We performed a comparison between Invicti and OWASP Zap based on real PeerSpot user reviews.
Find out in this report how the two Application Security Testing (AST) solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI."It correctly parses DOM and JS and has really good support for URL Rewrite rules, which is important for today's websites."
"It has a comprehensive resulting mechanism. It is a one-stop solution for all your security testing mechanisms."
"Crawling feature: Netsparker has very detail crawling steps and mechanisms. This feature expands the attack surface."
"This tool is really fast and the information that they provide on vulnerabilities is pretty good."
"Invicti's best feature is the ability to identify vulnerabilities and manually verify them."
"The best features of Invicti are its ability to confirm access vulnerabilities, SSL injection vulnerabilities, and its connectors to other security tools."
"I am impressed with Invictus’ proof-based scanning. The solution has reduced the incidence of false positive vulnerabilities. It has helped us reduce our time and focus on vulnerabilities."
"Its ability to crawl a web application is quite different than another similar scanner."
"It updates repositories and libraries quickly."
"The OWASP's tool is free of cost, which gives it a great advantage, especially for smaller companies to make use of the tool."
"Simple to use, good user interface."
"Stability-wise, I rate the solution a nine out of ten. I think it's stable enough. I don't see any crashes within the application, so its stability is high."
"It's great that we can use it with Portswigger Burp."
"Two features are valuable. The first one is that the scan gets completed really quickly, and the second one is that even though it searches in a limited scope, what it does in that limited scope is very good. When you use Zap for testing, you're only using it for specific aspects or you're only looking for certain things. It works very well in that limited scope."
"The interface is easy to use."
"The vulnerabilities that it finds, because the primary goal is to secure applications and websites."
"Invicti takes too long with big applications, and there are issues with the login portal."
"The scanning time, complexity, and authentication features of Invicti could be improved."
"The scanner itself should be improved because it is a little bit slow."
"The licensing model should be improved to be more cost-effective. There are URL restrictions that consume our license. Compared to other DAST solutions and task tools like WebInspect and Burp Enterprise, Invicti is very expensive. The solution’s scanning time is also very long compared to other DAST tools. It might be due to proof-based scanning."
"The support's response time could be faster since we are in different time zones."
"Reporting should be improved. The reporting options should be made better for end-users. Currently, it is possible, but it's not the best. Being able to choose what I want to see in my reports rather than being given prefixed information would make my life easier. I had to depend on the API for getting the content that I wanted. If they could fix the reporting feature to make it more comprehensive and user-friendly, it would help a lot of end-users. Everything else was good about this product."
"Asset scanning could be better. Once, it couldn't scan assets, and the issue was strange. The price doesn't fit the budget of small and medium-sized businesses."
"The license could be better. It would help if they could allow us to scan multiple URLs on the same license. It's a major hindrance that we are facing while scanning applications, and we have to be sure that the URLs are the same and not different so that we do not end up consuming another license for it. Netsparker is one of the costliest products in the market. The licensing is tied to the URL, and it's restricted. If you have a URL that you scanned once, like a website, you cannot retry that same license. If you are scanning the same website but in a different domain or different URL, you might end up paying for a second license. It would also be better if they provided proper support for multi-factor authentications. In the next release, I would like them to include good multi-factor authentication support."
"Online documentation can be improved to utilize all features of ZAP and API methods to make use in automation."
"The documentation is lacking and out-of-date, it really needs more love."
"The forced browse has been incorporated into the program and it is resource-intensive."
"It would be beneficial to enhance the algorithm to provide better summaries of automatic scanning results."
"It needs more robust reporting tools."
"ZAP's integration with cloud-based CICD pipelines could be better. The scan should run through the entire pipeline."
"If there was an easier to understand exactly what has been checked and what has not been checked, it would make this solution better. We have to trust that it has checked all known vulnerabilities but it's a bit hard to see after the scanning."
"I prefer Burp Suite to SWASP Zap because of the extensive coverage it offers."
Invicti is ranked 15th in Application Security Testing (AST) with 25 reviews while OWASP Zap is ranked 8th in Application Security Testing (AST) with 37 reviews. Invicti is rated 8.2, while OWASP Zap is rated 7.6. The top reviewer of Invicti writes "A customizable security testing solution with good tech support, but the price could be better". On the other hand, the top reviewer of OWASP Zap writes "Great for automating and testing and has tightened our security ". Invicti is most compared with Acunetix, PortSwigger Burp Suite Professional, Tenable.io Web Application Scanning, Qualys Web Application Scanning and Fortify WebInspect, whereas OWASP Zap is most compared with SonarQube, Acunetix, PortSwigger Burp Suite Professional, Qualys Web Application Scanning and Fortify on Demand. See our Invicti vs. OWASP Zap report.
See our list of best Application Security Testing (AST) vendors.
We monitor all Application Security Testing (AST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.