We performed a comparison between Invicti and Veracode based on real PeerSpot user reviews.
Find out in this report how the two Application Security Testing (AST) solutions compare in terms of features, pricing, service and support, ease of deployment, and ROI.
"The dashboard is really cool, and the features are really good. It tells you about the software version you're using in your web application. It gives you the entire technology stack, and that really helps. Both web and desktop apps are good in terms of application scanning. It has a lot of security checks that are easily customizable as per your requirements. It also has good customer support."
"It has a comprehensive resulting mechanism. It is a one-stop solution for all your security testing mechanisms."
"The best features of Invicti are its ability to confirm access vulnerabilities, SSL injection vulnerabilities, and its connectors to other security tools."
"Its ability to crawl a web application is quite different than another similar scanner."
"One of the features I like about this program is the low number of false positives and the support it offers."
"The most attractive feature was the reporting review tool. The reporting review was very impressive and produced very fruitful reports."
"It correctly parses DOM and JS and has really good support for URL Rewrite rules, which is important for today's websites."
"Crawling feature: Netsparker has very detailed crawling steps and mechanisms. This feature expands the attack surface."
"Veracode is a valuable tool in our secure SDLC process."
"This is a great tool for learning about potential vulnerabilities in code."
"It is a good product for creating secure software. The static code analysis is pretty good and useful."
"The SAST and DAST modules are great."
"Considering that in my project, we are mostly using Software Composition Analysis as a part of Static Code Analysis, for me, the main part is reporting and highlighting necessary vulnerabilities. Veracode platform has a rather good database of different vulnerabilities in different libraries and different sources. So, finding vulnerabilities in third-party libraries is the main feature of Software Composition Analysis that we use. It is the most important feature for us."
"The product provides guidance to develop secure software."
"It's not "one policy fits all." I really like that Veracode allows me to set up specific policies that I can apply to applications."
"I like the static scanning, and Veracode's interface is excellent. The dashboard is easy to navigate."
"The higher level vulnerabilities like Cross-Site Scripting, SQL Injection, and other higher level injection attacks are difficult to highlight using Netsparker."
"Asset scanning could be better. Once, it couldn't scan assets, and the issue was strange. The price doesn't fit the budget of small and medium-sized businesses."
"The custom attack preparation screen might be improved."
"The solution's false positive analysis and vulnerability analysis libraries could be improved."
"The licensing model should be improved to be more cost-effective. There are URL restrictions that consume our license. Compared to other DAST solutions and task tools like WebInspect and Burp Enterprise, Invicti is very expensive. The solution’s scanning time is also very long compared to other DAST tools. It might be due to proof-based scanning."
"They don't really provide the proof of concept up to the level that we need in our organization. We are a consultancy firm, and we provide consultancy for the implementation and deployment solutions to our customers. When you run the scans and the scan is completed, it only shows the proof of exploit, which really doesn't work because the tool is running the scan and exploiting on the read-only form. You don't really know whether it is actually giving the proof of exploit. We cannot prove it manually to a customer that the exploit is genuine. It is really hard to perform it manually and prove it to the concerned development, remediation, and security teams. It is currently missing the static application security part of the application security, especially web application security. It would be really cool if they can integrate a SAS tool with their dynamic one."
"Invicti takes too long with big applications, and there are issues with the login portal."
"Maybe the ability to make a good reporting format is needed."
"The on-platform reporting needs to be opened up much more. We'd like to be able to look at the inspection data from a trending perspective in a much more open manner. I need to be able to sort and filter much more flexibly than I can today."
"One of the things that we have from a reporting point of view, is that we would love to see a graphical report. If you look through a report for something that has come back from Veracode, it takes a whole lot of time to just go through all the pages of the code to figure out exactly what it says. We know certain areas don’t have the greatest security features but those are usually minor and we don’t want to see those types of notifications."
"Because our application is large, it takes a long time to upload and scan."
"The user interface can sometimes be a little challenging to work with, and they seem to be changing their algorithm on what is an issue. I understand why they do it, but it sometimes causes more work on our end."
"Another problem we have is that, while it is integrated with single sign-on—we are using Okta—the user interface is not great. That's especially true for a permanent link of a report of a page. If you access it, it goes to the normal login page that has nothing that says "Log in with single sign-on," unlike other software as a service that we use. It's quite bothersome because it means that we have to go to the Okta dashboard, find the Veracode link, and log in through it. Only at that point can we go to the permanent link of the page we wanted to access."
"It needs better APIs, reporting that I can easily query through the APIs and, preferably, a license model that I can predict."
"It can be a bit complex because it takes a lot of time to have it complete the task."
"Some features could be improved in terms of user-friendliness."
Invicti is ranked 15th in Application Security Testing (AST) with 25 reviews while Veracode is ranked 2nd in Application Security Testing (AST) with 194 reviews. Invicti is rated 8.2, while Veracode is rated 8.2. The top reviewer of Invicti writes "A customizable security testing solution with good tech support, but the price could be better". On the other hand, the top reviewer of Veracode writes "Helps to reduce false positives and prevent vulnerable code from entering production, but does not support incremental scanning". Invicti is most compared with OWASP Zap, Acunetix, PortSwigger Burp Suite Professional, Qualys Web Application Scanning and Rapid7 AppSpider, whereas Veracode is most compared with SonarQube, Checkmarx One, Fortify on Demand, Snyk and OWASP Zap.
We monitor all Application Security Testing (AST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.