Acunetix vs Checkmarx One vs OWASP Zap comparison

Invicti and Checkmarx are both solutions in the Static Application Security Testing (SAST) category. Invicti is ranked #12 with an average rating of 8.4, while Checkmarx is ranked #3 with an average rating of 8.3. Invicti holds a 3.1% mindshare in SAST, compared to Checkmarx’s 10.0% mindshare. Additionally, 86% of Invicti users are willing to recommend the solution, compared to 87% of Checkmarx users who would recommend it.

Acunetix

Read 33 Acunetix reviews

5,850 Views
3,803 Comparison Views

86% willing to recommend

Checkmarx One

Read 71 Checkmarx One reviews

18,550 Views
15,582 Comparison Views

87% willing to recommend

OWASP Zap

Read 41 OWASP Zap reviews

7,876 Views
7,167 Comparison Views

88% willing to recommend

Acunetix

Checkmarx One

OWASP Zap

Comparison Buyer's Guide

Download the report

Executive Summary

We performed a comparison between Acunetix, Checkmarx One, and OWASP Zap based on real PeerSpot user reviews.

Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Static Application Security Testing (SAST).

To learn more, read our detailed Static Application Security Testing (SAST) Report (Updated: September 2025).

Buyer's Guide

Static Application Security Testing (SAST)

September 2025

Download the complete report

Helped 868,706 peers since 2012

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Mindshare comparison

As of October 2025, in the Static Application Security Testing (SAST) category, the mindshare of Acunetix is 3.1%, up from 2.8% compared to the previous year. The mindshare of Checkmarx One is 10.0%, down from 12.1% compared to the previous year. The mindshare of OWASP Zap is 4.5%, up from 4.4% compared to the previous year. It is calculated based on PeerSpot user engagement data.

Static Application Security Testing (SAST) Market Share Distribution
Product	Market Share (%)
Checkmarx One	10.0%
OWASP Zap	4.5%
Acunetix	3.1%
Other	82.4%

Static Application Security Testing (SAST)

Featured Reviews

KashifJamil

CEO at Xcelliti

Has enabled teams to improve security testing with smooth integration and high accuracy

Acunetix has a very good ratio of fewer false positives, so users don't need to retest everything. Acunetix operates smoothly with no interruptions required, and it performs at 100% efficiency without issues in scanning anything. The solution is excellent at detecting SQL injection and cross-site scripting vulnerabilities. Acunetix integrates with every type of tool, including CI/CD tools, offering 100% integration in DevOps environments. The main benefit of Acunetix is that at the first level, users can address security issues related to penetration testing, allowing them to expose vulnerabilities and ensure all required testing is completed with very few false positives.

Read full review

Syed Hasan

Specialist Leader at Deloitte

Partner experiences excellent technical support and seamless initial setup

In my opinion, if we are able to extract or show the report, and because everything is going towards agent tech and GenAI, it would be beneficial if it could get integrated with our code base and do the fix automatically. It could suggest how the code base is written and automatically populate the source code with three different solution options to choose from. This would be really helpful.

Read full review

Amit Beniwal

Project Manager at Al Hassan LLC

Simplifies vulnerability discovery and has high quality support

There are areas for improvement with OWASP Zap, particularly in the alignment of vulnerabilities concerning CVSS scores. Sometimes, a vulnerability initially categorized as high severity may be reduced to medium or low over time after security patches are applied. This alignment with the present severity score and CVSS score could be improved.

Read full review

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Pros

"I find it to be one of the most comprehensive tools, with support for manual intervention."

"The tool's most valuable feature is performance."

"One of the features that I feel is groundbreaking, that I would like to see expanded on, is the IAS feature: The Interactive Application Security Testing module that gets loaded onto an application on a server, for more in-depth, granular findings. I think that is really neat. I haven't seen a lot of competitors doing that."

"The solution is excellent at detecting SQL injection and cross-site scripting vulnerabilities."

"The vulnerability scanning option for analyzing the security loopholes on the websites is the most valuable feature of this solution."

"The solution is highly stable."

"The most valuable feature of the solution is the speed at which it can scan multiple domains in just a few hours."

"It can operate both as a standalone and it can be integrated with other applications, which makes it a very versatile solution to have."

