We use the solution for the scanning of vulnerabilities like SQL injections.
Senior Information Security Analyst at a computer software company with 201-500 employees
Helps to scan vulnerabilities like SQL injections but not recommended for dynamic scanning
Pros and Cons
- "We use the solution for the scanning of vulnerabilities like SQL injections."
- "Acunetix needs to be dynamic with JavaScript code, unlike Netsparker which can scan complex agents."
What is our primary use case?
What needs improvement?
Acunetix needs to be dynamic with JavaScript code, unlike Netsparker which can scan complex agents.
For how long have I used the solution?
I have been working with the solution for three years.
What do I think about the stability of the solution?
Acunetix is very stable.
Buyer's Guide
Acunetix
December 2025
Learn what your peers think about Acunetix. Get advice and tips from experienced pros sharing their opinions. Updated: December 2025.
879,310 professionals have used our research since 2012.
What do I think about the scalability of the solution?
The solution is scalable if you use the cloud version. You will face limitations with RAM and processor on the desktop.
How are customer service and support?
We have not faced any issues to complain about.
Which solution did I use previously and why did I switch?
I have used Netsparker before.
How was the initial setup?
Acunetix is easy to install and took only two minutes to deploy. For desktop applications, you need to download an EXE file. Deployment over the cloud requires API.
What other advice do I have?
I would rate Acunetix an eight out of ten. I don't recommend it for dynamic websites. It is recommended for static pages.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Compliance Manager at a tech services company with 201-500 employees
We are getting notably fewer false positives than previously, but reporting output needs to be simplified
Pros and Cons
- "It's very user-friendly for the testing teams. It's very easy for them to understand things and to fix vulnerabilities."
- "The jargon used makes it difficult for project managers to understand the issues, and the technical explanations used make it difficult for developers to understand issues. These things should be simplified much more. That would be very helpful for us when explaining to them what needs to be fixed. The report output needs to be simplified."
What is our primary use case?
Our company has more than 300 employees and we have regional offices in Japan and Malaysia. We are in the FinTech industry. We do banking solutions, mobile, branch-based, and agent banking. We are also into government projects.
We have two lines of application testing. One is for internal application deployments. Before all these deployments, we conduct testing with Acunetix and, based on the report generated, we do remediation. Once the remediation is done we will do more testing. Only once all the vulnerabilities have been fixed is it allowed to be deployed in the organization's environment.
The second use case is that we do application development for banks. Whenever we develop backend applications or web applications, they are all tested for vulnerability. In addition, the mobile application code is tested using Acunetix.
We didn't have much in the way of exposure to this kind of information when I joined the organization. I introduced this system to test all the applications that were going to be released to customers, as well as for our internal vulnerability assessment and penetration testing purposes.
How has it helped my organization?
The number of "high" and "medium" vulnerabilities found using this solution will depend on the development process. But when we started using Acunetix, and other testing tools as well, we had a lot of vulnerabilities. We had to invest a lot of time in fixing vulnerabilities in those days, about two years back. Now, we don't get that many vulnerabilities because the developers and the application testers have improved a lot. They code in a way that results in fewer vulnerabilities.
Most of the vulnerability standards we've used give a fair number of false positives. But with the latest version of Acunetix, we have seen a good standard of false positive rates. Sometimes, customers actually want to have a list of false positives, but the number of false positives we now get is much less than earlier.
What is most valuable?
It's very user-friendly for the testing teams. It's very easy for them to understand things and to fix vulnerabilities. For anyone who does development, Acunetix is going to be a very powerful tool, and very easy to use. It gives all the required information for fixing your vulnerabilities.
What needs improvement?
The jargon used makes it difficult for project managers to understand the issues, and the technical explanations used make it difficult for developers to understand issues. These things should be simplified much more. That would be very helpful for us when explaining to them what needs to be fixed. The report output needs to be simplified.
For how long have I used the solution?
We've been using Acunetix Vulnerability Scanner for the last three years and we don't have a reason to change to a different solution.
What do I think about the stability of the solution?
We haven't come across unexpected downtime or unexpected issues.
What do I think about the scalability of the solution?
We don't scan more than 35 solutions, but we are always working on improving them and, whenever an improvement comes up, we scan it.
