Try our new research platform with insights from 80,000+ expert users

Invicti vs Veracode comparison

 

Comparison Buyer's Guide

Executive SummaryUpdated on Oct 8, 2024

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Categories and Ranking

Invicti
Ranking in Static Application Security Testing (SAST)
14th
Average Rating
8.2
Reviews Sentiment
7.3
Number of Reviews
29
Ranking in other categories
API Security (6th), Dynamic Application Security Testing (DAST) (4th)
Veracode
Ranking in Static Application Security Testing (SAST)
2nd
Average Rating
8.2
Reviews Sentiment
7.0
Number of Reviews
201
Ranking in other categories
Application Security Tools (2nd), Container Security (8th), Software Composition Analysis (SCA) (3rd), Static Code Analysis (1st), Application Security Posture Management (ASPM) (2nd)
 

Mindshare comparison

As of July 2025, in the Static Application Security Testing (SAST) category, the mindshare of Invicti is 1.5%, up from 1.1% compared to the previous year. The mindshare of Veracode is 8.1%, down from 10.2% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Static Application Security Testing (SAST)
 

Featured Reviews

Kunal M - PeerSpot reviewer
Proactive scanning measures and realistic audit recommendations enhance development focus
Invicti's proactive scanning measures vulnerabilities each time we deploy or push code to a new environment. This feature helps us focus on priorities and prioritize the development team's effort, integrating seamlessly with DevOps to facilitate proactive scans of environments. Invicti also provides audit recommendations that are quite realistic, making it easy to discuss plans with developers.
Sajal Sharma - PeerSpot reviewer
Offers shift-left security strategy and helps us with the latest security configurations, OWASP standards, and SAST standards
It's robustness is the main benefit to the organization. As it gets upgraded with time, it also improves the coverage – security configuration coverages and vulnerability coverages. It also updates itself with the latest known vulnerabilities that are uploaded to the NVD, OWASP, or other databases. So it gets upgraded itself with that. And so with each upgrade, it gets better and better. The solution offers the ability to prevent vulnerable code from going into production. It provides us with a report containing multiple remediations and mitigations for each vulnerability. For example, if it finds a cross-site scripting vulnerability, it will also include references like CWE and CVE records, instructions on how to fix it, and the specific line of code or module where the vulnerability is present. This helps us fix the issues accordingly. I'm a penetration tester and DevSecOps engineer. I evaluate the findings, mark false positives, and manually exploit vulnerabilities if they exist. If we need further clarification, we raise a ticket with the Veracode team and get consultancy from them. We are a software development team. If we find a vulnerability, I exploit it and come back with the best possible mitigation, and the dev team fixes it. If we use Veracode Fix, it might use third-party implementations or make changes we aren't aware of. We need to be very aware of what our application is using internally. It should be known to us. As per my experience, the solution's policy reporting ensures compliance with industry standards. It comes with multiple features. I get the most out of it, and it's good. The solution provides visibility into application status at every phase of development. Like static analysis, dynamic analysis, software composition, and manual penetration tests - throughout the SDLC We have a pipeline that I maintain. I use the Veracode API account and have integrated it with AWS and our Jenkins pipeline. We use Snyk for SCA and Veracode for SAST scanning. At the earliest stage of the build, the SAST scan runs along with the JS and PHP files. It provides us with reports, which are then handed over to the other tools we depend on. If I validate the report or check the Veracode dashboard and find vulnerabilities, I mark them as false positives or existing issues. We work on multiple projects, but the one I'm handling these days only uses Veracode for SAST. It's been about one and a half years since I've been working with Veracode and this project. It is quite impressive. There are some things Veracode cannot find, like code obfuscations inside the code and some insecure randoms. Sometimes, it misses those flaws. But overall, if I compare it with other tools, it is better. I will definitely recommend others to use this tool. We run the scan before each deployment. If the dev team builds a new module or something, we scan it along with all the files. If we find anything, we get it fixed. That's how it works. Veracode is quite important to the organization's shift-left security strategy because we make a scan for each deployment. Sometimes, if I think we need to perform a shift-left, I just make a scan before deployment and check for any misconfiguration or vulnerability in the code.

