Invicti Reviews

I have worked on a couple of products, specifically in web application security. I have worked on Invicti, and with respect to PAM, I have worked with BeyondTrust.

I have not worked specifically for AWS cloud environments. However, I did work with web application protection with respect to SAST and DAST offerings of Invicti. Additionally, there is one more product within Invicti's portfolio, which is the software composition analysis, SCA.

I have been working with Invicti for three years overall.

Basically, any web applications which work under the port number 8080 or the HTTPS links are web applications, and all of them can be protected from a dynamic or a static environment through Invicti.

I have worked on firewalls, threat intelligence, and multiple cybersecurity products.

A good scanning engine is what I appreciate about Invicti. When you want to find out the vulnerabilities within your web applications, Invicti has done a thorough job with respect to filtering out the vulnerabilities and identifying the risk factors with respect to the security modules within the solution.

Invicti does have a segment of the solution which works on the automated scanning engine. As long as the license is active, the scanners that work within the solution are pretty effective.

With respect to SAST and DAST, being a real-time scanning engine is one of the portfolios and one of the selling factors of the solution.

Invicti is known to be a solution that works within the hybrid environment, be it cloud, on-premises, or a mix and match across multiple marketplaces. It does a thorough job.

Most importantly, Invicti is a very good SAST and DAST solution that is very competitive in the market with respect to competitors. Invicti is a part of the Magic Quadrant with respect to Gartner's Magic Quadrant and has made a very good customer database and pipeline within the marketplace locally.

With respect to security impacts in terms of support, Invicti is pretty much supportive. With respect to use cases or the POCs I have run on the solution, we have identified a couple of vulnerabilities and Invicti was able to trace them, detect, and quarantine the attacks.

At this time, there is nothing that comes to mind. However, most of the products in the market are pretty much neck-to-neck competitors. Speaking about it, there are a couple of factors which they can work on by identifying features from one another.

Invicti does have a feature where it scans the source code of the applications before they hit the production environment, and that is where the software composition analysis comes into place.

I have been working with Invicti for three years overall.

Invicti is scalable, and you can integrate your web application firewall to the solution. I did not find any limitation.

The tech support is decent enough. Moreover, the local support of the distributors and the partners cover up most of the work. However, at times, you would need tech support from the manufacturer or the vendor themselves. We just open up a ticket and they respond within 24 hours, depending on the severity of the case.

I have not worked with the competition unfortunately. However, I have worked with Cyble.

I did deploy Invicti on a couple of accounts. Mostly it needs a virtual setup. Depending on the license activation and configuration of a couple of policies at the customer's side, you do not have to do much. It is mostly a virtual deployment and very easy.

Local distributors handled the implementation.

Invicti has done a commendable job with respect to ROI. We have had a couple of conversions of recurring business from multiple end users. With respect to being a cost-effective solution and one of the market leaders as an effective solution for SAST and DAST, Invicti has performed very well.

The setup cost is pretty competitive. For example, if you want to talk about the SAST license, it comes to about $150 or sometimes less than $100, depending on the conversion or the number of licenses that the customer requests. It is pretty competitive to the market. Since it is affordable, a lot of SMBs prefer Invicti.

I did not find any difference in features, but the market reach of Qualys with respect to the enterprise segment is huge compared to Invicti. Invicti is pretty much prominent within the SMB marketplace. In terms of features, they are pretty much neck to neck.

I would rate Invicti as a product and solution as an eight out of ten.

I would suggest starting off immediately because, as I mentioned, all the web applications that work under the port number 8080 and follow the HTTPS protocol can be protected. If they want security with respect to web applications, then Invicti is the answer. It is pretty easy to deploy and manage. It is not a very heavy solution to monitor or to manage by the IT teams, and it is pretty easy and scalable as well. I have assigned an overall rating of eight to this product.

I use Invicti for web application testing and API testing. I want to confirm that I am still using Invicti and SonarQube.

It has good false positive confirmations, confirmed issues identification, and proof of exploit-related features as part of it. We use Invicti for these things in our portfolios.

The solution includes Proof-Based Scanning technology.

Invicti is part of our SSDLC portfolio, and DAST dynamic testing is very important for our web applications and portfolios. For both the API endpoints and web applications, we do regular testing on a monthly basis for all our releases. Invicti does a good job. The only concern is on the performance side, but other than that, we find it really helpful in identifying web vulnerabilities.

A full scan takes more time based on your website and other factors, but for us, it takes more than two to three days. The scan performance can be improved upon. When we check with them, they discuss proof-based scanning and related aspects. However, there could be intermittent results that could help us.