We initially decided that it was going to be deployed on a central server and we didn't look into the scalability. We set up the environment and we have been using it for some time. We haven't come across the need for scalability.
We have five usernames for Acunetix, but most of the time only two of them are being used. Generally, in a week, we may conduct five or six tests. We don't have much load on it. We do intend to expand the number of users in another six months' time with an additional three or four users, as we are expecting more application testing in that time.
How are customer service and technical support?
We had to contact technical support some time ago but not since then. Sometimes the blog provides support very well, and we have also attended certain webinars.
We would really appreciate it if they would provide training on advanced usage or technical knowhow. That would help us to attend to things and sort them out.
Which solution did I use previously and why did I switch?
The company had been using InMap and was using manual vulnerability assessment practices, using Kali Linux and some open source applications. But once I joined the company, we changed to a different level because we are an ISO 27000 certified company as well as being PCI DSS application certified with a PCI DSS certified data center. We host payment applications on behalf of Sri Lankan and Malaysian banks. Because of that we introduced these automation systems. We use Acunetix and we use PortSwigger and some other tools.
We used Nessus and we have experience with QualysGuard as well, but Acunetix gives us code-level identification of vulnerabilities and a good understanding of the code-level vulnerability fixes. It is much more helpful for us because we can understand how to fix the vulnerabilities at the code level. The vulnerability identification is much more powerful in Acunetix than in any other tool.
How was the initial setup?
The initial setup is very simple.
We use this application for testing in different environments, such as production and DR, and implementing of scanning in those environments can sometimes be a little bit tough. But that is not due to the complexity of the application but more because of the complexity of the environments that we maintain, to keep our compliance level high.
The way we set it up is that once development is over, we push it to a single location. For that, it's not a very complex environment, it's a single PC. We do the scanning on that PC so that development is actually on a single server. The setup for that didn't take much time. Within two to three days, the complete setup was finished and the initial testing was run.
What was our ROI?
We have seen ROI with Acunetix. That's the most convincing point I have to prove to my management when it comes to the next budgeting cycle. The ROI is seen in the fact that, at the time of application releases, we hold off the risk. When we do the assessment, we see that the distributed cost of Acunetix, across all our releases, reduces our risk. It's a very convincing point.
What's my experience with pricing, setup cost, and licensing?
When compared with other products, the pricing is a little bit high. But it gives value for the price. It serves the purpose and is worthwhile for the price we pay. Other than the licensing, we haven't come across any other costs.
Which other solutions did I evaluate?
We are very comfortable with the granularity of tests. Sometimes, for certain specific areas, we use different tools, but we feel that Acunetix is much more helpful for all the development teams in understanding the output of the system. In certain cases, the scope of the application and the exposure of the application is varied and then, for additional security measures, we use different tools to evaluate these applications. That makes us much more comfortable in explaining to our customers that we don't only rely on a single tool, that we use multiple tools to identify things in complex environments. Customers want to have different views, not only a single view, of application testing.
Acunetix provides the primary vulnerability assessment. Once we believe we can rely on Acunetix, we will be able to save money on other licenses. The most interesting part is that the application security vulnerability reports of Acunetix are much more explainable in simple terms, for developers.
Also, the jargon that some of the applications that I have looked at—certain open source applications—use and the setup required are highly technical. You have to do a lot of maintenance to keep the environment up and running. Acunetix is a lot more comfortable. Newly recruited people and project managers can easily understand it. This is one of the winning points of Acunetix.
In our tests of Acunetix, we didn't find much difference, performance-wise, when comparing it with other applications. It's lightweight but it doesn't matter if it is a little bit heavy, since it provides a much broader spectrum of vulnerabilities. Acunetix is much more customizable for granular levels of testing.
In terms of the amount of time it takes to complete a scan using Acunetix, a web application, for example, with two or three endpoints takes between half an hour and 40 minutes. If I use Kali Linux, it will take more time, and then you have to do much more customization which requires heavy technical knowledge. Other solutions take time to scan and may give a much broader spectrum, but they do not identify vulnerabilities for the purpose of fixing them. They identify them to explore them. Acunetix scans for most commonly identified issues. The problem with other solutions is that, while we may be able to see a lot of vulnerabilities, if the solution has not been identified we end up with questions as to whether we are able to release it or not. We don't come up against that issue with Acunetix.