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"Invicti is a good product, and its API testing is also good."
"The scanner is light on the network and does not impact the network when scans are running."
"The dashboard is really cool, and the features are really good. It tells you about the software version you're using in your web application. It gives you the entire technology stack, and that really helps. Both web and desktop apps are good in terms of application scanning. It has a lot of security checks that are easily customizable as per your requirements. It also has good customer support."
"I would rate the stability as ten out of ten."
"Invicti's proactive scanning measures vulnerabilities each time we deploy or push code to a new environment."
"Netsparker provides a more interactive interface that is more appealing."
"The best features of Invicti are its ability to confirm access vulnerabilities, SSL injection vulnerabilities, and its connectors to other security tools."
"Netsparker has valuable features, including the ability to scan our website, an interactive approach, and security data integration."
"The static scan is the most valuable feature."
"It has an easy-to-use interface."
"I don't have much experience with the solution yet. We're looking at integrating Manual Penetration Testing with JIRA and Bamboo and then building that into a CICD model, so the integration is the most valuable feature so far."
"The solution can scan old databases and old code written 20 years back."
"One of the best things they offer is the scalability. The fact that you can work with it through the cloud means that if you have unintegrated business units, you don't have to worry about having a solution on-prem and having the network connection; you don't have to worry about giving up source code, you are just sending your binary files for most of the applications. So it scales much faster."
"The solution is stable. we've never had any issues surrounding its stability."
"It has caught lots of flaws that could have been exploited, like SQL injection flaws. It has also improved developer engagement with information security."
"The CI/CD integration is the most valuable feature of Veracode."
 

Cons

"Maybe the ability to make a good reporting format is needed."
"The scanning time, complexity, and authentication features of Invicti could be improved."
"The license could be better. It would help if they could allow us to scan multiple URLs on the same license. It's a major hindrance that we are facing while scanning applications, and we have to be sure that the URLs are the same and not different so that we do not end up consuming another license for it. Netsparker is one of the costliest products in the market. The licensing is tied to the URL, and it's restricted. If you have a URL that you scanned once, like a website, you cannot retry that same license. If you are scanning the same website but in a different domain or different URL, you might end up paying for a second license. It would also be better if they provided proper support for multi-factor authentications. In the next release, I would like them to include good multi-factor authentication support."
"It would be better for listing and attacking Java-based web applications to exploit vulnerabilities."
"The proxy review, the use report views, the current use tool and the subset requests need some improvement. It was hard to understand how to use them."
"They need to improve their support in the documentation. Their support mechanism is missing. Their responsiveness, technical staff, and these types of things need to be improved, and comprehensive documentation is required. They should have good self-service portal enhancement"
"Right now, they are missing the static application security part, especially web application security."
"Invicti takes too long with big applications, and there are issues with the login portal."
"It will be beneficial for developers if Veracode Greenlight includes Python."
"In some cases we use their APIs; they're not as rich as I would like."
"Once your report has been generated, you need to review the report with consultation team, especially if it is too detailed on the development side or regarding the language. Then, you need some professional help from their end to help you understand whatever has been identified. Scheduling consultation takes a longer time. So, if you are running multiple reports at the same time, then you need to schedule a multiple consultation times with one of their developers. There are few developers on their end who work can work with your developers, and their schedules are very tight."
"Veracode is costly, and there is potential for improvement in its pricing."
"The usability isn't good in Veracode. Sometimes, it will show a problem, but it's difficult to go into their tool and figure out where it is. You primarily use a web browser to access their system. It requires a lot of clicks. The static analysis is a separate part of their system from the SCA, so that's a bit difficult. They haven't fully integrated that. It's difficult for the consumer."
"It can have more APIs and capabilities to handle other things well. We were doing a trial for it. There were two things that I looked at: one was uploading some Java-related content and the other was uploading database SQL files and having the review done on the quarterback. The Java portion of it worked fine, and it was pretty seamless, but the database portion was not. We uploaded some files to use for vulnerabilities, and the tell-all portion of it was pretty easy. We uploaded a war file and Java files, and we got the reports back on these. They were pretty clear to understand. We did the same thing for the database portion for the most part. However, the content wasn't getting uploaded in a predictable fashion, and it was slow and hard to get done. We had to do it over and over. After it indicated that the content was uploaded, there were no results. There were zero search findings. It was possibly a user error, something that we didn't do correctly, but they had acknowledged that it was something they were currently enhancing. This is something that could be made easier if they haven't already done that. I don't know how many releases they've had in that timeframe. I haven't looked at it since then. It was a trial period."
"Maybe the boards could be made easier to understand or easier to customize."
"The results of agent-based software composition analysis are not connected to policy scanning. So, for me, the only thing that Veracode can improve in Software Composition Analysis is to connect it with the policy scan because, at present, it is a bit inconvenient for those in our organization who use agent-based Software Composition Analysis. In the end, they need to make a static scan with all those libraries in order to receive that report. If Veracode implemented a connection between agent-based static scan and static scanning itself, it would be great because it would lead to fewer operations in order to prepare release documentation and release reporting from Veracode. We recently had a conversation with Veracode about it."
 