The main concern is on the performance side, but other than that, we find it really helpful in identifying web vulnerabilities.

A full scan takes more time based on your website and other factors, but for us, it takes more than two to three days. The scan performance can be improved upon.

I have been dealing with Invicti for almost three to four years now, more than three years in general.

The installation and initial setup of Invicti are very straightforward.

I did not see any glitches with the product. When it comes to scanning, sometimes network issues or other factors kill the scan. I cannot point out that it is the product's fault, but otherwise, it was good.

I do not have specific information on scalability, but it should not be an issue because we run many processes across our enterprise using it. We have not found any issues with that.

The technical support from Invicti is good.

If I were to rate support from one to ten, I would give eight to nine points.

Positive

The installation and initial setup of Invicti are very straightforward.

I have used Burp Suite for web application testing for the use cases I mentioned, apart from Invicti.

Those products are different from different perspectives, as per our requirements. If I want to do a manual inspection, I use Burp. I run the scans on Invicti, and then for analysis purposes, I use Burp.

We are a customer, not a consultant, integrator, or reseller.

We have not integrated it into our process. It is good, but we have not done that as part of our process. We run our manual scans, which are scheduled with our schedulers.

The compatibility with various web technologies and frameworks is good. We use many technologies, and it is being managed as part of it.

We did not do that validation. We looked into it feature-wise and based on our requirements, and I find Invicti is good for us.

I do not see anything that they could add, because Invicti caters to my requirements. We need to check out options for AI-related activities and making dynamic testing for users. It is a scan tool that runs the scans, but it is not integrated with a developer-centric model. We need to move more towards that. I have not explored that route with the product. That is one of the things which I feel. Shift-left, moving web application testing towards the developers.

On a scale of one to ten, I rate Invicti an eight.

I primarily use Invicti for code scans to identify open vulnerabilities and secrets in the code. Different development teams working on various technology stacks rigorously use it to understand areas for improvement, focusing mainly on top critical or high-level vulnerabilities and their remediation suggestions. Invicti helps us prioritize the development team's efforts.

Invicti's proactive scanning measures vulnerabilities each time we deploy or push code to a new environment. This feature helps us focus on priorities and prioritize the development team's effort, integrating seamlessly with DevOps to facilitate proactive scans of environments. Invicti also provides audit recommendations that are quite realistic, making it easy to discuss plans with developers.

Invicti's reporting capabilities need enhancement. We need enterprise-level information instead of repo-level details. Unlike Appiro, Invicti does not provide portfolio-level insights into vulnerability remediation over time.

Personally, I have used Invicti for around five months in a limited capacity, as I'm not an active user. However, the company has been using it longer.

I would rate the stability as ten out of ten. 

I haven't encountered any downtime or slow performance.

In terms of scalability, I rate Invicti as eight out of ten. 

If it had integrated reporting capability, I would rate it higher.

I haven't had the opportunity to use customer support, so I'm unsure about its quality.

Positive

Before Invicti, I did not use a different solution. It was my first experience with such a tool.

We had a designated team focused on onboarding the tool and looking into scan reports, however, I was not part of this setup.

Overall, I rate Invicti as eight out of ten. 

There is room for improvement in terms of integrated reporting capabilities. Identifying vulnerabilities and offering management insights would greatly benefit senior management for timely decision-making. 

We primarily use Invicti to scan and secure our website against vulnerabilities, ensuring compliance and reducing potential risks.

Invicti(Netsparker) has streamlined our security efforts by allowing seamless integration with tools like Jira, which improves team visibility, accountability, and collaboration. It has significantly improved how we identify, track, and remediate vulnerabilities.

Currently, there is nothing I would like to improve.

We have been using it for approximately three years now.

From my experience, Invicti is an exceptionally stable solution for web application security. Here's what stands out:

• 
  Consistent Performance: Over the three years we’ve used it, the solution has demonstrated reliable and consistent performance, even during large-scale scanning operations.


• 
  Minimal Downtime: I have not encountered significant downtime or disruptions while using Invicti, which is critical for security tools that organizations rely on continuously.


• 
  Robust Architecture: Its ability to handle complex scanning tasks without crashes or lag reflects its well-engineered platform.


• 
  Regular Updates: Invicti frequently releases updates and patches, which enhance functionality and address any stability concerns proactively.

Rating :

I would confidently rate Invicti’s stability at 9.5 out of 10. It ensures uninterrupted operations and supports high-performance demands, which are essential for enterprise environments.

Invicti’s scalability is exceptional, earning a rating of 9 to 9.5 out of 10. It effectively handles large-scale web applications and supports rapid deployments, making it ideal for growing organizations.