More Acunetix pros

"The tool's valuable features include integrating GPT and Copilot. Additionally, the UI web representation is very user-friendly, making navigation easy. GPT has made several improvements to my security code."

"The SAST component was absolutely 100% stable."

"It gives the proper code flow of vulnerabilities and the number of occurrences."

"The most valuable feature for me is the Jenkins Plugin."

"We use the solution to validate the source code and do SAST and security analysis."

"The most valuable features of Checkmarx are the automation and information that it provides in the reports."

"The administration in Checkmarx is very good."

"The value you can get out of the speedy production may be worth the price tag."

More Checkmarx One pros

"The reporting is quite intuitive, which gives you a clear indication of what kind of vulnerability you have that you can drill down on to gather more information."

"Stability-wise, I rate the solution a nine out of ten. I think it's stable enough. I don't see any crashes within the application, so its stability is high."

"ZAP is easy to use. The automated scan is a powerful feature. You can simulate attacks with various parameters. ZAP integrates well with SonarQube."

"Two features are valuable. The first one is that the scan gets completed really quickly, and the second one is that even though it searches in a limited scope, what it does in that limited scope is very good. When you use Zap for testing, you're only using it for specific aspects or you're only looking for certain things. It works very well in that limited scope."

"The scalability of this product is very good."

"The solution has tightened our security."

"The API is exceptional."

"The product helps users to scan and fix vulnerabilities in the pipeline."

More OWASP Zap pros

Cons

"Acunetix needs to include agent analysis."

"There was an issue related to updates from the internet."

"While we do have it integrated with other solutions, it could still offer more integrations."

"The jargon used makes it difficult for project managers to understand the issues, and the technical explanations used make it difficult for developers to understand issues. These things should be simplified much more. That would be very helpful for us when explaining to them what needs to be fixed. The report output needs to be simplified."

"The cost can be reduced as management has noted it to be on the higher side."

"It would be nice to have a feature to "retest" only a single vulnerability that the customer reports as patched, and delete it from the next scans since it has already been patched."

"The solution is generally stable, however, there might be room for improvement regarding glitches or bugs."

"Integration into other tools is very limited for Acunetix. While we're trying to incorporate a CI/CD process where we're integrating with JIRA and we're integrating with Jenkins and Chef, it becomes problematic. Other tools give you a high integration capability to connect into different solutions that you may already have, like JIRA."

More Acunetix cons

"In terms of dashboarding, the solution could provide a little more flexibility in terms of creating more dashboards. It has some of its own dashboards that come out of the box. However, if I have to implement my own dashboards that are aligned to my organization's requirements, that dashboarding feature has limited capability right now."

"We have received some feedback from our customers who are receiving a large number of false positives."

"Checkmarx could improve the speed of the scans."

"The resolutions should also be provided. For example, if the user faces any problem regarding an installation due to the internal security policies of their company, there should be a resolution offered."

"They should make it more container-friendly and optimized for the CI pipeline. They should make it a little less heavy. Right now, it requires a SQL database, and the way the tool works is that it has an engine and then it has an analysis database in which it stores the information. So, it is pretty heavy from that perspective because you have to have a full SQL Server. They're working on something called Checkmarx Light, which is a slim-down version. They haven't released it yet, but that's what we need. There should be something a little more slimmed down that can just run the analysis and output the results in a format that's readable as opposed to having a full, really big, and thick deployment with a full database server."

"The product can be improved by continuing to expand the application languages and frameworks that can be scanned for vulnerabilities. This includes expanded coverage for mobile applications as well as open-source development tools."

"I would like to see the rate of false positives reduced."

"I would like to see the tool’s pricing improved."

More Checkmarx One cons

"The automated vulnerability assessments that the application performs needs to be simplified as well as diversified."

"The technical support team must be proactive."

"Sometimes, we get some false positives."

"The product reporting could be improved."

"OWASP should work on reducing false positives by using AI and ML algorithms. They should expand their capabilities for broader coverage of business logic flaws and complex issues."

"The product should allow users to customize the report based on their needs."

"There's very little documentation that comes with OWASP Zap."

"It would be nice to have a solid SQL injection engine built into Zap."

More OWASP Zap cons

Pricing and Cost Advice

"Implementing Acunetix needs a medium or larger business agency, because you need some money to get Acunetix. It is costly, but if you care about your agency's security, then maybe it's a cost that might help you in the future."

