Appnigma

Salesforce AppExchange Security Review: The 2026 Guide (Fees, Timeline, Checklist, Failure Recovery)

Salesforce Security Review

May 11, 2026

11 min read

If you're listing on AppExchange in 2026, the security review is the gate that decides whether your enterprise pipeline opens this quarter or slips to next. The fee model changed in March 2023, Chimera was retired in June 2025, and the self-review wizard now auto-approves most updates after your first pass. I pulled the latest Salesforce ISVforce docs, the Concret.io and Noltic PDO reports, and the failure patterns we see at Appnigma to write the single guide I wish I had when I was helping a B2B SaaS founder ship their first managed package.

Pro Tip

TL;DR: The Salesforce AppExchange security review is a mandatory code and behavioral audit every managed package passes before it can be listed. It costs $999 per submission attempt for paid apps ($0 for free apps), takes 6 to 9 weeks for the initial pass plus 2 to 3 weeks per resubmission, and roughly half of first-time submissions fail according to PDO partner reports. Salesforce retired Chimera DAST on June 16, 2025, so partners must now run OWASP ZAP, Burp Suite, or Qualys. The eight check categories are defined in the ISVforce Security Review guidelines. The biggest failure cause: missing CRUD and Field-Level Security enforcement on Apex DML and SOQL.

What is the Salesforce AppExchange security review?

The Salesforce AppExchange security review is a mandatory code-level and behavioral audit Salesforce runs on every managed package before it can be listed on AppExchange. The review combines static analysis (Checkmarx CxSAST, Salesforce Code Analyzer), dynamic application security testing (OWASP ZAP, Burp Suite, or Qualys since Chimera was retired in June 2025), and manual review against the eight check categories defined in the ISVforce Security Review guidelines.

It applies to every ISV that wants to distribute a paid or free managed package on AppExchange. There is no way to skip it. There is no fast lane. Every one of the 6,233 apps live on AppExchange as of December 2025 went through this same gate.

Pro Tip

Citation capsule: The canonical source is Salesforce ISVforce Guide, Security Review Guidelines. Combined with State of AppExchange 2026 (sfapps.info) for app-count figures.

How much does the Salesforce security review cost in 2026?

$999 per submission attempt for paid apps. $0 for free apps. No partner-tier discount exists. The fee applies to the initial submission and to every resubmission after a failed review. Fail twice, and you've paid $2,997 in fees alone, before you count the engineering time and lost deal pipeline.

Pro Tip

What changed in March 2023: Salesforce moved from a $2,550 initial fee plus $150 annual model to the per-attempt $999 model. The new structure penalizes failure (resubmission costs the same as initial) and rewards quality (an app that passes on the first try pays once and is done until major architecture changes). Source: Salesforce Developer Docs, Security Review Fees.

How long does the security review take?

Pre-queue validation runs in 1 to 2 days. The full initial review takes 6 to 9 weeks. A resubmission after fixing findings takes 2 to 3 weeks. Most version updates of an already-approved package are auto-approved in minutes via the self-review wizard introduced in March 2023, unless the update introduces new objects, new callouts, or significant architecture changes.

Source: Salesforce Developers Blog, Prepare Your App to Pass the Security Review and Concret.io review timeline.

What does the security review actually check?

Eight categories. The full list, with what each one means for your code, comes straight from the Salesforce ISVforce Guide, Create a Secure Solution.

  1. Authentication and session management

  2. Authorization: CRUD plus Field-Level Security enforcement, sharing model

  3. Input validation: SOQL injection, XSS, CSRF

  4. Output encoding

  5. Cryptography: no MD5 or SHA-1, use the platform Crypto class

  6. Communication security: HTTPS callouts only, valid TLS, CSP-safe remote sites

  7. Logging and error handling: no PII in debug logs

  8. Storage of secrets: Named Credentials, Protected Custom Metadata, External Credentials

What tools does Salesforce use during the review?

The review combines automated scanners and manual analysis. Knowing which tools run against your code lets you run them locally first and clean up findings before submission.

Pro Tip

Chimera was retired June 16, 2025. If you're following a 2024 or older guide that tells you to "submit Chimera output," ignore it. Run OWASP ZAP, Burp Suite, or Qualys against your demo org and include the report in your submission materials. Source: Noltic, 2026 Security Review Guide.

Top 10 reasons apps fail the security review (and how to fix each)

Aggregated from the Salesforce Developers Blog (April 2023), Concret.io failure guide, and our own customer data at Appnigma:

Code-level example: fixing the #1 failure (CRUD/FLS enforcement)

Before (will fail Checkmarx and security review):

```apex
// Reads every field without checking field-level security and updates
// without checking whether the running user may update Account records.
List<Account> accs = [SELECT Id, Name, Industry FROM Account];
update accs;
```

After (enforces FLS at query time and before DML):

```apex
// WITH SECURITY_ENFORCED makes the query throw a QueryException if the
// running user lacks read access to Account or to any selected field.
List<Account> accs = [
    SELECT Id, Name, Industry
    FROM Account
    WITH SECURITY_ENFORCED
];
// stripInaccessible removes any field the user may not update (and throws
// NoAccessException if the user cannot update Account at all) before DML.
SObjectAccessDecision sanitized = Security.stripInaccessible(
    AccessType.UPDATABLE, accs
);
update sanitized.getRecords();
```
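The static query above is the easy case. The same finding resurfaces, usually paired with a SOQL injection finding, as soon as the field list or filter is built at runtime. The following is an added example, not code from the original post or from Appnigma: it shows the dynamic-SOQL variant using an allow-list for field names, a bind variable for the filter value, and Security.stripInaccessible for FLS. The class name, the allowed field set and the filter parameter are illustrative assumptions.

```apex
// Added example (not from the original post): dynamic SOQL that clears both the
// CRUD/FLS check and the SOQL-injection check. Class name, field allow-list and
// parameter names are assumptions for illustration.
public with sharing class AccountSearchService {

    // Field names are interpolated into the query text, so they must never come
    // straight from the caller. Allow-list them instead.
    private static final Set<String> ALLOWED_FIELDS =
        new Set<String>{ 'Id', 'Name', 'Industry', 'AnnualRevenue' };

    public static List<Account> search(List<String> requestedFields, String industryFilter) {
        // 1. Keep only allow-listed field names.
        List<String> selectFields = new List<String>();
        for (String f : requestedFields) {
            if (ALLOWED_FIELDS.contains(f)) {
                selectFields.add(f);
            }
        }
        if (selectFields.isEmpty()) {
            throw new IllegalArgumentException('No permitted fields requested');
        }

        // 2. Bind the filter value instead of concatenating it. A dynamic SOQL
        //    string may reference an in-scope local variable as :industryFilter;
        //    the platform then treats the value as data, not as query text.
        String soql = 'SELECT ' + String.join(selectFields, ', ')
            + ' FROM Account WHERE Industry = :industryFilter LIMIT 200';
        List<Account> rows = Database.query(soql);

        // 3. Enforce FLS on the result. stripInaccessible removes fields the
        //    running user cannot read rather than throwing, which is the
        //    behaviour you want when the field list is chosen at runtime.
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.READABLE, rows);
        return decision.getRecords();
    }
}
```

The choice between WITH SECURITY_ENFORCED and stripInaccessible is the one the page describes: the former fails the whole query on any inaccessible field, the latter silently drops the field. For a dynamic field list the second behaviour is usually what the UI wants; decision.getRemovedFields() tells you which fields were dropped if you need to surface that.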

How do you prepare for the security review?

Run the review against yourself before Salesforce does. The 6 to 9 week wait window is the worst time to discover a finding you could have caught locally in a Friday afternoon.

  1. Run Checkmarx CxSAST locally. Salesforce gives partners access via the Partner Security Portal. Fix every finding you can. Justify every one you cannot.

  2. Run Salesforce Code Analyzer. Open source, ships with sfdx. Catches PMD, ESLint, and RetireJS findings before submission.

  3. Run a DAST scan against your demo org. Pick OWASP ZAP, Burp Suite, or Qualys. Save the report. You'll attach it to the submission.

  4. Write the Solution Architecture Document. Diagram the data flow, integration surface, sharing model, and external endpoints. The reviewer reads this first.

  5. Provision a demo org with test credentials. Pre-load it with realistic data. Document login steps. The reviewer will use this org to exercise every feature.

  6. Submit through the Security Review wizard in the Partner Community. Pay the $999 fee (paid apps only) and wait for the email when the review enters the queue.

Pro Tip

Companion deep dives: Our security review checklist walks line-by-line through what reviewers look for, and our step-by-step submission guide covers the wizard UI and required attachments.

What happens if your app fails the security review?

Half of first-time submissions fail. That figure is a PDO industry estimate, not an official Salesforce number, but it's consistent across Concret.io, Noltic, and our own customer base. Plan for it.

If your app fails:

  1. Salesforce returns a detailed report listing every violation by file and line with a remediation reference.

  2. You fix the findings and attest to the fixes in the self-review wizard.

  3. You resubmit. The follow-up review takes 2 to 3 weeks.

  4. For paid apps, the $999 fee applies again per resubmission. Free apps remain free.

Pro Tip

The hidden cost of a failed review: $999 resubmission + 2 to 3 weeks of delay + every enterprise deal in your pipeline that needed AppExchange before signing. For a B2B SaaS company chasing a $100K+ ARR enterprise contract, a failed review can be a quarter slipping. The fee is the smallest part.

What changed in 2023 and 2025?

Two structural changes broke most older AppExchange security review guides.

Can you pass the security review without Salesforce developers?

Most B2B SaaS companies that need to list on AppExchange don't have a Salesforce developer on staff. The traditional answer was to hire a PDO at $20,000 to $40,000 for the build plus the security review prep. The 6 to 12 month timeline plus the 50% first-pass failure rate makes that a brutal bet for a startup chasing an enterprise deal.

The shorter answer in 2026: yes, if your code is generated against the secure coding standards from the start. Most security review failures come from a small set of pattern mistakes (CRUD/FLS, sharing model, SOQL injection, encoding). Those are exactly the patterns an AI-native managed-package generator can enforce by default.

At Appnigma AI, we generate every managed package with:

  • 'with sharing' declared on every Apex class touching user data

  • WITH SECURITY_ENFORCED in every SOQL query, or Security.stripInaccessible when dynamic

  • Bind variables in every dynamic query, no string concatenation

  • HTMLENCODE / JSENCODE in every Visualforce binding

  • Named Credentials for every external endpoint, no hardcoded secrets

  • Solution Architecture Document and DAST report templates pre-filled from the package metadata
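Several of the items in that list meet in one common piece of code: an Apex service that calls an external API and writes the result back to the org. The following is an added example, not code generated by Appnigma or taken from the original post: a with sharing class that reads its endpoint from a Named Credential, checks CRUD and FLS before DML, and keeps the response body (which may carry PII) out of debug logs. The Named Credential name Enrichment_API, the JSON response shape, and the class name are assumptions for illustration.

```apex
// Added example (not from the original post): a with-sharing callout service
// following the secure-coding patterns listed above. The Named Credential
// 'Enrichment_API', the response shape and the class name are assumptions.
public with sharing class AccountEnrichmentService {

    public class EnrichmentException extends Exception {}

    // Returns the number of Contact records created for the given Account.
    public static Integer enrich(Id accountId) {
        // Named Credential: the base URL and the auth header are configured by
        // the subscriber admin, so no token or host name ships in the package.
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:Enrichment_API/v1/accounts/' + accountId);
        req.setMethod('GET');
        req.setTimeout(10000);

        HttpResponse res = new Http().send(req);
        if (res.getStatusCode() != 200) {
            // Log the status only; the body could contain customer data.
            System.debug(LoggingLevel.WARN,
                'Enrichment callout failed: HTTP ' + res.getStatusCode());
            throw new EnrichmentException(
                'Enrichment service returned HTTP ' + res.getStatusCode());
        }

        // Assumed response shape: {"contacts":[{"email":"...","lastName":"..."}]}
        Map<String, Object> body =
            (Map<String, Object>) JSON.deserializeUntyped(res.getBody());
        List<Object> contacts = (List<Object>) body.get('contacts');
        if (contacts == null || contacts.isEmpty()) {
            return 0;
        }

        // Object-level (CRUD) create check; stripInaccessible below covers FLS.
        if (!Schema.sObjectType.Contact.isCreateable()) {
            throw new EnrichmentException('Running user cannot create Contacts');
        }

        List<Contact> toInsert = new List<Contact>();
        for (Object c : contacts) {
            Map<String, Object> m = (Map<String, Object>) c;
            toInsert.add(new Contact(
                AccountId = accountId,
                LastName  = (String) m.get('lastName'),
                Email     = (String) m.get('email')
            ));
        }

        // Drop any field the running user may not create, then insert.
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.CREATABLE, toInsert);
        insert decision.getRecords();
        return decision.getRecords().size();
    }
}
```

Two design choices are worth noting. The endpoint string starts with callout:, which is what makes the Named Credential supply the host and credentials; a literal https:// URL in the package would instead need a remote site setting and a stored secret. And the error path logs the HTTP status but never the response body or the parsed records, which is the behaviour reviewers look for under the logging and error handling category.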

Customers shipping on AppExchange this way: Warmly, Hyperbound, Pylon, Avoma, UserEvidence, Aline, Alguna, Salesbricks, and Seam AI. None of them hired a Salesforce dev team.

Pro Tip

Generate a security-review-ready managed package in 60 seconds. Type a prompt. Get Apex that clears Checkmarx and Salesforce Code Analyzer on the first scan. Book a demo.

Frequently asked questions

What is the Salesforce security review?

The Salesforce AppExchange security review is a mandatory code-level and behavioral audit Salesforce runs on every managed package before it can be listed on AppExchange. The review combines static analysis (Checkmarx CxSAST, Salesforce Code Analyzer), dynamic application security testing (OWASP ZAP, Burp Suite, Qualys since Chimera was retired June 16, 2025), and manual review against the eight check categories defined in the ISVforce Security Review guidelines.

How much does the Salesforce security review cost?

The Salesforce AppExchange security review costs $999 per submission attempt for paid apps and $0 for free apps. The fee applies to the initial submission and to every resubmission after a failed review. The legacy $2,550 initial plus $150 annual fee model was retired on March 16, 2023. No partner tier discount exists.

How long does the Salesforce security review take?

A pre-queue validation runs in 1 to 2 days. After that, the full review takes 6 to 9 weeks for an initial submission. A resubmission after fixing findings takes 2 to 3 weeks. Most version updates of an already-approved package are auto-approved in minutes via the self-review wizard, unless the update introduces new objects, callouts, or significant architecture changes.

What does the Salesforce security review check?

The review covers eight categories: authentication and session management, authorization (CRUD plus Field-Level Security enforcement, sharing model), input validation (SOQL injection, XSS, CSRF), output encoding, cryptography (no MD5 or SHA-1, use platform Crypto class), communication security (HTTPS callouts only, valid TLS, CSP-safe remote sites), logging and error handling (no PII in debug logs), and storage of secrets (Named Credentials, Protected Custom Metadata, External Credentials).

What happens if my Salesforce app fails the security review?

Salesforce returns a detailed report listing every violation by file and line with a remediation reference. You fix the findings, attest in the self-review wizard, and resubmit. The follow-up review takes 2 to 3 weeks, and for paid apps the $999 fee applies again per resubmission. Roughly half of first-time submissions fail according to PDO partner reports.

How do I prepare for the Salesforce security review?

Run Checkmarx CxSAST and Salesforce Code Analyzer locally before submission. Run an approved DAST tool (OWASP ZAP, Burp Suite, or Qualys, since Chimera was retired June 16, 2025) against your demo org. Write a false-positive justification for every finding you do not fix. Prepare the Solution Architecture Document, test credentials, and a demo org. Submit through the Security Review wizard in the Partner Community.

Does Salesforce still use Chimera for the security review?

No. Salesforce retired Chimera on June 16, 2025. Partners must now run dynamic application security testing using OWASP ZAP, Burp Suite, or Qualys against their demo org and submit the report as part of the security review materials.

Can I pass the Salesforce security review without Salesforce developers?

Yes. AI-native managed-package generators like Appnigma produce Apex with sharing, CRUD/FLS enforcement, bind-variable SOQL, output encoding, and Named Credentials by default. Because the generated code follows Salesforce's secure coding standards from the start, it clears Checkmarx and Salesforce Code Analyzer on the first pass. Customers including Warmly, Hyperbound, Pylon, Avoma, and Salesbricks listed on AppExchange without hiring Apex engineers.

Where to go next

The security review is one gate inside the larger ISV journey. The companion reads:
