Try our new research platform with insights from 80,000+ expert users

Acunetix vs OWASP Zap vs Veracode comparison

Invicti and OWASP are both solutions in the Static Application Security Testing (SAST) category. Invicti is ranked #13 with an average rating of 8.3, while OWASP is ranked #11 with an average rating of 8.0. Invicti holds a 3.5% mindshare in SAST, compared to OWASP’s 4.7% mindshare. Additionally, 86% of Invicti users are willing to recommend the solution, compared to 88% of OWASP users who would recommend it.
Acunetix
Read 33 Acunetix reviews
  • 4,230 Views
  • 1,142 Comparison Views
86% willing to recommend
OWASP Zap
Read 41 OWASP Zap reviews
  • 9,575 Views
  • 514 Comparison Views
88% willing to recommend
Veracode
Read 201 Veracode reviews
  • 15,486 Views
  • 1,866 Comparison Views
90% willing to recommend
 

Comparison Buyer's Guide

Download the report
Executive Summary
We performed a comparison between Acunetix, OWASP Zap, and Veracode based on real PeerSpot user reviews.

Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Static Application Security Testing (SAST).

DOWNLOAD THE COMPLETE REPORT
To learn more, read our detailed Static Application Security Testing (SAST) Report (Updated: June 2025).
Buyer's Guide
Static Application Security Testing (SAST)
June 2025
Download the complete report
Helped 856,873 peers since 2012

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Mindshare comparison

As of June 2025, in the Static Application Security Testing (SAST) category, the mindshare of Acunetix is 3.5%, up from 2.5% compared to the previous year. The mindshare of OWASP Zap is 4.7%, down from 4.9% compared to the previous year. The mindshare of Veracode is 8.3%, down from 10.2% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Static Application Security Testing (SAST)
 

Featured Reviews

KashifJamil - PeerSpot reviewer
Has enabled teams to improve security testing with smooth integration and high accuracy
Acunetix has a very good ratio of fewer false positives, so users don't need to retest everything. Acunetix operates smoothly with no interruptions required, and it performs at 100% efficiency without issues in scanning anything. The solution is excellent at detecting SQL injection and cross-site scripting vulnerabilities. Acunetix integrates with every type of tool, including CI/CD tools, offering 100% integration in DevOps environments. The main benefit of Acunetix is that at the first level, users can address security issues related to penetration testing, allowing them to expose vulnerabilities and ensure all required testing is completed with very few false positives.
Read full review
Amit Beniwal - PeerSpot reviewer
Simplifies vulnerability discovery and has high quality support
There are areas for improvement with OWASP Zap, particularly in the alignment of vulnerabilities concerning CVSS scores. Sometimes, a vulnerability initially categorized as high severity may be reduced to medium or low over time after security patches are applied. This alignment with the present severity score and CVSS score could be improved.
Read full review
David-Robertson - PeerSpot reviewer
Static scanning and software composition analysis are very helpful, but the usability needs improvement
Static scanning and software composition analysis are very helpful. My colleagues and I don't need to be experts on all of those ancillary things, so we can focus more on the business deliverables. They have a pretty good tool that allows me to run scans of my local integrated development environment. I can find a lot of those flaws a lot sooner than I would if I had to wait for these cloud-based scans. They've come out with some sort of automated fix feature. I haven't used it, but they gave us a demo of it, and that one looks promising. I don't know if it's ready for prime time yet.
Read full review

