Invicti Reviews

We use Invicti for web application security, web application ping test, API testing, and endpoint testing like SoapUI testing.

Invicti is a good product, and its API testing is also good. The product is really good and gets into false positive checks and proof of concept checks.

The scanning time, complexity, and authentication features of Invicti could be improved.

We have been using Invicti for the last five years as a customer.

Invicti is a very stable product, and we don’t have any issues.

Invicti is a scalable solution.

We have a different model where our security team manages the solution, and we don't give it to developers. We are a small to medium enterprise.

We don't have any issues because Invicti's support was really good.

Positive

Depending on the use cases I've used, HCL AppScan and Burp Suite. It depends on the use case and the user's knowledge. All these products are based on the user's knowledge.

I usually use Invicti for official purposes, but in certain cases, we use Burp Suite for doing a ping test-related activity.

From my end, it was easy to install the solution. I haven't seen any problems with installing Invicti.

The installation depends on the scans we perform. A typical scan will take only a day. I am talking about configuration and not about the scans.

Maintenance is not a major issue. We have good support from Invicti to help us maintain the solution.

If you use a good VAS solution, you can go for a lighter web application test. Invicti is a really good product when the web solution is SaaS-oriented and complex in nature. For any false positives, they do a proof of concept and then share the records with us, and that true positive summary would be really good.

Overall, I rate Invicti an eight out of ten.

I primarily use Invicti for onboarding on the performance side.

Invicti's best feature is the ability to identify vulnerabilities and manually verify them.

Invicti takes too long with big applications, and there are issues with the login portal.

I've been using Invicti for four to five years.

Invicti sometimes stops working when dealing with large applications.

The initial setup was easy.

I would give Invicti a rating of nine out of ten.

We use this product for vulnerability assessment and penetration testing of any web application in addition to API testing. The solution generates reports for us. I'm a security consultant and we are end-users. 

The solution generates reports automatically and quickly and it's a very user-friendly product. I like the active and passive scanning, which is a good feature from my perspective.

I find that the scannings are not sufficiently updated. 

I've been using this solution for four years. 

The stability is good, up to the mark. 

The scalability is good and we're likely going to increase usage of Netsparker. 

We contact technical support all the time and they are great. They resolve issues quickly and efficiently. 

We also use Burp Suite which is a UI-based tool that I also find to be user-friendly. We use both products so that in the case of false positives we can compare and verify. 

The initial setup is straightforward and the solution doesn't require any maintenance. We currently have 15 users and that number is likely to expand to around 20 in the near future. 

The pricing of the license is compatible with our budget. 

I highly recommend Netsparker and rate it eight out of 10. 

• Simple, easy and straightforward to start.
• eader information is displayed in an easy to ready way which can be interpreted separately.
• Vulnerabilities categorization, along with the suggestions, is pretty helpful.
• Command line tool did seem interesting, but I couldn’t do much with it. It was a bit hard to learn its usage.
• Crawling websites is one of its best features.

NetSparker is a very easy to use and understand product. Its web crawler feature has benefitted us the most. And introduced us to many security vulnerabilities and information we had not known before. I really like how we can tune the number of concurrent sessions as well, which allows us to do some performance testing as well.

It covers basic-intermediate web attacks and presents the information in a very descriptive way. This enhances knowledge and also helps to identify which areas are lacking attention.

Other than that, it helps you start looking for the attack vectors and points of weakness.

Login functionality: Netsparker does not integrate single-sign-on functionality, which makes it very difficult to use for such websites. SSO has become an essential part of web security testing over the last few years. I would love to see this feature in new releases.

I have been using it for ~6 months.

It is a resource-intensive program, and while it is running, other processes get very slow.

I did not encounter any scalability issues.

This was the starting point. We chose this because Troy Hunt (security advisor) had provided a positive and thorough review of this product on his blog.

We used this product along with some others (SkipFish, NMap, etc.) to fully test the security of our products.

As I mentioned before, installing and using Netsparker is pretty easy compared to other products available.

It is a good tool, as we found out with the Community Edition trial. But the price point is quite expensive for a startup or average-sized company.

Other than what I’ve written, it is a fine product but it cannot be used alone. It covers most of the basic-intermediate level attacks, which is really good as a starting point. But for the high-level and advanced analysis, other (similar) tools are needed, which is why I think its price point is very high.

I like that it's stable and technical support is great.

Asset scanning could be better. Once, it couldn't scan assets, and the issue was strange. The price doesn't fit the budget of small and medium-sized businesses.

I have been working with Invicti for less than six months.

Invicti is a stable solution. 

On a scale from one to ten, I would give stability an eight.

I think Invicti is a scalable solution.

On a scale from one to ten, I would give scalability an eight.

Technical support was great.