Positive

We previously used Tenable.io WAS but switched to Invicti because its interactive and user-friendly interface provided a more engaging experience. Invicti's focus on web application security also aligned better with our needs.

The initial setup of Invicti (Netsparker) was relatively straightforward, especially with the help of the well-organized and detailed documentation provided.

Straightforward Aspects

1. 
   User-Friendly Installer: The installation process is streamlined with a clear step-by-step guide that minimizes guesswork.


2. 
   Sufficient Documentation: Invicti provides comprehensive documentation, covering everything from installation to advanced configuration. This includes guides for integrating with other tools like Jira and setting up automated scans.


3. 
   Quick Configuration: Basic configurations, such as setting up scanning profiles and scheduling scans, are intuitive and require minimal effort.


4. 
   Integration Assistance: The documentation also offers detailed steps for integrating with CI/CD pipelines and security tools, simplifying the process.

Complex Aspects

1. 
   Enterprise Environments: For organizations with more complex infrastructures (e.g., hybrid clouds or custom APIs), the configuration required additional customization.


2. 
   Access Management: Setting up role-based access controls and multi-user configurations took some extra time but was manageable with the provided documentation.


3. 
   Proxy and Authentication Setup: Configuring proxy servers and authentication mechanisms (e.g., SSO) involved some additional steps but was well-explained in the guides.

Implemented using inhouse team.

1. Time Savings

• 
  Reduced False Positives: Invicti's proof-based scanning validates vulnerabilities, reducing time spent investigating false positives. This saves significant hours for the security team.


• 
  Efficient Remediation: The actionable insights and integration with tools like Jira streamline vulnerability tracking and resolution, shortening the time-to-remediate.

2. Improved Security Posture

• 
  Comprehensive Scans: Invicti helps identify vulnerabilities that could lead to major breaches, preventing potentially costly incidents.


• 
  Enterprise Scalability: Its ability to scan large-scale applications quickly ensures we can keep up with the growing number of assets requiring security checks.

3. Cost Efficiency

• 
  Prevention over Reaction: Investing in Invicti reduces the likelihood of data breaches, which can cost millions in fines, downtime, and reputational damage.


• 
  Team Productivity: By automating vulnerability detection and offering detailed reports, Invicti minimizes manual effort, allowing the team to focus on higher-value tasks.

4. Intangible Benefits

• 
  Compliance: Invicti simplifies meeting regulatory requirements like GDPR or PCI DSS, saving costs associated with audits or penalties.


• 
  Customer Trust: Demonstrating proactive web application security enhances client confidence and business credibility.

As a technical user, I do not handle pricing or licensing, but I am aware that Invicti offers flexible licensing models based on organizational needs.

Before selecting Invicti, our evaluation was limited to Tenable.io. Invicti stood out due to its superior interface and focus on web application security.

I strongly recommend Invicti for enterprise users due to its robust features, scalability, and ease of integration. However, it might not be the best choice for smaller companies because of its licensing model. For organizations managing extensive web applications, Invicti delivers exceptional results. I confidently rate the solution a 10 out of 10.

We use the solution for vulnerability testing. Our customers are in different industries, but we mainly focus on fintech companies, such as those in the financial sector.

It provides robust features. Invicti stands out in the future in proof-based scanning technology. They have built their own engine, which provides proof of their plight for identified vulnerabilities. They identify vulnerabilities and exploit them. The tool is capable of producing very few false positives.

It indicates the accuracy of the proof-based scanning. It detects a wide range of vulnerabilities.

The third one is integration and automation. It has very good integration with the CI/CD pipeline.

It is a perfect scalable tool for smaller companies and enterprises. The ease of use and reporting are both very good. Five to six features make Invictus stand out from other tools in the market.

Invicti has provided a roadmap outlining the improvements they're focusing on. Given the competition, with tools like Qualys and many others in the market, the interface needs to be enhanced, integration with other tools increased, and scalability improved. Invicti also plans to offer more support for API tools and provide greater flexibility in pricing. They can add real-time threat intelligence.

They need to improve their support in the documentation. Their support mechanism is missing. Their responsiveness, technical staff, and these types of things need to be improved, and comprehensive documentation is required. They should have good self-service portal enhancement

I have been using Invicti as a reseller and service provider for over four years.

It doesn't crash. It has a proven tech record,consistent performance, and regular updates and patches. So it is stable.

I rate the solution’s stability an eight out of ten.

It is a very scalable tool. I rate the solution’s scalability a nine out of ten.

Customer support is big. It depends on region to region.

