
Invicti vs OWASP Zap vs Veracode comparison

 

Comparison Buyer's Guide

Executive Summary

 

Mindshare comparison

As of September 2025, in the Static Application Security Testing (SAST) category, the mindshare of Invicti is 1.5%, up from 1.1% the previous year. The mindshare of OWASP Zap is 4.6%, up from 4.6% the previous year. The mindshare of Veracode is 7.1%, down from 10.1% the previous year. Mindshare is calculated based on PeerSpot user engagement data.
Static Application Security Testing (SAST) Market Share Distribution

Product | Market Share (%)
Veracode | 7.1%
OWASP Zap | 4.6%
Invicti | 1.5%
Other | 86.8%
 

Featured Reviews

Kunal M - PeerSpot reviewer
Proactive scanning measures and realistic audit recommendations enhance development focus
Invicti's proactive scanning measures vulnerabilities each time we deploy or push code to a new environment. This feature helps us focus on priorities and prioritize the development team's effort, integrating seamlessly with DevOps to facilitate proactive scans of environments. Invicti also provides audit recommendations that are quite realistic, making it easy to discuss plans with developers.
Amit Beniwal - PeerSpot reviewer
Simplifies vulnerability discovery and has high quality support
There are areas for improvement with OWASP Zap, particularly in the alignment of vulnerabilities concerning CVSS scores. Sometimes, a vulnerability initially categorized as high severity may be reduced to medium or low over time after security patches are applied. This alignment with the present severity score and CVSS score could be improved.
Kv Rao - PeerSpot reviewer
Integrates pipelines smoothly and fortifies code against vulnerabilities
I use Veracode in multiple places including static code analysis, penetration testing, and dynamic code analysis. It is part of our pipeline and integrates well with Bitbucket and Git pipelines. The ease of integration with Bitbucket pipelines and Git pipelines is vital for us. Veracode allows us…

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"Scan, proxify the application, and then detailed report along with evidence and remediations to problems."
"Invicti's best feature is the ability to identify vulnerabilities and manually verify them."
"High level of accuracy and quick scanning."
"Netsparker has valuable features, including the ability to scan our website, an interactive approach, and security data integration."
"The scanner and the result generator are valuable features for us."
"The platform is stable."
"Invicti's proactive scanning measures vulnerabilities each time we deploy or push code to a new environment."
"The scanner is light on the network and does not impact the network when scans are running."
"The API is exceptional."
"The community edition updates services regularly. They add new vulnerabilities into the scanning list."
"OWASP is quite matured in identifying the vulnerabilities."
"Simple and easy to learn and master."
"Automatic scanning is a valuable feature and very easy to use."
"The OWASP's tool is free of cost, which gives it a great advantage, especially for smaller companies to make use of the tool."
"The interface is easy to use."
"The product discovers more vulnerabilities compared to other tools."
"Wide range of platforms and technology assessments."
"Veracode's policy reporting for ensuring compliance with industry standards and regulations is great. I"
"The feature I like most in Veracode is that it clearly specifies the line in the entire file where a vulnerability is found."
"To me, the principal feature is the CLI (command-line interface) because I put together a lot of implementations using it. Another important aspect is the low false-positive rate because the solution is very configurable. It is as low as 1 percent and that is a huge difference compared to competitors."
"The time savings has been tremendous. We saw ROI in the first six months."
"There are quite a few features that are very reliable, like the newly launched Veracode Pipelines Scan, which is pretty awesome. It supports the synchronous pipeline pretty well. We've been using it out of the Jira plugin, and that is fantastic."
"The static analysis gives you deep insights into problems."
"Code scanning is the most valuable feature."
 

