No more typing reviews! Try our Samantha, our new voice AI agent.

Acunetix vs Checkmarx One vs Invicti comparison

Invicti and Checkmarx are both solutions in the Static Application Security Testing (SAST) category. Invicti is ranked #10 with an average rating of 7.9, while Checkmarx is ranked #3 with an average rating of 8.2. Invicti holds a 2.6% mindshare in SAST, compared to Checkmarx’s 10.4% mindshare. Additionally, 88% of Invicti users are willing to recommend the solution, compared to 88% of Checkmarx users who would recommend it.
Acunetix
Read 36 Acunetix reviews
  • 6,676 Views
  • 4,072 Comparison Views
88% willing to recommend
Checkmarx One
Read 81 Checkmarx One reviews
  • 18,784 Views
  • 14,276 Comparison Views
88% willing to recommend
Invicti
Read 31 Invicti reviews
  • 3,717 Views
  • 2,379 Comparison Views
96% willing to recommend
 

Comparison Buyer's Guide

Download the report
Executive Summary
We performed a comparison between Acunetix, Checkmarx One, and Invicti based on real PeerSpot user reviews.

Find out what your peers are saying about SonarSource Sàrl, Veracode, Checkmarx and others in Static Application Security Testing (SAST).

DOWNLOAD THE COMPLETE REPORT
To learn more, read our detailed Static Application Security Testing (SAST) Report (Updated: March 2026).
Buyer's Guide
Static Application Security Testing (SAST)
March 2026
Download the complete report
Helped 885,789 peers since 2012

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Mindshare comparison

As of April 2026, in the Static Application Security Testing (SAST) category, the mindshare of Acunetix is 2.6%, down from 3.3% compared to the previous year. The mindshare of Checkmarx One is 10.4%, down from 11.2% compared to the previous year. The mindshare of Invicti is 1.5%, up from 1.5% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Static Application Security Testing (SAST) Mindshare Distribution
ProductMindshare (%)
Checkmarx One10.4%
Acunetix2.6%
Invicti1.5%
Other85.5%
Static Application Security Testing (SAST)
 

Featured Reviews

Rahul Kumar - PeerSpot reviewer
Rahul Kumar
Senior Engineer - Penetration Tester at a government with 10,001+ employees
Identifies vulnerabilities across bulk web applications but needs better support and cleaner reports
The best feature Acunetix offers is the centralized dashboard and the quality of reports it generates, which includes various options for selecting reports and developer options for directly sharing the reports with developers. The centralized dashboard of Acunetix gives visibility into the security aspects of mass applications; for instance, with more than 200 applications, it provides a valuable overview of findings and necessary fixes, along with a high-level summary that helps us achieve compliance through monthly and sometimes weekly scanning. In terms of reporting, Acunetix is excellent because it can generate different types of reports, such as an executive summary report, detailed reports, and developer reports that can be shared directly with developers. Acunetix positively impacts my organization by helping identify outdated libraries and applications, including legacy applications vulnerable to old attacks based on OWASP Top 10, thus aiding in compliance checks for PCI DSS and OWASP. Acunetix provides a centralized report with compliance-related aspects and a vulnerability timeline, effectively helping reduce vulnerabilities and save time.
Read full review
Shahzad Shahzad - PeerSpot reviewer
Shahzad Shahzad
Senior Solution Architect | L3+ Systems & Cloud Engineer | SRE Specialist at Canada Cloud Solution
Enable secure development workflows while identifying opportunities for faster scans and improved AI guidance
Checkmarx One is a very strong platform, but there are several areas where it can improve to support modern DevSecOps workflows even better. For example, better real-time developer guidance is needed. The IDE plugin should offer richer AI-powered auto-fixes similar to SNYK Code or GitHub Copilot Security, as current guidance is good but not deeply contextual for large-scale enterprise codebases. This matters because it reduces developer friction and accelerates shift-left adoption. More transparency control over the correlation engines is another need. The correlation engine is powerful but not fully transparent. Users want to understand why vulnerabilities were correlated or de-prioritized, which helps AppSec teams trust the prioritization logic. Faster SAST scan and more language coverage is needed since SAST scan can still be slow for very large mono-repos and there is limited deep support for new language frameworks like Rust and Go, along with advanced coverage for serverless-specific frameworks. This matters because large organizations want sub-minute scans in CI/CD as cloud-native ecosystems evolve fast. A strong API security module is another area for enhancement. API security scanning could be improved with active testing, API discovery, full Swagger, OpenAPI, drift detection, and schema-based fuzzing. This is important as API attacks are one of the biggest AppSec risks in 2025. Checkmarx One is strong, but I see a few areas for improvement including faster SAST scanning for large mono-repos, deeper language framework support, more transparent correlation logic, and stronger API security that includes discovery and runtime context. The IDE plugin could offer more AI-assisted fixes, and the SBOM lifecycle tracking can evolve further. Enhancing integration with SIEM and SOAR would also make enterprise adoption smoother, and these improvements would help developers and AppSec teams move faster with more accuracy.
Read full review
Valavan Sivgalingam - PeerSpot reviewer
Valavan Sivgalingam
Senior Manager, Security Engineering at ESS
Dynamic testing regularly identifies web vulnerabilities and has strong false positive confirmations
It has good false positive confirmations, confirmed issues identification, and proof of exploit-related features as part of it. We use Invicti for these things in our portfolios. The solution includes Proof-Based Scanning technology. Invicti is part of our SSDLC portfolio, and DAST dynamic testing is very important for our web applications and portfolios. For both the API endpoints and web applications, we do regular testing on a monthly basis for all our releases. Invicti does a good job. The only concern is on the performance side, but other than that, we find it really helpful in identifying web vulnerabilities. A full scan takes more time based on your website and other factors, but for us, it takes more than two to three days. The scan performance can be improved upon. When we check with them, they discuss proof-based scanning and related aspects. However, there could be intermittent results that could help us.
Read full review

