Acunetix by Invicti Overview

Acunetix by Invicti is the #8 ranked solution in our list of AST tools. It is most often compared to OWASP Zap: Acunetix by Invicti vs OWASP Zap

What is Acunetix by Invicti?

Acunetix Web Vulnerability Scanner is an automated web application security testing tool that audits your web applications by checking for vulnerabilities like SQL Injection, Cross site scripting, and other exploitable vulnerabilities.

Acunetix by Invicti is also known as AcuSensor.

Acunetix by Invicti Buyer's Guide

Download the Acunetix by Invicti Buyer's Guide including reviews and more. Updated: October 2021

Acunetix by Invicti Customers

Joomla!, Digicure, Team Random, Credit Suisse, Samsung, Air New Zealand

Pricing Advice

What users are saying about Acunetix by Invicti pricing:
  • "When compared with other products, the pricing is a little bit high. But it gives value for the price. It serves the purpose and is worthwhile for the price we pay."
  • "The pricing is a little high, and moreover, it's kind of domain-based."
  • "Implementing Acunetix needs a medium or larger business agency, because you need some money to get Acunetix. It is costly, but if you care about your agency's security, then maybe it's a cost that might help you in the future."
  • "I would say that Acunetix is expensive because there are products on the market with similar features that are equally or better-priced."

Acunetix by Invicti Reviews

Saminda Jayawardene
Compliance Manager at a tech services company with 201-500 employees
Real User
Top 5 Leaderboard
We are getting notably fewer false positives than previously, but reporting output needs to be simplified

Pros and Cons

  • "It's very user-friendly for the testing teams. It's very easy for them to understand things and to fix vulnerabilities."
  • "The jargon used makes it difficult for project managers to understand the issues, and the technical explanations used make it difficult for developers to understand issues. These things should be simplified much more. That would be very helpful for us when explaining to them what needs to be fixed. The report output needs to be simplified."

What is our primary use case?

Our company has more than 300 employees and we have regional offices in Japan and Malaysia. We are in the FinTech industry. We do banking solutions, mobile, branch-based, and agent banking. We are also into government projects.

We have two lines of application testing. One is for internal application deployments. Before all these deployments, we conduct testing with Acunetix and, based on the report generated, we do remediation. Once the remediation is done we will do more testing. Only once all the vulnerabilities have been fixed is it allowed to be deployed in the organization's environment. 

The second use case is that we do application development for banks. Whenever we develop backend applications or web applications, they are all tested for vulnerability. In addition, the mobile application code is tested using Acunetix.

We didn't have much in the way of exposure to this kind of information when I joined the organization. I introduced this system to test all the applications that were going to be released to customers, as well as for our internal vulnerability assessment and penetration testing purposes.

How has it helped my organization?

The number of "high" and "medium" vulnerabilities found using this solution will depend on the development process. But when we started using Acunetix, and other testing tools as well, we had a lot of vulnerabilities. We had to invest a lot of time in fixing vulnerabilities in those days, about two years back. Now, we don't get that many vulnerabilities because the developers and the application testers have improved a lot. They code in a way that results in fewer vulnerabilities.

Most of the vulnerability standards we've used give a fair number of false positives. But with the latest version of Acunetix, we have seen a good standard of false positive rates. Sometimes, customers actually want to have a list of false positives, but the number of false positives we now get is much less than earlier.

What is most valuable?

It's very user-friendly for the testing teams. It's very easy for them to understand things and to fix vulnerabilities. For anyone who does development, Acunetix is going to be a very powerful tool, and very easy to use. It gives all the required information for fixing your vulnerabilities.

What needs improvement?

The jargon used makes it difficult for project managers to understand the issues, and the technical explanations used make it difficult for developers to understand issues. These things should be simplified much more. That would be very helpful for us when explaining to them what needs to be fixed. The report output needs to be simplified.

For how long have I used the solution?

We've been using Acunetix Vulnerability Scanner for the last three years and we don't have a reason to change to a different solution.

What do I think about the stability of the solution?

We haven't come across unexpected downtime or unexpected issues.

What do I think about the scalability of the solution?

We don't scan more than 35 solutions, but we are always working on improving them and, whenever an improvement comes up, we scan it.

