No more typing reviews! Try our Samantha, our new voice AI agent.

Acunetix vs OWASP Zap vs Veracode comparison

Invicti and OWASP are both solutions in the Static Application Security Testing (SAST) category. Invicti is ranked #10 with an average rating of 7.9, while OWASP is ranked #9 with an average rating of 8.2. Invicti holds a 2.6% mindshare in SAST, compared to OWASP’s 3.4% mindshare. Additionally, 88% of Invicti users are willing to recommend the solution, compared to 88% of OWASP users who would recommend it.
Acunetix
Read 36 Acunetix reviews
  • 6,676 Views
  • 4,072 Comparison Views
88% willing to recommend
OWASP Zap
Read 41 OWASP Zap reviews
  • 7,440 Views
  • 6,845 Comparison Views
88% willing to recommend
Veracode
Read 208 Veracode reviews
  • 19,227 Views
  • 11,921 Comparison Views
89% willing to recommend
 

Comparison Buyer's Guide

Download the report
Executive Summary
We performed a comparison between Acunetix, OWASP Zap, and Veracode based on real PeerSpot user reviews.

Find out what your peers are saying about SonarSource Sàrl, Veracode, Checkmarx and others in Static Application Security Testing (SAST).

DOWNLOAD THE COMPLETE REPORT
To learn more, read our detailed Static Application Security Testing (SAST) Report (Updated: March 2026).
Buyer's Guide
Static Application Security Testing (SAST)
March 2026
Download the complete report
Helped 885,444 peers since 2012

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Mindshare comparison

As of April 2026, in the Static Application Security Testing (SAST) category, the mindshare of Acunetix is 2.6%, down from 3.3% compared to the previous year. The mindshare of OWASP Zap is 3.4%, down from 4.8% compared to the previous year. The mindshare of Veracode is 4.8%, down from 10.1% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Static Application Security Testing (SAST) Mindshare Distribution
ProductMindshare (%)
Veracode4.8%
OWASP Zap3.4%
Acunetix2.6%
Other89.2%
Static Application Security Testing (SAST)
 

Featured Reviews

Rahul Kumar - PeerSpot reviewer
Rahul Kumar
Senior Engineer - Penetration Tester at a government with 10,001+ employees
Identifies vulnerabilities across bulk web applications but needs better support and cleaner reports
The best feature Acunetix offers is the centralized dashboard and the quality of reports it generates, which includes various options for selecting reports and developer options for directly sharing the reports with developers. The centralized dashboard of Acunetix gives visibility into the security aspects of mass applications; for instance, with more than 200 applications, it provides a valuable overview of findings and necessary fixes, along with a high-level summary that helps us achieve compliance through monthly and sometimes weekly scanning. In terms of reporting, Acunetix is excellent because it can generate different types of reports, such as an executive summary report, detailed reports, and developer reports that can be shared directly with developers. Acunetix positively impacts my organization by helping identify outdated libraries and applications, including legacy applications vulnerable to old attacks based on OWASP Top 10, thus aiding in compliance checks for PCI DSS and OWASP. Acunetix provides a centralized report with compliance-related aspects and a vulnerability timeline, effectively helping reduce vulnerabilities and save time.
Read full review
NK
Nithin-K
Technical Analyst at Hexaware Technologies Limited
Open source testing tool empowers manual activities and has room to improve integration and reporting features
The improvement that has to be done for APIs focuses on manual activities where the feature exists, but it is not at the same level as what Burp Suite does with intercepting and tools such as Postman, so it needs improvement. There are limitations with authentication levels, particularly with form-based and cookie-based authentication. However, overall, we are satisfied with OWASP Zap as there are no major issues, and improving the scan engine could be beneficial. When comparing OWASP Zap and Burp Suite, the main difference besides pricing is that OWASP Zap has limitations with reporting levels and UI, which affects its reporting capabilities, whereas Burp Suite is already advancing with new AI features and scanning capabilities that OWASP Zap seems to be lacking.
Read full review
reviewer2703864 - PeerSpot reviewer
reviewer2703864
Head of Security Architecture at a healthcare company with 5,001-10,000 employees
Onboarding developers successfully while improving code security through IDE integration
Regarding room for improvement, we have some problems when onboarding new projects because the build process has to be done in a certain way, as Veracode analyzes the binaries and not the code by itself alone. If the process is not configured correctly, it doesn't work. That's one of the things that we are discussing with Veracode. Something positive that we've been able to do is submit formal feature requests to them, and they are working on them; they've already solved some of them. This encourages us to propose new ideas and improvements. Another improvement that we asked for this use case is to be able to configure how Veracode Fix proposes and fixes because sometimes it makes proposals using libraries that go against our architecture design made by the enterprise architecture team. For example, we want them to propose using another library, and that's something we already asked Veracode, and they are working on it. We want to specify when you see this kind of vulnerability, you can only propose these two options.
Read full review