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"Our developers can run the attacks directly from their environments, desktops."
"The most valuable feature of Acunetix is the UI and the scan results are simple."
"Picks up weaknesses in our app setups."
"If an organization has 100 plus applications and wants to use an automated scanner, they should definitely go ahead with Acunetix because it is very cost-effective and will save time compared to focusing on other solutions and performing manual security assessments."
"Acunetix helps reduce the man-days and effort needed for scanning bulk applications through automated assessments, allowing good dashboard visualization that can be reported easily to management, providing complete visibility on vulnerability metrics."
"The tool's most valuable feature is scan configurations. We use it for external physical applications. The scanning time depends on the application's code."
"With Acunetix, we cut the time to make infrastructures and web applications for our colleagues more secure, and for one application with two or three critical vulnerabilities and some other vulnerabilities, it took about a week to remediate issues because the scan and findings were really fast."
"Acunetix is the best service in the world."
More Acunetix pros
"The feature that I have found most valuable is that its number of false positives is less than the other security application platforms. Its ease of use is another good feature. It also supports most of the languages."
"Providing the scanning ability that shows the errors at the source code level is critical to have effective development of any critical application."
"The identification of verification-related security vulnerabilities is really important and one of the key things, and it also identifies vulnerabilities for any kind of third-party tool coming into the system or any third-party tools that you are using, which is very useful for avoiding random hacking."
"If you really are worried about your business, i.e. about your development sites or development environments, Checkmarx is a great solution."
"The report function is the solution's greatest asset."
"Overall, we are very satisfied with Checkmarx and it is a product that I recommend."
"Less false positive errors as compared to any other solution."
"Checkmarx One has positively impacted the organization by providing resolution strategies and indicating which vulnerabilities need to be fixed."
More Checkmarx One pros
"The most valuable feature of Invicti is getting baseline scanning and incremental scan."
"The scanner and the result generator are valuable features for us."
"Netsparker has valuable features, including the ability to scan our website, an interactive approach, and security data integration."
"The solution generates reports automatically and quickly."
"The solution generates reports automatically and quickly and it's a very user-friendly product."
"I would rate the stability as ten out of ten."
"Crawling feature: Netsparker has very detail crawling steps and mechanisms. This feature expands the attack surface."
"Scan, proxify the application, and then detailed report along with evidence and remediations to problems."
More Invicti pros
 