We initially decided that it was going to be deployed on a central server and we didn't look into the scalability. We set up the environment and we have been using it for some time. We haven't come across the need for scalability.

We have five usernames for Acunetix, but most of the time only two of them are being used. Generally, in a week, we may conduct five or six tests. We don't have much load on it. We do intend to expand the number of users in another six months' time with an additional three or four users, as we are expecting more application testing in that time.

How are customer service and technical support?

We had to contact technical support some time ago but not since then. Sometimes the blog provides support very well, and we have also attended certain webinars.

We would really appreciate it if they would provide training on advanced usage or technical knowhow. That would help us to attend to things and sort them out.

Which solution did I use previously and why did I switch?

The company had been using InMap and was using manual vulnerability assessment practices, using Kali Linux and some open source applications. But once I joined the company, we changed to a different level because we are an ISO 27000 certified company as well as being PCI DSS application certified with a PCI DSS certified data center. We host payment applications on behalf of Sri Lankan and Malaysian banks. Because of that we introduced these automation systems. We use Acunetix and we use PortSwigger and some other tools.

We used Nessus and we have experience with QualysGuard as well, but Acunetix gives us code-level identification of vulnerabilities and a good understanding of the code-level vulnerability fixes. It is much more helpful for us because we can understand how to fix the vulnerabilities at the code level. The vulnerability identification is much more powerful in Acunetix than in any other tool.

How was the initial setup?

The initial setup is very simple. 

We use this application for testing in different environments, such as production and DR, and implementing of scanning in those environments can sometimes be a little bit tough. But that is not due to the complexity of the application but more because of the complexity of the environments that we maintain, to keep our compliance level high.

The way we set it up is that once development is over, we push it to a single location. For that, it's not a very complex environment, it's a single PC. We do the scanning on that PC so that development is actually on a single server. The setup for that didn't take much time. Within two to three days, the complete setup was finished and the initial testing was run.

What was our ROI?

We have seen ROI with Acunetix. That's the most convincing point I have to prove to my management when it comes to the next budgeting cycle. The ROI is seen in the fact that, at the time of application releases, we hold off the risk. When we do the assessment, we see that the distributed cost of Acunetix, across all our releases reduces our risk. It's a very convincing point.

What's my experience with pricing, setup cost, and licensing?

When compared with other products, the pricing is a little bit high. But it gives value for the price. It serves the purpose and is worthwhile for the price we pay. Other than the licensing, we haven't come across any other costs.

Which other solutions did I evaluate?

We are very comfortable with the granularity of tests. Sometimes, for certain specific areas, we use different tools, but we feel that Acunetix is much more helpful for all the development teams in understanding the output of the system. In certain cases, the scope of the application and the exposure of the application is varied and then, for additional security measures, we use different tools to evaluate these applications. That makes us much more comfortable in explaining to our customers that we don't only rely on a single tool, that we use multiple tools to identify things in complex environments. Customers want to have different views, not only a single view, of application testing. 

Acunetix provides the primary vulnerability assessment. Once we believe we can rely on Acunetix, we will be able to save money on other licenses. The most interesting part is that the application security vulnerability reports of Acunetix are much more explainable in simple terms, for developers.

Also, the jargon that some of the applications that I have looked at—certain open source applications—use and the setup required are highly technical. You have to do a lot of maintenance to keep the environment up and running. Acunetix is a lot more comfortable. Newly recruited people and project managers can easily understand it. This is one of the winning points of Acunetix.

In our tests of Acunetix, we didn't find much difference, performance-wise, when comparing it with other applications. It's lightweight but it doesn't matter if it is a little bit heavy, since it provides a much broader spectrum of vulnerabilities. Acunetix is much more customizable for granular levels of testing.

In terms of the amount of time it takes to complete a scan using Acunetix, a web application, for example, with two or three endpoints takes between half an hour and 40 minutes. If I use Kali Linux, it will take more time, and then you have to do much more customization, which requires heavy technical knowledge. Other solutions take time to scan and may give a much broader spectrum, but they do not identify vulnerabilities for the purpose of fixing them. They identify them to explore them. Acunetix scans for the most commonly identified issues. The problem with other solutions is that, while we may be able to see a lot of vulnerabilities, if the solution has not been identified we end up with questions as to whether we are able to release it or not. We don't come up against that issue with Acunetix.

