Try our new research platform with insights from 80,000+ expert users

Invicti vs Veracode comparison

Invicti and Veracode are both solutions in the Static Application Security Testing (SAST) category. Invicti is ranked #14 with an average rating of 8.7, while Veracode is ranked #2 with an average rating of 8.0. Invicti holds a 1.5% mindshare in SAST, compared to Veracode’s 7.1% mindshare. Additionally, 96% of Invicti users are willing to recommend the solution, compared to 90% of Veracode users who would recommend it.
Invicti
Read 30 Invicti reviews
  • 2,834 Views
  • 2,154 Comparison Views
96% willing to recommend
Veracode
Read 204 Veracode reviews
  • 19,783 Views
  • 13,650 Comparison Views
90% willing to recommend
 

Comparison Buyer's Guide

Download the report
Executive SummaryUpdated on Oct 8, 2024

Veracode and Invicti are leading contenders in the application security market. Invicti is often seen as superior due to its comprehensive feature set and automation capabilities, making it a preferred choice for those seeking a feature-rich solution.

Features: Veracode offers standout static analysis capabilities and strong third-party tool integration. It provides effective vulnerability detection and remediation guidance. Invicti’s key features include dynamic scanning, real-time issue identification, and automation for detailed web vulnerability analysis, offering a thorough approach to security management.

Room for Improvement: Veracode users express a desire for faster scan times and enhanced reporting capabilities. They find limitations in its analytics precision that could be improved. Invicti needs better documentation and support for complex configurations. Users also wish for improved interface responsiveness in larger environments.

Ease of Deployment and Customer Service: Veracode is recognized for its simple cloud deployment and seamless integration into workflows, coupled with proactive customer support. Although Invicti offers comprehensive deployment guides, users find its setup process challenging in larger environments, with diverse feedback on support team responsiveness.

Pricing and ROI: Veracode’s pricing strategy is attractive to small enterprises, providing a cost-effective option with compelling ROI metrics for long-term utilization. In contrast, Invicti demands a higher initial investment but justifies this with robust security features and efficiency, delivering a high ROI that appeals to enterprises ready to spend upfront for extensive capabilities.

DOWNLOAD THE COMPLETE REPORT
To learn more, read our detailed Invicti vs. Veracode Report (Updated: July 2025).
Buyer's Guide
Invicti vs. Veracode
July 2025
Download the complete report
Helped 866,483 peers since 2012

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Categories and Ranking

Invicti
Ranking in Static Application Security Testing (SAST)
14th
Average Rating
8.2
Reviews Sentiment
6.7
Number of Reviews
30
Ranking in other categories
API Security (7th), Dynamic Application Security Testing (DAST) (5th)
Veracode
Ranking in Static Application Security Testing (SAST)
2nd
Average Rating
8.0
Reviews Sentiment
7.0
Number of Reviews
204
Ranking in other categories
Application Security Tools (2nd), Container Security (8th), Software Composition Analysis (SCA) (3rd), Static Code Analysis (1st), Application Security Posture Management (ASPM) (2nd)
 

Mindshare comparison

As of September 2025, in the Static Application Security Testing (SAST) category, the mindshare of Invicti is 1.5%, up from 1.1% compared to the previous year. The mindshare of Veracode is 7.1%, down from 10.1% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Static Application Security Testing (SAST) Market Share Distribution
ProductMarket Share (%)
Veracode7.1%
Invicti1.5%
Other91.4%
Static Application Security Testing (SAST)
 

