We performed a comparison between Invicti and OWASP Zap based on real PeerSpot user reviews.
Find out in this report how the two Static Application Security Testing (SAST) solutions compare in terms of features, pricing, service and support, ease of deployment, and ROI.
"I am impressed with Invicti's proof-based scanning. The solution has reduced the incidence of false positive vulnerabilities. It has helped us reduce our time and focus on vulnerabilities."
"Invicti's best feature is the ability to identify vulnerabilities and manually verify them."
"The scanner and the result generator are valuable features for us."
"Crawling feature: Netsparker has very detailed crawling steps and mechanisms. This feature expands the attack surface."
"The best features of Invicti are its ability to confirm access vulnerabilities, SSL injection vulnerabilities, and its connectors to other security tools."
"Its ability to crawl a web application is quite different than another similar scanner."
"The most valuable feature of Invicti is getting baseline scanning and incremental scan."
"I like that it's stable and technical support is great."
"The product helps users to scan and fix vulnerabilities in the pipeline."
"It's great that we can use it with Portswigger Burp."
"The OWASP's tool is free of cost, which gives it a great advantage, especially for smaller companies to make use of the tool."
"The application scanning feature is the most valuable feature."
"The stability of the solution is very good."
"The solution has tightened our security."
"We use the solution for security testing."
"The reporting is quite intuitive, which gives you a clear indication of what kind of vulnerability you have that you can drill down on to gather more information."
"Maybe the ability to make a good reporting format is needed."
"The support's response time could be faster since we are in different time zones."
"The solution's false positive analysis and vulnerability analysis libraries could be improved."
"The scannings are not sufficiently updated."
"The higher level vulnerabilities like Cross-Site Scripting, SQL Injection, and other higher level injection attacks are difficult to highlight using Netsparker."
"They don't really provide the proof of concept up to the level that we need in our organization. We are a consultancy firm, and we provide consultancy for the implementation and deployment solutions to our customers. When you run the scans and the scan is completed, it only shows the proof of exploit, which really doesn't work because the tool is running the scan and exploiting on the read-only form. You don't really know whether it is actually giving the proof of exploit. We cannot prove it manually to a customer that the exploit is genuine. It is really hard to perform it manually and prove it to the concerned development, remediation, and security teams. It is currently missing the static application security part of the application security, especially web application security. It would be really cool if they can integrate a SAS tool with their dynamic one."
"It would be better for listing and attacking Java-based web applications to exploit vulnerabilities."
"The licensing model should be improved to be more cost-effective. There are URL restrictions that consume our license. Compared to other DAST solutions and task tools like WebInspect and Burp Enterprise, Invicti is very expensive. The solution’s scanning time is also very long compared to other DAST tools. It might be due to proof-based scanning."
"Zap could improve by providing better reports for security and recommendations for the vulnerabilities."
"Sometimes, we get some false positives."
"It needs more robust reporting tools."
"Too many false positives; test reports could be improved."
"There are too many false positives."
"The technical support team must be proactive."
"There isn't too much information about it online."
"I'd like to see a kind of feature where we can just track what our last vulnerability was and how it has improved or not. More reports that can have some kind of base-lining, I think that would be a good feature too. I'm not sure whether it can be achieved and implemented, but I think that would really help."
Invicti is ranked 15th in Static Application Security Testing (SAST) with 26 reviews while OWASP Zap is ranked 8th in Static Application Security Testing (SAST) with 37 reviews. Invicti is rated 8.2, while OWASP Zap is rated 7.6. The top reviewer of Invicti writes "A customizable security testing solution with good tech support, but the price could be better". On the other hand, the top reviewer of OWASP Zap writes "Great for automating and testing and has tightened our security". Invicti is most compared with Acunetix, PortSwigger Burp Suite Professional, Qualys Web Application Scanning, Fortify WebInspect and Rapid7 AppSpider, whereas OWASP Zap is most compared with SonarQube, Acunetix, Qualys Web Application Scanning, Veracode and Fortify on Demand. See our Invicti vs. OWASP Zap report.
We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.