Invicti Reviews

I use this solution for automated web application testing, and upon the first sight of the web app. I work alone in my company, so a helping hand is always useful. Netsparker did the job.

I use it principally for mapping the web application attack surface using its really good crawler.

Netsparker has done an awesome job with its crawler, as it has found all of the links (also thanks to its good DOM parser).

It has helped me a great deal on a first try over websites.

Netsparker made my work a lot easier in mapping web applications.

The most valuable feature is the crawler because it can found many links and generate close to a full sitemap.

It correctly parses DOM and JS and has really good support for URL Rewrite rules, which is important for today's websites.

It also parses web services like SOAP, REST API, WSDL, and more.

Another thing I really like about Netsparker is the payload list that covers, including every type of vulnerability.

Netsparker Hawk is another good "tool", as it helped me locate some easy-to-find SSRF and XXE vulnerabilities in production websites. Its technology is really good and works well. OOB (Out Of Band) payloads work well.

The scanner itself should be improved because it is a little bit slow.

CPU usage should be improved due to my PC's fan going mad.

RAM usage also should be improved as well.

The attacker part of the scanner should be more fluid and faster.

There should be some option to tune up the scan, like throttling requests or using some WAF/IDS/IPS bypass technique. It needs more than what is currently in the Advanced Options.

The passive analyzer for some vulnerabilities should be improved, as it doesn't get all vulnerabilities. It should also be more efficient.

The scanner should also use some cool techniques to inject payloads, like replacing the entire body and Content-Type header (like for XML input).

The customer service is good.

There are some problems with languages (like for Italian they send you people who can speak Italian just a bit, but it's ok).

I have used Burp Suite Professional and Acunetix.

I switched to Netsparker just to try it and understand how it works.

The setup is really easy and straightforward.

For the trial, Netsparker itself contacted me by phone. Their support is really nice and helpful.

I think that price it too high, like other Security applications such as Acunetix, WebInspect, and so on.

I did not evaluate other options.

You can use Netsparker but use it carefully as some payloads can be dangerous in production. This is the same as Acunetix, WebInspect, and others.

Every scanner should have an option like Burp Suite to use dangerless payloads (with Distribute Damage extension).

I used Netsparker in my company to apply continuous penetration testing. The company has 1000-plus web applications.

Because the company has many web applications, we had to automate scans. I wrote a batch script with the Netsparker API. This made it easy for my jobs.

Netsparker offers some pretty features:

• Crawling feature: Netsparker has very detail crawling steps and mechanisms. This feature expands the attack surface.
• Attacking feature: Actually, attacking is not a solo feature. It contains many attack engines, Hawk, and many properties. But Netsparker's attacking mechanism is very flexible. This increases the vulnerability detection rate. Also, Netsparker made the Hawk for real-time interactive command-line-based exploit testing. It's very valuable for a vulnerability scanner.
• A very useful API for automating the scans.

Perhaps the custom attack preparation screen might be improved. Also, they can implement mobile penetration testing support for manual and automated tests.

The new version of Netsparker is better than the older versions for scalability.

I rate it at nine out of 10 because, although I have used many web application scanners by now, Netsparker gives the fewest false-positives. That's the most important property for a web application scanner. When you buy a web application scanner, you actually pay for two features: non false-positive detection, and attack diversity. Other features affect the quality of a product. So, Netsparker deserves a nine.

• It has a very user-friendly page.
• Creating custom policies is very easy.
• It searches for a lot of updated vulnerabilities.

Before Netsparker, we were opening internal web pages to the outside for manual tests. Health tests were limited by a system admin’s capabilities. After Netsparker, a lot of the security tests became automated. We added a step in our policy document to scan pages with Netsparker before opening a site to the outside.

Maybe supported clients can be improved. It still does not search vulnerabilities in DB2 databases, for example. In NetSparker you can modify your scan for specifik target database type, programming language and web server type. And there isn’t DB2 database option for database target in scan Editor.

I have been using it for about two years.

On early versions, scanning for vulnerabilities didn’t complete. But now it takes an acceptable amount of time.

I did not encounter any scalability issues. With a licence, you can install and run multiple instances of Netsparker at the same time, of course on different targets. Also, you can restrict network access or requests to the page.

Technical support is very professional, 10/10. They know what they are doing.

We did not previously use a different solution. We started with Netsparker.

Setting up and updating Netsparker is very easy; only one click.

Actually, I am a technical guy; I don’t know exactly the price, but I do know that if the product was expensive, our manager wouldn’t have bought it. J

We tried Acunetix, but Netsparker has one up on it.

You must work on your environment first. List the web applications’ background: the systems they are using, web server type, database type, programming language. Netsparker supports lots of them, but there are still some restrictions. If they know their environment, the decision is easier.

This product is mainly required for Automated Web Application Security Testing. We used the product over a shared directory.

It was very effective to highlight the low and medium level vulnerabilities which are generally easy to miss out.In certain cases we observed that high-level vulnerabilities could be pointed out with ease.