Featured Reviews

Kunal M - PeerSpot reviewer
Proactive scanning measures and realistic audit recommendations enhance development focus
Invicti's proactive scanning measures vulnerabilities each time we deploy or push code to a new environment. This feature helps us focus on priorities and prioritize the development team's effort, integrating seamlessly with DevOps to facilitate proactive scans of environments. Invicti also provides audit recommendations that are quite realistic, making it easy to discuss plans with developers.
Read full review
Sajal Sharma - PeerSpot reviewer
Offers shift-left security strategy and helps us with the latest security configurations, OWASP standards, and SAST standards
It's robustness is the main benefit to the organization. As it gets upgraded with time, it also improves the coverage – security configuration coverages and vulnerability coverages. It also updates itself with the latest known vulnerabilities that are uploaded to the NVD, OWASP, or other databases. So it gets upgraded itself with that. And so with each upgrade, it gets better and better. The solution offers the ability to prevent vulnerable code from going into production. It provides us with a report containing multiple remediations and mitigations for each vulnerability. For example, if it finds a cross-site scripting vulnerability, it will also include references like CWE and CVE records, instructions on how to fix it, and the specific line of code or module where the vulnerability is present. This helps us fix the issues accordingly. I'm a penetration tester and DevSecOps engineer. I evaluate the findings, mark false positives, and manually exploit vulnerabilities if they exist. If we need further clarification, we raise a ticket with the Veracode team and get consultancy from them. We are a software development team. If we find a vulnerability, I exploit it and come back with the best possible mitigation, and the dev team fixes it. If we use Veracode Fix, it might use third-party implementations or make changes we aren't aware of. We need to be very aware of what our application is using internally. It should be known to us. As per my experience, the solution's policy reporting ensures compliance with industry standards. It comes with multiple features. I get the most out of it, and it's good. The solution provides visibility into application status at every phase of development. Like static analysis, dynamic analysis, software composition, and manual penetration tests - throughout the SDLC We have a pipeline that I maintain. I use the Veracode API account and have integrated it with AWS and our Jenkins pipeline. We use Snyk for SCA and Veracode for SAST scanning. At the earliest stage of the build, the SAST scan runs along with the JS and PHP files. It provides us with reports, which are then handed over to the other tools we depend on. If I validate the report or check the Veracode dashboard and find vulnerabilities, I mark them as false positives or existing issues. We work on multiple projects, but the one I'm handling these days only uses Veracode for SAST. It's been about one and a half years since I've been working with Veracode and this project. It is quite impressive. There are some things Veracode cannot find, like code obfuscations inside the code and some insecure randoms. Sometimes, it misses those flaws. But overall, if I compare it with other tools, it is better. I will definitely recommend others to use this tool. We run the scan before each deployment. If the dev team builds a new module or something, we scan it along with all the files. If we find anything, we get it fixed. That's how it works. Veracode is quite important to the organization's shift-left security strategy because we make a scan for each deployment. Sometimes, if I think we need to perform a shift-left, I just make a scan before deployment and check for any misconfiguration or vulnerability in the code.
Read full review

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"One of the features I like about this program is the low number of false positives and the support it offers."
"The solution generates reports automatically and quickly."
"Crawling feature: Netsparker has very detail crawling steps and mechanisms. This feature expands the attack surface."
"I am impressed by the whole technology that they are using in this solution. It is really fast. When using netscan, the confirmation that it gives on the vulnerabilities is pretty cool. It is really easy to configure a scan in Netsparker Web Application Security Scanner. It is also really easy to deploy."
"The scanner is light on the network and does not impact the network when scans are running."
"The best features of Invicti are its ability to confirm access vulnerabilities, SSL injection vulnerabilities, and its connectors to other security tools."
"Netsparker provides a more interactive interface that is more appealing."
"The most valuable feature of Invicti is getting baseline scanning and incremental scan."
More Invicti pros
"Developer Sandboxes help move scanning earlier within the SDLC."
"It makes it very easy to track and monitor activity."
"The tech support has been very much on the forefront of contacting customers. They help us by making sure all the processes have been outlined and are being followed. They regularly look with us at the whole platform process."
"The integration capabilities with our existing development tools are very good."
"I like Veracode's static analysis. It was one of the core development tools when I worked with a telecommunication company where we were delivering new features for various applications and purposes each week, such as CRM, data channels, compliance, traffic data, etc."
"The most valuable feature is the seamless automation of Veracode via the pipeline, in comparison to other solutions like Fortify SSC, which are complex to integrate through the pipeline."
"Veracode Fix is a new feature that functions similarly to auto-remediation for low or medium flaw codes."
"We used Veracode to improve our security posture and speed up the time to market by streamlining the development process, which enhanced collaboration between developers, operations, and security teams."
More Veracode pros
 

