Invicti Reviews

We use Invicti for web application security, web application ping test, API testing, and endpoint testing like SoapUI testing.

Invicti is a good product, and its API testing is also good. The product is really good and gets into false positive checks and proof of concept checks.

The scanning time, complexity, and authentication features of Invicti could be improved.

We have been using Invicti for the last five years as a customer.

Invicti is a very stable product, and we don’t have any issues.

Invicti is a scalable solution.

We have a different model where our security team manages the solution, and we don't give it to developers. We are a small to medium enterprise.

We don't have any issues because Invicti's support was really good.

Positive

Depending on the use cases I've used, HCL AppScan and Burp Suite. It depends on the use case and the user's knowledge. All these products are based on the user's knowledge.

I usually use Invicti for official purposes, but in certain cases, we use Burp Suite for doing a ping test-related activity.

From my end, it was easy to install the solution. I haven't seen any problems with installing Invicti.

The installation depends on the scans we perform. A typical scan will take only a day. I am talking about configuration and not about the scans.

Maintenance is not a major issue. We have good support from Invicti to help us maintain the solution.

If you use a good VAS solution, you can go for a lighter web application test. Invicti is a really good product when the web solution is SaaS-oriented and complex in nature. For any false positives, they do a proof of concept and then share the records with us, and that true positive summary would be really good.

Overall, I rate Invicti an eight out of ten.

• Simple, easy and straightforward to start.
• eader information is displayed in an easy to ready way which can be interpreted separately.
• Vulnerabilities categorization, along with the suggestions, is pretty helpful.
• Command line tool did seem interesting, but I couldn’t do much with it. It was a bit hard to learn its usage.
• Crawling websites is one of its best features.

NetSparker is a very easy to use and understand product. Its web crawler feature has benefitted us the most. And introduced us to many security vulnerabilities and information we had not known before. I really like how we can tune the number of concurrent sessions as well, which allows us to do some performance testing as well.

It covers basic-intermediate web attacks and presents the information in a very descriptive way. This enhances knowledge and also helps to identify which areas are lacking attention.

Other than that, it helps you start looking for the attack vectors and points of weakness.

Login functionality: Netsparker does not integrate single-sign-on functionality, which makes it very difficult to use for such websites. SSO has become an essential part of web security testing over the last few years. I would love to see this feature in new releases.

I have been using it for ~6 months.

It is a resource-intensive program, and while it is running, other processes get very slow.

I did not encounter any scalability issues.

This was the starting point. We chose this because Troy Hunt (security advisor) had provided a positive and thorough review of this product on his blog.

We used this product along with some others (SkipFish, NMap, etc.) to fully test the security of our products.

As I mentioned before, installing and using Netsparker is pretty easy compared to other products available.

It is a good tool, as we found out with the Community Edition trial. But the price point is quite expensive for a startup or average-sized company.

Other than what I’ve written, it is a fine product but it cannot be used alone. It covers most of the basic-intermediate level attacks, which is really good as a starting point. But for the high-level and advanced analysis, other (similar) tools are needed, which is why I think its price point is very high.

I like that it's stable and technical support is great.

Asset scanning could be better. Once, it couldn't scan assets, and the issue was strange. The price doesn't fit the budget of small and medium-sized businesses.

I have been working with Invicti for less than six months.

Invicti is a stable solution. 

On a scale from one to ten, I would give stability an eight.

I think Invicti is a scalable solution.

On a scale from one to ten, I would give scalability an eight.

Technical support was great.

Positive

The initial setup was straightforward. I deployed this solution in about two hours.

I implemented this solution. 

Invicti is best suited for large enterprises. I don't think small and medium-sized businesses can afford it. Maintenance costs aren't that great.

On a scale from one to ten, I would give Invicti a six.

We're primarily used the solution as a proof of concept using it for assessing the security of one of our web applications.

The most attractive feature was the reporting review tool. The reporting review was very impressive and produced very fruitful reports.

The proxy review, the use report views, the current use tool and the subset requests need some improvement. It was hard to understand how to use them.

The solution is very stable.

As I was only working on the demo version of the solution, I can't speak to how scalable it would be.

The technical support team was very helpful. They offered me a demo before I started using the tool, and the demo was very impressive.

We previously used a different tool, but it was also a demo, like Netsparker. We wanted to try Netsparker, so we moved to their demo.

The initial setup was straightforward.

I handled the implementation myself.

I tried some different tools. Some of them were full versions whereas others were demo versions like Netsparker.

We're using a demo of the latest version for a POC. We used the on-premises deployment model.

I'd recommend Netsparker for anyone who wants to make a security assessment for web applications.

I'd rate the solution nine out of ten. The tool is full of useful features. However, the intercepting reviews in terms of web requests need some enhancements to be more usable.

Scan, proxify the application, and then detailed report along with evidence and remediations to problems.

We are trying to integrate this product fully into our CI/CD Pipeline. Right now, the basic scan is done. More is being done currently.

I think that it freezes without any specific reason at times. This needs to be looked into.

The UI is a bit cluttered, but it's ok since the Application Security does look at many facets of the Application.

No. Not so far with the upgrades. It updates itself given it is network access and it has plugins too.

We haven't scaled it up so I can't comment. But, we have plans.

Quite high. They are scattered all over social. They have wikis, a website, YouTube videos. They don't have a blog, or I might not have come across it, but given the option of googling things around, they are documenting many things.