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"The most valuable feature of the solution is the speed at which it can scan multiple domains in just a few hours."
"The most important feature is that it's a web-based graphical user interface. That is a great addition. Also, the ability to schedule scans is great."
"We are able to create a report which shows the PCI DSS scoring and share it with the application teams. Then, they can correlate and see exactly what they need to fix, and why."
"The vulnerability scanning option for analyzing the security loopholes on the websites is the most valuable feature of this solution."
"One of the features that I feel is groundbreaking, that I would like to see expanded on, is the IAS feature: The Interactive Application Security Testing module that gets loaded onto an application on a server, for more in-depth, granular findings. I think that is really neat. I haven't seen a lot of competitors doing that."
"It comes equipped with an internal applicator, which automatically identifies and addresses vulnerabilities within the program."
"It generates automated reports."
"Acunetix is the best service in the world. It is easy to manage. It gives a lot of information to the users to see and identify problems in their site or applications. It works very well."
More Acunetix pros
"The community edition updates services regularly. They add new vulnerabilities into the scanning list."
"They offer free access to some other tools."
"One valuable feature of OWASP Zap is that it is simple to use."
"The solution is good at reporting the vulnerabilities of the application."
"You can run it against multiple targets."
"It scans while you navigate, then you can save the requests performed and work with them later."
"Simple and easy to learn and master."
"It's great that we can use it with Portswigger Burp."
More OWASP Zap pros
"I like Veracode's API. You can put it into a simple bash script and run your own security testing from your MacBook in less than 15 minutes."
"Veracode provides guidance for fixing vulnerabilities. It enables developers to write secure code from the start by pointing them to the problematic line of code, and saying, "This function/method has security vulnerabilities," then suggests alternatives to fix it. Then, we adopt their suggestions of the tool. By implementing it in the right way, we can fix the issue. For example, if the tool has found a method where it copied one piece of memory into another piece of memory in the code. The tool points to problematic methods with the vulnerability and provides ways to code it more securely. By adopting their suggestions, we are fixing this vulnerability."
"It changes the DevSecOps process because we find flaws much earlier in the development life cycle, and we also spot third-party software that we don't allow on developers' machines."
"It's hard to say that any single feature is the most essential. There are many errors and vulnerabilities in software today in the standard libraries for different vendors because. We don't need to reinvent the wheel every time because we're using standard libraries, and it's important to know that your security isn't compromised because you are using libraries with vulnerabilities."
"What I found most valuable in Veracode Static Analysis is that it categorizes security vulnerabilities."
"The solution is a specialist in SAST that you can rely on. Code scanning is fast with current, updated algorithms​."
"The most valuable feature comes from the fact that it is cloud-based, and I can scale up without having to worry about any other infrastructure needs."
"The SAST and DAST modules are great."
More Veracode pros
 

Cons

"The vulnerability identification speed should be improved."
"I had some issues with the JSON parameters where it found some strange vulnerabilities, but it didn't alert the person using it or me about these vulnerabilities, e.g., an error for SQL injection."
"It should be easier to recreate something manually, with the manual tool, because Acunetix is an automatic tool. If it finds something, it should be easier to manually replicate it. Sometimes you don't get the raw data from the input and output, so that could be improved."
"There's a clear need for a reduction in pricing to make the service more accessible."
"The cost can be reduced as management has noted it to be on the higher side."
"The pricing is a bit on the higher side."
"When monitoring the traffic we always have issues with the bandwidth consumption and the throttling of traffic."
"I rate its stability six out of ten."
More Acunetix cons
"The ability to search the internet for other use cases and to use the solution to make applications more secure should be addressed."
"ZAP's integration with cloud-based CICD pipelines could be better. The scan should run through the entire pipeline."
"OWASP should work on reducing false positives by using AI and ML algorithms. They should expand their capabilities for broader coverage of business logic flaws and complex issues."
"I'd like to see a kind of feature where we can just track what our last vulnerability was and how it has improved or not. More reports that can have some kind of base-lining, I think that would be a good feature too. I'm not sure whether it can be achieved and implement but I think that would really help."
"Reporting format has no output, is cluttered and very long."
"Sometimes, we get some false positives."
"The technical support team must be proactive."
"For scalability, I would rate OWASP Zap between four to five out of ten."
More OWASP Zap cons
"While Veracode is way ahead of its competitors on Gartner Magic Quadrant, it's a bit more expensive than Fortify. It's a good solution for the cost, but if we had a high budget, we would go with Checkmarx, which is much better than Veracode."
"The usability isn't good in Veracode. Sometimes, it will show a problem, but it's difficult to go into their tool and figure out where it is. You primarily use a web browser to access their system. It requires a lot of clicks. The static analysis is a separate part of their system from the SCA, so that's a bit difficult. They haven't fully integrated that. It's difficult for the consumer."
"From what we have seen of Veracode's SCA offering, it is just average."
"Scheduling can be a little difficult. For instance, if you set up recurring scheduled scans and a developer comes in and says, "Hey, I have this critical release that happened outside of our normal release patterns and they want you to scan it," we actually have to change our schedule configuration and that means we lose the recurring scheduling settings we had."
"I would like to see these features: entering comments for internal tracking; entering a priority; reports that show the above."
"The reporting was detailed, but there were some things that were missing. It showed us on which line an error was found, but it could have been more detailed."
"In the last month or so, I had a problem with the APIs when doing some implementations. The Veracode support team could be more specific and give me more examples. They shouldn't just copy the URL for a doc and send it to me."
"Scanning large amounts of code can be a time-consuming process and there is scope for improvement."
More Veracode cons
 

