We performed a comparison between Invicti and OWASP Zap based on real PeerSpot user reviews.
Find out in this report how the two Static Application Security Testing (SAST) solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI."One of the features I like about this program is the low number of false positives and the support it offers."
"Crawling feature: Netsparker has very detail crawling steps and mechanisms. This feature expands the attack surface."
"The dashboard is really cool, and the features are really good. It tells you about the software version you're using in your web application. It gives you the entire technology stack, and that really helps. Both web and desktop apps are good in terms of application scanning. It has a lot of security checks that are easily customizable as per your requirements. It also has good customer support."
"The solution generates reports automatically and quickly."
"I am impressed with Invictus’ proof-based scanning. The solution has reduced the incidence of false positive vulnerabilities. It has helped us reduce our time and focus on vulnerabilities."
"Invicti is a good product, and its API testing is also good."
"Its ability to crawl a web application is quite different than another similar scanner."
"I like that it's stable and technical support is great."
"It can be used effectively for internal auditing."
"The interface is easy to use."
"You can run it against multiple targets."
"The vulnerabilities that it finds, because the primary goal is to secure applications and websites."
"Automatic updates and pull request analysis."
"The HUD is a good feature that provides on-site testing and saves a lot of time."
"The solution has tightened our security."
"The product helps users to scan and fix vulnerabilities in the pipeline."
"The licensing model should be improved to be more cost-effective. There are URL restrictions that consume our license. Compared to other DAST solutions and task tools like WebInspect and Burp Enterprise, Invicti is very expensive. The solution’s scanning time is also very long compared to other DAST tools. It might be due to proof-based scanning."
"The support's response time could be faster since we are in different time zones."
"The license could be better. It would help if they could allow us to scan multiple URLs on the same license. It's a major hindrance that we are facing while scanning applications, and we have to be sure that the URLs are the same and not different so that we do not end up consuming another license for it. Netsparker is one of the costliest products in the market. The licensing is tied to the URL, and it's restricted. If you have a URL that you scanned once, like a website, you cannot retry that same license. If you are scanning the same website but in a different domain or different URL, you might end up paying for a second license. It would also be better if they provided proper support for multi-factor authentications. In the next release, I would like them to include good multi-factor authentication support."
"They don't really provide the proof of concept up to the level that we need in our organization. We are a consultancy firm, and we provide consultancy for the implementation and deployment solutions to our customers. When you run the scans and the scan is completed, it only shows the proof of exploit, which really doesn't work because the tool is running the scan and exploiting on the read-only form. You don't really know whether it is actually giving the proof of exploit. We cannot prove it manually to a customer that the exploit is genuine. It is really hard to perform it manually and prove it to the concerned development, remediation, and security teams. It is currently missing the static application security part of the application security, especially web application security. It would be really cool if they can integrate a SAS tool with their dynamic one."
"Netsparker doesn't provide the source code of the static application security testing."
"The solution needs to make a more specific report."
"Maybe the ability to make a good reporting format is needed."
"The scanner itself should be improved because it is a little bit slow."
"It would be a great improvement if they could include a marketplace to add extra features to the tool."
"Reporting format has no output, is cluttered and very long."
"The solution is unable to customize reports."
"The reporting feature could be more descriptive."
"It would be beneficial to enhance the algorithm to provide better summaries of automatic scanning results."
"Online documentation can be improved to utilize all features of ZAP and API methods to make use in automation."
"They stopped their support for a short period. They've recently started to come back again. In the early days, support was much better."
"It would be ideal if I could try some pre-built deployment scenarios so that I don't have to worry about whether the configuration sector team is doing it right or wrong. That would be very helpful."
Invicti is ranked 15th in Static Application Security Testing (SAST) with 25 reviews while OWASP Zap is ranked 7th in Static Application Security Testing (SAST) with 37 reviews. Invicti is rated 8.2, while OWASP Zap is rated 7.6. The top reviewer of Invicti writes "A customizable security testing solution with good tech support, but the price could be better". On the other hand, the top reviewer of OWASP Zap writes "Great for automating and testing and has tightened our security ". Invicti is most compared with Acunetix, PortSwigger Burp Suite Professional, Qualys Web Application Scanning, Veracode and Fortify WebInspect, whereas OWASP Zap is most compared with SonarQube, Acunetix, Qualys Web Application Scanning, PortSwigger Burp Suite Professional and HCL AppScan. See our Invicti vs. OWASP Zap report.
See our list of best Static Application Security Testing (SAST) vendors.
We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.