The scanner is light on the network and does not impact the network when scans are running. It is very efficient in highlighting medium-low vulnerabilities. These vulnerabilities during in-depth testing may find a miss but Netsparker can figure these very easily.

The higher level vulnerabilities like Cross-Site Scripting, SQL Injection, and other higher level injection attacks are difficult to highlight using Netsparker.

The product is highly stable and does not create any issues.

It is available across different platforms and is highly scalable.

The technical support team was highly responsive and we used to get regular emails from their side, i.e., whenever there were any issues or new releases. In fact, the customer service is the best when compared to other competitor products.

Since the time I am associated to this company, we have constantly used Netsparker as one of our tools.

The setup is very straightforward and as it is connected to the network, it is very easy to update the product on a regular basis.

In our organization, we had a separate team which looked after the pricing and licensing policies. However, we never had any issues with the licensing; the price was within our assigned limits.

We do use other different products to confirm our results namely Burp Suite, Nessus, Qualys Inc. etc. Each product is used for the different stages of testing.

It is a highly scalable and multi-user platform. You need to ensure that you have a virtual machine connected over to the internet for most of the system, as there are weekly and monthly updates.

Its ability to crawl a web application is quite different than another similar scanner.

Sometimes, it can find more vulnerabilities that another scanner can’t. Usually, I have used both the scanners so I can get more results.

I’m not sure about the improvement part for our organization since I have only used this product for three months.

Maybe the ability to make a good reporting format is needed.

I got the trial license for about three months.

There were no stability issues.

There were no scalability issues.

I have never contacted technical support.

We did not switch solutions, just tried different tools to see the results.

The setup is easy and straightforward, because I was using Windows.

My office gave me the trial license and told me to try out these products. That’s it. Just compared it to other similar tools such as NeXpose and Acunetix.

The product’s most valuable features are its security scanning features.

It has improved the security of our code by scanning it and finding security defects.

Speed: It spends about one hour on scanning; I would like it to be less than 30 minutes. Because our solution is large, NetSparker spends about one hour on scanning our code. It also depends on network speed, and just like anti-virus software, the scan time is a key performance requirement for NetSparker. The less the better. Thank you.

I have used it for two years.

I did not encounter any stability issues.

I did not encounter any scalability issues.

Technical support is good.

Initial setup is not complex. Just follow the instructions.

Price is not the key point.

Our primary use case of this solution is to assess the security of our web application security.

One of the features I like about this program is the low number of false positives and the support it offers. 

The program uses technology that is different from application scanners. It's not an incremental solution. It could be a new product, but I'm not that knowledgeable to know which products are part of a suite. Netsparker doesn't provide the source code of the static application security testing. I would love to see a completion of the offering with statistical analysis. 

Every customer has its own nuance, so I don't think it's really an issue when it comes to the user interface. Every customer has something that they would like different because they're used to something different. In my opinion, there is not very much to mention besides changing as little as possible. Something that Microsoft often does, is to change things with every release and users don't like that. 

I would also see the price being at least 20% cheaper because the market is currently very crowded and there are many vendors and clients. A lower price will get more sales. 

The solution is quite stable.

When it comes to scalability, we tend to do one test at a time. It could be faster but there is always a trade-off between speed and accuracy. Accuracy is more important than speed.

I rate the technical support seven out of ten, which is average to me. I don't have special requests that would stress a support team and so far my issues were resolved in a reasonable time. Should I have an emergency, I believe they will be very responsive.

The initial setup is quite straightforward.

There are many average products on the market, but I prefer Netsparker because to me wasting time after false positives is the worst thing that can happen. Accuracy is the most important thing to me. I rate Netsparker eight out of ten.

The primary use case of this solution is to Check the major vulnerabilities of the product such as SQL injection, XSS Exploitation, Broken Authentication,  Upload File Inclusion, CSRF, etc.

When we try to manually exploit the vulnerabilities, it often takes time to realize what's going on and what needs to be done.

With this wonderful tool, we can easily point out the outstanding reports of "Important", "Medium", "Low", and "Information" cases of vulnerabilities. Apart from that, it also visualizes what's wrong with the server, such as an outdated version, authorization, version disclosure, etc.

I like the way it provides the comprehensive result explaining the vulnerabilities which have been found along with how we can exploit those vulnerabilities with an example.

When scanning a large web-based application, it tends to process slow and takes a long time especially on crawling and attacking part. Would be better if that part would not take much time.

Apart from that, it would be better for listing and attacking Java-based web applications to exploit vulnerabilities.

Till now, no.

Yes, sometimes it hangs up when running large web-based applications.

9 out of 10.

Yes, I have used Acunetix, and the reason I switched to Netsparker would be:

The performance I found on Acunetix was very slow. It would take like a day if I had to scan our web based application product. That is not reliable when you are working with those clients who want a quick response.

I found it's straightforward and anyone can setup this solution. However naive or rookie, you may have obstacles setting up with LDAP login or Browser Authentication.

I would definitely recommend to those who really want to know in-depth details of their applications/products regarding the security of their web system.

No, I haven't.

Like I wrote earlier, I would highly recommend implementing this product to those who really care about the vulnerabilities and security of their products/applications.