I thought that some of these tools had a lot of open source components (look at https://github.com/aquasecurity for example) but they can still charge lots of money because it's yet another service that a company doesn't want to host/configure/maintain themselves.
