44 vs 37) with 6.7x fewer false positives (10 vs 67), at roughly 7x Bearer's speed (36.1s vs 250.0s total). Harness, corpus, and scoring code all public.
Bearer is the SAST tool that made "data-flow first" a category. Instead of CVSS-ordered findings, Bearer scores by the sensitive data type a vulnerability touches: PII, PHI, payment data, and so on. That framing is genuinely useful, and a deliberate influence on how Vulkro thinks about privacy-class findings.
So when do you pick Vulkro over Bearer?
At a glance
| Vulkro | Bearer CLI | Bearer Pro | |
|---|---|---|---|
| License | Closed-source detectors. Free tier, or Pro per-term, no auto-renewal | Elastic License 2.0 (free in-house) | Commercial; ELv2 with hosted-service restriction |
| Runs where | Your machine | Your machine | Your machine / cloud |
| Source code uploaded | Never | Never | Never (claims) |
| Telemetry | None | Opt-out | Opt-out |
| Languages | Python, JS/TS, Go | Go, Java, JS, TS, PHP, Python, Ruby | + C#, Kotlin, Elixir, VB.Net |
| Cross-file taint | Yes (default) | Limited | Yes (Pro) |
| Privacy / PII detection | Yes (security::pii, security::phi) | Yes (120+ data types; flagship feature) | Same + advanced GDPR reports |
| CVE / SCA matching | Local bundle in same scan | Separate; needs SCA tier | Same |
| API Top 10 + LLM | OWASP API:2023 + LLM 01/06 | API security via rules | Same |
| Public benchmark | Yes (reproducible) | Internal claims | Internal claims |
Benchmark numbers
Measured on our published corpus, July 2026: 15 deliberately vulnerable public codebases with 90 catalogued bugs, of which 76 sit in the languages Vulkro analyzes deeply (JS/TS, Python, Go). Scored at Vulkro's default high-confidence setting. Same machine, same pinned commits, same scoring for every tool.
| Vulkro | Bearer 2.0.2 | |
|---|---|---|
| Catalogued bugs found (of 76) | 44 | 37 |
| False positives | 10 | 67 |
| Precision (how few false alarms) | 0.81 | 0.36 |
| Recall (how many real bugs found) | 0.58 | 0.49 |
| F1 score (overall accuracy) | 0.68 | 0.41 |
| Total scan time | 36.1s | 250.0s |
Two honesty notes. First: the roll-up above excludes the corpus's 3 PHP and Java repos, because Vulkro does not analyze those languages; Bearer does, and it finds real bugs there that Vulkro cannot. Second: in July 2026 we grew our own ground truth from 69 to 90 catalogued bugs and published the recall drop that came with it. The corpus is versioned and the numbers regenerate from one command.
Reproduce them yourself with bench/comparison/run.sh --tier1 --tools vulkro,bearer. The harness and the ground-truth corpus are
public, so these are reproducible figures, not vendor claims. The
locked numbers matching each release also ship in the public
changelog.
The architectural distinction
Both tools take a "never upload source" stance, so the split is narrower than vs Semgrep AppSec Platform or Snyk. The decision hinges on:
-
License model. Bearer CLI is Elastic License 2.0: free for in-house use; you can't offer Bearer as a hosted service to third parties. Bearer Pro adds an explicit commercial license for that case. Vulkro is closed-source detectors with a Free tier and a Pro tier: Free is permanent and needs no card; Pro is a $39 monthly or $349 annual pass that expires (instead of auto-billing) and then drops back to the Free tier.
-
Coverage shape. Bearer is data-type-first; the rule pack is organised around what the code TOUCHES (
email,phone,health record). Vulkro is OWASP-API-first; the rule pack is organised around what the code EXPOSES (BOLA, BFLA, mass assignment, SSRF, etc.). Both surfaces matter; pick the one that matches your team's mental model. -
Verification surface. Vulkro publishes the benchmark harness and the ground-truth corpus (
bench/comparison/ groundtruth/). Bearer's precision numbers come from internal measurement that isn't externally reproducible.
Where Bearer wins
Concessions first, because they are real:
- Privacy reporting is its flagship, and it is better at it. 120+ sensitive data types and data-protection reports built as the primary deliverable. If GDPR, CCPA, or HIPAA reports are what your auditor asks for, Bearer's privacy reporting is deeper than Vulkro's PII/PHI detectors.
- More languages. Bearer analyzes PHP, Java, and Ruby (and Bearer Pro adds C#, Kotlin, Elixir, VB.Net). On the 3 PHP and Java repos in our own corpus, Bearer finds catalogued bugs that Vulkro does not scan at all.
- ELv2 in-house use is free. If free-for-in-house licensing is the requirement and you accept the re-hosting restriction, Bearer CLI costs nothing.
When to pick Vulkro
- Your audit posture is OWASP-API-first, with privacy as one of several axes (Vulkro emits PII/PHI findings, just not as the organising principle).
- You want CVE / SCA in the same scan rather than a separate Bearer tier.
- You're auditing a Salesforce codebase (Bearer doesn't cover Apex; the separate Vulkro for Salesforce product does).
- You want a per-term license that doesn't auto-renew (and drops to a working Free tier on expiry, instead of going dark): the contrast with SaaS billing is a positioning advantage when your procurement team has been burned by renewal surprises.
What we kept from Bearer's playbook
Two ideas in Bearer are good enough to take inspiration from:
- Data-flow priority on PII findings. Vulkro's
security::piiandsecurity::phidetectors emit findings whose severity is shaped by the data type, mirroring Bearer's data-flow-first approach for that specific category. - Per-finding confidence and remediation text. Bearer's
compact remediation snippets influenced how Vulkro renders
vulkro explain <ID>output.
The credit lines up; the moat is elsewhere (CVE bundle, OWASP API completeness, reproducible benchmark, no-auto-renewal license).
Try both side by side
# In your project root:
vulkro scan . --format sarif > vulkro.sarif
bearer scan . --output bearer.sarif --report security
# Diff in your favourite SARIF viewer.
Both tools emit SARIF; GitHub Code Scanning ingests either format.
See also: Vulkro vs Semgrep, Vulkro vs Snyk, Safety, CVE bundle changelog.