Acunetix by Invicti Overview

Acunetix by Invicti is the #8 ranked solution in our list of AST tools. It is most often compared to OWASP Zap: Acunetix by Invicti vs OWASP Zap

What is Acunetix by Invicti?

Acunetix Web Vulnerability Scanner is an automated web application security testing tool that audits your web applications by checking for vulnerabilities such as SQL injection, cross-site scripting, and other exploitable vulnerabilities.

Acunetix by Invicti is also known as AcuSensor.

Acunetix by Invicti Buyer's Guide

Download the Acunetix by Invicti Buyer's Guide including reviews and more. Updated: October 2021

Acunetix by Invicti Customers

Joomla!, Digicure, Team Random, Credit Suisse, Samsung, Air New Zealand

Archived Acunetix by Invicti Reviews (more than two years old)

BK
Manager for Technology Services at a non-tech company with 10,001+ employees
Real User
Offers good vulnerability scanning options for analyzing the security loopholes on the website

Pros and Cons

  • "The vulnerability scanning option for analyzing the security loopholes on the websites is the most valuable feature of this solution."
  • "In terms of what needs improvement, the way the licensing model is currently is not very convenient for us because initially, when we bought it, the licensing model was very flexible, but now it restricts us."

What is our primary use case?

Our primary use case of this solution is to scan web vulnerabilities.

What is most valuable?

The vulnerability scanning option for analyzing the security loopholes on the websites is the most valuable feature of this solution. 

What needs improvement?

In terms of what needs improvement, the way the licensing model is currently is not very convenient for us because initially, when we bought it, the licensing model was very flexible, but now it restricts us.

For how long have I used the solution?

I have been using this solution for four years now.

What do I think about the stability of the solution?

The stability is very good. 

What do I think about the scalability of the solution?

We currently have two users using this solution in my company. Their roles are in IT security. We only require one staff member for the deployment and maintenance of this solution. 

How are customer service and technical support?

I haven't needed to contact their technical support. 

How was the initial setup?

The initial setup of this solution was very straightforward. The implementation didn't take much time. 

What about the implementation team?

We did the implementation ourselves. 

What was our ROI?

We have absolutely seen ROI. 

What's my experience with pricing, setup cost, and licensing?

Licensing is on a yearly basis. I don't remember the exact cost; it's not about the cost, it's about the flexibility. We have a lot of websites to scan and we are looking for fewer instances and to scan more websites.

The costs aren't very expensive. It costs around $3000 or $4000. There aren't additional costs.

Which other solutions did I evaluate?

We are in the process of evaluating other solutions. We are looking to switch because of the complex licensing. 

What other advice do I have?

It's a very easy deployment and easy application. I don't think you need some kind of training or expertise to manage the solution. For us it just works, so we are happy about that. 

I would rate it an eight out of ten. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
reviewer1155117
User
Real User
Testing websites is fast and efficient, but the executive summary reports need improvement

Pros and Cons

  • "The automated approach to these repetitive discovery attempts would take days to do manually and therefore it helps reduce the time needed to do an assessment."
  • "It would be nice to have a feature to "retest" only a single vulnerability that the customer reports as patched, and delete it from the next scans since it has already been patched."

What is our primary use case?

I am a freelance consultant and I use this product to scan customers' websites.

Most of the time, I use it to perform black-box analysis. The automated approach to these repetitive discovery attempts would take days to do manually and therefore it helps reduce the time needed to do an assessment.

How has it helped my organization?

It has helped me to discover some vulnerabilities in the web applications (like Cross-site scripting or SQL injection) and it helps to reduce the time it takes to perform a vulnerability assessment or a penetration test against a customer's web application.

What is most valuable?

This solution is easy and quick to set up and use. Most of the time, all it takes is entering a website's URL and clicking on the scan button.

Obviously, this is not usually the recommended way to use it, but to get an initial picture of the target's possible vulnerabilities it is a very comfortable starting point.

In fact, often a proper penetration test requires emulating a real user of the target application and logging in.

The vulnerabilities that can be discovered when logged in normally outnumber the ones that can be discovered by a "simple" black-box approach.

Acunetix allows recording a login session and replaying it during its attack phase, and this is quite convenient.

What needs improvement?

It would be interesting to do differential scans. Normally, after the initial scan, the customer will start patching the discovered vulnerabilities. It would be nice to have a feature to "retest" only a single vulnerability that the customer reports as patched, and delete it from the next scans since it has already been patched.

The executive summary reports could be improved with some graphs and a very short description of what has been discovered in a way that can be understood by C-level people.

For how long have I used the solution?

Two years.

What do I think about the stability of the solution?

So far I did not have any critical stability issue.

What do I think about the scalability of the solution?

I have not yet used the product to test extremely huge and complex web sites. For "normal" ones the performance is acceptable, even if sometimes it seems "stuck" at a certain scan percentage. In this case, normally I just wait and later it will advance again.

How are customer service and technical support?

The customer service is quite helpful. The time to fix issues is not too quick, so in the case of time-restricted projects for some customers, this might become a problem. Sometimes, identifying the exact issue to fix is not easy.

Which solution did I use previously and why did I switch?

Previously I was using IBM Rational AppScan, Burp Suite, and some other open-source tools.

I switched from AppScan to Acunetix mainly because of a better price/value ratio when I had purchased my perpetual license (which now, unfortunately, is not available anymore).

How was the initial setup?

The initial setup is very easy and straightforward.

What about the implementation team?

I implemented it myself.

What was our ROI?

After two years it's about 300%.

What's my experience with pricing, setup cost, and licensing?

When I first purchased my license the price/value was very good because I purchased a perpetual license and the annual maintenance fee was extremely competitive. Now, unfortunately, my perpetual license does not exist anymore and my maintenance costs will increase in the next years.

All things considered, I think it has a good price/value ratio.

Which other solutions did I evaluate?

I tried some of the other commercial web vulnerability scanners such as Burp Professional embedded and IBM Rational AppScan.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
ZB
Security Engineer at a tech services company with 51-200 employees
Real User
It provides quite a lot of information about vulnerabilities, but we are also receiving false positives around cross-site scripting vulnerabilities

Pros and Cons

  • "Their technical support has been very active. If I have an issue, I can reach out to them and get an answer pretty quick."
  • "You can't actually change your password after you've set it unless you go back into the administration account and you change it there. Thus, if you're locked out and don't remember your password, that's a thing."

What is our primary use case?

We use it as a dynamic scanner for testing our websites. We also adjust it into another tool that we use which allows us to share our report with our developers.

How has it helped my organization?

It has been able to find some vulnerabilities, and we've been able to remediate our websites and vulnerabilities, thanks to Acunetix. We can go back in and have them retested, which is kind of nice, because we can click on the vulnerabilities which it has found. It will also give us quite a bit of information, along with responses, so we can go back and manually test it to make sure it's not a false positive. So, it has been especially useful in that way.

What is most valuable?

The crawl only scan for trying to figure out at which points of the site that you'll actually be able to reach within the full scan. That's pretty useful. If you're just trying to test your login sequence, it is nice. It'll tell you which parts of your website it will initially scan, and you can actually go through and disable parts if you know you're not going to have to scan those parts. Then, later on, you go back and do a full scan for deep penetration of the site.

What needs improvement?

There are quite a few false positives that come out. It's mostly based upon finding XSS vulnerabilities, even though we know that XSS vulnerabilities do not exist within some of the web applications because of some frameworks we're using. So, we're not entirely sure why it finds a bunch of these cross site scripting vulnerabilities, but these are main false positives that we have come across.

You can't actually change your password after you've set it unless you go back into the administration account and you change it there. Thus, if you're locked out and don't remember your password, that's a thing.

If you're exporting vulnerabilities to view so you can ingest them into another viewer, the ability to select all the vulnerabilities would be nice. Because as of right now, you have to manually go through and click on every single vulnerability that you want to export.

With the implementation, when we started, there were a lot of issues. They've actually fixed a lot of the issues in the past (almost) year now. Initially, when you were creating a login sequence, when you wanted to edit it, you actually had to go back, open it in a text document, then edit the request that way because you weren't able to edit it through the GUI. Now, they've updated that, so you can actually go back and edit it, which is very nice.

We had some issues, not particularly bugs, like with the user interface, e.g., "Why isn't this here?" Just specific tools that we were looking for initially, which they ended up implementing later on.

For how long have I used the solution?

Less than one year.

What do I think about the stability of the solution?

We have not recently had any stability issues. We were having some issue with the speed of the login initially, but ever since they updated that, it has gotten a lot better.

Only one person is needed for maintenance. It's pretty low maintenance. They'll send you an email update when there's a physical update to the application. You just go and download the new application, then install it the same way you would have originally. It keeps all your scans and targets, so it is very easy for maintenance.

What do I think about the scalability of the solution?

The scalability has moved along nicely and been able to keep up with the expansion of our website and the added targets. However, with a dynamic scanner, the scans take longer as the site gets larger. So, there is more tweaking here and there about what would be best in how to speed up the scans and what we really need to include when we are scanning. This is quite easy to adjust: How we are going to be scanning and what we are going to be scanning.

We have 15 plus targets. We set them up on a schedule, so we can get the most scans here and there on a continuous line. We have eight people currently using it.

How are customer service and technical support?

Their technical support has been very active. If I have an issue, I can reach out to them and get an answer pretty quick.

I had a one-on-one meeting with a support analyst at Acunetix and gave them a bunch of feedback on what we thought. We saw some of those ideas trickling out into the next release, and some releases after that. While I don't know if they're responding directly to requests, or some other person had these suggestions ahead of us, they definitely are putting in more positive changes.

Which solution did I use previously and why did I switch?

I'm still learning how to use this solution. We were using the Burp Suite and its scan before this, which is very similar. I would actually say that the Burp Suite finds quite a bit more vulnerabilities than Acunetix does.

How was the initial setup?

It was very easy to set up. It was just almost plug and play. Initially, it was not Linux compatible, but after a little while they actually came out with compatibility for Linux, which was nice.

We use it on Windows now. Initially, I wanted to set it up on a Linux box, and it didn't have compatibility for that, but they added the compatibility over the past several months, I just never really got around to installing it onto the Linux boxes. Now that we have everything already set up here, we don't really want to migrate a bunch of our scans.

The deployment took me a week to a week and a half to do, get everything set up, and all our first scans tested. However, this was from a very inexperienced point of view. I'm sure somebody who was more experienced and didn't come fresh out of college would've been able to set it up in a day.

Everything is web-based and relatively intuitive, which is very nice. Knowing what I know now versus back then, the first thing I would've done is set up a certification for a web portal. However, I installed it as it was correctly, but I was very cautious about what I was doing because I wasn't very experienced. It was a very easy install and set up.

What about the implementation team?

I did the implementation with another security engineer. There is a lot of documentation to help, with a lot of forums on the Acunetix website and off of the Acunetix website.

What's my experience with pricing, setup cost, and licensing?

Our license is good through June. We're really trying to ramp up here to see if it is a viable option to renew it.

Which other solutions did I evaluate?

We still do use Burp suite on the side. We use it a lot for manual testing and still use it for dynamic testing.

We decided to try Acunetix to see if it would find any different vulnerabilities, etc.

What other advice do I have?

While there has not been any real reduction in remediation time, there has been a reduction in scan time. Because when you're doing a Burp scan, it can take a long time. Whereas, with Acunetix, you can basically just set it, then it will scan throughout the night.

On bigger sites, the speed can be a little tricky unless you are narrowing it down to smaller sections of the site. On small sites, half a million lines of code or less, it has gotten pretty nice and quick, down to a couple hours now for a whole scan. So, it's getting there. They are pushing out quite a few updates, every now and then.

There is something called AcuSensor, and you can install that on local servers for a deeper scan. This has worked for us, but we haven't installed it on all of our boxes yet, but I think we will pretty soon.

It's been used quite extensively here within our company. Every website is using this along with other scanners.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
DD
Senior Security Engineer at an insurance company with 10,001+ employees
Real User
Our apps are more secure because the solution improves our processes and findings

Pros and Cons

  • "We are able to create a report which shows the PCI DSS scoring and share it with the application teams. Then, they can correlate and see exactly what they need to fix, and why."
  • "We have had issues during upgrades where their scans worked on some apps better with previous versions. Then, we had to work with their tech support, who were great, to get it fixed for the next version."

What is our primary use case?

We are doing dynamic code testing with some of our different websites and other applications that we've developed in-house.

Right now, we are doing the basic kick-off the target, control, and see what it comes up with in the report. We haven't done any importing yet.

We are using the Windows onsite solution.

How has it helped my organization?

We have had more success with this particular product being able to control our different applications better than some of the other applications that we have used in the past, as far as checking for vulnerabilities. We know our apps are more secure.

It takes a few weeks just to look at the entire process. We take the reports, send it to the business team, who give it the analysts, and then come up with the remediation plan. Afterwards, we scan it again unless there are critical issues, which are done in less time.

What is most valuable?

The ability to be on the website and test for different vulnerabilities. 

We are able to create a report which shows the PCI DSS scoring and share it with the application teams. Then, they can correlate and see exactly what they need to fix, and why.

I can have a scan set up within five to ten minutes by double checking the login script works, so it doesn't take long at all.

We have found a few cross-site scripting vulnerabilities.

What needs improvement?

On the vulnerabilities screen, where you put your target on the drop down, it would be nice to have more choices, not have such limited options.

One thing that we used to be able to do in other applications with a macro was step-by-step filing in the fields of the app and being able to test certain forms. I haven't seen this in Acunetix. This would be a longer macro instead of doing a login, i.e., we are looking for a workflow process.

We have experienced few false positives. Though, it does depend on the application because sometimes it will identify false positives on one application, but not on another.

For how long have I used the solution?

Less than one year.

What do I think about the stability of the solution?

The solution is stable.

We have had issues/hiccups during upgrades where their scans worked on some apps better with previous versions. Then, we had to work with their tech support, who were great, to get it fixed for the next version. This has been frustrating, because there have been some tweaks that hurt us from this perspective. This hasn't happened on every release, just a couple.

I am the main user for the product. We also have a couple of other people on staff who run scans.

What do I think about the scalability of the solution?

It seems to be scalable. Right now, we are just using it at our primary locations and are scanning about 25 different apps. We are looking at the process of being able to scan more than one app simultaneously. It should fit our needs going forward.

How are customer service and technical support?

The technical support has been very helpful, and pretty quick to respond to emails or when I call in. 

Which solution did I use previously and why did I switch?

The speed is phenomenal. Some of our applications can do a scan in less than ten minutes, even some of our bigger scans. We were using Micro Focus Fortify WebInspect when it was owned by HPE, and it would take two or three days for it to scan everything. Acunetix can scan everything within 13 hours, which is sort of a long time, but still much shorter than the other apps that we were using. So, it seems to be pretty quick and pretty thorough.

We switched solutions because of cost and the timing of the scans was taking too long. 

How was the initial setup?

The setup is very straightforward with the database and the way that we use it. 

They have a very good support website, so you can find out answers to questions and reach out to the support team. 

Downloading and updating the software took ten to 15 minutes (deployment). I am the person who does the deployments and upgrades.

What about the implementation team?

We did the deployment in-house. We did use the Acunetix support when dealing with the install or any type of setup piece. It was seamless, which was good.

What was our ROI?

We found it to improve our processes and findings. 

The solution is paying for itself, as our applications are more secure.

We have found several hundred medium to high level vulnerabilities in our applications. In just one application, we were able to identify 75 of these vulnerabilities.

What's my experience with pricing, setup cost, and licensing?

The pricing and licensing are reasonable to a point. In order to run multiple scans at a time, we are going to have to purchase a 100 count license, which is overkill. Though, compared to what we were paying for, the cost seems reasonable.

Which other solutions did I evaluate?

We went with the recommendations of our parent company. This was one of the approved solutions.

What other advice do I have?

It is a pretty good product.

Do a demo and test whatever application that you are using right now. If you have a site where it is more difficult to identify vulnerabilities, or you have issues scanning, use this to check your particular software. If it can handle your more challenging apps, then it will definitely handle the easier, less technical sites. 

We view it on a very traditional PC. Aesthetically, you can see what you are looking for. Unfortunately, we don't utilize the dashboard as much as we should and take full advantage of it. Right now, we're pretty much in the infancy of building the solution. It's nice to be able to look at the dashboard and see the vulnerabilities which are there. However, at this time, we are not doing the retesting with the scans to clear them out. So, we are not taking advantage of this feature.

We are looking to increase the usage of the product to do multiple scans. We will potentially be increasing the number of applications that we are scanning. We are also looking to add the AcuSensor piece with our Jenkins Pipeline, but we haven't gotten there yet.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Vijayanathan Naganathan
Director - Head of Delivery Services at Ticking Minds Technology Solutions Pvt Ltd
Real User
Fantastic reporting output but vulnerable requests currently need to be picked from the report and repeated with other tools

What is our primary use case?

Assessing top OWASP in applications.

How has it helped my organization?

Greater confidence in go-live for multiple application releases over their release cycles.

What is most valuable?

  • Login Sequence Recorder
  • Scan throttling
  • Fantastic reporting output.

What needs improvement?

Acunetix runs the automated vulnerability check scan and provides a report. Testers/developers need to copy these vulnerable HTTP/HTTPS requests from the report, use other external tools like Postman to resend the request, observe the vulnerability and exploit them. If this were available within the Acunetix tool, it would have been a great feature.

For how long have I used the solution?

One to three years.

How was the initial setup?

Installation was quite simple.

What about the implementation team?

I was the vendor who utilized this tool for the customer.

What's my experience with pricing, setup cost, and licensing?

The tool is quite expensive compared to other tools, though. We tried it with a term license.

Which other solutions did I evaluate?

Zap and BurpSuite were the other tools evaluated.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
JW
Senior Security Engineer at a media company with 1,001-5,000 employees
Real User
Interactive Application Security Testing provides more in-depth, granular findings, but integration with other tools is very limited

Pros and Cons

  • "One of the features that I feel is groundbreaking, that I would like to see expanded on, is the IAS feature: The Interactive Application Security Testing module that gets loaded onto an application on a server, for more in-depth, granular findings. I think that is really neat. I haven't seen a lot of competitors doing that."
  • "Integration into other tools is very limited for Acunetix. While we're trying to incorporate a CI/CD process where we're integrating with JIRA and we're integrating with Jenkins and Chef, it becomes problematic. Other tools give you a high integration capability to connect into different solutions that you may already have, like JIRA."

What is our primary use case?

Dynamic application security testing is our primary use case. I don't know if it would be used as a primary solution, but as a supplemental solution, Acunetix is very good for scanning applications and finding vulnerabilities.

We're a global organization. We're a large book publisher around the world. We use it globally: China, Australia, Europe, Asia, India, South America, Canada, and the USA. It's a global solution.

How has it helped my organization?

It has been instrumental in supplementing services that we already have. 

What is most valuable?

Scheduling of testing cuts down on the manual, tedious activities that go into setting up a test site.

One of the features that I feel is groundbreaking, that I would like to see expanded on, is the IAS feature: The Interactive Application Security Testing module that gets loaded onto an application on a server, for more in-depth, granular findings. I think that is really neat. I haven't seen a lot of competitors doing that.

What needs improvement?

I would like to see them build up that IAS tool, the Interactive Application Security Testing module that is embedded with PHC. That's a very cool function.

I would also like to see them enhance the database. I don't know what version of OWASP Top Ten vulnerabilities they actually employ for Acunetix, but there are some versions of OWASP Top Ten vulnerabilities out there and I would like to see some PCI included as well within Acunetix. That would be great.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

The stability is great. We have never had any service drops. Whether we have run a web service where we allow our security professionals to access Acunetix over a URL, we have never had any problems with someone signing into the actual server and running Acunetix from a platform; or from an application perspective, where they're launching applications from the desktop of the server. Both have been pretty great. 

What do I think about the scalability of the solution?

We are only using Acunetix as a secondary solution. We already employ Qualys as our primary solution but that was getting overworked. We needed to relieve it of some of the workload that we were sending it. What we did was look at a solution like Acunetix to help supplement some of the work that Qualys is doing for us. But since it is a secondary tool, scalability was never really an issue because we weren't asking the solution to scale at all.

How are customer service and technical support?

Tech support is not 24-hour. It's more of a ticketing-type solution where you e-mail the support team. We always go through our reseller for support. Response time is average, about a day or so until they respond.

How was the initial setup?

The setup and upgrades could be easier. I would like to see a wizard to take you step-by-step.

Upgrading v7 to v8, we had to do a fresh reinstall. We had to uninstall it and reinstall it rather than just reaching out, grabbing an update and having it fix itself. We had to go into some files and re-input a key and we actually needed to call support to help us with upgrading from 7 to 8. We had to create a support ticket, call one of the resellers of Acunetix, and get some assistance with that.

So a wizard would be great, a step-by-step instructional program that guides administrators or security professionals along the way, especially with upgrades from version to version or initial installs.

They should make it a little easier for security professionals or system administrators to get the software into the actual infrastructure. Without that, people are running around, searching for Wikis and documentation that supports deployment on multiple devices. I know when I was first working with Acunetix and getting it deployed into our environment, we ran across those issues. I would like them to make it a little easier, where automation plays a key in driving deployment of Acunetix, versus a manual installation process.

If you know what you're doing, the deployment of Acunetix can take less than 30 minutes.

What about the implementation team?

Everything was done internally.

What was our ROI?

Return on investment is hard to track because it really depends on the criticality of the vulnerabilities and what the business costs or impact could be if those vulnerabilities were actually exploited. We have a vigorous application security program so testing activities like SAST and DAST must take place. I know if we were to remove our DAST program and not test our websites, we could see an immediate cost-effect as a result. But since Acunetix is used as a secondary tool, we don't know if it actually provided any real cost metrics where we could say: "Okay, because of our use, we have saved X amount of dollars because it found Y amount of vulnerabilities that saved us Z amount of time remediating." Those metrics are not known.

What's my experience with pricing, setup cost, and licensing?

We have a corporate deal and we're almost at the end of that contract. We are looking to renew Acunetix, but we were told that the price was increasing greatly because of some advanced capabilities, or miscalculations of value. It's increasing by 3.5-fold from what the initial quote was. Because of that, we have to go back to the drawing board and figure out cost-to-capability value, versus features that we could get for that same amount.

At the current pricing structure, it doesn't save us money. It winds up costing the program money due to the fact that it's increasing in cost. At the time when we signed up initially, it was very beneficial because of its cost. When we looked at all other vendors and what they were asking, to provide a third of what Acunetix was capable of doing, it was an easy decision. With the IAS modules and everything else that we got as an add-on, it made it a real value compared to all the other competitors out there. But now that it's coming to a cost where it's in line with market value, it becomes more of a competition.

Which other solutions did I evaluate?

There were other tools in the running, although I don't remember off the top of my head which ones. At the time, Acunetix was the winner mainly based on pricing and capability. 

As I said, Acunetix is a secondary tool for us. We use Qualys as our primary DAST solution and when that gets overloaded we turn to Acunetix to supplement some of the load that we're putting on our prime solution.

Compared to other vendors in the field, the speed of Acunetix is just about average. Something like Micro Focus WebInspect scans about ten percent faster. If you're looking at IBM AppScan it might be five percent faster. We're not looking at a huge percentage difference in the time Acunetix takes to scan versus others.

The false-positive rate of Acunetix is definitely not perfect. No tool is going to avoid all false-positives. The false-positive rate of Acunetix falls - I don't want to say below average - but it's almost the same as everyone else. What I have to say, honestly, is that I do find myself correcting a lot of the false-positives that show up in Acunetix right now. We don't get a 50 percent margin, but I estimate that 25 percent of the reported vulnerabilities are false-positives in Acunetix.

What other advice do I have?

At the current pricing structure, I would tell people to do their research. If you have X amount of dollars to spend in the budget, and you're looking for a good solution, definitely consider Acunetix, but also consider other tools for similar features and functionalities where you may get a little bit more bang for your dollar, frankly, versus a tool that's still maturing as it's starting to take market share. Acunetix is a very intermediate tool. It's not an advanced DAST solution. It's still in its infancy. There's a lot of the solution to still build out, a lot of features to still work on, but it is definitely a tool that's worth looking into. Keep in mind, for that same price structure, you can get more established, more brand-name solutions.

The speed of the solution is about average. I use a lot of DAST solutions and I can't say that I'm blown away by the amount of time it takes to complete a security assessment, but I do like that it's not slow. It's not the fastest tool I've ever seen, but it's not the slowest tool I've ever seen, so it meets my expectations. It is a fast application but I'm not blown out of the water by it.

It definitely meets the benchmark. Like I said, it doesn't fall below expectations. When you're running Acunetix against a site, looking for security vulnerabilities, you're not blown away by the speed, but you're not sitting there for a day-and-a-half waiting for results or waiting for a scan to complete. It really depends on the size of the application and the granularity of that application. Acunetix performs just as expected. It's not a bad thing. 

We have very large applications, so it could be less about the solution and more about the depth of our applications. A lot of our applications have special prerequisites that Acunetix just can't expect or predict. A lot of it is giving Acunetix the proper permissions and things of that nature to go in-depth with DAST scans. On average, depending on the application, it can take anywhere from six to eight hours.

We host Acunetix on our own environment. I don't think they have a SaaS solution yet. We host it in an Azure environment where we put it on our own server - a dedicated server - specialized for doing DAST security scans - and we are happy. We're not unhappy with Acunetix, but we're not greatly excited that this is the best tool ever. But we are very impressed by some of the things that it has been doing. It's that middle ground. It's a good tool. I would definitely recommend it.

The remediation rate is based on the maturity of our development team. Acunetix doesn't provide a format that makes remediation easier. It does what every tool does and gives us the vulnerability, explains the vulnerability, and gives us some remediation guidelines or tips, but that's what everyone does. So it really depends on the workload of our development team, and what backlog they have or what their sprints look like going into the next cycle. It has very little to do with the tool and more to do with the capability and workload of the development teams.

Using it on a secondary basis, we have found some medium vulnerabilities but no critical vulnerabilities which required immediate remediation. What I do notice about Acunetix is that there's a lot of "white noise," a lot of "background noise," things that just don't apply. When filtering those out and removing the false-positives that don't apply to the actual application, we may find one cross-site scripting. That may be a medium vulnerability but not a high vulnerability because of business impact. There are different risk ratios that we apply to different findings, but we haven't found anything critical with Acunetix. It could just be that we don't have any critical vulnerabilities in that environment - although I don't think that's the case. In terms of DOM-based cross-site scripting vulnerabilities, it all depends on the application.

We don't have it deployed on any Linux server. It's on our Windows environment. We have it in Azure, in a cloud, so it's a Microsoft framework that we have Acunetix installed on top of.

All of our users of Acunetix are in development and security roles. The number of users is well into the hundreds. I administrate the tool, I set the roles and also manage users and user interface and interaction. We have a dedicated server team that does maintenance and deployment. If we need to deploy another instance of Acunetix, that is usually done by our server team. They handle all server infrastructure activities. I am the senior security engineer, so I handle all security-related activities.

We don't have plans to increase our usage of Acunetix. We may stop usage. Acunetix is raising the cost of licensing. It's 3.5 times what we were initially quoted. As a secondary solution, we're trying to figure out, is it worth the extra cost just to have it do some supplemental scans for us. We're still evaluating that.

Overall, Acunetix is definitely a seven out of ten. I like the product. It's doing a lot of what its competitors are doing. It's running great DAST scans and it has a rich database of vulnerabilities that it can report and it also provides a web component of its solution where you don't necessarily have to sign on to a physical server or a virtual device to interact. You can, but you can also contact Acunetix through a web interface, which is great. But the interface, in general, is still very simplistic, which may be a good or bad thing. The reporting could be a little bit better. When ending a scan I would like to see more graphical representations, maybe trends from scan to scan, of how the overall maturity is going of the application project that it's scanning or assessing. The reporting is okay. It does give you the option to do PDFs or CSVs. More reporting formats, like an Excel format, maybe an XML format, would be great.

Integration into other tools is very limited for Acunetix. While we're trying to incorporate a CI/CD process where we're integrating with JIRA and we're integrating with Jenkins and Chef, it becomes problematic. Other tools give you a high integration capability to connect into different solutions that you may already have, like JIRA. All findings that Acunetix happens to run across could be sent straight to JIRA. That would increase our remediation rate because it's very seldom that developers read PDFs of security vulnerabilities. One of the things that Qualys does is allow us to integrate into our JIRA environment, into our Jenkins environment, etc. We haven't seen the same capabilities with Acunetix. 

Because of these things, I have to give it a seven. It's ultimately a great tool, a great scanner, and you can really rely on some of its findings once it's tuned.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
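The reviewer above raises three things that a DAST scanner with PDF/CSV reports and thin integrations leaves to the security team: an estimated 25 percent false-positive rate that has to be triaged by hand, no scan-to-scan trend view, and no way to push findings into a tracker such as JIRA. The script below is an added example, not code from the review or from Acunetix, of the glue a scanner administrator typically writes for that gap: it diffs two CSV exports into new, fixed and persistent findings and applies a human-maintained suppression list so a verified false positive stops reappearing. The column layout (severity, name, url, parameter) and both exports are constructed for the example; a real export has to be mapped onto those four fields first, and the fingerprint deliberately drops the query string so the same issue found with a different probe value still matches.

```python
"""Diff two DAST CSV exports and suppress verified false positives.

Added example, not part of the original review and not Acunetix's own
tooling. The column layout below is an assumption; map a real export onto
(severity, name, url, parameter) before feeding it in.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

# Constructed sample exports (not real scanner output).
PREVIOUS_SCAN = """severity,name,url,parameter
High,SQL Injection,https://app.example.test/search?q=1,q
Medium,Cross-site Scripting (reflected),https://app.example.test/profile?name=x,name
Low,Missing X-Frame-Options header,https://app.example.test/,
Low,Missing X-Frame-Options header,https://app.example.test/login,
"""

CURRENT_SCAN = """severity,name,url,parameter
Medium,Cross-site Scripting (reflected),https://app.example.test/profile?name=y,name
Medium,Cross-site Scripting (reflected),https://app.example.test/comment?text=z,text
Low,Missing X-Frame-Options header,https://app.example.test/,
Low,Missing X-Frame-Options header,https://app.example.test/login,
"""

# Hypothetical triage decision: a human verified this one does not apply
# (e.g. the page is framed only inside the same origin by design). The key
# uses the same fingerprint as the findings, so it survives re-scans.
SUPPRESSED: Set[Tuple[str, str, str]] = {
    ("missing x-frame-options header", "app.example.test/login", ""),
}


@dataclass(frozen=True)
class Finding:
    severity: str
    name: str
    location: str   # host + path; the query string is dropped on purpose
    parameter: str

    @property
    def key(self) -> Tuple[str, str, str]:
        # Stable fingerprint across scans: never key on scan IDs, timestamps
        # or the probe value the scanner happened to inject this time.
        return (self.name.lower(), self.location, self.parameter.lower())


def parse_export(text: str) -> List[Finding]:
    """Parse a CSV export with the assumed four-column layout."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        u = urlsplit(row["url"].strip())
        findings.append(Finding(
            severity=row["severity"].strip(),
            name=row["name"].strip(),
            location=f"{u.netloc}{u.path or '/'}",
            parameter=(row.get("parameter") or "").strip(),
        ))
    return findings


def diff_scans(previous: List[Finding], current: List[Finding],
               suppressed: Set[Tuple[str, str, str]]) -> Dict[str, List[Finding]]:
    """Classify current findings against the previous scan.

    new:        present now, absent before, not suppressed (needs a ticket)
    fixed:      present before, absent now (close the ticket)
    persistent: present in both, not suppressed (ticket still open)
    suppressed: present now but on the verified-false-positive list
    """
    prev = {f.key: f for f in previous}
    cur = {f.key: f for f in current}
    new = [cur[k] for k in sorted(cur.keys() - prev.keys()) if k not in suppressed]
    fixed = [prev[k] for k in sorted(prev.keys() - cur.keys())]
    persistent = [cur[k] for k in sorted(cur.keys() & prev.keys()) if k not in suppressed]
    muted = [cur[k] for k in sorted(cur) if k in suppressed]
    return {"new": new, "fixed": fixed, "persistent": persistent, "suppressed": muted}


def summarize(report: Dict[str, List[Finding]]) -> Dict[str, int]:
    """Counts per bucket, the numbers a trend chart would be drawn from."""
    return {bucket: len(items) for bucket, items in report.items()}


if __name__ == "__main__":
    report = diff_scans(parse_export(PREVIOUS_SCAN), parse_export(CURRENT_SCAN), SUPPRESSED)
    print(summarize(report))
    for f in report["new"]:
        print(f"NEW  [{f.severity}] {f.name} at {f.location} param={f.parameter!r}")
```

With the constructed data this reports one new finding (the reflected XSS on /comment), one fixed (the SQL injection on /search), two persistent and one suppressed; the /profile XSS is counted as persistent even though the scanner's probe value changed between runs, which is exactly why the query string is excluded from the fingerprint. The `new` bucket is what would be turned into tracker issues, and the suppression set should live in version control with a short justification per entry so the false-positive decision is reviewable.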
JT
Lead Information Security Engineer at a financial services firm with 1,001-5,000 employees
Real User
Web-based GUI and the ability to schedule scans are great, but findings are hard to manually replicate

Pros and Cons

  • "The most important feature is that it's a web-based graphical user interface. That is a great addition. Also, the ability to schedule scans is great."
  • "It should be easier to recreate something manually, with the manual tool, because Acunetix is an automatic tool. If it finds something, it should be easier to manually replicate it. Sometimes you don't get the raw data from the input and output, so that could be improved."

What is our primary use case?

We use it for internal penetration testing, for security reviews.

Acunetix is just one tool of many that we use. We try to cover as much as possible during assessments. We do security assessments of all the code and everything we develop internally. When we do a security assessment, we do a manual code review and we use different kinds of tools, as well as manual testing against the application, etc. It's just one tool within many that we use. It has been very useful in that it's found things that we otherwise might have missed.

How has it helped my organization?

As a team, it's helped us to deliver better security assessments. There are only two of us here who do the penetration testing, and we've been providing better results from our testing.

What is most valuable?

The most important feature is that it's a web-based graphical user interface. That is a great addition. Also, the ability to schedule scans is great.

The speed of Acunetix has been pretty good. It's been the same as most other tools that we use, but it's been good.

What needs improvement?

It should be easier to recreate something manually, with the manual tool, because Acunetix is an automatic tool. If it finds something, it should be easier to manually replicate it. Sometimes you don't get the raw data from the input and output, so that could be improved. That's the main concern for me.

I would like to see some more advanced settings when it comes to authentication and authorization, and other fine-grain adjustments you could do to the scan engine. The advanced functionality could be a little bit better.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

We haven't had any issues with the stability. It's been very good.

What do I think about the scalability of the solution?

Since we only have two small licenses, I cannot judge the scalability. I haven't tried out how it scales.

How are customer service and technical support?

Technical support has been good. We had some issues or comments, mostly, on the features. We have asked for features and support has been pretty good. They've been very responsive.

Which solution did I use previously and why did I switch?

The speed of Acunetix would be about the same as previous solutions we've used. Most of the time I just kick it off, walk away, come back later, and check it out. The speed is not the most important thing for us. Of course, we don't want it to drag on too long.

The false-positive rate has also been comparable to most other tools we use. I wouldn't say that it's best-in-class. One of the biggest problems I've had with Acunetix is that it's hard to replicate things manually because you don't get the raw packet. Its debugging functionality hasn't been the best.

How was the initial setup?

The initial setup was very straightforward. The deployment took a couple of minutes. It didn't take long at all. There wasn't really an implementation strategy. We just installed it - nothing special - on our workstation.

There are just the two of us who take care of the deployment and maintenance.

What about the implementation team?

We did it ourselves.

What was our ROI?

I can't share data points, but we have seen ROI. Otherwise, we wouldn't have renewed the license. Every year we evaluate if we're going to keep a vendor or not. Since we have renewed our license, we think it has ROI value.

It's impossible to answer whether it has saved us money in the long-term, but of course, since we use automatic tools, we don't need as many personal testers. However, personal testers also find a lot of bugs that automatic tools don't find. You need a combination of both.

What's my experience with pricing, setup cost, and licensing?

Acunetix was around the same price as all the other vendors we looked at, nothing special.

Which other solutions did I evaluate?

We just did a PoC with a couple of different vendors, and we liked Acunetix the most.

What other advice do I have?

Think about the usage of the product. What are you going to use it for? Try to see the whole picture. It's very important to see the whole picture: This is one component in web application security testing. It's not only the security scanner.

If you ask how long it takes to complete a scan using this solution, it's like asking, "How long is a rope?" It's very dependent on the applications. It can be anything from 20 minutes to many hours, even 12 to 18 hours.

We use it for ten or 15 websites or locations. We just do a test and then we come back. We have many applications that we test yearly, but we don't do continuous scanning with Acunetix. We just use it for our security assessments. In terms of increasing usage of Acunetix, I think we're happy where we are now. It's being used all the time during assessments, every week, almost daily.

Because we don't do continuous scanning of production environments, we can't say how long it takes to remediate problems. We only do scanning when we do code development. Remediation could be anything from hours to weeks, depending on the developers. And it's nothing that's in production, so it doesn't matter if it's one or two or five days or hours.

We haven't found many high-level vulnerabilities, more mediums, and a lot of lows.

I would give Acunetix a seven out of ten. It's been a great tool for doing dynamic web application security testing, but it's not as versatile as Burp, which is more focused on manual testing. On the other hand, it has a lot more tests than Burp's active scanning has. I think it's a good product and it's being actively developed.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
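The main complaint in the review above is that an automated finding is hard to replicate by hand when the report does not hand over the raw request and response. What a report usually does give is the URL, the injected parameter and the payload, and that is enough to rebuild the request yourself. The script below is an added example, not code from the review or from Acunetix: it reconstructs the raw HTTP request from those three fields, replays it, and checks whether the payload comes back unescaped (confirmed) or HTML-encoded (likely a false positive). The target is a constructed local endpoint that reflects a `name` parameter raw on /profile and escaped on /safe, so the whole thing runs offline; the finding fields and payload are assumptions standing in for a real report entry.

```python
"""Replay a reflected-XSS finding by hand from the fields a report gives.

Added example, not from the review and not Acunetix tooling. It assumes the
report provides at least the URL, the injected parameter and the payload; a
constructed local endpoint stands in for the real application.
"""
import html
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed payload from a hypothetical report entry.
PAYLOAD = "<svg onload=alert(1)>"


class ReflectingHandler(BaseHTTPRequestHandler):
    """Constructed test target: /profile reflects `name` raw (vulnerable),
    any other path HTML-escapes it (the hardened form)."""

    def do_GET(self):
        u = urlsplit(self.path)
        name = parse_qs(u.query).get("name", [""])[0]
        shown = name if u.path == "/profile" else html.escape(name)
        body = f"<html><body>Hello {shown}</body></html>".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_target() -> HTTPServer:
    """Serve the constructed target on an ephemeral localhost port."""
    srv = HTTPServer(("127.0.0.1", 0), ReflectingHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def build_request(url: str, parameter: str, payload: str) -> Tuple[str, int, str, str]:
    """Rebuild the request the scanner must have sent.

    Returns (host, port, request-target, raw request text). The raw text is
    what you paste into a manual tool or attach to the ticket.
    """
    u = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    params[parameter] = payload                     # overwrite the probe value
    target = f"{u.path}?{urlencode(params)}"
    raw = (f"GET {target} HTTP/1.1\r\n"
           f"Host: {u.netloc}\r\n"
           f"User-Agent: manual-replay\r\n\r\n")
    return u.hostname, u.port or 80, target, raw


def replay(url: str, parameter: str, payload: str) -> Dict[str, object]:
    """Send the rebuilt request and classify how the payload came back."""
    host, port, target, raw = build_request(url, parameter, payload)
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", target, headers={"User-Agent": "manual-replay"})
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", errors="replace")
    conn.close()
    return {
        "request": raw,                              # evidence for the ticket
        "status": resp.status,
        "reflected_raw": payload in body,            # confirmed: markup survives
        "reflected_escaped": html.escape(payload) in body,  # encoded: not exploitable as-is
        "body": body,
    }


def run_demo() -> Dict[str, Dict[str, object]]:
    """Replay the same finding against the vulnerable and hardened paths."""
    srv = start_target()
    port = srv.server_address[1]
    try:
        return {
            "vulnerable": replay(f"http://127.0.0.1:{port}/profile?name=x", "name", PAYLOAD),
            "hardened": replay(f"http://127.0.0.1:{port}/safe?name=x", "name", PAYLOAD),
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for label, result in run_demo().items():
        verdict = "CONFIRMED" if result["reflected_raw"] else "not reproducible (escaped)"
        print(f"{label}: HTTP {result['status']} {verdict}\n{result['request']}")
```

The useful part for triage is the two booleans: a payload reflected raw reproduces the scanner's claim, while a payload that only appears HTML-encoded is the classic DAST false positive where the scanner saw its marker string in the response and stopped looking. Keep the raw request text from `build_request` in the ticket so the developer can reproduce the issue without the scanner.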