What other advice do I have?

I would definitely recommend Acunetix to anyone who wants to do one vulnerability assessment from an application development perspective.

The amount of time it takes to remediate something will depend on the developer's knowledge and ability to fix vulnerabilities. That doesn't depend on the solution, on Acunetix, but rather on the technical knowhow of the people who engage in that.

But that particular jargon and the technical explanations we have for fixing vulnerabilities need to be improved, so that managers who don't have technical knowhow can easily understand what needs to be done to fix the vulnerabilities.

Overall, I would rate the solution as a seven out of 10. While we use this tool for application testing, we need another tool to test application traffic interception. Acunetix doesn't have that ability. If it did, I would definitely rate it as nine or 9.5. After using Acunetix for application and code-level testing, the same application will be tested again for application traffic interception. With the results of the traffic interception, we again go back to the code level and then identify where the issues are. If Acunetix had that capability, I would be able to raise it as a nine or 9.5.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
SivaPrakash
Senior Test Engineer II at a financial services firm with 201-500 employees
Real User
Top 5 Leaderboard
Fantastic reporting features hindered by slow scanning

Pros and Cons

  • "I haven't seen reporting of that level in any other tool."
  • "The vulnerability identification speed should be improved."

What is our primary use case?

We use Acunetix for POC.

We have a scanner site website. We have two web applications, related to banking, that primarily serve our customers. We use Acunetix Vulnerability Scanner to ensure that the APAs that have been exposed to the customers are well-protected and don't have any major vulnerabilities.

We wanted to have some kind of vulnerability scanner which could evaluate our requests and tell us where any vulnerabilities may reside. For that purpose, we use Acunetix scanner.

Originally, we used version 3.12, but they provided us with different products including Acunetix premium and Acunetix 360. We figured Acunetix 360 would be much better suited for our solutions; that's why we are currently using the trial version of Acunetix 360 at the moment.

Within our company, there are around five to ten people using this solution. Some from DevOps, IT Security, and a few penetration testers use it.

What is most valuable?

The reporting is pretty good. I haven't seen reporting of that level in any other tool. It also allows for segregation. If I want to generate a report regarding vulnerabilities, I can simply select that particularly vulnerable section and it will generate a report with all the work in the web application. 

Similarly, for PCAD assisting, I can also generate a report — in multiple formats, including PDF, HTML, and doc files. 

Segregation of reports is really, really good with Acunetix; it provides us with a lot of in-depth details. This feature stood out when comparing Acunetix with other tools.

It provides me with a list of vulnerabilities that we weren't able to identify when doing manual penetration testing. It located and picked out some hidden vulnerabilities as well, which are hard to spot with the naked eye.

What needs improvement?

The scanning speed could be faster. It digs really deep, so that could be one of the reasons why it takes a while. If I want to scan an application, it's going to take over three to four hours. That's something I think they could improve.

Instead of posting hundreds of requests to find the vulnerability, if it simply had the capability to find that particular vulnerability in the payload itself, that would make a big impact.

The vulnerability identification speed should be improved. It takes more time compared to other tools I have used. 

Simply put, Acunetix passes too many payloads in order to identify one part of the ratio. That's probably why it can take a while to identify a particular issue. Other tools are able to identify vulnerabilities with just a few requests. Acunetix takes more time to make certain if a vulnerability exists. That's one of the areas which they can improve on.

The scan configuration could be improved. The first thing that we need to do is set up a site policy and a scan policy. By site policy, I mean we have to choose what kind of technology our site is developed with so that it will only pass payloads related to that technology.

For example, if I'm using MySQL or Python as my backend database, it will only check payloads related to MySQL or Python; it won't check Java or other programming languages.

We have to define the scanning configuration as well as the site configuration each and every time. This has to be done whenever we are adding a new set of sites or domains.

Other tools provide a list of predefined scan policies, but with Acunetix, we have to create our own every time. We have to spend a lot of time setting up these configurations, rather than just picking them from a vast variety of predefined sets of configurations, which is much easier.

For how long have I used the solution?

We have been using a trial version of Acunetix for about a month.

What do I think about the stability of the solution?

The stability is good. The scans always produce consistent and reliable results.