Cons

"The only problem that they have is the price. It is a bit expensive, and you cannot change the number of applications for the whole year."
"I had some issues with the JSON parameters where it found some strange vulnerabilities, but it didn't alert the person using it or me about these vulnerabilities, e.g., an error for SQL injection."
"In terms of what needs improvement, the way the licensing model is currently is not very convenient for us because initially, when we bought it, the licensing model was very flexible, but now it restricts us."
"I had some issues with the JSON parameters where it found some strange vulnerabilities, but it didn't alert the person using it or me about these vulnerabilities, e.g., an error for SQL injection."
"The solution's pricing could be better."
"There is room for improvement in the pricing."
"Integration into other tools is very limited for Acunetix. While we're trying to incorporate a CI/CD process where we're integrating with JIRA and we're integrating with Jenkins and Chef, it becomes problematic."
"I believe Acunetix can improve customer support, as the dedicated support staff are often unfamiliar with problems and troubleshooting, leading to communication gaps that delay issue resolution."
More Acunetix cons
"This product requires you to create your own rulesets. You have to do a lot of customization."
"I expect application security vendors to cover all aspects of application security, including SAST, DAST, and even mobile application security testing."
"It is an expensive solution."
"The validation process needs to be sped up."
"The reports are good, but they still need to be improved considering what the UI offers."
"Unfortunately, Checkmarx doesn't do any automated backups which is quite inconvenient."
"The product's reporting feature could be better. The feature works well for developers, but reports generated to be shared with external parties are poor, it lacks the details one gets when viewing the results directly from the Checkmarx One platform."
"Dynamic testing. If it had that feature I would have liked to see more consideration of framework validations that we don't have to duplicate. These flags are false positives."
More Checkmarx One cons
"Perhaps the custom attack preparation screen might be improved."
"Improvement could be made in the area of production."
"The support's response time could be faster since we are in different time zones."
"Netsparker doesn't provide the source code of the static application security testing."
"The scanner itself should be improved because it is a little bit slow."
"Speed: It spends about one hour on scanning; I would like it to be less than 30 minutes."
"They don't really provide the proof of concept up to the level that we need in our organization. We are a consultancy firm, and we provide consultancy for the implementation and deployment solutions to our customers. When you run the scans and the scan is completed, it only shows the proof of exploit, which really doesn't work because the tool is running the scan and exploiting on the read-only form. You don't really know whether it is actually giving the proof of exploit. We cannot prove it manually to a customer that the exploit is genuine. It is really hard to perform it manually and prove it to the concerned development, remediation, and security teams. It is currently missing the static application security part of the application security, especially web application security. It would be really cool if they can integrate a SAS tool with their dynamic one."
"The higher level vulnerabilities like Cross-Site Scripting, SQL Injection, and other higher level injection attacks are difficult to highlight using Netsparker."
More Invicti cons
 