Pricing and Cost Advice

"I would say that Acunetix is expensive because there are products on the market with similar features that are equally or better-priced."
"When we looked at all other vendors and what they were asking for, to provide a third of what Acunetix was capable of doing, it was an easy decision... But now that it's coming to a cost where it's line with market value, it becomes more of a competition... Acunetix is raising the cost of licensing. It's 3.5 times what we were initially quoted."
"The cost is based on two types of licenses, ConsultLite, and ConsultPlus, as well as the number of domains that are scanned."
"The price is exceptionally high."
"Implementing Acunetix needs a medium or larger business agency, because you need some money to get Acunetix. It is costly, but if you care about your agency's security, then maybe it's a cost that might help you in the future."
"It is a bit expensive. If you need to check five applications, you have to pay almost 14,000. It is an agreement for two years at 7,000 per year for only five applications. You cannot change the applications in the license. So, you are stuck with the same license for the five applications for one full year."
"All things considered, I think it has a good price/value ratio."
"The costs aren't very expensive. It costs around $3000 or $4000."
More Acunetix pricing and cost advice
"The tool is open-source."
"OWASP ZAP is a free tool provided by OWASP’s engineers and experts. There is an option to donate."
"The tool is open source."
"The solution’s pricing is high."
"We have used the freeware version. I believe Zap only has freeware."
"As Zap is free and open-source, with tons of features similar to those of commercial solutions, I would definitely recommend trying it out."
"It is open source, and we can scan freely."
"This solution is open source and free."
More OWASP Zap pricing and cost advice
"The pricing is pretty high."
"For the value we get out of it, coupled with the live defect review sessions, we find it an effective value for the money. We are a larger organization."
"The cost of Veracode is high."
"Aside from the standard licensing fees, we also have to pay for a competent Success Manager."
"Pricing-wise, I find it a bit expensive because it's based on the number of users requesting access to Veracode."
"They have just streamlined the licensing and they have a number of flexible options available, so overall it is quite good, albeit pricey."
"The pricing of the product depends upon the number of codes or the number of applications."
"Veracode provides value for the cost, with no additional charges apart from the standard licensing fee."
More Veracode pricing and cost advice
report
See which vendors are best for you
Use our free recommendation engine to learn which Static Application Security Testing (SAST) solutions are best for your needs.
See recommendations
856,873 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Computer Software Company
18%
Financial Services Firm
14%
Government
9%
Manufacturing Company
8%
Computer Software Company
18%
Financial Services Firm
12%
Manufacturing Company
8%
Government
7%
Computer Software Company
17%
Financial Services Firm
16%
Manufacturing Company
8%
Insurance Company
7%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
 

Questions from the Community

What do you like most about Acunetix Vulnerability Scanner?
The tool's most valuable feature is scan configurations. We use it for external physical applications. The scanning t...
See all answers
What is your primary use case for Acunetix Vulnerability Scanner?
I typically use Acunetix ( /products/acunetix-reviews ) to identify vulnerabilities for clients.
See all answers
What advice do you have for others considering Acunetix Vulnerability Scanner?
I would recommend Acunetix to others. Overall, I rate this solution seven out of ten.
See all answers
Is OWASP Zap better than PortSwigger Burp Suite Pro?
OWASP Zap and PortSwigger Burp Suite Pro have many similar features. OWASP Zap has web application scanning available...
See all answers
What do you like most about OWASP Zap?
The best feature is the Zap HUD (Heads Up Display) because the customers can use the website normally. If we scan web...
See all answers
What is your experience regarding pricing and costs for OWASP Zap?
OWASP might be cost-effective, however, people prefer to use the free edition available as open source.
See all answers
Which gives you more for your money - SonarQube or Veracode?
SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. Son...
See all answers
What do you like most about Veracode?
The SAST and DAST modules are great.
See all answers
What is your experience regarding pricing and costs for Veracode?
The product’s price is a bit higher compared to other solutions. However, the tool provides good vulnerability and da...
See all answers
 

Comparisons

PortSwigger Burp Suite Professional vs Acunetix Logo
PortSwigger Burp Suite Professional vs Acunetix
Compared 11% of the time
HCL AppScan vs Acunetix Logo
HCL AppScan vs Acunetix
Compared 9% of the time
Invicti vs Acunetix Logo
Invicti vs Acunetix
Compared 7% of the time
PortSwigger Burp Suite Enterprise Edition vs Acunetix Logo
PortSwigger Burp Suite Enterprise Edition vs Acunetix
Compared 6% of the time
SonarQube Server (formerly SonarQube) vs Acunetix Logo
SonarQube Server (formerly SonarQube) vs Acunetix
Compared 5% of the time
More Acunetix Competitors
SonarQube Server (formerly SonarQube) vs OWASP Zap Logo
SonarQube Server (formerly SonarQube) vs OWASP Zap
Compared 20% of the time
Checkmarx One vs OWASP Zap Logo
Checkmarx One vs OWASP Zap
Compared 10% of the time
Qualys Web Application Scanning vs OWASP Zap Logo
Qualys Web Application Scanning vs OWASP Zap
Compared 9% of the time
PortSwigger Burp Suite Professional vs OWASP Zap Logo
PortSwigger Burp Suite Professional vs OWASP Zap
Compared 6% of the time
Fortify WebInspect vs OWASP Zap Logo
Fortify WebInspect vs OWASP Zap
Compared 5% of the time
More OWASP Zap Competitors
SonarQube Server (formerly SonarQube) vs Veracode Logo
SonarQube Server (formerly SonarQube) vs Veracode
Compared 19% of the time
Checkmarx One vs Veracode Logo
Checkmarx One vs Veracode
Compared 10% of the time
GitHub Advanced Security vs Veracode Logo
GitHub Advanced Security vs Veracode
Compared 7% of the time
Fortify on Demand vs Veracode Logo
Fortify on Demand vs Veracode
Compared 4% of the time
JFrog Xray vs Veracode Logo
JFrog Xray vs Veracode
Compared 3% of the time
More Veracode Competitors
 

