Market Pulse
Enterprise (10K+ employees) adoption leads at 62%; mid-market (500–5K) lags at 47%. [1]
Vendor Landscape
Nineteen vendors with material commercial presence, organized by go-to-market segment. Prices are list prices as of June 2026; enterprise buyers typically negotiate 20–40% off at 100+ seats.
Purpose-built bots that attach to GitHub/GitLab/Bitbucket and comment on every pull request. No IDE install required; activated per-repo or org-wide.
| Vendor | Pricing (list) | Platforms | Deploy | Key differentiator | Signal |
|---|---|---|---|---|---|
| CodeRabbit | Free (OSS); $24/user/mo Pro | GH · GL · BB · AzDO | Cloud / Self-hosted | Largest install base (2M repos, 13M PRs [3]); 40+ bundled linters; .coderabbit.yaml config | $88M raised, $550M val [2]; $60M Series B |
| Qodo (fka CodiumAI) | Free (250 credits/mo); $38/mo Teams; Enterprise custom [11] | GH · GL · BB | Cloud / On-prem (Ent) | Context Engine: multi-repo RAG indexing for microservice dependencies; generates missing unit tests at review time | F1 60.1% (own bench) [9] |
| Greptile | $30/user/mo (50 reviews/seat) [17] | GH · GL | Cloud / Self-hosted | Full codebase knowledge graph; catches cross-file bugs invisible from the diff; 82% internal bug-catch rate [18] | SOC 2 Type II; ~$30M Series A in talks |
| Graphite + Diamond | Free (Hobby); ~$20–40/user/mo [4] | GH only | Cloud | Stacked-PR workflow (merge queues) + Diamond standalone AI bug-finder; core review is free for all team sizes | ~$91M raised; Accel, a16z, Anthropic [5]; $52M Series B |
| Ellipsis | Free (public repos); $20/dev/mo Business [16] | GH only | Cloud (AWS VPC, no code persisted) | Fix suggestions directly in PR comments; 13% merge-speed improvement claimed; YC W24 | GitHub-only limit is a real constraint |
| Bito AI | $15–25/user/mo | GH · GL · BB | Cloud | OWASP Top 10 security scanning bundled; IDE + PR bot combo; Jira ticket integration | — |
Code review shipped as part of a broader developer platform subscription. Zero marginal cost if the platform seat is already paid, but depth typically shallower than specialists.
| Vendor | Pricing (review) | Platforms | Deploy | Key differentiator | Caveat |
|---|---|---|---|---|---|
| GitHub Copilot | Bundled: Business $19/user/mo, Enterprise $39/user/mo [12] | GH (native); others via IDE | Cloud (usage-based from Jun 2026 [26]) | Agentic code review GA March 2026: full-project context + auto-generates fix PRs; ~2.4M bundled review seats | Agentic review now consumes GH Actions minutes [26] |
| GitLab Duo | Bundled with GitLab tiers (~$29–59/user/mo) [13] | GitLab (self-hosted & SaaS) | Cloud / Self-hosted | Code Review Flow: multi-step reasoning, full-file context, custom instructions in .gitlab/duo/mr-review-instructions.yaml; SAST/DAST/SCA built-in on Ultimate | Only viable if standardized on GitLab |
| Amazon Q Developer (replaces CodeGuru ⚠) | Free tier; Pro $19/user/mo [8] | GH · GL · BB (via IDE) | Cloud (AWS) | AWS-native; SAST, secrets, SCA, IaC scanning; test generation; Java upgrade agent | CodeGuru Security sunset Nov 20 2025 [6]; CodeGuru Reviewer maintenance mode Nov 7 2025 [7] |
| Cursor BugBot | ~$32/user/mo + Cursor subscription | GH · GL | Cloud | 8-pass majority-voting architecture; 70%+ claimed resolution rate; "Fix in Cursor" one-click flow from review comment to IDE edit | Requires Cursor IDE adoption by dev team |
Deterministic static analysis and security scanning products that have added an AI reasoning layer on top. Primary value is quality gates, compliance, and security posture; AI review is additive.
| Vendor | Pricing | Platforms | Deploy | Primary angle | AI layer |
|---|---|---|---|---|---|
| SonarQube / SonarCloud | Free (Community); ~$32/user/mo Team (Cloud) [22] | GH · GL · BB · AzDO | Cloud / Self-hosted | Code quality (85% of rules) + SAST (15%); quality gates; duplication and coverage tracking | AI-generated code detection; quality gate policies |
| Snyk Code | Free tier; Team/Business pricing (per dev) | GH · GL · BB · AzDO | Cloud / Self-hosted | AI-based SAST from DeepCode (ETH Zurich, acq. 2020); semantic code graph; ML on known vulnerability patterns [23] | Strongest for security vuln detection; complements SCA |
| Codacy | ~$15/user/mo; free for OSS [21] | GH · GL · BB | Cloud / Self-hosted | 40+ languages; unified quality + security + AI governance; AI Guardrails scans AI-generated code in real-time in IDE for free | AI Reviewer combines rule-based + context-aware AI feedback [21] |
| Semgrep Code | Free (OSS); ~$30/user/mo Teams | GH · GL · BB · AzDO | Cloud / Self-hosted | Security-focused SAST with custom rule engine; AI reasoning layer for triage; 3K+ community rules | AI-assisted triage to reduce false positives |
| CodeAnt AI | ~$24/user/mo [20] | GH · GL · BB · AzDO | Cloud | Bundles AI PR review + SAST + secrets detection + IaC scanning in one CI/CD workflow; 50M+ LOC scanned [20] | F1 51.7% on Martian benchmark [9] |
| Pixee | Custom (AppSec-team pricing) | GH · GL · BB | Cloud | Agentic AppSec: triages scanner findings, auto-generates fix PRs; 98% noise reduction, 76% merge rate [24] | Downstream of scanners — consumes Snyk/SonarQube output |
| DeepSource | ~$35/user/mo | GH · GL · BB · AzDO | Cloud / Self-hosted | 20+ languages; duplication detection; auto-fix PRs; transformer-based analysis engine | Auto-fix rate claimed at 85% of surfaced issues |
Vendors whose primary differentiation is deployment control (on-prem, air-gap, BYO LLM) or handling of very large monorepos.
