
Acunetix vs Checkmarx One vs Invicti comparison

 

Comparison Buyer's Guide

 

Mindshare comparison

As of June 2025, in the Static Application Security Testing (SAST) category, the mindshare of Acunetix is 3.5%, up from 2.5% compared to the previous year. The mindshare of Checkmarx One is 9.5%, down from 12.8% compared to the previous year. The mindshare of Invicti is 1.5%, up from 1.2% compared to the previous year. It is calculated based on PeerSpot user engagement data.
 

Featured Reviews

KashifJamil - PeerSpot reviewer
Has enabled teams to improve security testing with smooth integration and high accuracy
Acunetix has a very good ratio of fewer false positives, so users don't need to retest everything. Acunetix operates smoothly with no interruptions required, and it performs at 100% efficiency without issues in scanning anything. The solution is excellent at detecting SQL injection and cross-site scripting vulnerabilities. Acunetix integrates with every type of tool, including CI/CD tools, offering 100% integration in DevOps environments. The main benefit of Acunetix is that at the first level, users can address security issues related to penetration testing, allowing them to expose vulnerabilities and ensure all required testing is completed with very few false positives.
Syed Hasan - PeerSpot reviewer
Partner experiences excellent technical support and seamless initial setup
In my opinion, if we are able to extract or show the report, and because everything is going towards agent tech and GenAI, it would be beneficial if it could get integrated with our code base and do the fix automatically. It could suggest how the code base is written and automatically populate the source code with three different solution options to choose from. This would be really helpful.
Kunal M - PeerSpot reviewer
Proactive scanning measures and realistic audit recommendations enhance development focus
Invicti's proactive scanning measures vulnerabilities each time we deploy or push code to a new environment. This feature helps us focus on priorities and prioritize the development team's effort, integrating seamlessly with DevOps to facilitate proactive scans of environments. Invicti also provides audit recommendations that are quite realistic, making it easy to discuss plans with developers.

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"I haven't seen reporting of that level in any other tool."
"Acunetix has an awesome crawler. It gives a referral site map of near targets and also goes really deep to find all the inputs without issues. This was valuable because it helped me find some files or directories, like web admin panels without authentication, which were hidden."
"The most valuable feature of the solution is the speed at which it can scan multiple domains in just a few hours."
"The vulnerability scanning option for analyzing the security loopholes on the websites is the most valuable feature of this solution."
"I find it to be one of the most comprehensive tools, with support for manual intervention."
"Picks up weaknesses in our app setups."
"It can operate both as a standalone and it can be integrated with other applications, which makes it a very versatile solution to have."
"The solution is highly stable."
"Our static operation security has been able to identify more security issues since implementing this solution."
"The solution improved the efficiency of our code security reviews. It helps tremendously because it finds hundreds of potential problems sometimes."
"Less false positive errors as compared to any other solution."
"One of the most valuable features is it is flexible."
"The most valuable features are the easy to understand interface, and it 's very user-friendly."
"The UI is user-friendly."
"It allows for SAST scanning of uncompiled code. Further, it natively integrates with all key repos formats (Git, TFS, SVN, Perforce, etc)."
"We use the solution to validate the source code and do SAST and security analysis."
"The scanner is light on the network and does not impact the network when scans are running."
"It correctly parses DOM and JS and has really good support for URL Rewrite rules, which is important for today's websites."
"The best features of Invicti are its ability to confirm access vulnerabilities, SSL injection vulnerabilities, and its connectors to other security tools."
"Attacking feature: Actually, attacking is not a solo feature. It contains many attack engines, Hawk, and many properties. But Netsparker's attacking mechanism is very flexible. This increases the vulnerability detection rate. Also, Netsparker made the Hawk for real-time interactive command-line-based exploit testing. It's very valuable for a vulnerability scanner."
"It has a comprehensive resulting mechanism. It is a one-stop solution for all your security testing mechanisms."
"Crawling feature: Netsparker has very detail crawling steps and mechanisms. This feature expands the attack surface."
"The solution generates reports automatically and quickly."
"Invicti's proactive scanning measures vulnerabilities each time we deploy or push code to a new environment."
 