Product Reports

Buyer's Guide
Acunetix
June 2025
Acunetix reportDownload Acunetix product report
Buyer's Guide
OWASP Zap
May 2025
OWASP Zap reportDownload OWASP Zap product report
Buyer's Guide
Veracode
May 2025
Veracode reportDownload Veracode product report
 

Also Known As

AcuSensor
No data available
Crashtest Security , Veracode Detect
 

Overview

Acunetix Web Vulnerability Scanner is an automated web application security testing tool that audits your web applications by checking for vulnerabilities like SQL Injection, Cross site scripting, and other exploitable vulnerabilities.

Invicti

OWASP Zap is a free and open-source web application security scanner. 

The solution helps developers identify vulnerabilities in their web applications by actively scanning for common security issues. 

With its user-friendly interface and powerful features, Zap is a popular choice among developers for ensuring the security of their web applications.

OWASP

Veracode is a leading provider of application security solutions, offering tools to identify, mitigate, and prevent vulnerabilities across the software development lifecycle. Its cloud-based platform integrates security into DevOps workflows, helping organizations ensure that their code remains secure and compliant with industry standards.

Veracode supports multiple application security testing types, including static analysis (SAST), dynamic analysis (DAST), software composition analysis (SCA), and manual penetration testing. These tools are designed to help developers detect vulnerabilities early in development while maintaining speed in deployment. Veracode also emphasizes scalability, offering features for enterprises that manage a large number of applications across different teams. Its robust reporting and analytics capabilities allow organizations to continuously monitor their security posture and track progress toward remediation.

What are the key features of Veracode?

  • Static Analysis (SAST) - Scans source code for vulnerabilities before deployment.
  • Dynamic Analysis (DAST) - Examines applications in a running state to detect flaws in real-time.
  • Software Composition Analysis (SCA) - Identifies risks in open-source libraries and third-party components.
  • Manual Penetration Testing - Offers expert analysis for more complex vulnerabilities.
  • Integrations with DevOps tools - Seamlessly integrates with CI/CD pipelines for automated security checks.

What benefits should users consider in Veracode reviews?

  • Early detection of vulnerabilities - Helps developers fix security issues early in the development process.
  • Scalability - Supports organizations with large-scale application portfolios.
  • Compliance support - Ensures applications meet various security standards and regulations.
  • Developer training - Provides tools for educating developers on secure coding practices.
  • Comprehensive reporting - Offers detailed reports that track remediation and risk trends.

Veracode is widely adopted in industries like finance, healthcare, and government, where compliance and security are critical. It helps these organizations maintain strict security standards while enabling rapid development through its integration with Agile and DevOps methodologies.


Veracode helps businesses secure their applications efficiently, ensuring they can deliver safe and compliant software at scale.

Veracode
 

Sample Customers

Joomla!, Digicure, Team Random, Credit Suisse, Samsung, Air New Zealand
1. Google 2. Microsoft 3. IBM 4. Amazon 5. Facebook 6. Twitter 7. LinkedIn 8. Netflix 9. Adobe 10. PayPal 11. Salesforce 12. Cisco 13. Oracle 14. Intel 15. HP 16. Dell 17. VMware 18. Symantec 19. McAfee 20. Citrix 21. Red Hat 22. Juniper Networks 23. SAP 24. Accenture 25. Deloitte 26. Ernst & Young 27. PwC 28. KPMG 29. Capgemini 30. Infosys 31. Wipro 32. TCS
Manhattan Associates, Azalea Health, Sabre, QAD, Floor & Decor, Prophecy International, SchoolCNXT, Keap, Rekner, Cox Automotive, Automation Anywhere, State of Missouri and others.
Buyer's Guide
Static Application Security Testing (SAST)
June 2025
Download Free Report
Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Static Application Security Testing (SAST). Updated: June 2025.
DOWNLOAD NOW
856,873 professionals have used our research since 2012.