| Vendor | Pricing | Deploy modes | Key differentiator | Trade-off |
|---|---|---|---|---|
| Tabnine Enterprise | ~$39/user/mo Enterprise [14] | SaaS / VPC / On-prem / Air-gapped | Zero-data-retention contract; BYO LLM; Kubernetes + Helm deployment; Code Review Agent won "Best AI Coding Innovation 2025" [27] | Higher ops burden for self-hosted; review quality depends on chosen LLM |
| Sourcegraph Cody | $59/user/mo (enterprise-only; free/pro discontinued Jul 2025) [15] | SaaS / On-prem / Air-gapped | 1M-token context window; batch changes across repos; Context Filters for PII/financial code; combined search + review + agents in one platform | Price premium vs. Copilot Enterprise; no SMB option anymore |
| Augment Code | $20–200/user/mo (tier-based) | Cloud | Handles 1M+ file codebases; 65% precision on codebase-context benchmark [25]; unified generation + agents + IDE + review | Wide pricing range; positioning still maturing |
Independent Benchmark — Martian Code Review Bench
Martian (researchers from DeepMind, Anthropic, Meta) released Code Review Bench in March 2026 — the first third-party evaluation not funded by a vendor. [10] Methodology: 17 tools, 200K+ real open-source PRs, scoring based on whether developers acted on suggestions (precision), and how many real issues were caught (recall).
| Tool | F1 Score | Note |
|---|---|---|
| Qodo | 60.1% (own separate bench, 56.7% recall) | Highest recall claimed; test-generation angle boosts actionability [9] |
| CodeAnt AI | 51.7% | Third globally on Martian Bench [9] |
| CodeRabbit | 51.2% | "Highest overall balance of precision and recall" on Martian Bench [9] |
| Baz | — | Led precision metric (lowest noise); developers most likely to act on suggestions |
| Greptile | 82% bug-catch (internal) | Not on Martian bench; internal metric measures issues found, not developer action rate [18] |
| All others (avg) | ~45–50% | DiffRay AI research found 29–45% hallucination rates across frontier models on code review tasks [19] |
⚠ Vendors use incompatible methodologies. "F1 on Martian Bench" and "bug-catch rate" measure different things — don't compare across rows naively.
Funding & Market Signals
| Event | Date | Implication |
|---|---|---|
| CodeRabbit $60M Series B at $550M val [2] | Sep 2025 | Standalone PR review is a real business category; NVIDIA bet signals AI-code-volume play |
| Graphite $52M Series B (Accel, Anthropic, a16z) [5] | Mar 2025 | Bet on merging stacked-PR workflow + AI review into one surface; Anthropic backing = Claude-native review depth |
| GitHub Copilot code review GA (agentic) [12] | Mar 2026 | Microsoft competing directly with standalone bots; bundled pricing creates floor pressure |
| Amazon CodeGuru Security sunset; Reviewer maintenance mode [6] | Nov 2025 | AWS consolidated onto Amazon Q Developer; signals model-era displacement of pre-LLM tools |
| Sourcegraph drops free/pro tiers; pure enterprise [15] | Jul 2025 | PLG-to-enterprise pivot; individual developers redirected to new "Amp" product |
| Martian Code Review Bench released (open-source) [10] | Mar 2026 | First vendor-neutral benchmark; expect vendor claims to be increasingly measured against it |
Picks by Use Case
| Situation | Primary pick | Rationale |
|---|---|---|
| Startup, low budget, GitHub | CodeRabbit Free | Free for OSS; $24/mo Pro for private repos; widest language coverage; highest install base = most community config examples |
| Large monorepo, cross-service bugs | Greptile | Knowledge graph indexed from full repo; catches interface breaks across services that diff-only tools miss |
| Test coverage is the primary gap | Qodo | Generates missing unit tests at review time, not just comments about what to test |
| Already on GitHub Copilot Business | Copilot Code Review (try first) | Zero marginal cost; agentic GA in Mar 2026; if depth inadequate, layer CodeRabbit Pro on top |
| Regulated / air-gapped | Tabnine Enterprise | Only major vendor with fully air-gapped Kubernetes deployment + zero-data-retention contract guarantee |
| Security-primary (AppSec team) | Snyk Code + Pixee | Snyk finds security issues; Pixee auto-generates fix PRs downstream — complement, not substitute, for PR review bots |
| Full DevSecOps platform consolidation | GitLab Duo (Ultimate) | SAST/DAST/SCA/IaC + AI review + CI/CD in one subscription if organization is standardized on GitLab |