Acunetix Vulnerability Scanner Review

Testing websites is fast and efficient, but the executive summary reports need improvement


What is our primary use case?

I am a freelance consultant and I use this product to scan customers' websites.

Most of the time, I use it to perform black-box analysis. The automated approach to these repetitive discovery attempts would take days to do manually and therefore it helps reduce the time needed to do an assessment.

How has it helped my organization?

It has helped me to discover some vulnerabilities in web applications (such as cross-site scripting or SQL injection), and it helps to reduce the time it takes to perform a vulnerability assessment or a penetration test against a customer's web application.

What is most valuable?

This solution is easy and quick to set up and use. Most of the time, all it takes is entering a website's URL and clicking on the scan button.

Obviously, this is not usually the recommended way to use it, but to get an initial picture of the target's possible vulnerabilities it is a very comfortable starting point.

In fact, often a proper penetration test requires emulating a real user of the target application and logging in.

The vulnerabilities that can be discovered when logged in normally outnumber the ones that can be discovered by a "simple" black-box approach.

Acunetix allows recording a login session and replaying it during its attack phase, and this is quite convenient.

What needs improvement?

It would be interesting to do differential scans. Normally, after the initial scan, the customer will start patching the discovered vulnerabilities. It would be nice to have a feature to "retest" only a single vulnerability that the customer reports as patched, and delete it from the next scans since it has already been patched.

The executive summary reports could be improved with some graphs and a very short description of what has been discovered in a way that can be understood by C-level people.

For how long have I used the solution?

Two years.

What do I think about the stability of the solution?

So far I have not had any critical stability issues.

What do I think about the scalability of the solution?

I have not yet used the product to test extremely large and complex websites. For "normal" ones the performance is acceptable, even if sometimes it seems "stuck" at a certain scan percentage. In this case, normally I just wait and later it will advance again.

How are customer service and technical support?

The customer service is quite helpful. The time to fix issues is not too quick, so in the case of time-restricted projects for some customers, this might become a problem. Sometimes, identifying the exact issue to fix is not easy.

If you previously used a different solution, which one did you use and why did you switch?

Previously I was using IBM Rational AppScan, Burp Suite, and some other open-source tools.

I switched from AppScan to Acunetix mainly because of a better price/value ratio when I purchased my perpetual license (which now, unfortunately, is not available anymore).

How was the initial setup?

The initial setup is very easy and straightforward.

What about the implementation team?

I implemented it myself.

What was our ROI?

After two years it's about 300%.

What's my experience with pricing, setup cost, and licensing?

When I first purchased my license the price/value was very good because I purchased a perpetual license and the annual maintenance fee was extremely competitive. Now, unfortunately, my perpetual license does not exist anymore and my maintenance costs will increase in the next years.

All things considered, I think it has a good price/value ratio.

Which other solutions did I evaluate?

I tried some of the other commercial web vulnerability scanners such as Burp Professional embedded and IBM Rational AppScan.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
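The "What needs improvement" section asks for differential scans: comparing a rescan against the initial scan, retesting only the single vulnerability a customer reports as patched, and dropping confirmed fixes from subsequent scans. The following is an added example of that workflow written for this page; it is not Acunetix's code, not part of its REST API, and not the reviewer's. It assumes a simplified export shape (a list of findings with name, url, parameter and severity) and the two scan result sets are constructed sample data. The finding identity is normalised (lowercased type and host, query string and trailing slash stripped) so that a rescan over a renamed host or a reordered query string does not produce spurious "new" findings, and a claimed fix that matches nothing on record is reported rather than silently discarded.

```python
"""Differential comparison of two web-scan exports plus a targeted retest plan.

Added example for this review page. The export shape is an assumption (not the
real Acunetix format) and all findings below are constructed sample data.
"""
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: initial scan of an imaginary target.
INITIAL_SCAN = [
    {"name": "SQL injection", "url": "https://shop.example/search", "parameter": "q", "severity": "high"},
    {"name": "Cross-site scripting", "url": "https://shop.example/profile", "parameter": "nick", "severity": "high"},
    {"name": "Missing HttpOnly flag", "url": "https://shop.example/", "parameter": "session", "severity": "low"},
]

# Constructed sample: rescan after the customer patched the SQL injection;
# a new XSS appeared on a page added since the first scan.
RESCAN = [
    {"name": "Cross-site scripting", "url": "https://shop.example/profile", "parameter": "nick", "severity": "high"},
    {"name": "Missing HttpOnly flag", "url": "https://shop.example/", "parameter": "session", "severity": "low"},
    {"name": "Cross-site scripting", "url": "https://shop.example/reviews", "parameter": "text", "severity": "high"},
]


def finding_key(finding):
    """Stable identity of a finding: (type, normalised URL, parameter).

    Scheme and host are lowercased; query string, fragment and trailing slash
    are dropped, so the same injection point reached via a different query or
    host spelling maps to the same key.
    """
    parts = urlsplit(finding["url"])
    path = parts.path.rstrip("/") or "/"
    url = urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, "", ""))
    return (finding["name"].lower(), url, finding["parameter"].lower())


def diff_scans(old, new):
    """Classify finding keys as fixed (old only), new (new only) or persisting."""
    old_keys = {finding_key(f) for f in old}
    new_keys = {finding_key(f) for f in new}
    return {
        "fixed": sorted(old_keys - new_keys),
        "new": sorted(new_keys - old_keys),
        "persisting": sorted(old_keys & new_keys),
    }


def retest_plan(findings, claimed_patched):
    """Turn customer 'we patched this' claims into a retest list.

    Returns (targets, unknown): targets are keys of known findings to retest
    in isolation; unknown are claims matching nothing on record (typo, or a
    finding that was never reported), which must be resolved by hand rather
    than dropped.
    """
    known = {finding_key(f) for f in findings}
    targets, unknown = [], []
    for claim in claimed_patched:
        key = finding_key(claim)
        (targets if key in known else unknown).append(key)
    return targets, unknown


def prune_confirmed(findings, retest_results):
    """Remove findings whose targeted retest confirmed they are gone.

    retest_results maps finding key -> still_vulnerable. Keys not retested are
    kept: only a retest that actually ran may remove a finding from tracking.
    """
    return [f for f in findings if retest_results.get(finding_key(f), True)]


if __name__ == "__main__":
    delta = diff_scans(INITIAL_SCAN, RESCAN)
    for bucket, keys in delta.items():
        print(bucket, keys)
    claims = [{"name": "SQL Injection", "url": "https://SHOP.example/search?page=2", "parameter": "q"}]
    targets, unknown = retest_plan(INITIAL_SCAN, claims)
    print("retest:", targets, "unmatched:", unknown)
    # Pretend the targeted retest came back clean for the SQL injection.
    print("tracked after retest:", [finding_key(f) for f in prune_confirmed(INITIAL_SCAN, {targets[0]: False})])
```

The three functions are deliberately separated: diffing two full scans answers "what changed", the retest plan limits the next scan to one claimed fix, and pruning only ever removes a finding on the strength of a retest result, never on the customer's word alone.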