What other advice do I have?
I would definitely recommend Acunetix to anyone who wants to do one vulnerability assessment from an application development perspective.
The amount of time it takes to remediate something will depend on the developer's knowledge and ability to fix vulnerabilities. That doesn't depend on the solution, on Acunetix, but rather on the technical knowhow of the people who engage in that.
But that particular jargon and the technical explanations we have for fixing vulnerabilities need to be improved, so that managers who don't have technical knowhow can easily understand what needs to be done to fix the vulnerabilities.
Overall, I would rate the solution as a seven out of 10. While we use this tool for application testing, we need another tool to test application traffic interception. Acunetix doesn't have that ability. If it did, I would definitely rate it as nine or 9.5. After using Acunetix for application and code-level testing, the same application will be tested again for application traffic interception. With the results of the traffic interception, we again go back to the code level and then identify where the issues are. If Acunetix had that capability, I would be able to raise it as a nine or 9.5.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Senior Test Engineer II at a financial services firm with 201-500 employees
Fantastic reporting features hindered by slow scanning
Pros and Cons
- "I haven't seen reporting of that level in any other tool."
- "The vulnerability identification speed should be improved."
What is our primary use case?
We use Acunetix for POC.
We have a scanner site website. We have two web applications, related to banking, that primarily serve our customers. We use Acunetix Vulnerability Scanner to ensure that the APAs that have been exposed to the customers are well-protected and don't have any major vulnerabilities.
We wanted to have some kind of vulnerability scanner which could evaluate our requests and tell us where any vulnerabilities may reside. For that purpose, we use Acunetix scanner.
Originally, we used version 3.12, but they provided us with different products including Acunetix premium and Acunetix 360. We figured Acunetix 360 would be much better suited for our solutions; that's why we are currently using the trial version of Acunetix 360 at the moment.
Within our company, there are around five to ten people using this solution. Some from DevOps, IT Security, and a few penetration testers use it.
What is most valuable?
The reporting is pretty good. I haven't seen reporting of that level in any other tool. It also allows for segregation. If I want to generate a report regarding vulnerabilities, I can simply select that particularly vulnerable section and it will generate a report with all the work in the web application.
Similarly, for PCAD assisting, I can also generate a report — in multiple formats, including PDF, HTML, and doc files.
Segregation of reports is really, really good with Acunetix; it provides us with a lot of in-depth details. This feature stood out when comparing Acunetix with other tools.
It provides me with a list of vulnerabilities that we weren't able to identify when doing manual penetration testing. It located and picked out some hidden vulnerabilities as well, which are hard to spot with the naked eye.
What needs improvement?
The scanning speed could be faster. It digs really deep, so that could be one of the reasons why it takes a while. If I want to scan an application, it's going to take over three to four hours. That's something I think they could improve.
Instead of posting hundreds of requests to find the vulnerability, if it simply had the capability to find that particular vulnerability in the payload itself, that would make a big impact.
The vulnerability identification speed should be improved. It takes more time compared to other tools I have used.
Simply put, Acunetix passes too many payloads in order to identify one part of the ratio. That's probably why it can take a while to identify a particular issue. Other tools are able to identify vulnerabilities with just a few requests. Acunetix takes more time to make certain if a vulnerability exists. That's one of the areas which they can improve on.
The scan configuration could be improved. The first thing that we need to do is set up a site policy and a scan policy. By site policy, I mean we have to choose what kind of technology our site is developed with so that it will only pass payloads related to that technology.
For example, if I'm using MySQL or Python as my backend database, it will only check payloads related to MySQL or Python; it won't check Java or other programming languages.
We have to define the scanning configuration as well as the site configuration each and every time. This has to be done whenever we are adding a new set of sites or domains.
Other tools provide a list of predefined scan policies, but with Acunetix, we have to create our own every time. We have to spend a lot of time setting up these configurations, rather than just picking them from a vast variety of predefined sets of configurations, which is much easier.
For how long have I used the solution?
We have been using a trial version of Acunetix for about a month.