Cons

"The solution can be improved by adding the ability to scan subdomains automatically, and by providing reports that can be exported to external databases to share with other solutions."
"The solution's pricing could be better."
"It should be easier to recreate something manually, with the manual tool, because Acunetix is an automatic tool. If it finds something, it should be easier to manually replicate it. Sometimes you don't get the raw data from the input and output, so that could be improved."
"The solution limits the number of scans. It would be much better if we could have unlimited scans."
"It would be nice to have a feature to "retest" only a single vulnerability that the customer reports as patched, and delete it from the next scans since it has already been patched."
"The jargon used makes it difficult for project managers to understand the issues, and the technical explanations used make it difficult for developers to understand issues. These things should be simplified much more. That would be very helpful for us when explaining to them what needs to be fixed. The report output needs to be simplified."
"The pricing is a bit on the higher side."
"In terms of what needs improvement, the way the licensing model is currently is not very convenient for us because initially, when we bought it, the licensing model was very flexible, but now it restricts us."
"The reports are good, but they still need to be improved considering what the UI offers."
"You can't use it in the continuous delivery pipeline because the scanning takes too much time."
"Checkmarx being Windows only is a hindrance. Another problem is: why can't I choose PostgreSQL?"
"I would like to see the DAST solution in the future."
"Updating and debugging of queries is not very convenient."
"They should make it more container-friendly and optimized for the CI pipeline. They should make it a little less heavy. Right now, it requires a SQL database, and the way the tool works is that it has an engine and then it has an analysis database in which it stores the information. So, it is pretty heavy from that perspective because you have to have a full SQL Server. They're working on something called Checkmarx Light, which is a slim-down version. They haven't released it yet, but that's what we need. There should be something a little more slimmed down that can just run the analysis and output the results in a format that's readable as opposed to having a full, really big, and thick deployment with a full database server."
"There is nothing particular that I don't like in this solution. It can have more integrations, but the integrations that we would like are in the roadmap anyway, and they just need to deliver the roadmap. What I like about the roadmap is that it is going where it needs to go. If I were to look at the roadmap, there is nothing that is jumping out there that says to me, "Yeah. I'd like something else on the roadmap." What they're looking to deliver is what I would expect and forecast them to deliver."
"We have received some feedback from our customers who are receiving a large number of false positives."
"They don't really provide the proof of concept up to the level that we need in our organization. We are a consultancy firm, and we provide consultancy for the implementation and deployment solutions to our customers. When you run the scans and the scan is completed, it only shows the proof of exploit, which really doesn't work because the tool is running the scan and exploiting on the read-only form. You don't really know whether it is actually giving the proof of exploit. We cannot prove it manually to a customer that the exploit is genuine. It is really hard to perform it manually and prove it to the concerned development, remediation, and security teams. It is currently missing the static application security part of the application security, especially web application security. It would be really cool if they can integrate a SAS tool with their dynamic one."
"I think that it freezes without any specific reason at times. This needs to be looked into."
"The solution needs to make a more specific report."
"Reporting should be improved. The reporting options should be made better for end-users. Currently, it is possible, but it's not the best. Being able to choose what I want to see in my reports rather than being given prefixed information would make my life easier. I had to depend on the API for getting the content that I wanted. If they could fix the reporting feature to make it more comprehensive and user-friendly, it would help a lot of end-users. Everything else was good about this product."
"Right now, they are missing the static application security part, especially web application security."
"The scanner itself should be improved because it is a little bit slow."
"The license could be better. It would help if they could allow us to scan multiple URLs on the same license. It's a major hindrance that we are facing while scanning applications, and we have to be sure that the URLs are the same and not different so that we do not end up consuming another license for it. Netsparker is one of the costliest products in the market. The licensing is tied to the URL, and it's restricted. If you have a URL that you scanned once, like a website, you cannot retry that same license. If you are scanning the same website but in a different domain or different URL, you might end up paying for a second license. It would also be better if they provided proper support for multi-factor authentications. In the next release, I would like them to include good multi-factor authentication support."
"Currently, there is nothing I would like to improve."
 

