We performed a comparison between Contrast Security Assess and Invicti based on real PeerSpot user reviews.
Find out in this report how the two Application Security Tools solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI."No other tool does the runtime scanning like Contrast does. Other static analysis tools do static scanning, but Contrast is runtime analysis, when the routes are exercised. That's when the scan happens. This is a tool that has a very unique capability compared to other tools. That's what I like most about Contrast, that it's runtime."
"I am impressed with the product's identification of alerts and vulnerabilities."
"When we access the application, it continuously monitors and detects vulnerabilities."
"By far, the thing that was able to provide value was the immediate response while testing ahead of release, in real-time."
"The accuracy of the solution in identifying vulnerabilities is better than any other product we've used, far and away. In our internal comparisons among different tools, Contrast consistently finds more impactful vulnerabilities, and also identifies vulnerabilities that are nearly guaranteed to be there, meaning that the chance of false positives is very low."
"We use the Contrast OSS feature that allows us to look at third-party, open-source software libraries, because it has a cool interface where you can look at all the different libraries. It has some really cool additional features where it gives us how many instances in which something has been used... It tells us it has been used 10 times out of 20 workloads, for example. Then we know for sure that OSS is being used."
"In our most critical applications, we have a deep dive in the code evaluation, which was something we usually did with periodic vulnerability assessments, code reviews, etc. Now, we have real time access to it. It's something that has greatly enhanced our code's quality. We have actually embedded a KPI in regards to the improvement of our code shell. For example, Contrast provides a baseline where libraries and the usability of the code are evaluated, and they produce a score. We always aim to improve that score. On a quarterly basis, we have added this to our KPIs."
"Assess has an excellent API interface to pull APIs."
"I am impressed with Invictus’ proof-based scanning. The solution has reduced the incidence of false positive vulnerabilities. It has helped us reduce our time and focus on vulnerabilities."
"Invicti's best feature is the ability to identify vulnerabilities and manually verify them."
"Its ability to crawl a web application is quite different than another similar scanner."
"Attacking feature: Actually, attacking is not a solo feature. It contains many attack engines, Hawk, and many properties. But Netsparker's attacking mechanism is very flexible. This increases the vulnerability detection rate. Also, Netsparker made the Hawk for real-time interactive command-line-based exploit testing. It's very valuable for a vulnerability scanner."
"I am impressed by the whole technology that they are using in this solution. It is really fast. When using netscan, the confirmation that it gives on the vulnerabilities is pretty cool. It is really easy to configure a scan in Netsparker Web Application Security Scanner. It is also really easy to deploy."
"Crawling feature: Netsparker has very detail crawling steps and mechanisms. This feature expands the attack surface."
"Invicti is a good product, and its API testing is also good."
"When we try to manually exploit the vulnerabilities, it often takes time to realize what's going on and what needs to be done."
"I think there was activity underway to support the centralized configuration control. There are ways to do it, but I think they were productizing more of that."
"To instrument an agent, it has to be running on a type of application technology that the agent recognizes and understands. It's excellent when it works. If we're using an application that is using an unsupported technology, then we can't instrument it at all. We do use PHP and Contrast presently doesn't support that, although it's on their roadmap. My primary hurdle is that it doesn't support all of the technologies that we use."
"The product's retesting part needs improvement. The tool also needs improvement in the suggestions provided for fixing vulnerabilities. It relies more on documentation rather than on quick fixes."
"Contrast's ability to support upgrades on the actual agents that get deployed is limited. Our environment is pretty much entirely Java. There are no updates associated with that. You have to actually download a new version of the .jar file and push that out to your servers where your app is hosted. That can be quite cumbersome from a change-management perspective."
"Regarding the solution's OSS feature, the one drawback that we do have is that it does not have client-side support. We'll be missing identification of libraries like jQuery or JavaScript, and such, that are client-side."
"I would like to see them come up with more scanning rules."
"The out-of-the-box reporting could be improved. We need to write our own APIs to make the reporting more robust."
"The solution needs to improve flexibility...The scalability of the product is a problem in the solution, especially from a commercial perspective."
"The solution's false positive analysis and vulnerability analysis libraries could be improved."
"The scanner itself should be improved because it is a little bit slow."
"Invicti takes too long with big applications, and there are issues with the login portal."
"I think that it freezes without any specific reason at times. This needs to be looked into."
"It would be better for listing and attacking Java-based web applications to exploit vulnerabilities."
"The support's response time could be faster since we are in different time zones."
"Netsparker doesn't provide the source code of the static application security testing."
"Asset scanning could be better. Once, it couldn't scan assets, and the issue was strange. The price doesn't fit the budget of small and medium-sized businesses."
Contrast Security Assess is ranked 30th in Application Security Tools with 11 reviews while Invicti is ranked 20th in Application Security Tools with 25 reviews. Contrast Security Assess is rated 8.8, while Invicti is rated 8.2. The top reviewer of Contrast Security Assess writes "We're gathering vulnerability data from multiple environments in real time, fundamentally changing how we identify issues in applications". On the other hand, the top reviewer of Invicti writes "A customizable security testing solution with good tech support, but the price could be better". Contrast Security Assess is most compared with Veracode, Fortify WebInspect, Seeker, Checkmarx and OWASP Zap, whereas Invicti is most compared with OWASP Zap, Acunetix, PortSwigger Burp Suite Professional, Tenable.io Web Application Scanning and Qualys Web Application Scanning. See our Contrast Security Assess vs. Invicti report.
See our list of best Application Security Tools vendors and best Application Security Testing (AST) vendors.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.