Cons

"Reporting should be improved. The reporting options should be made better for end-users. Currently, it is possible, but it's not the best. Being able to choose what I want to see in my reports rather than being given prefixed information would make my life easier. I had to depend on the API for getting the content that I wanted. If they could fix the reporting feature to make it more comprehensive and user-friendly, it would help a lot of end-users. Everything else was good about this product."
"The licensing model should be improved to be more cost-effective. There are URL restrictions that consume our license. Compared to other DAST solutions and task tools like WebInspect and Burp Enterprise, Invicti is very expensive. The solution’s scanning time is also very long compared to other DAST tools. It might be due to proof-based scanning."
"The support's response time could be faster since we are in different time zones."
"The solution's false positive analysis and vulnerability analysis libraries could be improved."
"Invicti takes too long with big applications, and there are issues with the login portal."
"Invicti's reporting capabilities need enhancement. We need enterprise-level information instead of repo-level details. Unlike Appiro, Invicti does not provide portfolio-level insights into vulnerability remediation over time."
"Maybe the ability to make a good reporting format is needed."
"The scannings are not sufficiently updated."
More Invicti cons
"Some important languages are not supported."
"It could be improved with support for more programming languages, like SQL."
"It is not as fast as Snyk."
"I've seen slightly better static analysis tools from other companies when it comes to speed and ease of use."
"There might be room for improvement in the in-app guidance and the tips and tricks for the developer about how to progress. We would like more insight into the development environment, where they would get guidance on how to avoid flaws."
"Veracode's false positives have room for improvement."
"There should be more APIs, especially in SCA, to get some results or automate some things."
"I would like to see these features: entering comments for internal tracking; entering a priority; reports that show the above."
More Veracode cons
 

Pricing and Cost Advice

"We never had any issues with the licensing; the price was within our assigned limits."
"I think that price it too high, like other Security applications such as Acunetix, WebInspect, and so on."
"The solution is very expensive. It comes with a yearly subscription. We were paying 6000 dollars yearly for unlimited scans. We have three licenses; basic, business, and ultimate. We need ultimate because it has unlimited scan numbers."
"Netsparker is one of the costliest products in the market. It would help if they could allow us to scan multiple URLs on the same license."
"It is competitive in the security market."
"Invicti is best suited for large enterprises. I don't think small and medium-sized businesses can afford it. Maintenance costs aren't that great."
"We are using an NFR license and I do not know the exact price of the NFR license. I think 20 FQDN for three years would cost around 35,000 US Dollars."
"The price should be 20% lower"
More Invicti pricing and cost advice
"Veracode is affordable for large organizations, but its pricing may be out of reach for small and medium companies."
"Depending on the number of users, my company makes payments toward the solution's licensing costs."
"The pricing for Veracode is high, making it difficult for beginners to afford."
"Pricing seems fair for what is offered, and licensing has been no problem. All developers are able to get the access they need."
"Get a license at the beginning of a project. Don't wait until the end, because you want to use the product throughout the entire software development lifecycle, not just at the end. You could be surprised, and not in a positive way, with all the vulnerabilities there are in your code."
"Aside from the standard licensing fees, we also have to pay for a competent Success Manager."
"I believe the price is fair according to market standards."
"The worst part about the product is that it does not scale at all. Also, microservices apps will cost you a fortune."
More Veracode pricing and cost advice
report
See which vendors are best for you
Use our free recommendation engine to learn which Static Application Security Testing (SAST) solutions are best for your needs.
See recommendations
866,483 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Financial Services Firm
17%
Computer Software Company
14%
Manufacturing Company
9%
Government
8%
Financial Services Firm
16%
Computer Software Company
16%
Manufacturing Company
9%
Insurance Company
6%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
By reviewers
Company SizeCount
Small Business13
Midsize Enterprise4
Large Enterprise13
By reviewers
Company SizeCount
Small Business69
Midsize Enterprise43
Large Enterprise112
 

Questions from the Community

What is your experience regarding pricing and costs for Netsparker Web Application Security Scanner?
As a technical user, I do not handle pricing or licensing, but I am aware that Invicti offers flexible licensing models based on organizational needs.
See all answers
What do you like most about Invicti?
The most valuable feature of Invicti is getting baseline scanning and incremental scan.
See all answers
What needs improvement with Invicti?
The main concern is on the performance side, but other than that, we find it really helpful in identifying web vulnerabilities. A full scan takes more time based on your website and other factors, ...
See all answers
Which gives you more for your money - SonarQube or Veracode?
SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use...
See all answers
What do you like most about Veracode?
The SAST and DAST modules are great.
See all answers
What is your experience regarding pricing and costs for Veracode?
The product’s price is a bit higher compared to other solutions. However, the tool provides good vulnerability and database features. It is worth the money.
See all answers
 