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"If an organization has 100 plus applications and wants to use an automated scanner, they should definitely go ahead with Acunetix because it is very cost-effective and will save time compared to focusing on other solutions and performing manual security assessments."
"Overall, the tool is efficient enough to identify and track your vulnerabilities and it's good for intelligence scanning purposes."
"Segregation of reports is really, really good with Acunetix; it provides us with a lot of in-depth details."
"As a team, it's helped us to deliver better security assessments."
"I appreciate the features that Acunetix has for the speed and the fact that it is in the cloud, which does not put any resources in my network, so I can set up a scan, go to bed, come back, and see the reports in my email."
"The scalability is more than good; it can operate both as a standalone and it can be integrated with other applications, which makes it a very versatile solution to have, and this solution is simple enough, especially with the cloud."
"The centralized dashboard of Acunetix gives visibility into the security aspects of mass applications; for instance, with more than 200 applications, it provides a valuable overview of findings and necessary fixes, along with a high-level summary that helps us achieve compliance through monthly and sometimes weekly scanning."
"The solution is excellent at detecting SQL injection and cross-site scripting vulnerabilities."
More Acunetix pros
"The best feature is the Zap HUD (Heads Up Display) because the customers can use the website normally. If we scan websites with automatic scanning, and the website has a web application firewall, it's very difficult."
"As Zap is free and open-source, with tons of features similar to those of commercial solutions, I would definitely recommend trying it out."
"The scalability of this product is very good."
"The reporting is quite intuitive, which gives you a clear indication of what kind of vulnerability you have that you can drill down on to gather more information."
"The community support that ZAP provides me, as an open source, provides me flexibility and is convenient to use."
"It's great that we can use it with Portswigger Burp."
"The HUD is a good feature that provides on-site testing and saves a lot of time."
"We use OWASP Zap for web application security scanning."
More OWASP Zap pros
"Veracode impacts the overall security posture by maintaining data integrity, ensuring we are not exposed to threats from third-party libraries with known vulnerabilities."
"The most valuable features of the solution are its extensive reporting capabilities and user-friendly interface."
"Provides the ability to understand the black zones in our system."
"One thing that I like about Veracode is that it is quite a good tool for dynamic application testing."
"Veracode Fix is a new feature that functions similarly to auto-remediation for low or medium flaw codes."
"I would recommend Veracode."
"I like Veracode's static scanning and SCA. We use three static scans, software composition analysis, and dynamic scans. We haven't used dynamic scanning as much, but we're trying to integrate that into our environment more."
"I like its integration with GitHub. I like using it from GitHub. I can use the GitHub URL and find out the vulnerabilities."
More Veracode pros
 

