We performed a comparison between Invicti and OWASP Zap based on real PeerSpot user reviews.
Find out in this report how the two Static Application Security Testing (SAST) solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI."Attacking feature: Actually, attacking is not a solo feature. It contains many attack engines, Hawk, and many properties. But Netsparker's attacking mechanism is very flexible. This increases the vulnerability detection rate. Also, Netsparker made the Hawk for real-time interactive command-line-based exploit testing. It's very valuable for a vulnerability scanner."
"The platform is stable."
"High level of accuracy and quick scanning."
"The solution generates reports automatically and quickly."
"Invicti is a good product, and its API testing is also good."
"Crawling feature: Netsparker has very detail crawling steps and mechanisms. This feature expands the attack surface."
"This tool is really fast and the information that they provide on vulnerabilities is pretty good."
"Invicti's best feature is the ability to identify vulnerabilities and manually verify them."
"Automatic updates and pull request analysis."
"The OWASP's tool is free of cost, which gives it a great advantage, especially for smaller companies to make use of the tool."
"Fuzzer and Java APIs help a lot with our custom needs."
"It has improved my organization with faster security tests."
"Two features are valuable. The first one is that the scan gets completed really quickly, and the second one is that even though it searches in a limited scope, what it does in that limited scope is very good. When you use Zap for testing, you're only using it for specific aspects or you're only looking for certain things. It works very well in that limited scope."
"The solution has tightened our security."
"The application scanning feature is the most valuable feature."
"ZAP is easy to use. The automated scan is a powerful feature. You can simulate attacks with various parameters. ZAP integrates well with SonarQube."
"The solution needs to make a more specific report."
"The licensing model should be improved to be more cost-effective. There are URL restrictions that consume our license. Compared to other DAST solutions and task tools like WebInspect and Burp Enterprise, Invicti is very expensive. The solution’s scanning time is also very long compared to other DAST tools. It might be due to proof-based scanning."
"The scanning time, complexity, and authentication features of Invicti could be improved."
"I think that it freezes without any specific reason at times. This needs to be looked into."
"The support's response time could be faster since we are in different time zones."
"Invicti takes too long with big applications, and there are issues with the login portal."
"They don't really provide the proof of concept up to the level that we need in our organization. We are a consultancy firm, and we provide consultancy for the implementation and deployment solutions to our customers. When you run the scans and the scan is completed, it only shows the proof of exploit, which really doesn't work because the tool is running the scan and exploiting on the read-only form. You don't really know whether it is actually giving the proof of exploit. We cannot prove it manually to a customer that the exploit is genuine. It is really hard to perform it manually and prove it to the concerned development, remediation, and security teams. It is currently missing the static application security part of the application security, especially web application security. It would be really cool if they can integrate a SAS tool with their dynamic one."
"Maybe the ability to make a good reporting format is needed."
"I prefer Burp Suite to SWASP Zap because of the extensive coverage it offers."
"I would like to see a version of “repeater” within OWASP ZAP, a tool capable of sending from one to 1000 of the same requests, but with preselected modified fields, changing from a predetermined word list, or manually created."
"Reporting format has no output, is cluttered and very long."
"The solution is unable to customize reports."
"ZAP's integration with cloud-based CICD pipelines could be better. The scan should run through the entire pipeline."
"As security evolves, we would like DevOps built into it. As of now, Zap does not provide this."
"The ability to search the internet for other use cases and to use the solution to make applications more secure should be addressed."
"Lacks resources where users can internally access a learning module from the tool."
Invicti is ranked 15th in Static Application Security Testing (SAST) with 26 reviews while OWASP Zap is ranked 8th in Static Application Security Testing (SAST) with 37 reviews. Invicti is rated 8.2, while OWASP Zap is rated 7.6. The top reviewer of Invicti writes "A customizable security testing solution with good tech support, but the price could be better". On the other hand, the top reviewer of OWASP Zap writes "Great for automating and testing and has tightened our security ". Invicti is most compared with Acunetix, PortSwigger Burp Suite Professional, Qualys Web Application Scanning, Fortify WebInspect and Rapid7 AppSpider, whereas OWASP Zap is most compared with SonarQube, Acunetix, Qualys Web Application Scanning, Veracode and HCL AppScan. See our Invicti vs. OWASP Zap report.
See our list of best Static Application Security Testing (SAST) vendors.
We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.