What do I think about the stability of the solution?
The stability is good. The scans always produce consistent and reliable results.
We used Acunetix to scan three of our web applications.
What do I think about the scalability of the solution?
I think it needs to expand to other operating systems because most organizations use a Linux-based environment, which it currently doesn't support. I think that's a big problem.
How are customer service and technical support?
The technical support is really good. Whenever we experienced an issue, we just scheduled a call. It's not directly with Acunetix, their providers in India got in touch with us.
They are the ones who told us about the product, its features, and its specifications. They are who we speak with if we have any issues or need support. They act as a middle-man between Acunetix and us — they are resellers.
How was the initial setup?
Initially, I believe Acunetix provided us with two solutions. One was a SaaS, which means that they host it on their cloud. They also provide the option to host Acunetix on our internal servers, behind our firewalls, with an on-premise version.
The problem with the on-premise version is that it works only on Windows Servers. I can't install it on a Mac or a Linux-based machine. That was quite challenging for us because all of our cloud infrastructure has been AWS instance, which is of a Linux-based operating system.
As far as security testing is concerned, we would prefer to host Acunetix, on-premise, because everything would be within our firewall. If we wanted to host it on the cloud, then we would have to sign a non-disclosure, because they know what vulnerabilities exist on our site.
For this reason, we generally prefer to host it on-premise so that they will have a restriction within our firewall, so no one can gain access from the outer wall. Setting up the on-premise version of Acunetix is quite challenging and it's not that straightforward because it only supports one operating system.
However, we found it so difficult to host on-premise that we actually had to stop. Instead, we have decided to go for the cloud version. All we have to do is send them our application to scan in their cloud.
What about the implementation team?
We followed an implementation strategy. With our compliance and security team, we followed a procedure with Acunetix so that any vulnerable information that exists on our site remains safe and secure.
We didn't deploy it ourselves because we used their SaaS model. There is no deployment from our side. Initially, we thought of hosting it on our own server; if we did, we would have required a dedicated person to look after the deployment and setup.
Since we don't have a Windows Server, we opted for the SaaS model because the on-premise version is only compatible with a Windows Server. We don't have a license for a Windows Server so instead of purchasing all of the licensing, we just opted for the SaaS solution.
What's my experience with pricing, setup cost, and licensing?
The pricing is a little high, and moreover, it's kind of domain-based. For example, if I have one site that has a lot of sub-domains, they will register all of the sub-domains as individual sites. That caused problems for us.
We have three sites with 10 sub-domains each — so technically 30. We ended up having to purchase 30 licenses, which costs a lot. Instead of paying per site, I think it would be better if they proposed some other kind of pricing and licensing model, like Burp's model. That's why we preferred Burp over Acunetix.
With Burp, 10 agents can scan 10 sites. Even if we scale our application, we don't have to purchase a new license. We can reshuffle the agents to scan multiple websites. One agent can scan our site today, and the same agent can scan another site tomorrow. This is the pricing model of Burp, which was perfect for us.
The Acunetix licensing and pricing model is somewhat complicated. If we calculated all of our domains and sub-domains, the sum would be huge. That's why we thought of leaving Acunetix.
Which other solutions did I evaluate?
I believe we also evaluated ZAP and PortSwigger Burp Suite.
What other advice do I have?
The false-positive rate is not that high, but it's not very low either. There were a few false-positive cases that were triggered when we scanned both of our web applications. So, they're not minimal, but they're not high either, they occur somewhere in between.
The time it takes to remediate issues with Acunetix depends on the type of issue. Minor issues can be resolved within a day. Bigger issues, involving debugging from scratch can take around a week.
In total, we experienced about five high-level vulnerabilities, three mid-level, and 17 low-level vulnerabilities. We also found a few DOM-based, cross-site scripting vulnerabilities.
If you're interested in this solution, you have to consider the pricing model, because when your application is scaling, the cost of Acunetix also spikes up. If you want to scale, you need to look into the cost of Acunetix as well.
Also, the on-premise version takes a lot of effort. Maintaining a Linux-based system is a lot easier; it's difficult for some engineers to maintain a Windows-based operating system.
On a scale from one to ten, I would give this solution a rating of five.