Pricing and Cost Advice

"The solution is very expensive. It comes with a yearly subscription. We were paying 6000 dollars yearly for unlimited scans. We have three licenses; basic, business, and ultimate. We need ultimate because it has unlimited scan numbers."
"The price should be 20% lower"
"OWASP Zap is free and it has live updates, so that's a big plus."
"Netsparker is one of the costliest products in the market. It would help if they could allow us to scan multiple URLs on the same license."
"It is competitive in the security market."
"Invicti is best suited for large enterprises. I don't think small and medium-sized businesses can afford it. Maintenance costs aren't that great."
"We never had any issues with the licensing; the price was within our assigned limits."
"We are using an NFR license and I do not know the exact price of the NFR license. I think 20 FQDN for three years would cost around 35,000 US Dollars."
"If I compare the pricing with other software tools, then it is quite competitive. Whatever the price is, they have always given us a good discount."
"Veracode is costly. They have different license models for different customers. What we had was based on the amount of code that has been analyzed. The license that we had was capped to a certain amount, for example, 5 Gig. There would be an extra charge for anything above 5 Gig."
"Regarding licensing, pay very close attention to what applications you're going to need to do dynamic scanning for, versus static. Right now, the way the licensing is set up, if you don't have any static elements for a website, you can certainly avoid some costs by doing more dynamic licenses. You need to pay very close attention to that, because if you find out later that you have static code elements - like Java scripts, etc. - that you want to have scanned statically, having the two licenses bundled together will actually save you money."
"The cost has been a barrier to wider use here. I think my team is the only one at the university. Other folks might like to use it, but it's pretty pricey. You could see what else is in the market, but I hear that's the price for most solutions. You might not find a better deal in the market, or it might be an incomplete solution. I mean, for the level of interaction we get with Veracode staff, it's been pretty good."
"It's too expensive for the European market. That is why, in a big bank with 400 applications, we are able to use it only for 10 of them. But the other solutions are also expensive, so it wasn't a differentiator."
"I think the pricing is in line with the rest of the tools. I think you get what you pay for. It is certainly not inexpensive, but the value proposition is there. There are certainly cheaper tools, but I don't think we'd be getting the support that we get with those, and that is what separates this product from the others."
"The price of Veracode Static Analysis is on the higher side."
"The cost of Veracode is high."
report
Use our free recommendation engine to learn which Static Application Security Testing (SAST) solutions are best for your needs.
861,170 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Educational Organization
19%
Financial Services Firm
15%
Computer Software Company
12%
Manufacturing Company
8%
Computer Software Company
16%
Financial Services Firm
16%
Manufacturing Company
8%
Insurance Company
7%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
 

Questions from the Community

What is your experience regarding pricing and costs for Netsparker Web Application Security Scanner?
As a technical user, I do not handle pricing or licensing, but I am aware that Invicti offers flexible licensing models based on organizational needs.
What do you like most about Invicti?
The most valuable feature of Invicti is getting baseline scanning and incremental scan.
What needs improvement with Invicti?
Invicti's reporting capabilities need enhancement. We need enterprise-level information instead of repo-level details. Unlike Appiro, Invicti does not provide portfolio-level insights into vulnerab...
Which gives you more for your money - SonarQube or Veracode?
SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use...
What do you like most about Veracode?
The SAST and DAST modules are great.
What is your experience regarding pricing and costs for Veracode?
The product’s price is a bit higher compared to other solutions. However, the tool provides good vulnerability and database features. It is worth the money.
 

Also Known As

Netsparker
Crashtest Security , Veracode Detect
 

Overview

 

Sample Customers

Samsung, The Walt Disney Company, T-Systems, ING Bank
Manhattan Associates, Azalea Health, Sabre, QAD, Floor & Decor, Prophecy International, SchoolCNXT, Keap, Rekner, Cox Automotive, Automation Anywhere, State of Missouri and others.
Find out what your peers are saying about Invicti vs. Veracode and other solutions. Updated: July 2025.
861,170 professionals have used our research since 2012.