Pricing and Cost Advice

"The solution is expensive."
"The price is exceptionally high."
"Acunetix was around the same price as all the other vendors we looked at, nothing special."
"When compared with other products, the pricing is a little bit high. But it gives value for the price. It serves the purpose and is worthwhile for the price we pay."
"The costs aren't very expensive. It costs around $3000 or $4000."
"Implementing Acunetix needs a medium or larger business agency, because you need some money to get Acunetix. It is costly, but if you care about your agency's security, then maybe it's a cost that might help you in the future."
"All things considered, I think it has a good price/value ratio."
"I would say that Acunetix is expensive because there are products on the market with similar features that are equally or better-priced."
"​Checkmarx is not a cheap scanning tool, but none of the security tools are cheap. Checkmarx is a powerful scanning tool, and it’s essential to have one of these products."
"Be cautious of the one-year subscription date. Once it expires, your price will go up."
"The number of users and coverage for languages will have an impact on the cost of the license."
"Most of my customers opted for a perpetual license. They prefer to pay the highest amount up front for the perpetual license and then pay for additional support annually."
"If you want more, you have to pay more. You have to pay for additional modules or functionalities."
"It is a good product but a little overpriced."
"The price of Checkmarx could be reduced to match their competitors, it is expensive."
"Its price is fair. It is in or around the right spot. Ultimately, if the price is wrong, customers won't commit, but they do tend to commit. It is neither too cheap nor too expensive."
"We are using an NFR license and I do not know the exact price of the NFR license. I think 20 FQDN for three years would cost around 35,000 US Dollars."
"Invicti is best suited for large enterprises. I don't think small and medium-sized businesses can afford it. Maintenance costs aren't that great."
"I think that price it too high, like other Security applications such as Acunetix, WebInspect, and so on."
"We never had any issues with the licensing; the price was within our assigned limits."
"Netsparker is one of the costliest products in the market. It would help if they could allow us to scan multiple URLs on the same license."
"OWASP Zap is free and it has live updates, so that's a big plus."
"The price should be 20% lower"
"It is competitive in the security market."
855,164 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Computer Software Company: 18%
Financial Services Firm: 14%
Government: 9%
Manufacturing Company: 8%

Financial Services Firm: 21%
Computer Software Company: 14%
Manufacturing Company: 10%
Government: 6%

Educational Organization: 39%
Financial Services Firm: 12%
Computer Software Company: 9%
Manufacturing Company: 6%
 

 

Questions from the Community

What do you like most about Acunetix Vulnerability Scanner?
The tool's most valuable feature is scan configurations. We use it for external physical applications. The scanning t...
What is your primary use case for Acunetix Vulnerability Scanner?
I typically use Acunetix to identify vulnerabilities for clients.
What advice do you have for others considering Acunetix Vulnerability Scanner?
I would recommend Acunetix to others. Overall, I rate this solution seven out of ten.
What alternatives are there for Fortify WebInspect and Fortify SCA?
I would like to recommend Checkmarx. With Checkmarx, you are able to have an all in one solution for SAST and SCA as ...
What do you like most about Checkmarx?
Compared to the solutions we used previously, Checkmarx has reduced our workload by almost 75%.
What is your experience regarding pricing and costs for Checkmarx?
The pricing is relatively expensive due to the product's quality and performance, but it is worth it.
What is your experience regarding pricing and costs for Netsparker Web Application Security Scanner?
As a technical user, I do not handle pricing or licensing, but I am aware that Invicti offers flexible licensing mode...
What do you like most about Invicti?
The most valuable feature of Invicti is getting baseline scanning and incremental scan.
What needs improvement with Invicti?
Invicti's reporting capabilities need enhancement. We need enterprise-level information instead of repo-level details...
 

Also Known As

AcuSensor
No data available
Netsparker
 


 

Sample Customers

Joomla!, Digicure, Team Random, Credit Suisse, Samsung, Air New Zealand
YIT, Salesforce, Coca-Cola, SAP, U.S. Army, Liveperson, Playtech Case Study: Liveperson Implements Innovative Secure SDLC
Samsung, The Walt Disney Company, T-Systems, ING Bank
Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Static Application Security Testing (SAST). Updated: June 2025.