Cons

"I believe Acunetix can improve customer support, as the dedicated support staff are often unfamiliar with problems and troubleshooting, leading to communication gaps that delay issue resolution."
"The solution should work on dealing with the number of false positives it delivers."
"I had some issues with the JSON parameters where it found some strange vulnerabilities, but it didn't alert the person using it or me about these vulnerabilities, e.g., an error for SQL injection."
"Integration into other tools is very limited for Acunetix. While we're trying to incorporate a CI/CD process where we're integrating with JIRA and we're integrating with Jenkins and Chef, it becomes problematic. Other tools give you a high integration capability to connect into different solutions that you may already have, like JIRA."
"The solution limits the number of scans. It would be much better if we could have unlimited scans."
"There are some versions of the solution that are not as stable as others."
"I rate its stability six out of ten."
"The only problem that they have is the price. It is a bit expensive, and you cannot change the number of applications for the whole year."
More Acunetix cons
"The solution is unable to customize reports."
"OWASP should work on reducing false positives by using AI and ML algorithms."
"The product reporting could be improved."
"Deployment is somewhat complicated."
"As security evolves, we would like DevOps built into it. As of now, Zap does not provide this."
"The forced browse has been incorporated into the program and it is resource-intensive."
"The documentation needs to be improved because I had to learn everything from watching YouTube videos."
"It would be a great improvement if they could include a marketplace to add extra features to the tool."
More OWASP Zap cons
"I would also like to see some improvement in the speed. That is really the only complaint, but in all reality we have a massive Java application that needs to be scanned. Our developers are saying, "It takes 72 hours to scan it." That is probably the nature of the beast, and I'm actually pretty accepting of that time frame, but since it's a complaint that I get, faster is always better. I don't necessarily think that the speed is bad as it is, just that faster would be better."
"The negative that I found is that it has a subscription-based model."
"Veracode could be improved in terms of the UI platform as it could be more seamless, and if they allow different sessions in different browsers at the same time or in different tabs that would help tremendously."
"There is room for improvement in the speed of the system. Sometimes, the servers are very busy and slow... Also, the integration with SonarQube is very weak, so we had to implement a custom solution to extend it."
"We use Ruby on Rails and we still don't have any support for that from Veracode."
"Going through the mitigation is probably the hardest thing to do and that's still an ongoing process."
"Veracode should make it easier to navigate between the solutions that they offer, i.e. between dynamic, static, and the source code analysis."
"However, the content wasn't getting uploaded in a predictable fashion, and it was slow and hard to get done."
More Veracode cons
 

Pricing and Cost Advice

"The cost is based on two types of licenses, ConsultLite, and ConsultPlus, as well as the number of domains that are scanned."
"I would say that Acunetix is expensive because there are products on the market with similar features that are equally or better-priced."
"Acunetix was around the same price as all the other vendors we looked at, nothing special."
"The costs aren't very expensive. It costs around $3000 or $4000."
"It is a bit expensive. If you need to check five applications, you have to pay almost 14,000. It is an agreement for two years at 7,000 per year for only five applications. You cannot change the applications in the license. So, you are stuck with the same license for the five applications for one full year."
"When compared with other products, the pricing is a little bit high. But it gives value for the price. It serves the purpose and is worthwhile for the price we pay."
"All things considered, I think it has a good price/value ratio."
"The pricing is a little high, and moreover, it's kind of domain-based."
More Acunetix pricing and cost advice
"It's free. It's good for us because we don't know what the extent of our use will be yet. It's good to start with something free and easy to use."
"The tool is open source."
"It's free and open, currently under the Apache 2 license. If ZAP does what you need it to do, selling a free solution is a very easy."
"OWASP ZAP is a free tool provided by OWASP’s engineers and experts. There is an option to donate."
"This app is completely free and open source. So there is no question about any pricing."
"The solution’s pricing is high."
"As Zap is free and open-source, with tons of features similar to those of commercial solutions, I would definitely recommend trying it out."
"It is open source, and we can scan freely."
More OWASP Zap pricing and cost advice
"Veracode is expensive. But the solution is worth it."
"I don't have firsthand knowledge of Veracode pricing, but based on client feedback, it seems to be expensive with additional fees for certain features."
"We're very comfortable with their model. We think they're a good value. We worked very closely with Veracode on understanding their license model, understanding what comprises the fee and what does not. With their assistance in design, we decomposed our application in a way where we are scanning a very significant amount of code without wasting their capacity and generating redundant reported issues. You scan in profiles, per se. And we work with them, in their offices, to design the most effective approach. So the advice I would have for customers is, you can get up and live fast, but work closely with Veracode to refine the method you use for scanning and the way you compile the applications. There's a concept called entry-point scanning, and that's probably not used well by the rest of their customers. We see our licensing as a good value because we leverage it heavily."
"The pricing and licensing are reasonable, and relatively straightforward, and different licensing and subscription models are available."
"Its pricing is fair."
"The cost of Veracode is high."
"I think the pricing is in line with the rest of the tools. I think you get what you pay for. It is certainly not inexpensive, but the value proposition is there. There are certainly cheaper tools, but I don't think we'd be getting the support that we get with those, and that is what separates this product from the others."
"I don't really get too involved in the cost sides of things that's in my job, I'm more of a technical focus, but I have heard from my manager and a couple other people that the solution is quite expensive."
More Veracode pricing and cost advice
report
See which vendors are best for you
Use our free recommendation engine to learn which Static Application Security Testing (SAST) solutions are best for your needs.
See recommendations
885,444 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Financial Services Firm
12%
Computer Software Company
11%
Manufacturing Company
10%
Government
7%
Computer Software Company
11%
University
9%
Financial Services Firm
9%
Manufacturing Company
8%
Financial Services Firm
15%
Computer Software Company
12%
Manufacturing Company
10%
Government
6%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
By reviewers
Company SizeCount
Small Business15
Midsize Enterprise7
Large Enterprise18
By reviewers
Company SizeCount
Small Business11
Midsize Enterprise11
Large Enterprise21
By reviewers
Company SizeCount
Small Business69
Midsize Enterprise45
Large Enterprise114
 