We used Acunetix to scan three of our web applications.

What do I think about the scalability of the solution?

I think it needs to expand to other operating systems because most organizations use a Linux-based environment, which it currently doesn't support. I think that's a big problem.

How are customer service and technical support?

The technical support is really good. Whenever we experienced an issue, we just scheduled a call. It's not directly with Acunetix, their providers in India got in touch with us. 

They are the ones who told us about the product, its features, and its specifications. They are who we speak with if we have any issues or need support. They act as a middle-man between Acunetix and us — they are resellers.

How was the initial setup?

Initially, I believe Acunetix provided us with two solutions. One was a SaaS, which means that they host it on their cloud. They also provide the option to host Acunetix on our internal servers, behind our firewalls, with an on-premise version.

The problem with the on-premise version is that it works only on Windows Servers. I can't install it on a Mac or a Linux-based machine. That was quite challenging for us because all of our cloud infrastructure is on AWS instances, which run a Linux-based operating system.

As far as security testing is concerned, we would prefer to host Acunetix, on-premise, because everything would be within our firewall. If we wanted to host it on the cloud, then we would have to sign a non-disclosure, because they know what vulnerabilities exist on our site.

For this reason, we generally prefer to host it on-premise so that they will have a restriction within our firewall, so no one can gain access from the outer wall. Setting up the on-premise version of Acunetix is quite challenging and it's not that straightforward because it only supports one operating system.

However, we found it so difficult to host on-premise that we actually had to stop. Instead, we have decided to go for the cloud version. All we have to do is send them our application to scan in their cloud.

What about the implementation team?

We followed an implementation strategy. With our compliance and security team, we followed a procedure with Acunetix so that any vulnerable information that exists on our site remains safe and secure.

We didn't deploy it ourselves because we used their SaaS model. There is no deployment from our side. Initially, we thought of hosting it on our own server; if we did, we would have required a dedicated person to look after the deployment and setup.

Since we don't have a Windows Server, we opted for the SaaS model because the on-premise version is only compatible with a Windows Server. We don't have a license for a Windows Server so instead of purchasing all of the licensing, we just opted for the SaaS solution. 

What's my experience with pricing, setup cost, and licensing?

The pricing is a little high, and moreover, it's kind of domain-based. For example, if I have one site that has a lot of sub-domains, they will register all of the sub-domains as individual sites. That caused problems for us.

We have three sites with 10 sub-domains each — so technically 30. We ended up having to purchase 30 licenses, which costs a lot. Instead of paying per site, I think it would be better if they proposed some other kind of pricing and licensing model, like Burp's model. That's why we preferred Burp over Acunetix.

With Burp, 10 agents can scan 10 sites. Even if we scale our application, we don't have to purchase a new license. We can reshuffle the agents to scan multiple websites. One agent can scan our site today, and the same agent can scan another site tomorrow. This is the pricing model of Burp, which was perfect for us.

The Acunetix licensing and pricing model is somewhat complicated. If we calculated all of our domains and sub-domains, the sum would be huge. That's why we thought of leaving Acunetix.

Which other solutions did I evaluate?

I believe we also evaluated Zap and Portswigger Burp suite.

What other advice do I have?

The false-positive rate is not that high, but it's not very low either. There were a few false-positive cases that were triggered when we scanned both of our web applications. So, they're not minimal, but they're not high either, they occur somewhere in between.

The time it takes to remediate issues with Acunetix depends on the type of issue. Minor issues can be resolved within a day. Bigger issues, involving debugging from scratch can take around a week.

In total, we experienced about five high-level vulnerabilities, three mid-level, and 17 low-level vulnerabilities. We also found a few DOM-based, cross-site scripting vulnerabilities.

If you're interested in this solution, you have to consider the pricing model, because when your application is scaling, the cost of Acunetix also spikes up. If you want to scale, you need to look into the cost of Acunetix as well.

Also, the on-premise version takes a lot of effort. Maintaining a Linux-based system is a lot easier; it's difficult for some engineers to maintain a Windows-based operating system. 

On a scale from one to ten, I would give this solution a rating of five.

On the positive side, they have a good reporting module and scanner, which is capable of identifying most vulnerabilities. On the negative side, I think the on-premise version needs to be improved. Rather than sticking to one operating system, it needs to support multiple operating systems.