It is easier to install, there are no issues, and it's very straightforward. It's a cloud-based installation, and there is an option for an on-premises installation. 

You sign into the cloud, go to the web platform, configure your settings, and start scanning the process. For on-premises installation, you can have the required technical knowledge. You must ensure that the hardware is there. You configure it, follow the wizard to configure it, and start scanning it.

We give them complete end-to-end deployment installation and whatever it will be. It takes two to three days for end-to-end deployment.

I rate the initial setup an eight out of ten, where one is difficult, and ten is easy.

The inventory prices are very competitive. The competitors are more expensive, but the estimated cost of Invicti is more competitive than that of other tools. They had very good pricing. We have different tools on the Internet, but this tool is very promising in the future. It has a subscription-based pricing tool. You can start with 5000 to 10,000 as a small business. For enterprise solutions, you can go from 15,000.

They use some AI-based technologies in their latest tool, but it’s not a specific type of AI. The AI they’ve incorporated improves vulnerability detection, reduces false positives, and enables adaptive learning. These are a few areas where AI has enhanced its tools. Normally, vulnerability detection doesn’t improve without additional coding, but AI is helping them achieve this automatically. False positives are particularly problematic for these tools, as they can indicate a vulnerability that doesn’t exist, and AI is helping to reduce these errors. Additionally, in dynamic testing, AI uncovers different scenarios, aiding in behavior analysis and adaptive learning. They are still in the process of further integrating AI into their product.

Keep using Invicti. The advice for Invicti is to improve their customer service and product.

Overall, I rate the solution a seven out of ten.

We use Invicti for web application security, web application ping test, API testing, and endpoint testing like SoapUI testing.

Invicti is a good product, and its API testing is also good. The product is really good and gets into false positive checks and proof of concept checks.

The scanning time, complexity, and authentication features of Invicti could be improved.

We have been using Invicti for the last five years as a customer.

Invicti is a very stable product, and we don’t have any issues.

Invicti is a scalable solution.

We have a different model where our security team manages the solution, and we don't give it to developers. We are a small to medium enterprise.

We don't have any issues because Invicti's support was really good.

Positive

Depending on the use cases I've used, HCL AppScan and Burp Suite. It depends on the use case and the user's knowledge. All these products are based on the user's knowledge.

I usually use Invicti for official purposes, but in certain cases, we use Burp Suite for doing a ping test-related activity.

From my end, it was easy to install the solution. I haven't seen any problems with installing Invicti.

The installation depends on the scans we perform. A typical scan will take only a day. I am talking about configuration and not about the scans.

Maintenance is not a major issue. We have good support from Invicti to help us maintain the solution.

If you use a good VAS solution, you can go for a lighter web application test. Invicti is a really good product when the web solution is SaaS-oriented and complex in nature. For any false positives, they do a proof of concept and then share the records with us, and that true positive summary would be really good.

Overall, I rate Invicti an eight out of ten.

We use this solution to initialize our applications before releasing them to our clients. The first step is deploying our application and scanning it using Invicti. We configure the scanner for our application’s specific server issues, types, and language. After the scan is complete, Invicti will identify any vulnerabilities. Once we have the scan results, we manually test them on-premises.

The best features of Invicti are its ability to confirm access vulnerabilities, SSL injection vulnerabilities, and its connectors to other security tools.

The solution needs to make a more specific report.

I have been using Invicti for two years. 

The solution is very stable but uses very high resources. When using the normal scan for work applications, it could have six to eight GB of RAM. There were no crashes or issues with it.

The solution is very scalable. You have to get more resources on your device. My machine uses 70% of the processor one scan in the same configuration.

The Invicti is the scope application tool. The solution is installed on-premise but could be installed as a web version. Starting from the latest version, the web version could be used. They have a web application server.

The deployment of the solution involves installing the EXE and configuring your machine.

The solution is very expensive. It comes with a yearly subscription. We were paying 6000 dollars yearly for unlimited scans. We have three licenses; basic, business, and ultimate. We need ultimate because it has unlimited scan numbers.

I advise having more resources on your device. The solution is better to use and sell for the workstations. It is not for a personal laptop.

Overall, I rate the solution a nine out of ten.

We used Invicti to find vulnerabilities and ensure compliance with regulations like PCI DSS and GDPR. We also use it to fix vulnerabilities in web applications, prioritize our risks and get executive and detailed developer reports.

I am impressed with Invictus’ proof-based scanning. The solution has reduced the incidence of false positive vulnerabilities. It has helped us reduce our time and focus on vulnerabilities.