Questions from the Community

What is your primary use case for Acunetix Vulnerability Scanner?
My main use of Acunetix is to scan my web application. I mostly deal with web applications and with Acunetix Network ...
See all answers
What advice do you have for others considering Acunetix Vulnerability Scanner?
I am still working with Acunetix, and we have even moved to their new platform, Invicti. I have requested a demo for ...
See all answers
What is your experience regarding pricing and costs for Acunetix?
I would say the pricing is average, but still, it is higher than low.
See all answers
Is OWASP Zap better than PortSwigger Burp Suite Pro?
OWASP Zap and PortSwigger Burp Suite Pro have many similar features. OWASP Zap has web application scanning available...
See all answers
What do you like most about OWASP Zap?
The best feature is the Zap HUD (Heads Up Display) because the customers can use the website normally. If we scan web...
See all answers
What is your experience regarding pricing and costs for OWASP Zap?
OWASP might be cost-effective, however, people prefer to use the free edition available as open source.
See all answers
Which gives you more for your money - SonarQube or Veracode?
SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. Son...
See all answers
What do you like most about Veracode Static Analysis?
I like its integration with GitHub. I like using it from GitHub. I can use the GitHub URL and find out the vulnerabil...
See all answers
What is your experience regarding pricing and costs for Veracode Static Analysis?
My experience with pricing, setup cost, and licensing for Veracode is that it is fairly moderate.
See all answers
 

Comparisons

PortSwigger Burp Suite Professional vs Acunetix Logo
PortSwigger Burp Suite Professional vs Acunetix
Compared 8% of the time
Invicti vs Acunetix Logo
Invicti vs Acunetix
Compared 6% of the time
SonarQube vs Acunetix Logo
SonarQube vs Acunetix
Compared 4% of the time
HCL AppScan vs Acunetix Logo
HCL AppScan vs Acunetix
Compared 4% of the time
Checkmarx One vs Acunetix Logo
Checkmarx One vs Acunetix
Compared 4% of the time
More Acunetix Competitors
SonarQube vs OWASP Zap Logo
SonarQube vs OWASP Zap
Compared 12% of the time
PortSwigger Burp Suite Professional vs OWASP Zap Logo
PortSwigger Burp Suite Professional vs OWASP Zap
Compared 8% of the time
Checkmarx One vs OWASP Zap Logo
Checkmarx One vs OWASP Zap
Compared 8% of the time
Qualys Web Application Scanning vs OWASP Zap Logo
Qualys Web Application Scanning vs OWASP Zap
Compared 6% of the time
Snyk vs OWASP Zap Logo
Snyk vs OWASP Zap
Compared 6% of the time
More OWASP Zap Competitors
SonarQube vs Veracode Logo
SonarQube vs Veracode
Compared 8% of the time
Checkmarx One vs Veracode Logo
Checkmarx One vs Veracode
Compared 7% of the time
GitHub Advanced Security vs Veracode Logo
GitHub Advanced Security vs Veracode
Compared 3% of the time
Coverity Static vs Veracode Logo
Coverity Static vs Veracode
Compared 3% of the time
Black Duck SCA vs Veracode Logo
Black Duck SCA vs Veracode
Compared 2% of the time
More Veracode Competitors
 