Apart from that, the pricing model also needs to be revisited. If you want to scale an application, you have to spend more money with Acunetix because it uses a domain-based pricing model, which is not something I like using. For these reasons, I am giving Acunetix Vulnerability Scanner a rating of five. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
IB
Security Engineer at Secure Network
Real User
Top 5
Very easy to set up because they give you an installer that does everything

Pros and Cons

  • "Acunetix has an awesome crawler. It gives a referral site map of near targets and also goes really deep to find all the inputs without issues. This was valuable because it helped me find some files or directories, like web admin panels without authentication, which were hidden."
  • "I had some issues with the JSON parameters where it found some strange vulnerabilities, but it didn't alert the person using it or me about these vulnerabilities, e.g., an error for SQL injection."

What is our primary use case?

We needed it to scan our internal network and web applications. 

Our security team of five people used it. We scheduled some monthly scans for web applications, which were not being used, to check for vulnerabilities and also vulnerabilities on new features.

How has it helped my organization?

Where I worked was a big group where there were many agencies under it, and we did the security for all other agencies. With Acunetix, we cut the time to make infrastructures and web applications (for our colleagues) more secure.

For one application with two or three critical vulnerabilities and some other vulnerabilities, it took like a week to remediate issues because the scan and findings were really fast. 

What is most valuable?

What I found to be valuable was the fully automated scanner because it is really fast. 

Acunetix has an awesome crawler. It gives a referral site map of near targets and also goes really deep to find all the inputs without issues. This was valuable because it helped me find some files or directories, like web admin panels without authentication, which were hidden.

Acunetix saves on the cost of time because it is fast.

When Acunetix finds a vulnerability, it also checks for a false positive so it can be 100 percent sure about the issue that it found. The false positives are really low, maybe one percent.

What needs improvement?

I had some issues with the JSON parameters where it found some strange vulnerabilities, but it didn't alert the person using it or me about these vulnerabilities, e.g., an error for SQL injection. 

They need more customized scans along with a way to edit their default payloads. While you can select which check to do, you can't add which payload to use.

For how long have I used the solution?

I used Acunetix 20 months ago at the last agency where I worked.

What do I think about the scalability of the solution?

The scalability was okay. We didn't need to do much work to implement it into the network or some web applications, so I think it's really easy to scale. We didn't need to do work on it because the solution is adaptable to every environment.

There were about 20 websites and other web applications.

How are customer service and technical support?

I never needed to talk to the Acunetix technical support.

Which solution did I use previously and why did I switch?

They were previously using Fortify WebInspect, which was good, but very costly.

How was the initial setup?

It was very easy to set up Acunetix, as they give you an installer that does everything. You just need to click: "Install".

It takes a maximum of 10 minutes to deploy, if you want to read everything.

We did other configurations to enable the IP address to talk to all the networks.

We also used Acunetix on a Linux server. The deployment process was the same as Windows. It was just another installer, but for Linux.

What was our ROI?

It saved us many weeks of work.

We didn't sell anything with Acunetix, so it was just an improvement for ourselves.

If someone had hacked us, they probably would have caused much damage. However, now with Acunetix, they shouldn't be able to cause that damage.

What's my experience with pricing, setup cost, and licensing?

I think all the scanners, except Burp Suite, are a bit costly.

Implementing Acunetix needs a medium or larger business agency, because you need some money to get Acunetix. It is costly, but if you care about your agency's security, then maybe it's a cost that might help you in the future.

Which other solutions did I evaluate?

Acunetix is the fastest scanner available compared to applications like Netsparker and Fortify WebInspect. The longest scan with Acunetix, and it was for a huge web application, took only four hours. Other scanners did the job in six to eight hours. 

While I like Netsparker, it is really slow compared to other scanners.

What other advice do I have?

We found 50 unexpected, high vulnerabilities for three web applications. This made our principal a bit mad.

We found three or four DOM-based XSS vulnerabilities using this solution.

It did not require maintenance on our part. We just needed to give it some credentials.