On the positive side, they have a good reporting module and scanner, which is capable of identifying most vulnerabilities. On the negative side, I think the on-premise version needs to be improved. Rather than sticking to one operating system, it needs to support multiple operating systems.
Apart from that, the pricing model also needs to be revisited. If you want to scale an application, you have to spend more money with Acunetix because it uses a domain-based pricing model, which is not something I like using. For these reasons, I am giving Acunetix Vulnerability Scanner a rating of five.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Senior Security Engineer at an insurance company with 10,001+ employees
Our apps are more secure because the solution improves our processes and findings
Pros and Cons
- "We are able to create a report which shows the PCI DSS scoring and share it with the application teams. Then, they can correlate and see exactly what they need to fix, and why."
- "We have had issues during upgrades where their scans worked on some apps better with previous versions. Then, we had to work with their tech support, who were great, to get it fixed for the next version."
What is our primary use case?
We are doing dynamic code testing with some of our different websites and other applications that we've developed in-house.
Right now, we are doing the basic kick-off the target, control, and see what it comes up with in the report. We haven't done any importing yet.
We are using the Windows onsite solution.
How has it helped my organization?
We have had more success with this particular product being able to control our different applications better than some of the other applications that we have used in the past, as far as checking for vulnerabilities. We know our apps are more secure.
It takes a few weeks just to look at the entire process. We take the reports, send them to the business team, who give them to the analysts, and then come up with the remediation plan. Afterwards, we scan it again unless there are critical issues, which are done in less time.
What is most valuable?
The ability to be on the website and test for different vulnerabilities.
We are able to create a report which shows the PCI DSS scoring and share it with the application teams. Then, they can correlate and see exactly what they need to fix, and why.
I can have a scan set up within five to ten minutes by double checking the login script works, so it doesn't take long at all.
We have found a few cross-site scripting vulnerabilities.
What needs improvement?
On the vulnerabilities screen, where you put your target on the drop down, it would be nice to have more choices, not have such limited options.
One thing that we used to be able to do in other applications with a macro was step-by-step filling in the fields of the app and being able to test certain forms. I haven't seen this in Acunetix. This would be a longer macro instead of doing a login, i.e., we are looking for a workflow process.
We have experienced few false positives. Though, it does depend on the application because sometimes it will identify false positives on one application, but not on another.
For how long have I used the solution?
Less than one year.
What do I think about the stability of the solution?
The solution is stable.
We have had issues/hiccups during upgrades where their scans worked on some apps better with previous versions. Then, we had to work with their tech support, who were great, to get it fixed for the next version. This has been frustrating, because there have been some tweaks that hurt us from this perspective. This hasn't happened on every release, just a couple.
I am the main user for the product. We also have a couple of other people on staff who run scans.
What do I think about the scalability of the solution?
It seems to be scalable. Right now, we are just using it at our primary locations and are scanning about 25 different apps. We are looking at the process of being able to scan more than one app simultaneously. It should fit our needs going forward.
How are customer service and technical support?
The technical support has been very helpful, and pretty quick to respond to emails or when I call in.
Which solution did I use previously and why did I switch?
The speed is phenomenal. Some of our applications can do a scan in less than ten minutes, even some of our bigger scans. We were using Micro Focus Fortify WebInspect when it was owned by HPE, and it would take two or three days for it to scan everything. Acunetix can scan everything within 13 hours, which is sort of a long time, but still much shorter than the other apps that we were using. So, it seems to be pretty quick and pretty thorough.
We switched solutions because of cost and the timing of the scans was taking too long.
How was the initial setup?
The setup is very straightforward with the database and the way that we use it.
They have a very good support website, so you can find out answers to questions and reach out to the support team.
Downloading and updating the software took ten to 15 minutes (deployment). I am the person who does the deployments and upgrades.
What about the implementation team?
We did the deployment in-house. We did use the Acunetix support when dealing with the install or any type of setup piece. It was seamless, which was good.
What was our ROI?
We found it to improve our processes and findings.
The solution is paying for itself, as our applications are more secure.
We have found several hundred medium to high level vulnerabilities in our applications. In just one application, we were able to identify 75 of these vulnerabilities.
What's my experience with pricing, setup cost, and licensing?