The licensing model should be improved to be more cost-effective. There are URL restrictions that consume our license. Compared to other DAST solutions and task tools like WebInspect and Burp Enterprise, Invicti is very expensive. The solution’s scanning time is also very long compared to other DAST tools. It might be due to proof-based scanning.

I would like to see more integrations for the solutions in the future. They need to integrate swarm technology that bypasses CAPTCHA. They also need to integrate FA solutions with other multifactor authentication tools.

I have been using the solution for five years.

Invictus is a very stable solution.

I would give a ten out of ten for the solution’s scalability. The solution is scalable on every server and agent since the architecture is modular-based. Our Ankara site has 15 customers. There is also a bigger site in Istanbul which has around 20-30 customers. Our biggest customers are in Turkey and they use the solution to scan web applications.

The setup is easy and basic. It takes about three to five hours for the deployment to happen. The deployment is dependent on the environment, the number of agents, and the authentication of the servers.

We are using an NFR license and I do not know the exact price of the NFR license. I think 20 FQDN for three years would cost around 35,000 US Dollars.

From the technology perspective, I would rate the solution a ten on ten. However, I would give it an eight out of ten due to the pricing factor. We are an integrator cybersecurity company based in Turkey. We offer advisory and technical support consulting services to the government and Telco finance sectors. We have many customers. Invictus is a cost-effective solution if your FQDN is less and lies in the range of zero to ten or even 20. 

However, if you have over 50 FQDN then Invictus will be an expensive solution to scan web applications. In such cases, we would be recommending other DAST tools like WebInspect. Before providing consultation services, our company evaluates the number of FQDNs of the customers. If their budget fits with the requirements of Invictus, we would definitely recommend the solution. However, if their budget is limited and scanning requirements are only basic, then we would suggest other DAST tools.

We use Netsparker by Invicti to run tests for application security based on OWASP Top 10.

The dashboard is really cool, and the features are really good. It tells you about the software version you're using in your web application. It gives you the entire technology stack, and that really helps. Both web and desktop apps are good in terms of application scanning. It has a lot of security checks that are easily customizable as per your requirements. It also has good customer support.

The license could be better. It would help if they could allow us to scan multiple URLs on the same license. It's a major hindrance that we are facing while scanning applications, and we have to be sure that the URLs are the same and not different so that we do not end up consuming another license for it.

Netsparker is one of the costliest products in the market. The licensing is tied to the URL, and it's restricted. If you have a URL that you scanned once, like a website, you cannot retry that same license. If you are scanning the same website but in a different domain or different URL, you might end up paying for a second license. 

It would also be better if they provided proper support for multi-factor authentications. In the next release, I would like them to include good multi-factor authentication support.

I have been using Netsparker by Invicti for about five years.

We haven't had any problems with stability.

Scalability is simple because we are using it as a standalone application at the moment. It's installed in one of our testing environments. So, I cannot really comment about scalability. We have about three to five people using it at the moment.

Tech support is really wonderful, and they are very helpful and prompt with responses as well. If we have some queries regarding macros, regarding the APIs, the customer support is really good, and they have good recommendations as well.

The initial setup is straightforward. 

Netsparker is one of the costliest products in the market. It would help if they could allow us to scan multiple URLs on the same license.

There are different products in the market for DAST like Micro Focus, IBM AppScan, Acunetix, and Burp Suite. All these products have their pros and cons. Netsparker is really good, and it has a vast variety for security checks, plugins, that could be used for finding vulnerabilities.

I would tell potential users that it's really one of the best products in the market for web application security or Dynamic Application Security Testing (DAST). The licensing part is challenging, but they might get a good deal out of the Netsparker team.

On a scale from one to ten, I would give Netsparker by Invicti a seven.

My primary use of Invicti revolves around supporting my vulnerability testing efforts. As part of my role in overseeing security for various companies, Invicti aids in generating reports to bolster security measures.

I find the product's zero false positive feature quite valuable, as does its array of authentication options, which provide flexibility in testing various web applications.

They could enhance the support for data swap testing for the platform. 

I've been utilizing Invicti for approximately three years now.

The platform is stable.

The technical support services are good. 

Invicti's robust authentication options stand out as a significant advantage compared to other solutions.

The product plays a crucial role in our organization's security posture by identifying vulnerabilities. Once I deliver my reports, the identified issues are promptly addressed, significantly improving our overall security stance.

The automation capabilities streamline our security testing processes, especially concerning web application authentication. It ensures compatibility with different authentication solutions, facilitating automatic testing.

I value the robust reporting capabilities. The diverse range of report options allows for detailed insights, which assists in effectively addressing security issues.

I would recommend Invicti to others and rate it a nine.