I would rate it as a nine out of 10.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Anubhav Goswami
Security Specialist at a tech services company with 11-50 employees
Real User
Top 20
User-friendly and easy to set up but is a bit expensive

Pros and Cons

  • "There is a lot of documentation on their website which makes setting it up and using it quite simple."
  • "The pricing is a bit on the higher side."

What is our primary use case?

The solution is mostly used for vulnerability scanning purposes. 

What is most valuable?

I'm drawn to Information Security. I immediately look for security threats and vulnerabilities. Therefore, the report generation and the reports that are being monitored are great in that they are very easy to read and understand.

It's user-friendly and the language that they use is pretty good. 

Overall, the tool is very good in context. It's definitely helpful from a tech intelligence perspective and for identifying vulnerabilities. I like that we can sort the vulnerabilities based on severity levels. 

The initial setup is easy.

There is a lot of documentation on their website which makes setting it up and using it quite simple.

Technical support is available 24/7.

What needs improvement?

Normally, the product asks for the URL address before scanning a certain application. Acunetix is immediately used for web application scanning purposes for vulnerability assessment. However, it doesn't seem very helpful or useful for scanning web services, and that is what I feel the organization could work on.

The pricing is a bit on the higher side.

For how long have I used the solution?

I've been using the solution for about two years at this point.

What do I think about the stability of the solution?

The solution is very stable. There are no bugs or glitches. It doesn't crash or freeze. It's reliable.

What do I think about the scalability of the solution?

The solution is scalable in the sense that it can be easily migrated.

We have about 50 to 55 users on the solution currently.

How are customer service and technical support?

Technical support is fine. Whenever we have any queries the support is available. We have the paid version. We have paid for it, however, it's great due to the fact that it's available 24/7.

Which solution did I use previously and why did I switch?

Although we are working with Acunetix, we are planning to migrate to Nessus in the future. We used Nessus around seven or so years ago. The current solution is a good one, however, my organization wants to try a new, different product. That is the reason we are now moving to Nessus.

How was the initial setup?

The initial setup is not overly complex or difficult. It's very straightforward and very easy. On their website, they have lots of documentation that walks you through the process. 

For deployment or maintenance, you only need a maximum of four or five people.

What's my experience with pricing, setup cost, and licensing?

We do pay extra for technical support, however, it's 24/7 support which means we always have access to them if we need them.

The pricing is on the higher side. That could be okay for certain organizations. That said, if they could lower it, that would be ideal. Yeah. To me, it actually all depends upon the companies. My organization is not too big, and we're using it for managing a small set of people. If I have to spend much more, it wouldn't make any sense. 

What other advice do I have?

We are in telecommunications; we have bought this product from the vendors.

We're using the latest version of the solution. We try to only use the most up-to-date option.

Overall, the tool is efficient enough to identify and track your vulnerabilities and it's good for intelligence scanning purposes. I'd advise users to just be cautious while the installation happens in terms of what logins are included and what are missing. 

The main thing is that users have to define their scope and objectives and only on the basis of that will the tool work. 

That said, you always have choices in the market - if this one does not fit your needs.

I'd rate the solution at a seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
MM
IT Manager at a financial services firm with 1,001-5,000 employees
Real User
Top 20
Simple to use and achieves the required results but more efficiency with the mobile environment would be helpful

Pros and Cons

  • "Our developers can run the attacks directly from their environments, desktops."
  • "Tools that would allow us to work more efficiently with the mobile environment, with Android and iOS."

What is our primary use case?

I'm an IT Manager and we're a customer of Acunetix. We use the automatic tool to control the security of our applications. For the time being, we have two or three people in the company working with the solution, setting up all of the parameters, all the attacks. We have 15 separate groups in the company, most are testing the tool and learning how to use it. We will deploy the tool for the rest of the company at the beginning of next year.

What is most valuable?

The most important feature is that we are able to parameterize all of the attacks so that our developers can run the attacks directly from their environments and desktops. They don't need any expertise or to know the difficulties of the attacker; they just run the tool and get the results.

What needs improvement?

In general, this is a good tool to check the security from the attacker's standpoint. However, when thinking about improvements there are still some attacks that we are not able to control with this kind of tool because there are some things you do in the front-end that sometimes launch processes in the application at the back-end. We need to be able to tie all of the front-end activities with all of the back-end activities. That's a missing piece that no one is providing. 