Cons

"The licensing model should be improved to be more cost-effective. There are URL restrictions that consume our license. Compared to other DAST solutions and task tools like WebInspect and Burp Enterprise, Invicti is very expensive. The solution’s scanning time is also very long compared to other DAST tools. It might be due to proof-based scanning."
"The license could be better. It would help if they could allow us to scan multiple URLs on the same license. It's a major hindrance that we are facing while scanning applications, and we have to be sure that the URLs are the same and not different so that we do not end up consuming another license for it. Netsparker is one of the costliest products in the market. The licensing is tied to the URL, and it's restricted. If you have a URL that you scanned once, like a website, you cannot retry that same license. If you are scanning the same website but in a different domain or different URL, you might end up paying for a second license. It would also be better if they provided proper support for multi-factor authentications. In the next release, I would like them to include good multi-factor authentication support."
"The scannings are not sufficiently updated."
"Reporting should be improved. The reporting options should be made better for end-users. Currently, it is possible, but it's not the best. Being able to choose what I want to see in my reports rather than being given prefixed information would make my life easier. I had to depend on the API for getting the content that I wanted. If they could fix the reporting feature to make it more comprehensive and user-friendly, it would help a lot of end-users. Everything else was good about this product."
"Invicti's reporting capabilities need enhancement. We need enterprise-level information instead of repo-level details. Unlike Appiro, Invicti does not provide portfolio-level insights into vulnerability remediation over time."
"The solution needs to make a more specific report."
"Netsparker doesn't provide the source code of the static application security testing."
"The custom attack preparation screen might be improved."
"There are areas for improvement with OWASP Zap, particularly in the alignment of vulnerabilities concerning CVSS scores."
"I'd like to see a kind of feature where we can just track what our last vulnerability was and how it has improved or not. More reports that can have some kind of base-lining, I think that would be a good feature too. I'm not sure whether it can be achieved and implemented but I think that would really help."
"The solution is unable to customize reports."
"Online documentation can be improved to utilize all features of ZAP and API methods to make use in automation."
"There are too many false positives."
"The product should allow users to customize the report based on their needs."
"It needs more robust reporting tools."
"ZAP's integration with cloud-based CICD pipelines could be better. The scan should run through the entire pipeline."
"It would be better if we had a channel for direct communication with the engineering team to speed up the process of providing feedback."
"The scanning process could be more streamlined as it has certain limitations when performing manual scans. It has some checks when the content is in ZIP format or other formats, which takes two or three more steps than Fortify does."
"The runtime code analysis could be improved so that we can see every element in one place."
"It should include more informational, low level, vulnerability summaries and groupings. Large related groups of low level vulnerabilities may amount to a design flaw or another avenue for attack."
"I think for us the biggest improvement would be to have an indicator when there's something wrong with a scan."
"Veracode's ability to fix flaws is less sophisticated than that of its competitors."
"There is room for improvement in documentation."
"The scanning takes a lot of time to complete."
 

Pricing and Cost Advice

"I think that price is too high, like other Security applications such as Acunetix, WebInspect, and so on."
"OWASP Zap is free and it has live updates, so that's a big plus."
"We never had any issues with the licensing; the price was within our assigned limits."
"It is competitive in the security market."
"We are using an NFR license and I do not know the exact price of the NFR license. I think 20 FQDN for three years would cost around 35,000 US Dollars."
"The price should be 20% lower."
"The solution is very expensive. It comes with a yearly subscription. We were paying 6000 dollars yearly for unlimited scans. We have three licenses; basic, business, and ultimate. We need ultimate because it has unlimited scan numbers."
"Invicti is best suited for large enterprises. I don't think small and medium-sized businesses can afford it. Maintenance costs aren't that great."
"The tool is open source."
"The solution’s pricing is high."
"It is highly recommended as it is an open source tool."
"It's free. It's good for us because we don't know what the extent of our use will be yet. It's good to start with something free and easy to use."
"As Zap is free and open-source, with tons of features similar to those of commercial solutions, I would definitely recommend trying it out."
"We have used the freeware version. I believe Zap only has freeware."
"This solution is open source and free."
"The tool is open-source."
"Compared to the typical software composition analysis solutions, Veracode is not so costly, although the static analysis part of it is a little costlier."
"I think it's a great value. It's at a price point that a small company like mine can afford to use versus, if it was too exorbitant, I wouldn't be able to use this product. The cost of the license is small in comparison to the value it brings"
"Veracode is fairly priced."
"We're very comfortable with their model. We think they're a good value. We worked very closely with Veracode on understanding their license model, understanding what comprises the fee and what does not. With their assistance in design, we decomposed our application in a way where we are scanning a very significant amount of code without wasting their capacity and generating redundant reported issues. You scan in profiles, per se. And we work with them, in their offices, to design the most effective approach. So the advice I would have for customers is, you can get up and live fast, but work closely with Veracode to refine the method you use for scanning and the way you compile the applications. There's a concept called entry-point scanning, and that's probably not used well by the rest of their customers. We see our licensing as a good value because we leverage it heavily."
"I wouldn't really recommend Veracode for a small firm, because it might be a little pricey for them. But for a large organization, with more than 1,000 applications in the enterprise, there are tiered levels of pricing."
"The price of Veracode Static Analysis is on the higher side."
"I think licensing needs to be changed or updated so that it works with adjustments. Pricing is expensive compared to the amount of scanning we perform."
"The pricing is a little on the high side but since we combine our product into one suite, it is easy to do and works well for us."
867,826 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews

Financial Services Firm | 17%
Computer Software Company | 15%
Manufacturing Company | 9%
Government | 8%

Computer Software Company | 16%
Financial Services Firm | 11%
Manufacturing Company | 8%
University | 7%

Financial Services Firm | 16%
Computer Software Company | 15%
Manufacturing Company | 9%
Insurance Company | 6%
 

Company Size

By reviewers

Company Size | Count
Small Business | 13
Midsize Enterprise | 4
Large Enterprise | 13

Company Size | Count
Small Business | 10
Midsize Enterprise | 11
Large Enterprise | 21

Company Size | Count
Small Business | 69
Midsize Enterprise | 43
Large Enterprise | 112
 

Questions from the Community

What is your experience regarding pricing and costs for Netsparker Web Application Security Scanner?
As a technical user, I do not handle pricing or licensing, but I am aware that Invicti offers flexible licensing mode...
What do you like most about Invicti?
The most valuable feature of Invicti is getting baseline scanning and incremental scan.
What needs improvement with Invicti?
The main concern is on the performance side, but other than that, we find it really helpful in identifying web vulner...
Is OWASP Zap better than PortSwigger Burp Suite Pro?
OWASP Zap and PortSwigger Burp Suite Pro have many similar features. OWASP Zap has web application scanning available...
What do you like most about OWASP Zap?
The best feature is the Zap HUD (Heads Up Display) because the customers can use the website normally. If we scan web...
What is your experience regarding pricing and costs for OWASP Zap?
OWASP might be cost-effective, however, people prefer to use the free edition available as open source.
Which gives you more for your money - SonarQube or Veracode?
SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. Son...
What do you like most about Veracode?
The SAST and DAST modules are great.
What is your experience regarding pricing and costs for Veracode?
The product’s price is a bit higher compared to other solutions. However, the tool provides good vulnerability and da...
 

Also Known As

Netsparker
No data available
Crashtest Security, Veracode Detect
 

Overview

 

Sample Customers

Samsung, The Walt Disney Company, T-Systems, ING Bank
1. Google 2. Microsoft 3. IBM 4. Amazon 5. Facebook 6. Twitter 7. LinkedIn 8. Netflix 9. Adobe 10. PayPal 11. Salesforce 12. Cisco 13. Oracle 14. Intel 15. HP 16. Dell 17. VMware 18. Symantec 19. McAfee 20. Citrix 21. Red Hat 22. Juniper Networks 23. SAP 24. Accenture 25. Deloitte 26. Ernst & Young 27. PwC 28. KPMG 29. Capgemini 30. Infosys 31. Wipro 32. TCS
Manhattan Associates, Azalea Health, Sabre, QAD, Floor & Decor, Prophecy International, SchoolCNXT, Keap, Rekner, Cox Automotive, Automation Anywhere, State of Missouri and others.
Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Static Application Security Testing (SAST). Updated: September 2025.