Plus, they have active Google groups, where their response time is around a day.

For application security, we tried Netsparker, Accunetix, but this one has a free option and recommended Software from OWASP.

Quite straightforward. We did have a detailed look at YouTube videos, and read the wiki.

In other words, we did our research thoroughly, as their content was online. So it was finding the right content at the right time.

Being as this software is on an Open Source license, I would advise having a technical person on board, who knows how to handle this product.

OWASP Zap is free and it has live updates, so that's a big plus.

Organizations thinking to implement it need a team of technical personnel onboard.

We did try the commercial ones, but since OWASP is known as an authority in web application security, we opted for this software.

Go right ahead. You need to have a technical person.

I use this solution for automated web application testing, and upon the first sight of the web app. I work alone in my company, so a helping hand is always useful. Netsparker did the job.

I use it principally for mapping the web application attack surface using its really good crawler.

Netsparker has done an awesome job with its crawler, as it has found all of the links (also thanks to its good DOM parser).

It has helped me a great deal on a first try over websites.

Netsparker made my work a lot easier in mapping web applications.

The most valuable feature is the crawler because it can found many links and generate close to a full sitemap.

It correctly parses DOM and JS and has really good support for URL Rewrite rules, which is important for today's websites.

It also parses web services like SOAP, REST API, WSDL, and more.

Another thing I really like about Netsparker is the payload list that covers, including every type of vulnerability.

Netsparker Hawk is another good "tool", as it helped me locate some easy-to-find SSRF and XXE vulnerabilities in production websites. Its technology is really good and works well. OOB (Out Of Band) payloads work well.

The scanner itself should be improved because it is a little bit slow.

CPU usage should be improved due to my PC's fan going mad.

RAM usage also should be improved as well.

The attacker part of the scanner should be more fluid and faster.

There should be some option to tune up the scan, like throttling requests or using some WAF/IDS/IPS bypass technique. It needs more than what is currently in the Advanced Options.

The passive analyzer for some vulnerabilities should be improved, as it doesn't get all vulnerabilities. It should also be more efficient.

The scanner should also use some cool techniques to inject payloads, like replacing the entire body and Content-Type header (like for XML input).

The customer service is good.

There are some problems with languages (like for Italian they send you people who can speak Italian just a bit, but it's ok).

I have used Burp Suite Professional and Acunetix.

I switched to Netsparker just to try it and understand how it works.

The setup is really easy and straightforward.

For the trial, Netsparker itself contacted me by phone. Their support is really nice and helpful.

I think that price it too high, like other Security applications such as Acunetix, WebInspect, and so on.

I did not evaluate other options.

You can use Netsparker but use it carefully as some payloads can be dangerous in production. This is the same as Acunetix, WebInspect, and others.

Every scanner should have an option like Burp Suite to use dangerless payloads (with Distribute Damage extension).

I used Netsparker in my company to apply continuous penetration testing. The company has 1000-plus web applications.

Because the company has many web applications, we had to automate scans. I wrote a batch script with the Netsparker API. This made it easy for my jobs.

Netsparker offers some pretty features:

• Crawling feature: Netsparker has very detail crawling steps and mechanisms. This feature expands the attack surface.
• Attacking feature: Actually, attacking is not a solo feature. It contains many attack engines, Hawk, and many properties. But Netsparker's attacking mechanism is very flexible. This increases the vulnerability detection rate. Also, Netsparker made the Hawk for real-time interactive command-line-based exploit testing. It's very valuable for a vulnerability scanner.
• A very useful API for automating the scans.

Perhaps the custom attack preparation screen might be improved. Also, they can implement mobile penetration testing support for manual and automated tests.

The new version of Netsparker is better than the older versions for scalability.

I rate it at nine out of 10 because, although I have used many web application scanners by now, Netsparker gives the fewest false-positives. That's the most important property for a web application scanner. When you buy a web application scanner, you actually pay for two features: non false-positive detection, and attack diversity. Other features affect the quality of a product. So, Netsparker deserves a nine.

• It has a very user-friendly page.
• Creating custom policies is very easy.
• It searches for a lot of updated vulnerabilities.

Before Netsparker, we were opening internal web pages to the outside for manual tests. Health tests were limited by a system admin’s capabilities. After Netsparker, a lot of the security tests became automated. We added a step in our policy document to scan pages with Netsparker before opening a site to the outside.

Maybe supported clients can be improved. It still does not search vulnerabilities in DB2 databases, for example. In NetSparker you can modify your scan for specifik target database type, programming language and web server type. And there isn’t DB2 database option for database target in scan Editor.

I have been using it for about two years.

On early versions, scanning for vulnerabilities didn’t complete. But now it takes an acceptable amount of time.

I did not encounter any scalability issues. With a licence, you can install and run multiple instances of Netsparker at the same time, of course on different targets. Also, you can restrict network access or requests to the page.

Technical support is very professional, 10/10. They know what they are doing.

We did not previously use a different solution. We started with Netsparker.

Setting up and updating Netsparker is very easy; only one click.

Actually, I am a technical guy; I don’t know exactly the price, but I do know that if the product was expensive, our manager wouldn’t have bought it. J

We tried Acunetix, but Netsparker has one up on it.

You must work on your environment first. List the web applications’ background: the systems they are using, web server type, database type, programming language. Netsparker supports lots of them, but there are still some restrictions. If they know their environment, the decision is easier.