In terms of additional features, we are currently missing some tools that would allow us to work more efficiently with the mobile environment, with Android and iOS. The tools that we evaluated in the past are not really good for mobile applications. You can control the static code, you can control all the dynamic applications, but not within the phone, or within the tablet.

For how long have I used the solution?

We have only been using the product for about three months.

What do I think about the stability of the solution?

We haven't had any problems so far. It's stable. 

What do I think about the scalability of the solution?

We are still deploying the tool throughout the company, but that hasn't been completed yet. For now, it's just small groups. I hope it is scalable but I can't tell you that now.

How are customer service and technical support?

We have a pretty good team here and we try to be as independent as possible. We needed some help for the initial setup but after that, we've done everything ourselves. 

Which solution did I use previously and why did I switch?

For static analysis, we previously used different tools. 

We carried out an evaluation comparing different tools, and Acunetix was the one that most of us liked. 

How was the initial setup?

Initial setup was quite straightforward, we didn't have any problems with it. 

What about the implementation team?

We carried out the implementation ourselves. 

What's my experience with pricing, setup cost, and licensing?

I'm not involved in the financial negotiations, but I believe it's not an expensive product and cheaper than other similar tools. I understand we bought 100 URLs. It's likely that we'll need to purchase more once we deploy the tool to the rest of the company but I wouldn't know the cost.

What other advice do I have?

I would recommend the product. It's very easy to integrate with Jenkins, with ALM. The most important element for us is that it's very easy for developers to use. They don't need to have any knowledge about security, threats or anything. They just run the tool against their application, and that's it. They get the results.

I would rate this product a seven out of 10.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Letsogile-Baloi
CEO at IMART OFFICE CONSULTANTS
Reseller
Top 5 Leaderboard
Simple to use and does not report many false positives or false negatives

Pros and Cons

  • "It can operate both as a standalone and it can be integrated with other applications, which makes it a very versatile solution to have."
  • "When monitoring the traffic we always have issues with the bandwidth consumption and the throttling of traffic."

What is our primary use case?

This solution is a WAF (web application firewall). The primary use case of this solution is to secure web applications against cross-site scripting and other forms of malware that occur at the application level.

We last used Acunetix in December and we have switched to Barracuda.

What is most valuable?

The scalability is more than good. It can operate both as a standalone and it can be integrated with other applications, which makes it a very versatile solution to have. 

This solution is simple enough, especially with the cloud. You can download the client onto your machines and then you start filtering your traffic from there.

What needs improvement?

An area that we wanted to test was whether it ties up bandwidth and whether it throttles traffic.

How much bandwidth does it consume when it sorts out the traffic? When monitoring the traffic, we always have issues with the bandwidth consumption and the throttling of traffic.

Everything now is moving to the cloud. If they would consider SD1 possibilities, it would give it the longevity that it needs in the market. They may not need it, as they would be able to integrate it with other SD1 platforms as an extra feature.

By definition, they are not next-generation. The next-generation is fully cloud, properly load-balanced, and you would want something that is tailored along those lines from the get-go. It would give you more deployment, less support, and less technical hands looking at the solution.

For how long have I used the solution?

We have been dealing with Acunetix since 2017. 

We provide services to our clients.

What do I think about the stability of the solution?

It's a stable solution. It doesn't report a lot of false positives or false negatives. You can put it on and look at your logs and your reports.

What do I think about the scalability of the solution?

This solution is scalable.

How are customer service and technical support?

I haven't contacted technical support because I am supposed to be the first line of their support. Contacting them would mean that I have problems beyond my scope.

Which solution did I use previously and why did I switch?

We are now doing a profile on Barracuda because we are partners but we don't have clients yet. It is very difficult to profile because we don't have a live environment. The only way we could have a live environment is if we deploy it in-house.

We deployed in-house to test the cloud solution and we are moving to LV1 solutions within our MSP.

We were bringing everything on top of a CASB, a cloud broker for security. We had to look at different solutions to see what could be brought on top of the CASB platform and what we would be leaving out from the previous partnerships. We wanted to look at a different solution.

How was the initial setup?

The initial setup is straightforward. You just need to download the client from the website or get a license from them, then you can deploy it.

It can take a couple of hours or less to deploy.

What about the implementation team?

