
Acunetix vs OWASP Zap vs Veracode comparison

 

Comparison Buyer's Guide

Executive Summary

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Mindshare comparison

As of October 2025, in the Static Application Security Testing (SAST) category, the mindshare of Acunetix is 3.1%, up from 2.8% compared to the previous year. The mindshare of OWASP Zap is 4.5%, up from 4.4% compared to the previous year. The mindshare of Veracode is 6.9%, down from 10.0% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Static Application Security Testing (SAST) Market Share Distribution
Product: Market Share (%)
Veracode: 6.9%
OWASP Zap: 4.5%
Acunetix: 3.1%
Other: 85.5%
 

Featured Reviews

KashifJamil - PeerSpot reviewer
Has enabled teams to improve security testing with smooth integration and high accuracy
Acunetix has a very good ratio of fewer false positives, so users don't need to retest everything. Acunetix operates smoothly with no interruptions required, and it performs at 100% efficiency without issues in scanning anything. The solution is excellent at detecting SQL injection and cross-site scripting vulnerabilities. Acunetix integrates with every type of tool, including CI/CD tools, offering 100% integration in DevOps environments. The main benefit of Acunetix is that at the first level, users can address security issues related to penetration testing, allowing them to expose vulnerabilities and ensure all required testing is completed with very few false positives.
Amit Beniwal - PeerSpot reviewer
Simplifies vulnerability discovery and has high quality support
There are areas for improvement with OWASP Zap, particularly in the alignment of vulnerabilities concerning CVSS scores. Sometimes, a vulnerability initially categorized as high severity may be reduced to medium or low over time after security patches are applied. This alignment with the present severity score and CVSS score could be improved.
Kv Rao - PeerSpot reviewer
Integrates pipelines smoothly and fortifies code against vulnerabilities
I use Veracode in multiple places including static code analysis, penetration testing, and dynamic code analysis. It is part of our pipeline and integrates well with Bitbucket and Git pipelines. The ease of integration with Bitbucket pipelines and Git pipelines is vital for us. Veracode allows us…

Quotes from Members

 

Pros

"I haven't seen reporting of that level in any other tool."
"We are able to create a report which shows the PCI DSS scoring and share it with the application teams. Then, they can correlate and see exactly what they need to fix, and why."
"I find it to be one of the most comprehensive tools, with support for manual intervention."
"There is a lot of documentation on their website which makes setting it up and using it quite simple."
"Overall, it's a very good tool and a very good engine."
"By integrating with CI/CD tools, it enables a shift-left approach in the development process."
"Picks up weaknesses in our app setups."
"The solution is highly stable."
"It's great that we can use it with Portswigger Burp."
"I consider OWASP Zap to be the most effective solution overall; being open source allows integration with other systems via OWASP Zap APIs."
"Simple and easy to learn and master."
"The community edition updates services regularly. They add new vulnerabilities into the scanning list."
"The solution has tightened our security."
"It scans while you navigate, then you can save the requests performed and work with them later."
"OWASP Zap is straightforward to use. If someone doesn't have the budget for tools like Burp Suite, OWASP Zap is an excellent alternative."
"The vulnerabilities that it finds, because the primary goal is to secure applications and websites."
"The Veracode technical support is very good. They are responsive and very knowledgeable."
"It has improved the quality of code being delivered for test and its vulnerability resolutions timeline has improved."
"Each time I raise a ticket regarding something, they are very quick about the responses and get connected instantly."
"The platform itself has a lot of AppSec best practices information, especially in the mitigation recommendation process."
"One thing we like is the secret detection feature. It has helped us to discover keys stored in our settings file as a TXT document. We can address that vulnerability by using encryption. We can even scan Docker images for vulnerabilities. Static analysis is another good feature of Veracode because we can run a security scan during development to identify the vulnerabilities."
"Also, our customers benefited from the added security assurance of our applications, as they’ve been able to identify OWASP top-10 application vulnerabilities without a manual tester."
"Veracode static analysis allows us to pinpoint issues - from a simple hard-coded test password, to more serious issues - and saves us a lot of time. For example, it raises a flag about a problematic third-party DLL before development invests time heavily using it."
"It gives me an idea about the most important vulnerabilities and fast remediation tips."
 

