Acunetix by Invicti Room for Improvement
The jargon used makes it difficult for project managers to understand the issues, and the technical explanations used make it difficult for developers to understand issues. These things should be simplified much more. That would be very helpful for us when explaining to them what needs to be fixed. The report output needs to be simplified.
The scanning speed could be faster. It digs really deep, so that could be one of the reasons why it takes a while. If I want to scan an application, it's going to take over three to four hours. That's something I think they could improve.
Instead of posting hundreds of requests to find the vulnerability, if it simply had the capability to find that particular vulnerability in the payload itself, that would make a big impact.
The vulnerability identification speed should be improved. It takes more time compared to other tools I have used.
Simply put, Acunetix passes too many payloads in order to identify one part of the ratio. That's probably why it can take a while to identify a particular issue. Other tools are able to identify vulnerabilities with just a few requests. Acunetix takes more time to make certain if a vulnerability exists. That's one of the areas which they can improve on.
The scan configuration could be improved. The first thing that we need to do is set up a site policy and a scan policy. By site policy, I mean we have to choose what kind of technology our site is developed with so that it will only pass payloads related to that technology.
For example, if I'm using MySQL or Python as my backend database, it will only check payloads related to MySQL or Python; it won't check Java or other programming languages.
We have to define the scanning configuration as well as the site configuration each and every time. This has to be done whenever we are adding a new set of sites or domains.
Other tools provide a list of predefined scan policies, but with Acunetix, we have to create our own every time. We have to spend a lot of time setting up these configurations, rather than just picking them from a vast variety of predefined sets of configurations, which is much easier.
Security Engineer at Secure Network
I had some issues with the JSON parameters where it found some strange vulnerabilities, but it didn't alert the person using it or me about these vulnerabilities, e.g., an error for SQL injection.
They need more customized scans along with a way to edit their default payloads. While you can select which check to do, you can't add which payload to use.
Normally, the product asks for the URL address before scanning a certain application. Acunetix is immediately used for web application scanning purposes for vulnerability assessment. However, it doesn't seem very helpful or useful for scanning web services, and that is what I feel the organization could work better on.
The pricing is a bit on the higher side.
IT Manager at a financial services firm with 1,001-5,000 employees
In general, this is a good tool to check the security from the attacker's standpoint. However, when thinking about improvements there are still some attacks that we are not able to control with this kind of tool because there are some things you do in the front-end that sometimes launch processes in the application at the back-end. We need to be able to tie all of the front-end activities with all of the back-end activities. That's a missing piece that no one is providing.
In terms of additional features, we are currently missing some tools that would allow us to work more efficiently with the mobile environment, with Android and iOS. The tools that we evaluated in the past are not really good for mobile applications. You can control the static code, you can control all the dynamic applications, but not within the phone, or within the tablet.
An area that we wanted to test was whether it ties up bandwidth and whether it throttles traffic.
How much bandwidth usage does it consume when it sorts out the traffic? When monitoring the traffic, we always have issues with the bandwidth consumption and the throttling of traffic.
Everything now is moving to the cloud. If they would consider SD1 possibilities, it would give it the longevity that it needs in the market. They may not need it, as they would be able to integrate it with other SD1 platforms as an extra feature.
By definition, they are not next-generation. The next-generation is fully cloud, properly load-balanced, and you would want something that is tailored along those lines from the get-go. It would give you more deployment, less support, and less technical hands looking at the solution.
Executive Director at a financial services firm with 201-500 employees
The costs for the licensing have changed, and it's not in our favor, which is why we're now looking at other options. One of our issues is that Acunetix only supports web scanning, with no mobile app for now. If they were to include that, it would mean not having to work on two separate tools.
Project Manager at a computer software company with 1,001-5,000 employees
The vendor messed up our contract when they changed the licensing scheme and downgraded our license without any notification. It was dropped from a premium license with unlimited scan targets to a professional license with 10 targets per year. This is insufficient for us because we have about 50 public websites, and twice that number between internal and development sites. We ran out of scanning targets after only two months, so we have been evaluating other products since then.
There is room for improvement with respect to technical support.
We were having trouble with our Active Directory Federation Services. They couldn't work out how to authenticate the websites.
There is room for improvement in website authentication because I've seen other products that can do it much better.
Cyber Security Associate at a financial services firm with 10,001+ employees
The solution limits the number of scans. It would be much better if we could have unlimited scans.
The solution should work on dealing with the number of false positives it delivers.
While we do have it integrated with other solutions, it could still offer more integrations.
We want to see how much bandwidth usage it consumes. When we monitor traffic, we have issues with the consumption and throttling of the traffic.