Product Reports

Buyer's Guide
Acunetix
March 2026
Acunetix reportDownload Acunetix product report
Buyer's Guide
OWASP Zap
March 2026
OWASP Zap reportDownload OWASP Zap product report
Buyer's Guide
Veracode
March 2026
Veracode reportDownload Veracode product report
 

Also Known As

AcuSensor
No data available
Crashtest Security , Veracode Detect
 

Overview

Acunetix Web Vulnerability Scanner is an automated web application security testing tool that audits your web applications by checking for vulnerabilities like SQL Injection, Cross site scripting, and other exploitable vulnerabilities.

Invicti

OWASP Zap is a free and open-source web application security scanner. 

The solution helps developers identify vulnerabilities in their web applications by actively scanning for common security issues. 

With its user-friendly interface and powerful features, Zap is a popular choice among developers for ensuring the security of their web applications.

OWASP

Veracode is a leading provider of application security solutions, offering tools to identify, mitigate, and prevent vulnerabilities across the software development lifecycle. Its cloud-based platform integrates security into DevOps workflows, helping organizations ensure that their code remains secure and compliant with industry standards.

Veracode supports multiple application security testing types, including static analysis (SAST), dynamic analysis (DAST), software composition analysis (SCA), and manual penetration testing. These tools are designed to help developers detect vulnerabilities early in development while maintaining speed in deployment. Veracode also emphasizes scalability, offering features for enterprises that manage a large number of applications across different teams. Its robust reporting and analytics capabilities allow organizations to continuously monitor their security posture and track progress toward remediation.

What are the key features of Veracode?

  • Static Analysis (SAST) - Scans source code for vulnerabilities before deployment.
  • Dynamic Analysis (DAST) - Examines applications in a running state to detect flaws in real-time.
  • Software Composition Analysis (SCA) - Identifies risks in open-source libraries and third-party components.
  • Manual Penetration Testing - Offers expert analysis for more complex vulnerabilities.
  • Integrations with DevOps tools - Seamlessly integrates with CI/CD pipelines for automated security checks.

What benefits should users consider in Veracode reviews?

  • Early detection of vulnerabilities - Helps developers fix security issues early in the development process.
  • Scalability - Supports organizations with large-scale application portfolios.
  • Compliance support - Ensures applications meet various security standards and regulations.
  • Developer training - Provides tools for educating developers on secure coding practices.
  • Comprehensive reporting - Offers detailed reports that track remediation and risk trends.

Veracode is widely adopted in industries like finance, healthcare, and government, where compliance and security are critical. It helps these organizations maintain strict security standards while enabling rapid development through its integration with Agile and DevOps methodologies.


Veracode helps businesses secure their applications efficiently, ensuring they can deliver safe and compliant software at scale.

Veracode
 

Sample Customers

Joomla!, Digicure, Team Random, Credit Suisse, Samsung, Air New Zealand
1. Google 2. Microsoft 3. IBM 4. Amazon 5. Facebook 6. Twitter 7. LinkedIn 8. Netflix 9. Adobe 10. PayPal 11. Salesforce 12. Cisco 13. Oracle 14. Intel 15. HP 16. Dell 17. VMware 18. Symantec 19. McAfee 20. Citrix 21. Red Hat 22. Juniper Networks 23. SAP 24. Accenture 25. Deloitte 26. Ernst & Young 27. PwC 28. KPMG 29. Capgemini 30. Infosys 31. Wipro 32. TCS
Manhattan Associates, Azalea Health, Sabre, QAD, Floor & Decor, Prophecy International, SchoolCNXT, Keap, Rekner, Cox Automotive, Automation Anywhere, State of Missouri and others.
Buyer's Guide
Static Application Security Testing (SAST)
March 2026
Download Free Report
Find out what your peers are saying about SonarSource Sàrl, Veracode, Checkmarx and others in Static Application Security Testing (SAST). Updated: March 2026.
DOWNLOAD NOW
885,444 professionals have used our research since 2012.