Try our new research platform with insights from 80,000+ expert users

Invicti vs Veracode comparison

 

Comparison Buyer's Guide

Executive SummaryUpdated on Oct 8, 2024
 

Categories and Ranking

Invicti
Ranking in Static Application Security Testing (SAST)
14th
Average Rating
8.2
Reviews Sentiment
7.1
Number of Reviews
28
Ranking in other categories
API Security (5th), Dynamic Application Security Testing (DAST) (3rd)
Veracode
Ranking in Static Application Security Testing (SAST)
2nd
Average Rating
8.2
Reviews Sentiment
7.0
Number of Reviews
196
Ranking in other categories
Application Security Tools (2nd), Container Security (4th), Software Composition Analysis (SCA) (2nd), Penetration Testing Services (3rd), Static Code Analysis (1st), Application Security Posture Management (ASPM) (1st)
 

Mindshare comparison

As of December 2024, in the Static Application Security Testing (SAST) category, the mindshare of Invicti is 1.4%, up from 1.2% compared to the previous year. The mindshare of Veracode is 10.1%, down from 10.7% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Static Application Security Testing (SAST)
 

Featured Reviews

Amr Abdelnaser - PeerSpot reviewer
A safe solution used to detective vulnerabilities for dynamic and complex testing
The Invicti is the scope application tool. The solution is installed on-premise but could be installed as a web version. Starting from the latest version, the web version could be used. They have a web application server. The deployment of the solution involves installing the EXE and configuring your machine.
Sajal Sharma - PeerSpot reviewer
Offers shift-left security strategy and helps us with the latest security configurations, OWASP standards, and SAST standards
It's robustness is the main benefit to the organization. As it gets upgraded with time, it also improves the coverage – security configuration coverages and vulnerability coverages. It also updates itself with the latest known vulnerabilities that are uploaded to the NVD, OWASP, or other databases. So it gets upgraded itself with that. And so with each upgrade, it gets better and better. The solution offers the ability to prevent vulnerable code from going into production. It provides us with a report containing multiple remediations and mitigations for each vulnerability. For example, if it finds a cross-site scripting vulnerability, it will also include references like CWE and CVE records, instructions on how to fix it, and the specific line of code or module where the vulnerability is present. This helps us fix the issues accordingly. I'm a penetration tester and DevSecOps engineer. I evaluate the findings, mark false positives, and manually exploit vulnerabilities if they exist. If we need further clarification, we raise a ticket with the Veracode team and get consultancy from them. We are a software development team. If we find a vulnerability, I exploit it and come back with the best possible mitigation, and the dev team fixes it. If we use Veracode Fix, it might use third-party implementations or make changes we aren't aware of. We need to be very aware of what our application is using internally. It should be known to us. As per my experience, the solution's policy reporting ensures compliance with industry standards. It comes with multiple features. I get the most out of it, and it's good. The solution provides visibility into application status at every phase of development. Like static analysis, dynamic analysis, software composition, and manual penetration tests - throughout the SDLC We have a pipeline that I maintain. I use the Veracode API account and have integrated it with AWS and our Jenkins pipeline. We use Snyk for SCA and Veracode for SAST scanning. At the earliest stage of the build, the SAST scan runs along with the JS and PHP files. It provides us with reports, which are then handed over to the other tools we depend on. If I validate the report or check the Veracode dashboard and find vulnerabilities, I mark them as false positives or existing issues. We work on multiple projects, but the one I'm handling these days only uses Veracode for SAST. It's been about one and a half years since I've been working with Veracode and this project. It is quite impressive. There are some things Veracode cannot find, like code obfuscations inside the code and some insecure randoms. Sometimes, it misses those flaws. But overall, if I compare it with other tools, it is better. I will definitely recommend others to use this tool. We run the scan before each deployment. If the dev team builds a new module or something, we scan it along with all the files. If we find anything, we get it fixed. That's how it works. Veracode is quite important to the organization's shift-left security strategy because we make a scan for each deployment. Sometimes, if I think we need to perform a shift-left, I just make a scan before deployment and check for any misconfiguration or vulnerability in the code.

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"One of the features I like about this program is the low number of false positives and the support it offers."
"High level of accuracy and quick scanning."
"The scanner is light on the network and does not impact the network when scans are running."
"Netsparker provides a more interactive interface that is more appealing."
"The scanner and the result generator are valuable features for us."
"I like that it's stable and technical support is great."
"Invicti is a good product, and its API testing is also good."
"Netsparker has valuable features, including the ability to scan our website, an interactive approach, and security data integration."
"It gives me an idea about the most important vulnerabilities and fast remediation tips."
"The CI/CD integration is the most valuable feature of Veracode."
"The most valuable feature is the seamless automation of Veracode via the pipeline, in comparison to other solutions like Fortify SSC, which are complex to integrate through the pipeline."
"In terms of application security best practices and guidance to our teams, their engineering staff is really excellent. They provide our developers with suggestions and they take those to heart. They've learned from the recommended remediation strategies provided by the Veracode security engineers. That makes all of their future code better."
"Code scanning is the most valuable feature."
"In pipeline scanning, there is a configuration that can be set with respect to the security level of the flaw. If there is a high or a critical issue, there's a way the build can be failed and blocked before going into production."
"To me, the principal feature is the CLI (command-line interface) because I put together a lot of implementations using it. Another important aspect is the low false-positive rate because the solution is very configurable. It is as low as 1 percent and that is a huge difference compared to competitors."
"We have found the static analysis to be useful in Veracode Static Analysis. However, we are in the process of testing."
 