Pricing and Cost Advice

"The cost is based on two types of licenses, ConsultLite, and ConsultPlus, as well as the number of domains that are scanned."
"The costs aren't very expensive. It costs around $3000 or $4000."
"When compared with other products, the pricing is a little bit high. But it gives value for the price. It serves the purpose and is worthwhile for the price we pay."
"Acunetix was around the same price as all the other vendors we looked at, nothing special."
"All things considered, I think it has a good price/value ratio."
"The pricing and licensing are reasonable to a point. In order to run multiple scans at a time, we are going to have to purchase a 100 count license, which is an overkill. Though, compared to what we were paying for, the cost seems reasonable."
"The price is exceptionally high."
"The pricing is a little high, and moreover, it's kind of domain-based."
More Acunetix pricing and cost advice
"The pricing is competitive and provides a lower TCO (total cost of ownership) for achieving application security."
"Its price is fair. It is in or around the right spot. Ultimately, if the price is wrong, customers won't commit, but they do tend to commit. It is neither too cheap nor too expensive."
"The interface used to create custom rules comes at an additional cost."
"If you want more, you have to pay more. You have to pay for additional modules or functionalities."
"For around 250 users or committers, the cost is approximately $500,000."
"I believe pricing is better compared to other commercial tools."
"The price of Checkmarx could be reduced to match their competitors, it is expensive."
"We have purchased an annual license to use this solution. The price is reasonable."
More Checkmarx One pricing and cost advice
"The solution is very expensive. It comes with a yearly subscription. We were paying 6000 dollars yearly for unlimited scans. We have three licenses; basic, business, and ultimate. We need ultimate because it has unlimited scan numbers."
"We are using an NFR license and I do not know the exact price of the NFR license. I think 20 FQDN for three years would cost around 35,000 US Dollars."
"We never had any issues with the licensing; the price was within our assigned limits."
"The price should be 20% lower"
"OWASP Zap is free and it has live updates, so that's a big plus."
"I think that price it too high, like other Security applications such as Acunetix, WebInspect, and so on."
"Netsparker is one of the costliest products in the market. It would help if they could allow us to scan multiple URLs on the same license."
"It is competitive in the security market."
More Invicti pricing and cost advice
report
See which vendors are best for you
Use our free recommendation engine to learn which Static Application Security Testing (SAST) solutions are best for your needs.
See recommendations
885,789 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Financial Services Firm
12%
Computer Software Company
11%
Manufacturing Company
9%
Government
7%
Financial Services Firm
17%
Manufacturing Company
9%
Computer Software Company
9%
Government
6%
Financial Services Firm
15%
Manufacturing Company
9%
Computer Software Company
8%
Government
7%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
By reviewers
Company SizeCount
Small Business15
Midsize Enterprise7
Large Enterprise18
By reviewers
Company SizeCount
Small Business32
Midsize Enterprise9
Large Enterprise46
By reviewers
Company SizeCount
Small Business14
Midsize Enterprise4
Large Enterprise13
 

Questions from the Community

What is your primary use case for Acunetix Vulnerability Scanner?
My main use of Acunetix is to scan my web application. I mostly deal with web applications and with Acunetix Network ...
See all answers
What advice do you have for others considering Acunetix Vulnerability Scanner?
I am still working with Acunetix, and we have even moved to their new platform, Invicti. I have requested a demo for ...
See all answers
What is your experience regarding pricing and costs for Acunetix?
I would say the pricing is average, but still, it is higher than low.
See all answers
What alternatives are there for Fortify WebInspect and Fortify SCA?
I would like to recommend Checkmarx. With Checkmarx, you are able to have an all in one solution for SAST and SCA as ...
See all answers
What is your experience regarding pricing and costs for Checkmarx?
Checkmarx One is a premium solution, so budget accordingly. Make sure you understand how licensing scales with additi...
See all answers
What needs improvement with Checkmarx?
One way Checkmarx One could be improved is if it could automatically run scans every month after implementation. If i...
See all answers
What is your experience regarding pricing and costs for Netsparker Web Application Security Scanner?
The setup cost is pretty competitive. For example, if you want to talk about the SAST license, it comes to about $150...
See all answers
What needs improvement with Invicti?
At this time, there is nothing that comes to mind. However, most of the products in the market are pretty much neck-t...
See all answers
What is your primary use case for Invicti?
I have worked on a couple of products, specifically in web application security. I have worked on Invicti, and with r...
See all answers
 

