LeadInfo77fb - PeerSpot reviewer
Lead Information Security Engineer at a financial services firm with 1,001-5,000 employees
Real User
Web-based GUI and the ability to schedule scans are great, but findings are hard to manually replicate
Pros and Cons
  • "The most important feature is that it's a web-based graphical user interface. That is a great addition. Also, the ability to schedule scans is great."
  • "It should be easier to recreate something manually, with the manual tool, because Acunetix is an automatic tool. If it finds something, it should be easier to manually replicate it. Sometimes you don't get the raw data from the input and output, so that could be improved."

What is our primary use case?

We use it for internal penetration testing, for security reviews.

Acunetix is just one tool of many that we use. We try to cover as much as possible during assessments. We do security assessments of all the code and everything we develop internally. When we do a security assessment, we do a manual code review and we use different kinds of tools, as well as manual testing against the application, etc. It's just one tool within many that we use. It has been very useful in that it's found things that we otherwise might have missed.

How has it helped my organization?

As a team, it's helped us to deliver better security assessments. There are only two of us here who do the penetration testing, and we've been providing better results from our testing.

What is most valuable?

The most important feature is that it's a web-based graphical user interface. That is a great addition. Also, the ability to schedule scans is great.

The speed of Acunetix has been pretty good. It's been the same as most other tools that we use, but it's been good.

What needs improvement?

It should be easier to recreate something manually, with the manual tool, because Acunetix is an automatic tool. If it finds something, it should be easier to manually replicate it. Sometimes you don't get the raw data from the input and output, so that could be improved. That's the main concern for me.

I would like to see some more advanced settings when it comes to authentication and authorization, and other fine-grain adjustments you could do to the scan engine. The advanced functionality could be a little bit better.

Buyer's Guide
Acunetix
December 2024
Learn what your peers think about Acunetix. Get advice and tips from experienced pros sharing their opinions. Updated: December 2024.
824,067 professionals have used our research since 2012.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

We haven't had any issues with the stability. It's been very good.

What do I think about the scalability of the solution?

Since we only have two small licenses, I cannot judge the scalability. I haven't tried out how it scales.

How are customer service and support?

Technical support has been good. We had some issues or comments, mostly, on the features. We have asked for features and support has been pretty good. They've been very responsive.

Which solution did I use previously and why did I switch?

The speed of Acunetix would be about the same as previous solutions we've used. Most of the time I just kick it off, walk away, come back later, and check it out. The speed is not the most important thing for us. Of course, we don't want it to drag on too long.

The false-positive rate has also been comparable to most other tools we use. I wouldn't say that it's best-in-class. One of the biggest problems I've had with Acunetix is that it's hard to replicate things manually because you don't get the raw packet. Its debugging functionality hasn't been the best.

How was the initial setup?

The initial setup was very straightforward. The deployment took a couple of minutes. It didn't take long at all. There wasn't really an implementation strategy. We just installed it - nothing special - on our workstation.

There are just the two of us who take care of the deployment and maintenance.

What about the implementation team?

We did it ourselves.

What was our ROI?

I can't share data points, but we have seen ROI. Otherwise, we wouldn't have renewed the license. Every year we evaluate if we're going to keep a vendor or not. Since we have renewed our license, we think it has ROI value.

It's impossible to answer whether it has saved us money in the long term, but of course, since we use automatic tools, we don't need as many personal testers. However, personal testers also find a lot of bugs that automatic tools don't find. You need a combination of both.

What's my experience with pricing, setup cost, and licensing?

Acunetix was around the same price as all the other vendors we looked at, nothing special.

Which other solutions did I evaluate?

We just did a PoC with a couple of different vendors, and we liked Acunetix the most.

What other advice do I have?

Think about the usage of the product. What are you going to use it for? Try to see the whole picture. It's very important to see the whole picture: This is one component in web application security testing. It's not only the security scanner.

If you ask how long it takes to complete a scan using this solution, it's like asking, "How long is a rope?" It's very dependent on the applications. It can be anything from 20 minutes to many hours, even 12 to 18 hours.

We use it for ten or 15 websites or locations. We just do a test and then we come back. We have many applications that we test yearly, but we don't do continuous scanning with Acunetix. We just use it for our security assessments. In terms of increasing usage of Acunetix, I think we're happy where we are now. It's being used all the time during assessments, every week, almost daily.

Because we don't do continuous scanning of production environments, we can't say how long it takes to remediate problems. We only do scanning when we do code development. Remediation could be anything from hours to weeks, depending on the developers. And it's nothing that's in production, so it doesn't matter if it's one or two or five days or hours.

We haven't found many high-level vulnerabilities, more mediums, and a lot of lows.

I would give Acunetix a seven out of ten. It's been a great tool for doing dynamic web application security testing, but it's not as versatile as Burp, which is more focused on manual testing. On the other hand, it has a lot more tests than Burp's active scanning has. I think it's a good product and it's being actively developed.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Compliance Manager at a tech services company with 201-500 employees
Real User
We are getting notably fewer false positives than previously, but reporting output needs to be simplified
Pros and Cons
  • "It's very user-friendly for the testing teams. It's very easy for them to understand things and to fix vulnerabilities."
  • "The jargon used makes it difficult for project managers to understand the issues, and the technical explanations used make it difficult for developers to understand issues. These things should be simplified much more. That would be very helpful for us when explaining to them what needs to be fixed. The report output needs to be simplified."

What is our primary use case?

Our company has more than 300 employees and we have regional offices in Japan and Malaysia. We are in the FinTech industry. We do banking solutions, mobile, branch-based, and agent banking. We are also into government projects.

We have two lines of application testing. One is for internal application deployments. Before all these deployments, we conduct testing with Acunetix and, based on the report generated, we do remediation. Once the remediation is done we will do more testing. Only once all the vulnerabilities have been fixed is it allowed to be deployed in the organization's environment. 

The second use case is that we do application development for banks. Whenever we develop backend applications or web applications, they are all tested for vulnerability. In addition, the mobile application code is tested using Acunetix.

We didn't have much in the way of exposure to this kind of information when I joined the organization. I introduced this system to test all the applications that were going to be released to customers, as well as for our internal vulnerability assessment and penetration testing purposes.

How has it helped my organization?

The number of "high" and "medium" vulnerabilities found using this solution will depend on the development process. But when we started using Acunetix, and other testing tools as well, we had a lot of vulnerabilities. We had to invest a lot of time in fixing vulnerabilities in those days, about two years back. Now, we don't get that many vulnerabilities because the developers and the application testers have improved a lot. They code in a way that results in fewer vulnerabilities.

Most of the vulnerability standards we've used give a fair number of false positives. But with the latest version of Acunetix, we have seen a good standard of false positive rates. Sometimes, customers actually want to have a list of false positives, but the number of false positives we now get is much less than earlier.

What is most valuable?

It's very user-friendly for the testing teams. It's very easy for them to understand things and to fix vulnerabilities. For anyone who does development, Acunetix is going to be a very powerful tool, and very easy to use. It gives all the required information for fixing your vulnerabilities.

What needs improvement?

The jargon used makes it difficult for project managers to understand the issues, and the technical explanations used make it difficult for developers to understand issues. These things should be simplified much more. That would be very helpful for us when explaining to them what needs to be fixed. The report output needs to be simplified.

For how long have I used the solution?

We've been using Acunetix Vulnerability Scanner for the last three years and we don't have a reason to change to a different solution.

What do I think about the stability of the solution?

We haven't come across unexpected downtime or unexpected issues.

What do I think about the scalability of the solution?

We don't scan more than 35 solutions, but we are always working on improving them and, whenever an improvement comes up, we scan it.

We initially decided that it was going to be deployed on a central server and we didn't look into the scalability. We set up the environment and we have been using it for some time. We haven't come across the need for scalability.

We have five usernames for Acunetix, but most of the time only two of them are being used. Generally, in a week, we may conduct five or six tests. We don't have much load on it. We do intend to expand the number of users in another six months' time with an additional three or four users, as we are expecting more application testing in that time.

How are customer service and technical support?

We had to contact technical support some time ago but not since then. Sometimes the blog provides support very well, and we have also attended certain webinars.

We would really appreciate it if they would provide training on advanced usage or technical know-how. That would help us to attend to things and sort them out.

Which solution did I use previously and why did I switch?

The company had been using InMap and was using manual vulnerability assessment practices, using Kali Linux and some open source applications. But once I joined the company, we changed to a different level because we are an ISO 27000 certified company as well as being PCI DSS application certified with a PCI DSS certified data center. We host payment applications on behalf of Sri Lankan and Malaysian banks. Because of that we introduced these automation systems. We use Acunetix and we use PortSwigger and some other tools.

We used Nessus and we have experience with QualysGuard as well, but Acunetix gives us code-level identification of vulnerabilities and a good understanding of the code-level vulnerability fixes. It is much more helpful for us because we can understand how to fix the vulnerabilities at the code level. The vulnerability identification is much more powerful in Acunetix than in any other tool.

How was the initial setup?

The initial setup is very simple. 

We use this application for testing in different environments, such as production and DR, and implementing scanning in those environments can sometimes be a little bit tough. But that is not due to the complexity of the application but more because of the complexity of the environments that we maintain, to keep our compliance level high.

The way we set it up is that once development is over, we push it to a single location. For that, it's not a very complex environment, it's a single PC. We do the scanning on that PC so that development is actually on a single server. The setup for that didn't take much time. Within two to three days, the complete setup was finished and the initial testing was run.

What was our ROI?

We have seen ROI with Acunetix. That's the most convincing point I have to prove to my management when it comes to the next budgeting cycle. The ROI is seen in the fact that, at the time of application releases, we hold off the risk. When we do the assessment, we see that the distributed cost of Acunetix, across all our releases reduces our risk. It's a very convincing point.

What's my experience with pricing, setup cost, and licensing?

When compared with other products, the pricing is a little bit high. But it gives value for the price. It serves the purpose and is worthwhile for the price we pay. Other than the licensing, we haven't come across any other costs.

Which other solutions did I evaluate?

We are very comfortable with the granularity of tests. Sometimes, for certain specific areas, we use different tools, but we feel that Acunetix is much more helpful for all the development teams in understanding the output of the system. In certain cases, the scope of the application and the exposure of the application is varied and then, for additional security measures, we use different tools to evaluate these applications. That makes us much more comfortable in explaining to our customers that we don't only rely on a single tool, that we use multiple tools to identify things in complex environments. Customers want to have different views, not only a single view, of application testing. 

Acunetix provides the primary vulnerability assessment. Once we believe we can rely on Acunetix, we will be able to save money on other licenses. The most interesting part is that the application security vulnerability reports of Acunetix are much more explainable in simple terms, for developers.

Also, the jargon that some of the applications that I have looked at—certain open source applications—use and the setup required are highly technical. You have to do a lot of maintenance to keep the environment up and running. Acunetix is a lot more comfortable. Newly recruited people and project managers can easily understand it. This is one of the winning points of Acunetix.

In our tests of Acunetix, we didn't find much difference, performance-wise, when comparing it with other applications. It's lightweight but it doesn't matter if it is a little bit heavy, since it provides a much broader spectrum of vulnerabilities. Acunetix is much more customizable for granular levels of testing.

In terms of the amount of time it takes to complete a scan using Acunetix, a web application, for example, with two or three endpoints takes between half an hour and 40 minutes. If I use Kali Linux, it will take more time, and then you have to do much more customization, which requires heavy technical knowledge. Other solutions take time to scan and may give a much broader spectrum, but they do not identify vulnerabilities for the purpose of fixing them. They identify them to explore them. Acunetix scans for the most commonly identified issues. The problem with other solutions is that, while we may be able to see a lot of vulnerabilities, if the solution has not been identified we end up with questions as to whether we are able to release it or not. We don't come up against that issue with Acunetix.

What other advice do I have?

I would definitely recommend Acunetix to anyone who wants to do one vulnerability assessment from an application development perspective.

The amount of time it takes to remediate something will depend on the developer's knowledge and ability to fix vulnerabilities. That doesn't depend on the solution, on Acunetix, but rather on the technical know-how of the people who engage in that.

But that particular jargon and the technical explanations we have for fixing vulnerabilities need to be improved, so that managers who don't have technical know-how can easily understand what needs to be done to fix the vulnerabilities.

Overall, I would rate the solution as a seven out of 10. While we use this tool for application testing, we need another tool to test application traffic interception. Acunetix doesn't have that ability. If it did, I would definitely rate it as nine or 9.5. After using Acunetix for application and code-level testing, the same application will be tested again for application traffic interception. With the results of the traffic interception, we again go back to the code level and then identify where the issues are. If Acunetix had that capability, I would be able to raise it as a nine or 9.5.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
reviewer1218672 - PeerSpot reviewer
IT Manager at a financial services firm with 1,001-5,000 employees
Real User
Simple to use and achieves the required results but more efficiency with the mobile environment would be helpful
Pros and Cons
  • "Our developers can run the attacks directly from their environments, desktops."
  • "Tools that would allow us to work more efficiently with the mobile environment, with Android and iOS."

What is our primary use case?

I'm an IT Manager and we're a customer of Acunetix. We use the automatic tool to control the security of our applications. For the time being, we have two or three people in the company working with the solution, setting up all of the parameters, all the attacks. We have 15 separate groups in the company, most are testing the tool and learning how to use it. We will deploy the tool for the rest of the company at the beginning of next year.

What is most valuable?

The most important feature is that we are able to parameterize all of the attacks so that our developers can run the attacks directly from their environments and desktops. They don't need any expertise or to know the difficulties of the attacker; they just run the tool and get the results.

What needs improvement?

In general, this is a good tool to check the security from the attacker's standpoint. However, when thinking about improvements there are still some attacks that we are not able to control with this kind of tool because there are some things you do in the front-end that sometimes launch processes in the application at the back-end. We need to be able to tie all of the front-end activities with all of the back-end activities. That's a missing piece that no one is providing. 

In terms of additional features, we are currently missing some tools that would allow us to work more efficiently with the mobile environment, with Android and iOS. The tools that we evaluated in the past are not really good for mobile applications. You can control the static code, you can control all the dynamic applications, but not within the phone, or within the tablet.

For how long have I used the solution?

We have only been using the product for about three months.

What do I think about the stability of the solution?

We haven't had any problems so far. It's stable. 

What do I think about the scalability of the solution?

We are still deploying the tool throughout the company, but that hasn't been completed yet. For now, it's just small groups. I hope it is scalable but I can't tell you that now.

How are customer service and technical support?

We have a pretty good team here and we try to be as independent as possible. We needed some help for the initial setup but after that, we've done everything ourselves. 

Which solution did I use previously and why did I switch?

For static analysis, we previously used different tools. 

We carried out an evaluation comparing different tools, and Acunetix was the one that most of us liked. 

How was the initial setup?

Initial setup was quite straightforward, we didn't have any problems with it. 

What about the implementation team?

We carried out the implementation ourselves. 

What's my experience with pricing, setup cost, and licensing?

I'm not involved in the financial negotiations, but I believe it's not an expensive product and cheaper than other similar tools. I understand we bought 100 URLs. It's likely that we'll need to purchase more once we deploy the tool to the rest of the company but I wouldn't know the cost.

What other advice do I have?

I would recommend the product. It's very easy to integrate with Jenkins, with ALM. The most important element for us is that it's very easy for developers to use. They don't need to have any knowledge about security, threats or anything. They just run the tool against their application, and that's it. They get the results.

I would rate this product a seven out of 10.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
CEO at Xcelliti
Reseller
Flexible with fair pricing and good stability
Pros and Cons
  • "Overall, it's a very good tool and a very good engine."
  • "While we do have it integrated with other solutions, it could still offer more integrations."

What is our primary use case?

The solution is primarily used purely as a web-based vulnerability scanning tool.

What is most valuable?

The solution is a very flexible tool.

Overall, it's a very good tool and a very good engine.

The product is very scalable.

We found the solution to be quite stable.

For the number of features on offer, the price point is quite good.

The installation is very straightforward.

What needs improvement?

The solution should work on dealing with the number of false positives it delivers.

While we do have it integrated with other solutions, it could still offer more integrations.

For how long have I used the solution?

I've been dealing with the solution for the past two years.

What do I think about the stability of the solution?

The solution is very stable. There are no bugs or glitches. It does not crash or freeze. It's very good.

What do I think about the scalability of the solution?

The solution is scalable. If a company needs to expand it, it can do so with relative ease.

Right now, we have four or five of our customers using the product.

How are customer service and technical support?

The solution's technical support is okay. We have no complaints. They are helpful and responsive and we are satisfied with their level of service. 

How was the initial setup?

The initial setup is not too complex. It is simple and straightforward. A company should be able to implement it with ease.

What's my experience with pricing, setup cost, and licensing?

The price point is good. It offers very good value for money.

What other advice do I have?

We are resellers.

We deal with various deployment models including on-premises and the cloud.

I'd recommend the solution to other companies. This is a very good tool for vulnerability assessment. Every organization that has its assets on the internet and is exposed through a public website needs to have vulnerability assessment using Acunetix.

In general, I would rate the solution at a seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
Security Specialist at a tech services company with 11-50 employees
Real User
User-friendly and easy to set up but is a bit expensive
Pros and Cons
  • "There is a lot of documentation on their website which makes setting it up and using it quite simple."
  • "The pricing is a bit on the higher side."

What is our primary use case?

The solution is mostly used for vulnerability scanning purposes. 

What is most valuable?

I'm drawn to information security. I immediately look for security threats and vulnerabilities. Therefore, the report generation, the reports that are being monitored, is great in that they are very easy to read and understand. 

It's user-friendly and the language that they use is pretty good. 

Overall, the tool is very good in context. It's definitely helpful from a tech intelligence perspective and for identifying vulnerabilities. I like that we can sort the vulnerabilities based on severity levels. 

The initial setup is easy.

There is a lot of documentation on their website which makes setting it up and using it quite simple.

Technical support is available 24/7.

What needs improvement?

Normally, the product asks for the URL address before scanning a certain application. Acunetix is immediately used for web application scanning purposes for vulnerability assessment. However, it doesn't seem very helpful or useful for scanning web services, and that is what I feel the organization could work on.

The pricing is a bit on the higher side.

For how long have I used the solution?

I've been using the solution for about two years at this point.

What do I think about the stability of the solution?

The solution is very stable. There are no bugs or glitches. It doesn't crash or freeze. It's reliable. 

What do I think about the scalability of the solution?

The solution is scalable in the sense that it can be easily migrated.

We have about 50 to 55 users on the solution currently.

How are customer service and technical support?

Technical support is fine. Whenever we have any queries the support is available. We have the paid version. We have paid for it, however, it's great due to the fact that it's available 24/7.

Which solution did I use previously and why did I switch?

Although we are working with Acunetix, we are planning to migrate to Nessus in the future. We used Nessus around seven or so years ago. The current solution is a good one, however, my organization wants to try a new, different product. That is the reason we are now moving to Nessus.

How was the initial setup?

The initial setup is not overly complex or difficult. It's very straightforward and very easy. On their website, they have lots of documentation that walks you through the process. 

For deployment or maintenance, you only need a maximum of four or five people.

What's my experience with pricing, setup cost, and licensing?

We do pay extra for technical support, however, it's 24/7 support which means we always have access to them if we need them.

The pricing is on the higher side. That could be okay for certain organizations. That said, if they could lower it, that would be ideal. To me, it actually all depends upon the companies. My organization is not too big, and we're using it for managing a small set of people. If I had to spend much more, it wouldn't make any sense. 

What other advice do I have?

We are into telecommunications, we have bought this product from the vendors.

We're using the latest version of the solution. We try to only use the most up-to-date option.

Overall, the tool is efficient enough to identify and track your vulnerabilities and it's good for intelligence scanning purposes. I'd advise users to just be cautious while the installation happens in terms of what logins are included and what are missing. 

The main thing is that users have to define their scope and objectives and only on the basis of that will the tool work. 

That said, you always have choices in the market - if this one does not fit your needs.

I'd rate the solution at a seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Director - Head of Delivery Services at Ticking Minds Technology Solutions Pvt Ltd
Real User
Fantastic reporting output but vulnerable requests currently need to be picked from the report and repeated with other tools

What is our primary use case?

Assessing the top OWASP risks in applications.

How has it helped my organization?

Greater confidence in go-live for multiple application releases over their release cycles.

What is most valuable?

  • Login Sequence Recorder
  • Scan throttling
  • Fantastic reporting output.

What needs improvement?

Acunetix runs the automated vulnerability check scan and provides a report. Testers/developers need to copy the vulnerable HTTP/HTTPS requests from the report, use other external tools like Postman to resend the request, observe the vulnerability, and exploit it. If this were available within the Acunetix tool, it would be a great feature.

For how long have I used the solution?

One to three years.

How was the initial setup?

Installation was quite simple.

What about the implementation team?

I was the vendor who utilized this tool for the customer.

What's my experience with pricing, setup cost, and licensing?

The tool is quite expensive compared to other tools, though. We tried it with a term license.

Which other solutions did I evaluate?

ZAP and Burp Suite were the other tools evaluated.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
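Two of the reviews above raise the same practical gap: the first reviewer cannot get the raw request and response data out of a finding to replicate it by hand, and the reviewer just above has to copy the vulnerable request out of the report and resend it with Postman. Either way the manual step is the same: turn the raw request text a DAST report prints beside a finding into something you can replay and vary. The following is an added example written for this page; it is not code from the page, from Acunetix, or from any of the reviewers. It parses a raw HTTP/1.x request (the sample requests, hostname and cookie are constructed), decodes the query string so the injected payload reads as the application saw it, lets you swap the payload to confirm the behaviour is really parameter-dependent, and emits a shell-safe curl command for replay. Raw requests carry no scheme, so https is assumed unless you pass one.

```python
"""Pull a finding's raw HTTP request out of a scan report and make it replayable."""
import shlex
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample (not from a real report): the raw request text a DAST
# report prints beside a SQL-injection finding. Host and cookie are made up.
SAMPLE_GET = (
    "GET /search.php?q=1%27+OR+%271%27%3D%271&page=2 HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Cookie: PHPSESSID=abc123\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)

# Constructed sample with a body, to exercise the POST path (LF line endings).
SAMPLE_POST = (
    "POST /login HTTP/1.1\n"
    "Host: app.example.test\n"
    "Content-Type: application/x-www-form-urlencoded\n"
    "\n"
    "user=admin%27--&pass=x"
)


def parse_raw_request(raw, scheme="https"):
    """Split a raw HTTP/1.x request into method, absolute URL, headers and body.

    Raw requests carry no scheme, so https is assumed unless told otherwise.
    Accepts CRLF or LF line endings, since report exports differ.
    """
    text = raw.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    lines = head.split("\n")
    parts = lines[0].split()
    if len(parts) < 2:
        raise ValueError(f"malformed request line: {lines[0]!r}")
    method, target = parts[0], parts[1]
    headers = {}
    for line in lines[1:]:
        if line.strip():
            name, _, value = line.partition(":")
            headers[name.strip()] = value.strip()
    if target.startswith(("http://", "https://")):
        url = target  # proxy-style absolute request target
    else:
        host = headers.get("Host")
        if host is None:
            raise ValueError("no Host header; cannot build an absolute URL")
        url = f"{scheme}://{host}{target}"
    return {"method": method, "url": url, "headers": headers, "body": body}


def query_params(req):
    """Decoded query parameters, so the injected payload reads as the app saw it."""
    return parse_qsl(urlsplit(req["url"]).query, keep_blank_values=True)


def with_param(req, name, value):
    """Copy of the request with one query parameter replaced, to vary the payload."""
    parts = urlsplit(req["url"])
    params = parse_qsl(parts.query, keep_blank_values=True)
    if any(k == name for k, _ in params):
        params = [(k, value if k == name else v) for k, v in params]
    else:
        params.append((name, value))
    return {**req, "url": urlunsplit(parts._replace(query=urlencode(params)))}


def to_curl(req):
    """Render the request as a shell-safe curl command for replay outside the scanner."""
    args = ["curl", "-sS", "-i"]
    if req["method"] != "GET":
        args += ["-X", req["method"]]
    for name, value in req["headers"].items():
        if name.lower() == "host":
            continue  # curl derives Host from the URL
        args += ["-H", f"{name}: {value}"]
    if req["body"]:
        args += ["--data-binary", req["body"]]
    args.append(req["url"])
    return shlex.join(args)


if __name__ == "__main__":
    req = parse_raw_request(SAMPLE_GET)
    print("payload as the app saw it:", dict(query_params(req))["q"])
    print(to_curl(req))
    print(to_curl(with_param(req, "q", "1' OR '1'='2")))
    print(to_curl(parse_raw_request(SAMPLE_POST)))
```

Replaying the original payload and then a varied one (the `'1'='1` versus `'1'='2` pair in the sample) is the quickest way to tell a real injection from a false positive: a genuine finding changes the response when the boolean flips, while a false positive returns the same page for both. Every request is rendered through `shlex.join`, so payloads containing quotes, ampersands or shell metacharacters paste safely into a terminal.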
Le Viet - PeerSpot reviewer
Security Consultant at VNCS
Real User
Useful user interface, easy to use, and scalable
Pros and Cons
  • "The most valuable feature of Acunetix is the UI and the scan results are simple."
  • "There are some versions of the solution that are not as stable as others."

What is most valuable?

The most valuable feature of Acunetix is the UI and the scan results are simple.

What needs improvement?

There are some versions of the solution that are not as stable as others.

For how long have I used the solution?

I have been using Acunetix for approximately two years.

What do I think about the stability of the solution?

The stability of Acunetix is good.

What do I think about the scalability of the solution?

Acunetix is scalable.

We have approximately 50 engineers using Acunetix.

How are customer service and support?

I have requested support from the vendor regarding our scan results that have false positives. The vendor double checks and adds a patch if needed. However, their response is too slow.

Which solution did I use previously and why did I switch?

I have previously used other solutions, such as Aspen and Laguna. We chose Acunetix because it is easy to use.

How was the initial setup?

The initial installation of Acunetix was simple.

What about the implementation team?

We did the deployment of the solution ourselves. We have approximately 20 people that do the support and deployment of Acunetix.

What other advice do I have?

I rate Acunetix an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.