Cons

"The licensing model should be improved to be more cost-effective. There are URL restrictions that consume our license. Compared to other DAST solutions and task tools like WebInspect and Burp Enterprise, Invicti is very expensive. The solution’s scanning time is also very long compared to other DAST tools. It might be due to proof-based scanning."
"The support's response time could be faster since we are in different time zones."
"The scanner itself should be improved because it is a little bit slow."
"Netsparker doesn't provide the source code of the static application security testing."
"The solution's false positive analysis and vulnerability analysis libraries could be improved."
"Right now, they are missing the static application security part, especially web application security."
"Asset scanning could be better. Once, it couldn't scan assets, and the issue was strange. The price doesn't fit the budget of small and medium-sized businesses."
"The solution needs to make a more specific report."
"Searching for applications in Veracode is a little bit difficult. We have to minimize the length of an application's name to 47 characters. It would be good if this limit could be increased so that an application's name can be properly reflected in Veracode."
"The overall reporting structure is complicated, and it's difficult to understand the report."
"The UI is not user-friendly and can be improved."
"The zip file scanning has room for improvement."
"The only areas that I'm concerned with are some of the newer code libraries, things that we're starting to see people dabble with. They move quickly enough to get them into the Analysis Engine, so I wouldn't even say it is a complaint. It is probably the only thing I worry about: Occasionally hitting something that is built in some other obscure development model, where we either can't scan it or can't scan it very well."
"Some features could be improved in terms of user-friendliness."
"Mitigation review isn't always super easy."
"We tried to create an automatic scanning process for Veracode and integrate it into our billing process, but it was easier to adopt it to repositories based on GIT. Until now, our source control repository was Azure DevOps Server (Microsoft TFS) to managing our resources. This was not something that they supported. It took us some sessions together before we successfully implemented it."
 

Pricing and Cost Advice

"Netsparker is one of the costliest products in the market. It would help if they could allow us to scan multiple URLs on the same license."
"The price should be 20% lower"
"We never had any issues with the licensing; the price was within our assigned limits."
"Invicti is best suited for large enterprises. I don't think small and medium-sized businesses can afford it. Maintenance costs aren't that great."
"OWASP Zap is free and it has live updates, so that's a big plus."
"It is competitive in the security market."
"I think that price it too high, like other Security applications such as Acunetix, WebInspect, and so on."
"We are using an NFR license and I do not know the exact price of the NFR license. I think 20 FQDN for three years would cost around 35,000 US Dollars."
"The product’s price is a bit higher compared to other solutions."
"The pricing is fair."
"It is an expensive solution, but it's the best solution available on the market. If you want something at the top, you have to pay a bit more than the average."
"Depending on the number of users, my company makes payments toward the solution's licensing costs."
"Negotiate some, but their prices are reasonable."
"The price of Veracode Static Analysis is expensive. There is an annual fee to use the solution and the company is upfront with the pricing model and fees."
"It's too expensive for the European market. That is why, in a big bank with 400 applications, we are able to use it only for 10 of them. But the other solutions are also expensive, so it wasn't a differentiator."
"I wouldn't really recommend Veracode for a small firm, because it might be a little pricey for them. But for a large organization, with more than 1,000 applications in the enterprise, there are tiered levels of pricing."
report
Use our free recommendation engine to learn which Static Application Security Testing (SAST) solutions are best for your needs.
824,067 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Educational Organization
56%
Financial Services Firm
8%
Computer Software Company
6%
Manufacturing Company
5%
Financial Services Firm
18%
Computer Software Company
16%
Manufacturing Company
9%
Government
6%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
 

Questions from the Community

What is your experience regarding pricing and costs for Netsparker Web Application Security Scanner?
As a technical user, I do not handle pricing or licensing, but I am aware that Invicti offers flexible licensing models based on organizational needs.
What do you like most about Invicti?
The most valuable feature of Invicti is getting baseline scanning and incremental scan.
What needs improvement with Invicti?
Currently, there is nothing I would like to improve.
Which gives you more for your money - SonarQube or Veracode?
SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use...
What do you like most about Veracode?
The SAST and DAST modules are great.
What is your experience regarding pricing and costs for Veracode?
The product’s price is a bit higher compared to other solutions. However, the tool provides good vulnerability and database features. It is worth the money.
 

Comparisons

 

Also Known As

Netsparker
Crashtest Security , Veracode Detect
 

Learn More

 

Overview

 

Sample Customers

Samsung, The Walt Disney Company, T-Systems, ING Bank
Manhattan Associates, Azalea Health, Sabre, QAD, Floor & Decor, Prophecy International, SchoolCNXT, Keap, Rekner, Cox Automotive, Automation Anywhere, State of Missouri and others.
Find out what your peers are saying about Invicti vs. Veracode and other solutions. Updated: December 2024.
824,067 professionals have used our research since 2012.