Comparisons

OWASP Zap vs Acunetix Logo
OWASP Zap vs Acunetix
Compared 10% of the time
PortSwigger Burp Suite Professional vs Acunetix Logo
PortSwigger Burp Suite Professional vs Acunetix
Compared 7% of the time
Veracode vs Acunetix Logo
Veracode vs Acunetix
Compared 5% of the time
HCL AppScan vs Acunetix Logo
HCL AppScan vs Acunetix
Compared 4% of the time
Tenable Nessus vs Acunetix Logo
Tenable Nessus vs Acunetix
Compared 4% of the time
More Acunetix Competitors
SonarQube vs Checkmarx One Logo
SonarQube vs Checkmarx One
Compared 41% of the time
Veracode vs Checkmarx One Logo
Veracode vs Checkmarx One
Compared 4% of the time
Checkmarx SAST vs Checkmarx One Logo
Checkmarx SAST vs Checkmarx One
Compared 3% of the time
OpenText Core Application Security vs Checkmarx One Logo
OpenText Core Application Security vs Checkmarx One
Compared 2% of the time
More Checkmarx One Competitors
Veracode vs Invicti Logo
Veracode vs Invicti
Compared 9% of the time
OpenText Dynamic Application Security Testing vs Invicti Logo
OpenText Dynamic Application Security Testing vs Invicti
Compared 5% of the time
SonarQube vs Invicti Logo
SonarQube vs Invicti
Compared 5% of the time
Rapid7 InsightAppSec vs Invicti Logo
Rapid7 InsightAppSec vs Invicti
Compared 4% of the time
Aikido Security vs Invicti Logo
Aikido Security vs Invicti
Compared 3% of the time
More Invicti Competitors
 

Product Reports

Buyer's Guide
Acunetix
April 2026
Acunetix reportDownload Acunetix product report
Buyer's Guide
Checkmarx One
April 2026
Checkmarx One reportDownload Checkmarx One product report
Buyer's Guide
Invicti
March 2026
Invicti reportDownload Invicti product report
 

Also Known As

AcuSensor
No data available
Netsparker
 

Overview

Acunetix Web Vulnerability Scanner is an automated web application security testing tool that audits your web applications by checking for vulnerabilities like SQL Injection, Cross site scripting, and other exploitable vulnerabilities.

Invicti

Checkmarx One is an enterprise cloud-native application security platform focused on providing cross-tool, correlated results to help AppSec and developer teams prioritize where to focus time and resources.

Checkmarx One offers comprehensive application scanning across the SDLC:

  • Static Application Security Testing (SAST)
  • Software Composition Analysis (SCA)
  • API security
  • Dynamic Application Security Testing (DAST)
  • Container security
  • IaC security
  • Correlation, prioritization, and risk management
  • Codebashing secure code training
  • AI security
  • Tech partnerships extending AppSec into runtime analysis
  • Developer tool integrations including: CI/CD tools, development frameworks, feedback tools, IDEs, programming languages and SCMs

Checkmarx One provides everything you need to secure application development from the first line of code through deployment and runtime in the cloud. With an ever-evolving set of AppSec engines, correlation and prioritization features, and AI capabilities, Checkmarx One helps consolidate expanding lists of AppSec tools and make better sense of results. Its capabilities are designed to provide an improved developer experience to build trust with development teams and ensure the success of your AppSec program investment.

Checkmarx

Invicti helps DevSecOps teams automate security tasks and save hundreds of hours each month by identifying web vulnerabilities that matter. Combining dynamic with interactive testing (DAST + IAST) and software composition analysis (SCA), Invicti scans every corner of an app to find what other tools miss with 99.98% accuracy, delivering on the promise of Zero Noise AppSec. Invicti helps discover all web assets — even ones that are lost, forgotten, or created by rogue departments. With an array of out-of-the-box integrations, DevSecOps teams can get ahead of their workloads to hit critical deadlines, improve processes, and communicate more effectively while reducing risk and hitting the ROI goals.

Invicti
 

Sample Customers

Joomla!, Digicure, Team Random, Credit Suisse, Samsung, Air New Zealand
YIT, Salesforce, Coca-Cola, SAP, U.S. Army, Liveperson, Playtech Case Study: Liveperson Implements Innovative Secure SDLC
Samsung, The Walt Disney Company, T-Systems, ING Bank
Buyer's Guide
Static Application Security Testing (SAST)
March 2026
Download Free Report
Find out what your peers are saying about SonarSource Sàrl, Veracode, Checkmarx and others in Static Application Security Testing (SAST). Updated: March 2026.
DOWNLOAD NOW
885,789 professionals have used our research since 2012.