We have a team in the company.

What other advice do I have?

This is a solution that I would recommend.

I would rate it an eight out of ten.

Which deployment model are you using for this solution?

Private Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
JC
Executive Director at a financial services firm with 201-500 employees
Real User
Top 20
Assists greatly with our financial compliance reporting but only supports web scanning

Pros and Cons

  • "Picks up weaknesses in our app setups."
  • "Currently only supports web scanning."

What is our primary use case?

We have quite a few applications that we scan. We have a requirement to meet PCI DSS compliance and we deal with it by producing reports on a quarterly or a part-quarterly evaluation. We are customers of Acunetix and I'm the executive director of our company. 

What is most valuable?

We're happy with Acunetix, although we're currently looking for a more cost-effective solution. There might be a better product on the market and we're looking for that. What I gather from my colleagues who do the scanning is that this solution picks up any weaknesses in terms of our application setup, as well as reading our application and finding the weaknesses. We need that PCI DSS report, which is important for us. The solution is comprehensive and easy to use.

What needs improvement?

The costs for the licensing have changed, and it's not in our favor, which is why we're now looking at other options. One of our issues is that Acunetix only supports web scanning, with no mobile app support for now. If they were to include that, it would mean not having to work on two separate tools.

For how long have I used the solution?

I've been using this solution for three years. 

What do I think about the stability of the solution?

We've raised some minor issues with support. There are certain aspects that Acunetix cannot power and we haven't been able to resolve those problems yet. 

What do I think about the scalability of the solution?

I don't believe there are issues with scaling.

How are customer service and technical support?

I think that generally their customer service is quite responsive. Whenever we encounter problems or new external applications, they're willing to guide us through the process. 

Which solution did I use previously and why did I switch?

I think the company previously used Netsparker and that was even more expensive than Acunetix. 

What's my experience with pricing, setup cost, and licensing?

Licensing is on an annual basis and we pay the standard licensing fee directly to Acunetix.

What other advice do I have?

The solution meets our requirements, it's just that we were moved from a perpetual license to an annual license and that has significantly increased our annual fees. Here in Bangladesh, we're trying to check comparable products in the same price range and see what they offer. 

I would rate this solution a seven out of 10. 

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
GT
Project Manager at a computer software company with 1,001-5,000 employees
Real User
Top 20
Good usability and scan results

Pros and Cons

  • "The usability and overall scan results are good."
  • "There is room for improvement in website authentication because I've seen other products that can do it much better."

What is our primary use case?

Our primary use case is scanning our websites for security flaws.

What is most valuable?

The usability and overall scan results are good.

What needs improvement?

The vendor messed up our contract when they changed the licensing scheme and downgraded our license without any notification. It was dropped from a premium license with unlimited scan targets to a professional license with 10 targets per year. This is insufficient for us because we have about 50 public websites, and twice that number between internal and development sites. We ran out of scanning targets after only two months, so we have been evaluating other products since then.

There is room for improvement with respect to technical support.

We were having trouble with our Active Directory Federation Services. They couldn't work out how to authenticate the websites.

There is room for improvement in website authentication because I've seen other products that can do it much better.

For how long have I used the solution?

We have been using the Acunetix Vulnerability Scanner for seven years.

What do I think about the stability of the solution?

We have not had any problems with stability.

What do I think about the scalability of the solution?

Scalability has not been a problem except when it comes to licensing.

How are customer service and technical support?

Technical support was not overwhelmingly good, but it was okay. They couldn't provide solutions to every problem that we encountered, although they helped us from time to time.

What's my experience with pricing, setup cost, and licensing?

The pricing is not as good as we expected. I would say that Acunetix is expensive because there are products on the market with similar features that are equally or better-priced.

When we started with Acunetix seven years ago, it was quite good in terms of being competitively priced. It was up to the task and financially suitable. Now, however, with the change in the licensing scheme, it is a rather large step in terms of price. It has gone up by a factor of 30 in the past two years.

Which other solutions did I evaluate?

Our experience with Acunetix has not been good, so we are in the process of switching solutions.

What other advice do I have?

The product is quite good, but their sales techniques are poor and the sales teams need to be improved. They also should have provided a lot more information about the new licensing scheme when they changed it.

I would rate this solution an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.