Buyer's Guide
Application Security Tools
July 2022
Get our free report covering OWASP, Micro Focus, Invicti, and other competitors of PortSwigger Burp Suite Professional. Updated: July 2022.
621,548 professionals have used our research since 2012.

Read reviews of PortSwigger Burp Suite Professional alternatives and competitors

Security Engineer at Secure Network
Real User
Top 5 Leaderboard
Very easy to set up because they give you an installer that does everything
Pros and Cons
  • "Acunetix has an awesome crawler. It gives a referral site map of near targets and also goes really deep to find all the inputs without issues. This was valuable because it helped me find some files or directories, like web admin panels without authentication, which were hidden."
  • "I had some issues with the JSON parameters where it found some strange vulnerabilities, but it didn't alert the person using it or me about these vulnerabilities, e.g., an error for SQL injection."

What is our primary use case?

We needed it to scan our internal network and web applications. 

Our security team of five people used it. We scheduled some monthly scans for web applications, which were not being used, to check for vulnerabilities and also vulnerabilities on new features.

How has it helped my organization?

Where I worked was a big group where there were many agencies under it, and we did the security for all other agencies. With Acunetix, we cut the time to make infrastructures and web applications (for our colleagues) more secure.

For one application with two or three critical vulnerabilities and some other vulnerabilities, it took like a week to remediate issues because the scan and findings were really fast. 

What is most valuable?

What I found to be valuable was the fully automated scanner because it is really fast. 

Acunetix has an awesome crawler. It gives a referral site map of near targets and also goes really deep to find all the inputs without issues. This was valuable because it helped me find some files or directories, like web admin panels without authentication, which were hidden.

Acunetix saves on the cost of time because it is fast.

When Acunetix finds a vulnerability, it also checks for a false positive so it can be 100 percent sure about the issue that it found. The false positives are really low, maybe one percent.

What needs improvement?

I had some issues with the JSON parameters where it found some strange vulnerabilities, but it didn't alert the person using it or me about these vulnerabilities, e.g., an error for SQL injection. 

They need more customized scans along with a way to edit their default payloads. While you can select which check to do, you can't add which payload to use.

For how long have I used the solution?

I used Acunetix 20 months ago at the last agency where I worked.

What do I think about the scalability of the solution?

The scalability was okay. We didn't need to do much work to implement it into the network or some web applications, so I think it's really easy to scale. We didn't need to do work on it because the solution is adaptable to every environment.

There were about 20 websites and other web applications.

How are customer service and technical support?

I never needed to talk to the Acunetix technical support.

Which solution did I use previously and why did I switch?

They were previously using Fortify WebInspect, which was good, but very costly.

How was the initial setup?

It was very easy to set up Acunetix, as they give you an installer that does everything. You just need to click: "Install".

It takes a maximum of 10 minutes to deploy, if you want to read everything.

We did other configurations to enable the IP address to talk to all the networks.

We also used Acunetix on a Linux server. The deployment process was the same as Windows. It was just another installer, but for Linux.

What was our ROI?

It saved us many weeks of work.

We didn't sell anything with Acunetix, so it was just an improvement for ourselves.

If someone would have hacked us, they probably would have caused much damage. However, now with Acunetix, they shouldn't be able to cause damage.

What's my experience with pricing, setup cost, and licensing?

I think all the scanners, except Burp Suite, are a bit costly.

Implementing Acunetix needs a medium or larger business agency, because you need some money to get Acunetix. It is costly, but if you care about your agency's security, then maybe it's a cost that might help you in the future.

Which other solutions did I evaluate?

Acunetix is the fastest scanner available compared to applications like Netsparker and Fortify WebInspect. The longest scan with Acunetix, and it was for a huge web application, took only four hours. Other scanners did the job in six to eight hours. 

While I like Netsparker, it is really slow compared to other scanners.

What other advice do I have?

We found 50 unexpected, high vulnerabilities for three web applications. This made our principal a bit mad.