The pricing and licensing are reasonable to a point. In order to run multiple scans at a time, we are going to have to purchase a 100 count license, which is overkill. Though, compared to what we were paying for, the cost seems reasonable.
Which other solutions did I evaluate?
We went with the recommendations of our parent company. This was one of the approved solutions.
What other advice do I have?
It is a pretty good product.
Do a demo and test whatever application that you are using right now. If you have a site where it is more difficult to identify vulnerabilities, or you have issues scanning, use this to check your particular software. If it can handle your more challenging apps, then it will definitely handle the easier, less technical sites.
We view it on a very traditional PC. Aesthetically, you can see what you are looking for. Unfortunately, we don't utilize the dashboard as much as we should and take full advantage of it. Right now, we're pretty much in the infancy of building the solution. It's nice to be able to look at the dashboard and see the vulnerabilities which are there. However, at this time, we are not doing the retesting with the scans to clear them out. So, we are not taking advantage of this feature.
We are looking to increase the usage of the product to do multiple scans. We will potentially be increasing the number of applications that we are scanning. We are also looking to add the AcuSensor piece with our Jenkins Pipeline, but we haven't gotten there yet.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Director at a tech services company with 1-10 employees
Stable solution with efficient technical support services
Pros and Cons
- "The solution is highly stable."
- "The solution's pricing could be better."
What is most valuable?
The solution's most valuable feature is its capability to scan the REST APIs.
What needs improvement?
They should include the features for reporting in the solution's next release. Also, a dashboard feature could help us view scanning targets segregated into different categories. In addition, there should be a feature to export the data into Excel Spreadsheet.
For how long have I used the solution?
We have been using the solution for 15 years.
What do I think about the stability of the solution?
The solution is highly stable. I rate its stability an eight out of ten.
What do I think about the scalability of the solution?
I rate the solution's scalability a four out of ten. Our clients are enterprise businesses. Also, we have two solution users in our organization.
How was the initial setup?
For standard use cases, we deploy it on a notebook or a desktop machine. In case of integration with a development system, we deploy it on a server or a virtual memory machine. I rate the solution's initial setup process a five out of ten.
What's my experience with pricing, setup cost, and licensing?
The solution is expensive. Its price is based on the number of targets. It has an annual subscription plan and costs around HK$500,000. I rate its pricing a nine out of ten.
What other advice do I have?
I advise others to stay connected to the solution online to ensure the license is up-to-date. I rate it an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer.
Security Consultant at a tech services company with 11-50 employees
Useful user interface, easy to use, and scalable
Pros and Cons
- "The most valuable feature of Acunetix is the UI and the scan results are simple."
- "There are some versions of the solution that are not as stable as others."
What is most valuable?
The most valuable feature of Acunetix is the UI and the scan results are simple.
What needs improvement?
There are some versions of the solution that are not as stable as others.
For how long have I used the solution?
I have been using Acunetix for approximately two years.
What do I think about the stability of the solution?
The stability of Acunetix is good.
What do I think about the scalability of the solution?
Acunetix is scalable.
We have approximately 50 engineers using Acunetix.
How are customer service and support?
I have requested support from the vendor regarding our scan results that have false positives. The vendor double checks and adds a patch if needed. However, their response is too slow.
Which solution did I use previously and why did I switch?
I have previously used other solutions, such as Aspen and Laguna. We chose Acunetix because it is easy to use.
How was the initial setup?
The initial installation of Acunetix was simple.
What about the implementation team?
We did the deployment of the solution ourselves. We have approximately 20 people that do the support and deployment of Acunetix.
What other advice do I have?
I rate Acunetix an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Security Specialist at a tech services company with 11-50 employees
User-friendly and easy to set up but is a bit expensive
Pros and Cons
- "There is a lot of documentation on their website which makes setting it up and using it quite simple."
- "The pricing is a bit on the higher side."
What is our primary use case?
The solution is mostly used for vulnerability scanning purposes.
What is most valuable?
I'm drawn to Information Security. I immediately look for security threats and vulnerabilities. Therefore, the report generation, the reports that are being monitored are great in that they were very easy to read and understand.
It's user-friendly and the language that they use is pretty good.