Comparisons

Acunetix vs Invicti Logo
Acunetix vs Invicti
Compared 19% of the time
OWASP Zap vs Invicti Logo
OWASP Zap vs Invicti
Compared 10% of the time
SonarQube Server (formerly SonarQube) vs Invicti Logo
SonarQube Server (formerly SonarQube) vs Invicti
Compared 7% of the time
OpenText Dynamic Application Security Testing vs Invicti Logo
OpenText Dynamic Application Security Testing vs Invicti
Compared 6% of the time
Snyk vs Invicti Logo
Snyk vs Invicti
Compared 5% of the time
More Invicti Competitors
SonarQube Server (formerly SonarQube) vs Veracode Logo
SonarQube Server (formerly SonarQube) vs Veracode
Compared 17% of the time
Checkmarx One vs Veracode Logo
Checkmarx One vs Veracode
Compared 9% of the time
GitHub Advanced Security vs Veracode Logo
GitHub Advanced Security vs Veracode
Compared 7% of the time
OWASP Zap vs Veracode Logo
OWASP Zap vs Veracode
Compared 4% of the time
OpenText Core Application Security vs Veracode Logo
OpenText Core Application Security vs Veracode
Compared 4% of the time
More Veracode Competitors
 

Product Reports

Buyer's Guide
Invicti
August 2025
Invicti reportDownload Invicti product report
Buyer's Guide
Veracode
August 2025
Veracode reportDownload Veracode product report
 

Also Known As

Netsparker
Crashtest Security , Veracode Detect
 

Overview

Invicti helps DevSecOps teams automate security tasks and save hundreds of hours each month by identifying web vulnerabilities that matter. Combining dynamic with interactive testing (DAST + IAST) and software composition analysis (SCA), Invicti scans every corner of an app to find what other tools miss with 99.98% accuracy, delivering on the promise of Zero Noise AppSec. Invicti helps discover all web assets — even ones that are lost, forgotten, or created by rogue departments. With an array of out-of-the-box integrations, DevSecOps teams can get ahead of their workloads to hit critical deadlines, improve processes, and communicate more effectively while reducing risk and hitting the ROI goals.

Invicti

Veracode is a leading provider of application security solutions, offering tools to identify, mitigate, and prevent vulnerabilities across the software development lifecycle. Its cloud-based platform integrates security into DevOps workflows, helping organizations ensure that their code remains secure and compliant with industry standards.

Veracode supports multiple application security testing types, including static analysis (SAST), dynamic analysis (DAST), software composition analysis (SCA), and manual penetration testing. These tools are designed to help developers detect vulnerabilities early in development while maintaining speed in deployment. Veracode also emphasizes scalability, offering features for enterprises that manage a large number of applications across different teams. Its robust reporting and analytics capabilities allow organizations to continuously monitor their security posture and track progress toward remediation.

What are the key features of Veracode?

  • Static Analysis (SAST) - Scans source code for vulnerabilities before deployment.
  • Dynamic Analysis (DAST) - Examines applications in a running state to detect flaws in real-time.
  • Software Composition Analysis (SCA) - Identifies risks in open-source libraries and third-party components.
  • Manual Penetration Testing - Offers expert analysis for more complex vulnerabilities.
  • Integrations with DevOps tools - Seamlessly integrates with CI/CD pipelines for automated security checks.

What benefits should users consider in Veracode reviews?

  • Early detection of vulnerabilities - Helps developers fix security issues early in the development process.
  • Scalability - Supports organizations with large-scale application portfolios.
  • Compliance support - Ensures applications meet various security standards and regulations.
  • Developer training - Provides tools for educating developers on secure coding practices.
  • Comprehensive reporting - Offers detailed reports that track remediation and risk trends.

Veracode is widely adopted in industries like finance, healthcare, and government, where compliance and security are critical. It helps these organizations maintain strict security standards while enabling rapid development through its integration with Agile and DevOps methodologies.


Veracode helps businesses secure their applications efficiently, ensuring they can deliver safe and compliant software at scale.

Veracode
 

Sample Customers

Samsung, The Walt Disney Company, T-Systems, ING Bank
Manhattan Associates, Azalea Health, Sabre, QAD, Floor & Decor, Prophecy International, SchoolCNXT, Keap, Rekner, Cox Automotive, Automation Anywhere, State of Missouri and others.
Buyer's Guide
Invicti vs. Veracode
July 2025
Free Report: Invicti vs. Veracode
Find out what your peers are saying about Invicti vs. Veracode and other solutions. Updated: July 2025.
DOWNLOAD NOW
866,483 professionals have used our research since 2012.
See our Invicti vs. Veracode report.
See our list of best Static Application Security Testing (SAST) vendors.

We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.