Cons

"Integration into other tools is very limited for Acunetix. While we're trying to incorporate a CI/CD process where we're integrating with JIRA and we're integrating with Jenkins and Chef, it becomes problematic. Other tools give you a high integration capability to connect into different solutions that you may already have, like JIRA."
"Acunetix should improve by further reducing false positives and providing more customized reports, plus better integration with newer tools such as GitHub and Azure DevOps."
"We have had issues during upgrades where their scans worked on some apps better with previous versions. Then, we had to work with their tech support, who were great, to get it fixed for the next version."
"I had some issues with the JSON parameters where it found some strange vulnerabilities, but it didn't alert the person using it or me about these vulnerabilities, e.g., an error for SQL injection."
"Tools that would allow us to work more efficiently with the mobile environment, with Android and iOS."
"There is room for improvement in the pricing."
"There's a clear need for a reduction in pricing to make the service more accessible."
"Acunetix needs to be dynamic with JavaScript code, unlike Netsparker which can scan complex agents."
"The ability to search the internet for other use cases and to use the solution to make applications more secure should be addressed."
"It would be beneficial to enhance the algorithm to provide better summaries of automatic scanning results."
"It would be nice to have a solid SQL injection engine built into Zap."
"There are areas for improvement with OWASP Zap, particularly in the alignment of vulnerabilities concerning CVSS scores."
"When comparing OWASP Zap and Burp Suite, the main difference besides pricing is that OWASP Zap has limitations with reporting levels and UI, which affects its reporting capabilities, whereas Burp Suite is already advancing with new AI features and scanning capabilities that OWASP Zap seems to be lacking."
"Zap could improve by providing better reports for security and recommendations for the vulnerabilities."
"ZAP's integration with cloud-based CICD pipelines could be better. The scan should run through the entire pipeline."
"As security evolves, we would like DevOps built into it. As of now, Zap does not provide this."
"It's very expensive for a small organization."
"The solution does not support Dynamic Application Security Testing."
"If you schedule two parallel scans under the same project, one of them will be a failure."
"Calypso (our application) is large and the results take up to two months. Further, we also have to package Calypso in a special manner to meet size guidelines."
"There is room for improvement in documentation."
"I would like to see improvement on the analytics side, and in integrations with different tools. Also, the dynamic scanning takes time."
"I'd like to see an improved component of it work in a DevOps world, where the scanning speed does not impede progress along the AppSec pipeline."
"We tried to create an automatic scanning process for Veracode and integrate it into our billing process, but it was easier to adopt it to repositories based on GIT. Until now, our source control repository was Azure DevOps Server (Microsoft TFS) to manage our resources. This was not something that they supported. It took us some sessions together before we successfully implemented it."
 

Pricing and Cost Advice

"It is a bit expensive. If you need to check five applications, you have to pay almost 14,000. It is an agreement for two years at 7,000 per year for only five applications. You cannot change the applications in the license. So, you are stuck with the same license for the five applications for one full year."
"Implementing Acunetix needs a medium or larger business agency, because you need some money to get Acunetix. It is costly, but if you care about your agency's security, then maybe it's a cost that might help you in the future."
"The cost is based on two types of licenses, ConsultLite, and ConsultPlus, as well as the number of domains that are scanned."
"The pricing is a little high, and moreover, it's kind of domain-based."
"I would say that Acunetix is expensive because there are products on the market with similar features that are equally or better-priced."
"When we looked at all other vendors and what they were asking for, to provide a third of what Acunetix was capable of doing, it was an easy decision... But now that it's coming to a cost where it's in line with market value, it becomes more of a competition... Acunetix is raising the cost of licensing. It's 3.5 times what we were initially quoted."
"Acunetix was around the same price as all the other vendors we looked at, nothing special."
"The costs aren't very expensive. It costs around $3000 or $4000."
"It is open source, and we can scan freely."
"It's free and open, currently under the Apache 2 license. If ZAP does what you need it to do, selling a free solution is very easy."
"As Zap is free and open-source, with tons of features similar to those of commercial solutions, I would definitely recommend trying it out."
"The tool is open source."
"OWASP Zap is free to use."
"It is highly recommended as it is an open source tool."
"The tool is open-source."
"We have used the freeware version. I believe Zap only has freeware."
"The licensing is fair, it is time-limited (e.g. one year) but there is a size cap for every app. If your applications are big (due to third-party libraries, for example) you should discuss this beforehand and explore suitable agreements."
"The pricing is reasonable compared to other tools."
"We're very comfortable with their model. We think they're a good value. We worked very closely with Veracode on understanding their license model, understanding what comprises the fee and what does not. With their assistance in design, we decomposed our application in a way where we are scanning a very significant amount of code without wasting their capacity and generating redundant reported issues. You scan in profiles, per se. And we work with them, in their offices, to design the most effective approach. So the advice I would have for customers is, you can get up and live fast, but work closely with Veracode to refine the method you use for scanning and the way you compile the applications. There's a concept called entry-point scanning, and that's probably not used well by the rest of their customers. We see our licensing as a good value because we leverage it heavily."
"I think licensing needs to be changed or updated so that it works with adjustments. Pricing is expensive compared to the amount of scanning we perform."
"Veracode is fairly priced."
"The pricing and licensing are reasonable, and relatively straightforward, and different licensing and subscription models are available."
"It's worth the value."
"The price of Veracode Static Analysis could improve."
868,706 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews

Computer Software Company: 17%
Financial Services Firm: 12%
Manufacturing Company: 9%
University: 8%

Computer Software Company: 16%
Financial Services Firm: 10%
Manufacturing Company: 8%
University: 8%

Financial Services Firm: 16%
Computer Software Company: 15%
Manufacturing Company: 9%
Insurance Company: 6%
 

Company Size

By reviewers

Company Size: Count
Small Business: 15
Midsize Enterprise: 5
Large Enterprise: 14

Company Size: Count
Small Business: 10
Midsize Enterprise: 11
Large Enterprise: 21

Company Size: Count
Small Business: 69
Midsize Enterprise: 43
Large Enterprise: 112
 

Questions from the Community

What do you like most about Acunetix Vulnerability Scanner?
The tool's most valuable feature is scan configurations. We use it for external physical applications. The scanning t...
What is your primary use case for Acunetix Vulnerability Scanner?
Most of the customers who use Acunetix are looking for security testing. The primary use case is performing penetrati...
What advice do you have for others considering Acunetix Vulnerability Scanner?
Acunetix supports multi-user environments effectively. Acunetix is targeted for small to mid-size teams in a DevSecOp...
Is OWASP Zap better than PortSwigger Burp Suite Pro?
OWASP Zap and PortSwigger Burp Suite Pro have many similar features. OWASP Zap has web application scanning available...
What do you like most about OWASP Zap?
The best feature is the Zap HUD (Heads Up Display) because the customers can use the website normally. If we scan web...
What is your experience regarding pricing and costs for OWASP Zap?
OWASP might be cost-effective, however, people prefer to use the free edition available as open source.
Which gives you more for your money - SonarQube or Veracode?
SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. Son...
What do you like most about Veracode Static Analysis?
I like its integration with GitHub. I like using it from GitHub. I can use the GitHub URL and find out the vulnerabil...
What is your experience regarding pricing and costs for Veracode Static Analysis?
When considering pricing, Veracode stands out due to its lower cost per service and more scalable options. It offers ...
 

Also Known As

AcuSensor
No data available
Crashtest Security, Veracode Detect
 

Overview

 

Sample Customers

Joomla!, Digicure, Team Random, Credit Suisse, Samsung, Air New Zealand
1. Google 2. Microsoft 3. IBM 4. Amazon 5. Facebook 6. Twitter 7. LinkedIn 8. Netflix 9. Adobe 10. PayPal 11. Salesforce 12. Cisco 13. Oracle 14. Intel 15. HP 16. Dell 17. VMware 18. Symantec 19. McAfee 20. Citrix 21. Red Hat 22. Juniper Networks 23. SAP 24. Accenture 25. Deloitte 26. Ernst & Young 27. PwC 28. KPMG 29. Capgemini 30. Infosys 31. Wipro 32. TCS
Manhattan Associates, Azalea Health, Sabre, QAD, Floor & Decor, Prophecy International, SchoolCNXT, Keap, Rekner, Cox Automotive, Automation Anywhere, State of Missouri and others.
Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Static Application Security Testing (SAST). Updated: September 2025.