"The pricing and licensing are reasonable to a point. In order to run multiple scans at a time, we are going to have to purchase a 100 count license, which is an overkill. Though, compared to what we were paying for, the cost seems reasonable."

"The solution is expensive."

"The price is exceptionally high."

"The costs aren't very expensive. It costs around $3000 or $4000."

"Acunetix was around the same price as all the other vendors we looked at, nothing special."

"The pricing is a little high, and moreover, it's kind of domain-based."

"When compared with other products, the pricing is a little bit high. But it gives value for the price. It serves the purpose and is worthwhile for the price we pay."

More Acunetix pricing and cost advice

"We have a subscription license that is on a yearly basis, and it's a pretty competitive solution."

"It is not expensive, but sometimes, their pricing model or licensing model is not very clear. There are similar variables, such as projects or developers, and sometimes, it is a little bit confusing."

"We're using a commercial version of Checkmarx, and we paid for the solution for one year. The price is high and could be reduced."

"Checkmarx is comparatively costlier than other products, which is why some of the customers feel reluctant to go for it, though performance-wise, Checkmarx can compete with other products."

"It is a good product but a little overpriced."

"Checkmarx is not a cheap scanning tool, but none of the security tools are cheap. Checkmarx is a powerful scanning tool, and it’s essential to have one of these products."

"The solution is costly."

"It's relatively expensive."

More Checkmarx One pricing and cost advice

"The tool is open source."

"It is highly recommended as it is an open source tool."

"It's free. It's good for us because we don't know what the extent of our use will be yet. It's good to start with something free and easy to use."

"It's free and open, currently under the Apache 2 license. If ZAP does what you need it to do, selling a free solution is a very easy."

"This solution is open source and free."

"OWASP ZAP is a free tool provided by OWASP’s engineers and experts. There is an option to donate."

"The tool is open-source."

"As Zap is free and open-source, with tons of features similar to those of commercial solutions, I would definitely recommend trying it out."

More OWASP Zap pricing and cost advice

See which vendors are best for you

Use our free recommendation engine to learn which Static Application Security Testing (SAST) solutions are best for your needs.

See recommendations

868,706 professionals have used our research since 2012.

Top Industries

By visitors reading reviews

Computer Software Company

17%

Financial Services Firm

12%

Manufacturing Company

University

Financial Services Firm

19%

Computer Software Company

13%

Manufacturing Company

10%

Government

Computer Software Company

16%

Financial Services Firm

10%

Manufacturing Company

University

Company Size

By reviewers

Large Enterprise

Midsize Enterprise

Small Business

By reviewers
Company Size	Count
Small Business	15
Midsize Enterprise	5
Large Enterprise	14

By reviewers
Company Size	Count
Small Business	30
Midsize Enterprise	9
Large Enterprise	38

By reviewers
Company Size	Count
Small Business	10
Midsize Enterprise	11
Large Enterprise	21

Questions from the Community

What do you like most about Acunetix Vulnerability Scanner?

The tool's most valuable feature is scan configurations. We use it for external physical applications. The scanning t...

See all answers

What is your primary use case for Acunetix Vulnerability Scanner?

Most of the customers who use Acunetix are looking for security testing. The primary use case is performing penetrati...

See all answers

What advice do you have for others considering Acunetix Vulnerability Scanner?

Acunetix supports multi-user environments effectively. Acunetix is targeted for small to mid-size teams in a DevSecOp...

See all answers

What alternatives are there for Fortify WebInspect and Fortify SCA?

I would like to recommend Checkmarx. With Checkmarx, you are able to have an all in one solution for SAST and SCA as ...

See all answers

What do you like most about Checkmarx?

Compared to the solutions we used previously, Checkmarx has reduced our workload by almost 75%.

See all answers

What is your experience regarding pricing and costs for Checkmarx?

The pricing is relatively expensive due to the product's quality and performance, but it is worth it.

See all answers

Is OWASP Zap better than PortSwigger Burp Suite Pro?

OWASP Zap and PortSwigger Burp Suite Pro have many similar features. OWASP Zap has web application scanning available...

See all answers

What do you like most about OWASP Zap?

The best feature is the Zap HUD (Heads Up Display) because the customers can use the website normally. If we scan web...