We found three or four DOM-based XSS vulnerabilities using this solution.

It did not require maintenance on our part. We just needed to give it some credentials.

I would rate it as a nine out of 10.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
AnkithKumar - PeerSpot reviewer
Application Security Consultant at a tech services company with 10,001+ employees
Real User
Top 10 Leaderboard
Great for automating and testing and has tightened our security
Pros and Cons
  • "The solution has tightened our security."
  • "Lacks resources where users can internally access a learning module from the tool."

What is our primary use case?

I use this solution to test applications: web applications, web APIs, and infrastructure. For the web APIs and applications, I use OWASP Zap for interpreting requests and responses, and to see how the application behaves to resist payloads. This is one of the basic applications for us to automate and test. We are customers of OWASP Zap and I'm an application security consultant.

How has it helped my organization?

The solution has tightened our security and that of our clients who depend on it. If you identify a weakness or a limitation in an application, and the tool identifies it, we can highlight it to the developer, who secures it and gives it back to us and we can test it back through the tool. 

What is most valuable?

The most beneficial thing is that the solution is open-source, so there is no cost involved. It's useful for beginners who are looking to learn about penetration testing.

What needs improvement?

I'd like to see more regular updates with new features and I'd like to see resources where users can internally access a learning module from the tool. It would be helpful for any user interested in developing their skills. They have all the built-ins but it's not user-friendly in the sense that the UI is not as easy as you'd find in a solution such as the Burp Suite.

For how long have I used the solution?

I've been using this solution for nearly three years. 

What do I think about the stability of the solution?

Stability is pretty reliable. Sometimes when we're testing a broader application, it can get stuck. We have more than 30 users which include managers and testers. 

How are customer service and support?

We haven't needed to reach out for any technical support but I've heard they are quite responsive.

Which solution did I use previously and why did I switch?

We're currently moving away from OWASP to PortSwigger Burp Suite Professional. It's more user-friendly with a better interface. It also comes with professional licensing. I've reached out to the support team, and the quantity of content and resources is significantly greater than Zap offers.

How was the initial setup?

The initial setup is very simple, you just need to have a Java file. Deployment takes a maximum of 10 minutes and is carried out in-house. There's no real maintenance involved. 

What other advice do I have?

If you're a smaller organization, this tool is a great first choice as a starting point. It's quite usable. 

I rate this solution eight out of 10. 

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PrashantPatil - PeerSpot reviewer
Senior Security Consultant at Verve Square Technologies
Consultant
Top 20
Great active and passive scanning, and reports are generated automatically
Pros and Cons
  • "The solution generates reports automatically and quickly."
  • "The scannings are not sufficiently updated."

What is our primary use case?

We use this product for vulnerability assessment and penetration testing of any web application in addition to API testing. The solution generates reports for us. I'm a security consultant and we are end-users. 

What is most valuable?

The solution generates reports automatically and quickly and it's a very user-friendly product. I like the active and passive scanning, which is a good feature from my perspective.

What needs improvement?

I find that the scannings are not sufficiently updated. 

For how long have I used the solution?

I've been using this solution for four years. 

What do I think about the stability of the solution?

The stability is good, up to the mark. 

What do I think about the scalability of the solution?

The scalability is good and we're likely going to increase usage of Netsparker. 

How are customer service and support?

We contact technical support all the time and they are great. They resolve issues quickly and efficiently. 

Which solution did I use previously and why did I switch?

We also use Burp Suite which is a UI-based tool that I also find to be user-friendly. We use both products so that in the case of false positives we can compare and verify. 

How was the initial setup?

The initial setup is straightforward and the solution doesn't require any maintenance. We currently have 15 users and that number is likely to expand to around 20 in the near future. 

What's my experience with pricing, setup cost, and licensing?

The pricing of the license is compatible with our budget. 

What other advice do I have?

I highly recommend Netsparker and rate it eight out of 10. 

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.