Overall, the tool is very good in context. It's definitely helpful from a tech intelligence perspective and for identifying vulnerabilities. I like that we can sort the vulnerabilities based on severity levels.
The initial setup is easy.
There is a lot of documentation on their website which makes setting it up and using it quite simple.
Technical support is available 24/7.
What needs improvement?
Normally, the product asks for the URL address before scanning a certain application. Acunetix is immediately used for web application scanning purposes for vulnerability assessment. However, it doesn't seem very helpful or useful for scanning web services, and that is what I feel the organization could work better on.
The pricing is a bit on the higher side.
For how long have I used the solution?
I've been using the solution for about two years at this point.
What do I think about the stability of the solution?
The solution is very stable. There are no bugs or glitches. It doesn't crash or freeze. It's reliable.
What do I think about the scalability of the solution?
The solution is scalable in the sense that it can be easily migrated.
We have about 50 to 55 users on the solution currently.
How are customer service and technical support?
Technical support is fine. Whenever we have any queries the support is available. We have the paid version. We have paid for it, however, it's great due to the fact that it's available 24/7.
Which solution did I use previously and why did I switch?
Although we are working with Acunetix, we are planning to migrate to Nessus in the future. We used Nessus around seven or so years ago. The current solution is a good one, however, my organization wants to try a new, different product. That is the reason we are now moving to Nessus.
How was the initial setup?
The initial setup is not overly complex or difficult. It's very straightforward and very easy. On their website, they have lots of documentation that walks you through the process.
For deployment or maintenance, you only need a maximum of four or five people.
What's my experience with pricing, setup cost, and licensing?
We do pay extra for technical support, however, it's 24/7 support which means we always have access to them if we need them.
The pricing is on the higher side. That could be okay for certain organizations. That said, if they could lower it, that would be ideal. Yeah. To me, it actually all depends upon the companies. My organization is not too big, and we're using it for managing a small set of people. If I have to spend much more, it wouldn't make any sense.
What other advice do I have?
We are into telecommunications, we have bought this product from the vendors.
We're using the latest version of the solution. We try to only use the most up-to-date option.
Overall, the tool is efficient enough to identify and track your vulnerabilities and it's good for intelligence scanning purposes. I'd advise users to just be cautious while the installation happens in terms of what logins are included and what are missing.
The main thing is that users have to define their scope and objectives and only on the basis of that will the tool work.
That said, you always have choices in the market - if this one does not fit your needs.
I'd rate the solution at a seven out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
CEO at a tech services company with 11-50 employees
Flexible with fair pricing and good stability
Pros and Cons
- "Overall, it's a very good tool and a very good engine."
- "While we do have it integrated with other solutions, it could still offer more integrations."
What is our primary use case?
The solution is primarily used purely as a web-based vulnerability scanning tool.
What is most valuable?
The solution is a very flexible tool.
Overall, it's a very good tool and a very good engine.
The product is very scalable.
We found the solution to be quite stable.
For the number of features on offer, the price point is quite good.
The installation is very straightforward.
What needs improvement?
The solution should work on dealing with the number of false positives it delivers.
While we do have it integrated with other solutions, it could still offer more integrations.
For how long have I used the solution?
I've been dealing with the solution for the past two years.
What do I think about the stability of the solution?
The solution is very stable. There are no bugs or glitches. It does not crash or freeze. It's very good.
What do I think about the scalability of the solution?
The solution is scalable. If a company needs to expand it, it can do so with relative ease.
Right now, we have four or five of our customers using the product.
How are customer service and technical support?
The solution's technical support is okay. We have no complaints. They are helpful and responsive and we are satisfied with their level of service.
How was the initial setup?
The initial setup is not too complex. It is simple and straightforward. A company should be able to implement it with ease.
What's my experience with pricing, setup cost, and licensing?
The price point is good. It offers very good value for money.
What other advice do I have?
We are resellers.
We deal with various deployment models including on-premises and the cloud.
I'd recommend the solution to other companies. This is a very good tool for vulnerability assessment. Every organization that has its assets over the internet and is exposed to a public website needs to have a vulnerability assessment using Acunetix.
In general, I would rate the solution at a seven out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer. Reseller