See all answers

What is your experience regarding pricing and costs for OWASP Zap?

OWASP might be cost-effective, however, people prefer to use the free edition available as open source.

See all answers

Comparisons

PortSwigger Burp Suite Professional vs Acunetix

Compared 9% of the time

HCL AppScan vs Acunetix

Compared 8% of the time

Invicti vs Acunetix

Compared 8% of the time

Veracode vs Acunetix

Compared 5% of the time

OpenText Dynamic Application Security Testing vs Acunetix

Compared 3% of the time

More Acunetix Competitors

SonarQube Server (formerly SonarQube) vs Checkmarx One

Compared 44% of the time

Veracode vs Checkmarx One

Compared 8% of the time

Checkmarx SAST vs Checkmarx One

Compared 7% of the time

OpenText Core Application Security vs Checkmarx One

Compared 5% of the time

SonarQube Cloud (formerly SonarCloud) vs Checkmarx One

Compared 1% of the time

More Checkmarx One Competitors

SonarQube Server (formerly SonarQube) vs OWASP Zap

Compared 18% of the time

Qualys Web Application Scanning vs OWASP Zap

Compared 9% of the time

Veracode vs OWASP Zap

Compared 9% of the time

PortSwigger Burp Suite Professional vs OWASP Zap

Compared 5% of the time

HCL AppScan vs OWASP Zap

Compared 5% of the time

More OWASP Zap Competitors

Product Reports

Buyer's Guide

Acunetix

September 2025

Download Acunetix product report

Buyer's Guide

Checkmarx One

September 2025

Download Checkmarx One product report

Buyer's Guide

OWASP Zap

September 2025

Download OWASP Zap product report

Also Known As

AcuSensor

No data available

Overview

Acunetix Web Vulnerability Scanner is an automated web application security testing tool that audits your web applications by checking for vulnerabilities like SQL Injection, Cross site scripting, and other exploitable vulnerabilities.

Invicti

Checkmarx One is an enterprise cloud-native application security platform focused on providing cross-tool, correlated results to help AppSec and developer teams prioritize where to focus time and resources.

Checkmarx One offers comprehensive application scanning across the SDLC:

Static Application Security Testing (SAST)
Software Composition Analysis (SCA)
API security
Dynamic Application Security Testing (DAST)
Container security
IaC security
Correlation, prioritization, and risk management
Codebashing secure code training
AI security
Tech partnerships extending AppSec into runtime analysis
Developer tool integrations including: CI/CD tools, development frameworks, feedback tools, IDEs, programming languages and SCMs

Checkmarx One provides everything you need to secure application development from the first line of code through deployment and runtime in the cloud. With an ever-evolving set of AppSec engines, correlation and prioritization features, and AI capabilities, Checkmarx One helps consolidate expanding lists of AppSec tools and make better sense of results. Its capabilities are designed to provide an improved developer experience to build trust with development teams and ensure the success of your AppSec program investment.

Checkmarx

OWASP Zap is a free and open-source web application security scanner.

The solution helps developers identify vulnerabilities in their web applications by actively scanning for common security issues.

With its user-friendly interface and powerful features, Zap is a popular choice among developers for ensuring the security of their web applications.

OWASP

Sample Customers

Joomla!, Digicure, Team Random, Credit Suisse, Samsung, Air New Zealand

YIT, Salesforce, Coca-Cola, SAP, U.S. Army, Liveperson, Playtech Case Study: Liveperson Implements Innovative Secure SDLC

1. Google 2. Microsoft 3. IBM 4. Amazon 5. Facebook 6. Twitter 7. LinkedIn 8. Netflix 9. Adobe 10. PayPal 11. Salesforce 12. Cisco 13. Oracle 14. Intel 15. HP 16. Dell 17. VMware 18. Symantec 19. McAfee 20. Citrix 21. Red Hat 22. Juniper Networks 23. SAP 24. Accenture 25. Deloitte 26. Ernst & Young 27. PwC 28. KPMG 29. Capgemini 30. Infosys 31. Wipro 32. TCS

Buyer's Guide

Static Application Security Testing (SAST)

September 2025

Download Free Report

Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Static Application Security Testing (SAST). Updated: September 2025.

DOWNLOAD NOW

868,706 professionals have used our research since 2012.