Positive

The initial setup was straightforward. I deployed this solution in about two hours.

I implemented this solution. 

Invicti is best suited for large enterprises. I don't think small and medium-sized businesses can afford it. Maintenance costs aren't that great.

On a scale from one to ten, I would give Invicti a six.

We're primarily used the solution as a proof of concept using it for assessing the security of one of our web applications.

The most attractive feature was the reporting review tool. The reporting review was very impressive and produced very fruitful reports.

The proxy review, the use report views, the current use tool and the subset requests need some improvement. It was hard to understand how to use them.

The solution is very stable.

As I was only working on the demo version of the solution, I can't speak to how scalable it would be.

The technical support team was very helpful. They offered me a demo before I started using the tool, and the demo was very impressive.

We previously used a different tool, but it was also a demo, like Netsparker. We wanted to try Netsparker, so we moved to their demo.

The initial setup was straightforward.

I handled the implementation myself.

I tried some different tools. Some of them were full versions whereas others were demo versions like Netsparker.

We're using a demo of the latest version for a POC. We used the on-premises deployment model.

I'd recommend Netsparker for anyone who wants to make a security assessment for web applications.

I'd rate the solution nine out of ten. The tool is full of useful features. However, the intercepting reviews in terms of web requests need some enhancements to be more usable.

Scan, proxify the application, and then detailed report along with evidence and remediations to problems.

We are trying to integrate this product fully into our CI/CD Pipeline. Right now, the basic scan is done. More is being done currently.

I think that it freezes without any specific reason at times. This needs to be looked into.

The UI is a bit cluttered, but it's ok since the Application Security does look at many facets of the Application.

No. Not so far with the upgrades. It updates itself given it is network access and it has plugins too.

We haven't scaled it up so I can't comment. But, we have plans.

Quite high. They are scattered all over social. They have wikis, a website, YouTube videos. They don't have a blog, or I might not have come across it, but given the option of googling things around, they are documenting many things.

Plus, they have active Google groups, where their response time is around a day.

For application security, we tried Netsparker, Accunetix, but this one has a free option and recommended Software from OWASP.

Quite straightforward. We did have a detailed look at YouTube videos, and read the wiki.

In other words, we did our research thoroughly, as their content was online. So it was finding the right content at the right time.

Being as this software is on an Open Source license, I would advise having a technical person on board, who knows how to handle this product.

OWASP Zap is free and it has live updates, so that's a big plus.

Organizations thinking to implement it need a team of technical personnel onboard.

We did try the commercial ones, but since OWASP is known as an authority in web application security, we opted for this software.

Go right ahead. You need to have a technical person.

I use this solution for automated web application testing, and upon the first sight of the web app. I work alone in my company, so a helping hand is always useful. Netsparker did the job.

I use it principally for mapping the web application attack surface using its really good crawler.

Netsparker has done an awesome job with its crawler, as it has found all of the links (also thanks to its good DOM parser).

It has helped me a great deal on a first try over websites.

Netsparker made my work a lot easier in mapping web applications.

The most valuable feature is the crawler because it can found many links and generate close to a full sitemap.

It correctly parses DOM and JS and has really good support for URL Rewrite rules, which is important for today's websites.

It also parses web services like SOAP, REST API, WSDL, and more.

Another thing I really like about Netsparker is the payload list that covers, including every type of vulnerability.

Netsparker Hawk is another good "tool", as it helped me locate some easy-to-find SSRF and XXE vulnerabilities in production websites. Its technology is really good and works well. OOB (Out Of Band) payloads work well.

The scanner itself should be improved because it is a little bit slow.

CPU usage should be improved due to my PC's fan going mad.

RAM usage also should be improved as well.

The attacker part of the scanner should be more fluid and faster.

There should be some option to tune up the scan, like throttling requests or using some WAF/IDS/IPS bypass technique. It needs more than what is currently in the Advanced Options.

The passive analyzer for some vulnerabilities should be improved, as it doesn't get all vulnerabilities. It should also be more efficient.

The scanner should also use some cool techniques to inject payloads, like replacing the entire body and Content-Type header (like for XML input).

The customer service is good.

There are some problems with languages (like for Italian they send you people who can speak Italian just a bit, but it's ok).

I have used Burp Suite Professional and Acunetix.

I switched to Netsparker just to try it and understand how it works.

The setup is really easy and straightforward.

For the trial, Netsparker itself contacted me by phone. Their support is really nice and helpful.

I think that price it too high, like other Security applications such as Acunetix, WebInspect, and so on.

I did not evaluate other options.

You can use Netsparker but use it carefully as some payloads can be dangerous in production. This is the same as Acunetix, WebInspect, and others.

Every scanner should have an option like Burp Suite to use dangerless payloads (with Distribute Damage extension).