Overview
Invicti Security is an application security testing company headquartered in Austin, Texas, with engineering roots in Istanbul. The company was formerly known as Netsparker, a name that remains well-known in the application security community. Invicti operates two product lines: Invicti (the enterprise-grade DAST platform) and Acunetix (the SMB-focused DAST scanner acquired separately).
DAST stands for Dynamic Application Security Testing. Instead of examining source code (which is SAST), DAST tools test running applications by sending crafted requests and analyzing responses. Conceptually this is the reverse of what a WAF does: a WAF blocks malicious requests, while a DAST scanner sends them to find vulnerabilities. This makes Invicti complementary to WAF products rather than competitive with them.
Invicti is included on WAFplanet because understanding what vulnerabilities exist in your applications is essential context for evaluating WAF effectiveness. A WAF that blocks 99% of SQL injection attacks is less impressive if your application has no SQL injection vulnerabilities. Conversely, knowing your specific vulnerabilities helps you configure WAF rules that matter for your threat surface.
The core differentiator of Invicti is Proof-Based Scanning. When Invicti finds a vulnerability, it does not just flag it as a potential issue; it attempts to safely exploit it and provides concrete proof that the vulnerability is real and exploitable. For SQL injection, it might extract a specific database value. For LFI, it might read a specific file. This dramatically reduces false positives, which are the bane of security scanning tools.
Invicti also supports IAST (Interactive Application Security Testing), which combines elements of DAST and SAST by instrumenting the application at runtime. This provides deeper visibility into how the application processes requests internally, finding vulnerabilities that pure external scanning might miss.
The Invicti platform integrates with CI/CD pipelines, issue trackers (Jira, Azure DevOps, GitHub), and WAF products. The WAF integration is noteworthy: Invicti can export its findings as WAF rules, allowing you to create targeted virtual patches for discovered vulnerabilities. This bridges the gap between vulnerability discovery and mitigation.
As an OWASP Gold sponsor, Invicti contributes to the OWASP community that defines the standards (like the OWASP Top 10 and OWASP CRS) that most WAFs use as their baseline protection criteria.
Pricing is enterprise-only with no published prices. The Invicti product targets enterprises with large application portfolios. Acunetix is positioned as the more affordable option for SMBs, though even Acunetix does not publish transparent pricing. Expect annual contracts in the five- to six-figure range for Invicti, and in the low four to five figures for Acunetix.
The main limitation for WAFplanet readers is that Invicti is not a WAF. It does not block attacks, filter traffic, or provide any runtime protection. It finds vulnerabilities that you then need to fix (through code changes) or mitigate (through WAF rules). It is a testing tool, not a protection tool.
Key Features
Proof-Based Scanning
When a vulnerability is found, Invicti attempts to safely exploit it and provides concrete proof. For SQL injection, it extracts actual data. For file inclusion, it reads a specific file. This eliminates the false positive problem that plagues most security scanners.
DAST (Dynamic Application Security Testing)
Tests running web applications by sending crafted HTTP requests and analyzing responses. Finds SQL injection, XSS, CSRF, file inclusion, authentication flaws, and other OWASP Top 10 vulnerabilities in production or staging environments.
IAST (Interactive Application Security Testing)
Instruments the application at runtime to provide deeper vulnerability detection. Combines external scanning with internal application visibility. Finds vulnerabilities that pure DAST scanning might miss, such as insecure deserialization or business logic flaws.
API Security Testing
Scans REST APIs, GraphQL endpoints, and SOAP services. Imports API definitions (OpenAPI/Swagger, WSDL, GraphQL schemas) and tests all endpoints for vulnerabilities. Critical for modern applications where APIs are the primary attack surface.
CI/CD Pipeline Integration
Integrates with Jenkins, Azure DevOps, GitHub Actions, GitLab CI, and other CI/CD platforms. Automatically scans applications as part of the deployment pipeline. Fails builds if critical vulnerabilities are found.
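The two ideas above, proof-based findings and a pipeline gate that fails builds on serious vulnerabilities, combine naturally into a scan-report gate. The following is an added example written for this page, not Invicti's own report format or integration code: the JSON layout, the `confirmed` flag standing in for the scanner's proof, and the severity names are all assumptions. It shows the decision a practitioner usually wants from such a gate: confirmed findings at or above the threshold fail the build, while unconfirmed ones at that severity are surfaced for review without blocking.

```python
"""Build gate for a DAST scan report (added example; not Invicti's format).

Assumed report layout: {"target": ..., "findings": [{id, type, severity, url,
parameter, confirmed}]}. `confirmed` stands in for the proof a proof-based
scanner attaches to an exploitable finding. Only the gating logic is shown.
"""
import json
import sys

SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample report, embedded so the example runs offline.
SAMPLE_REPORT = json.dumps({
    "target": "https://staging.example.test",
    "findings": [
        {"id": "F-1", "type": "sql_injection", "severity": "critical",
         "url": "/product", "parameter": "id", "confirmed": True},
        {"id": "F-2", "type": "reflected_xss", "severity": "high",
         "url": "/search", "parameter": "q", "confirmed": False},
        {"id": "F-3", "type": "missing_hsts", "severity": "low",
         "url": "/", "parameter": None, "confirmed": True},
    ],
})


def load_findings(report_text):
    """Parse the JSON report and validate the fields the gate relies on."""
    data = json.loads(report_text)
    findings = []
    for f in data.get("findings", []):
        sev = str(f.get("severity", "")).lower()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"finding {f.get('id')} has unknown severity {sev!r}")
        findings.append({**f, "severity": sev})
    return findings


def gate(findings, fail_at="high", require_confirmed=True):
    """Decide whether the build should fail.

    Returns (should_fail, blocking, review). `blocking` findings fail the
    build; `review` findings are at or above the threshold but unconfirmed,
    so they are reported without failing the build when require_confirmed
    is set. That split is where a low false-positive rate pays off.
    """
    threshold = SEVERITY_RANK[fail_at]
    blocking, review = [], []
    for f in findings:
        if SEVERITY_RANK[f["severity"]] < threshold:
            continue  # below the gate threshold: tracked elsewhere, not here
        if require_confirmed and not f.get("confirmed", False):
            review.append(f)
        else:
            blocking.append(f)
    return bool(blocking), blocking, review


def run(report_text, fail_at="high", require_confirmed=True):
    """Return a process exit code for the pipeline: 0 = pass, 1 = fail."""
    findings = load_findings(report_text)
    should_fail, blocking, review = gate(findings, fail_at, require_confirmed)
    for f in blocking:
        print(f"BLOCKING {f['severity'].upper():8} {f['type']} at {f['url']} param={f['parameter']}")
    for f in review:
        print(f"REVIEW   {f['severity'].upper():8} {f['type']} at {f['url']} (unconfirmed)")
    return 1 if should_fail else 0


if __name__ == "__main__":
    sys.exit(run(SAMPLE_REPORT))
```

Run as a pipeline step, the non-zero exit code is what fails the build. Setting `require_confirmed=False` turns the gate strict, which is the right choice only when the scanner's false-positive rate is low enough that an unconfirmed high finding is worth blocking a deploy over.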
WAF Rule Export
Exports discovered vulnerabilities as WAF rules that can be imported into WAF products. Creates targeted virtual patches for specific vulnerabilities found during scanning. Bridges the gap between vulnerability discovery and runtime mitigation.
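To make the virtual-patch idea concrete, here is an added example of how a scanner finding scoped to one path and one parameter can be rendered as a chained ModSecurity rule, together with a small simulator that checks which requests the rule would stop. This is illustrative code written for this page, not Invicti's export format or its generated rules; the finding layout, the rule ids and the per-class patterns are assumptions.

```python
"""Turn scoped DAST findings into ModSecurity virtual patches (added example).

Not Invicti's export format or rule output. Assumed: each finding carries the
path, the vulnerable HTTP parameter and a vulnerability class; the patch is a
chained SecRule that fires only for that path and inspects only that parameter.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Per-class detection patterns (assumed). They are kept narrow on purpose: the
# patch covers the one parameter the scanner proved vulnerable, not all traffic.
PATTERNS = {
    # quote/comment/keyword fragments typical of SQL injection payloads
    "sql_injection": r"(?i)('|--|;|\bunion\b|\bselect\b|\bor\b\s+\d+\s*=\s*\d+)",
    # tag or event-handler fragments typical of reflected XSS payloads
    "reflected_xss": r"(?i)(<\s*script|javascript:|on\w+\s*=)",
    # traversal sequences typical of local file inclusion
    "local_file_inclusion": r"(\.\./|\.\.\\|%2e%2e%2f)",
}

# Constructed findings, shaped as a scanner might report them.
FINDINGS = [
    {"id": "F-1", "type": "sql_injection", "url": "/product", "parameter": "id"},
    {"id": "F-2", "type": "reflected_xss", "url": "/search", "parameter": "q"},
]


def make_rule(finding, base_id=900100):
    """Render one chained SecRule scoped to the finding's path and parameter."""
    pattern = PATTERNS[finding["type"]]
    rule_id = base_id + int(finding["id"].split("-")[1])
    # First rule matches the exact path; the chained second rule inspects only
    # the proven parameter after URL decoding, then the deny action applies.
    return (
        f'SecRule REQUEST_FILENAME "@streq {finding["url"]}" '
        f'"id:{rule_id},phase:2,deny,status:403,log,'
        f'msg:\'Virtual patch for {finding["id"]} ({finding["type"]})\',chain"\n'
        f'    SecRule ARGS:{finding["parameter"]} "@rx {pattern}" "t:urlDecodeUni"'
    )


def export_rules(findings):
    """Render all findings as one rule file body."""
    return "\n\n".join(make_rule(f) for f in findings)


def patch_matches(finding, raw_url):
    """Simulate the generated patch against a request URL (query string only).

    parse_qs percent-decodes values, which approximates t:urlDecodeUni.
    """
    parts = urlsplit(raw_url)
    if parts.path != finding["url"]:
        return False  # other paths are untouched by the patch
    values = parse_qs(parts.query, keep_blank_values=True).get(finding["parameter"], [])
    regex = re.compile(PATTERNS[finding["type"]])
    return any(regex.search(v) for v in values)


if __name__ == "__main__":
    print(export_rules(FINDINGS))
    for url in ["/product?id=1", "/product?id=1%20OR%201%3D1", "/search?id=1%20OR%201%3D1"]:
        print(f"{url!r:40} blocked={patch_matches(FINDINGS[0], url)}")
```

The scoping is the point of a virtual patch: the rule for `F-1` ignores the same payload on `/search`, and ignores other parameters on `/product`, so it buys time for the code fix without the collateral false positives a generic signature would cause. The patterns themselves are the tuning knob; a tighter pattern means fewer broken requests and more bypasses, which is why the patch is a stopgap rather than the fix.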
Compliance Reporting
Generates compliance reports mapped to PCI DSS, HIPAA, ISO 27001, and OWASP Top 10 requirements. Useful for demonstrating due diligence during audits and regulatory reviews.
Single-Page Application Support
Full support for scanning modern JavaScript applications built with React, Angular, or Vue. Invicti executes JavaScript, interacts with dynamic page elements, and discovers application states that traditional crawlers miss.
Pros & Cons
Pros
- Proof-Based Scanning eliminates false positives: The most significant differentiator. By proving vulnerabilities are real and exploitable, Invicti saves teams from wasting time investigating false positives. Security teams trust the results, which increases adoption and fix rates.
- Complements WAF deployments: Finding vulnerabilities that your WAF should be blocking is extremely valuable. If Invicti finds a SQL injection that your WAF misses, you know your WAF configuration needs work. The WAF rule export feature directly bridges scanning and mitigation.
- Deep JavaScript application support: Excellent at scanning modern SPAs built with React, Angular, or Vue. Many competing DAST scanners struggle with JavaScript-heavy applications. Invicti's browser-based crawling handles dynamic content well.
- IAST provides deeper insight: Runtime instrumentation finds vulnerabilities that external-only scanning misses. Particularly valuable for complex enterprise applications with intricate business logic.
- Strong CI/CD integration: Fits naturally into DevSecOps workflows. Automated scanning in the deployment pipeline catches vulnerabilities before they reach production, reducing the need for WAF rules as compensating controls.
- OWASP community contribution: As an OWASP Gold sponsor, Invicti contributes to the standards that define WAF protection criteria. This ensures their scanning covers what WAFs are designed to protect against, making comparisons meaningful.
Cons
- Not a WAF or runtime protection: Invicti does not block attacks, filter traffic, or provide any runtime protection. It finds vulnerabilities that you then need to fix or mitigate through other tools. It is a testing tool, not a protection tool.
- Expensive: Enterprise pricing with annual contracts. Invicti targets organizations with budgets for dedicated application security testing. Not accessible for small businesses or individual developers. Even Acunetix, the SMB option, starts around $4,500/year.
- No public pricing: Both Invicti and Acunetix require a sales conversation for pricing. No transparent pricing page with actual numbers. This makes budget planning and comparison shopping difficult.
- Scanning can be disruptive: DAST scanning sends potentially malicious requests to your application. Running scans against production can trigger alerts, create test data, or in rare cases cause issues. Scanning should be done against staging environments when possible.
- Learning curve for enterprise features: The enterprise platform has extensive configuration options, scan policies, and integrations. Getting the most out of Invicti requires application security expertise. It is not a plug-and-play tool.
- Separate products create confusion: Having both Invicti and Acunetix as separate products with different feature sets and pricing creates confusion about which product is appropriate. The distinction between SMB and enterprise is not always clear-cut.
Pricing
Pricing model: Custom (enterprise, annual contract)
Acunetix (SMB)
SMB-focused DAST scanner. Scans web applications and APIs for vulnerabilities. Proof-based scanning for reduced false positives. Suitable for development teams with smaller application portfolios.
- DAST scanning
- Proof-Based Scanning
- OWASP Top 10 detection
- API security testing
- CI/CD integration
- Compliance reporting (PCI DSS, HIPAA, ISO 27001)
- Up to 5 targets (base plan)
Invicti (Enterprise)
Enterprise DAST and IAST platform for large application portfolios. Unlimited scanning targets, advanced integrations, and enterprise management features. Contact sales for pricing.
- Everything in Acunetix
- IAST (Interactive Application Security Testing)
- Unlimited scanning targets
- WAF integration (export findings as rules)
- Enterprise SSO (SAML, LDAP)
- Role-based access control
- Advanced API scanning
- Custom scan policies
- Dedicated customer success manager
Our Verdict
Invicti is not a WAF, and including it on WAFplanet requires explanation. The reason is simple: understanding your application vulnerabilities is essential context for evaluating and configuring your WAF. A WAF protects against attacks. Invicti finds the vulnerabilities those attacks target. Together, they provide a more complete security picture than either alone.
The Proof-Based Scanning approach is genuinely innovative and solves the biggest problem with vulnerability scanners: false positives. When Invicti reports a SQL injection, it has actually extracted data from your database to prove it. This level of confidence makes findings actionable in a way that probabilistic scanners cannot match.
For WAF users specifically, the WAF rule export feature is noteworthy. Invicti can discover a vulnerability and generate a WAF rule to mitigate it, creating a virtual patch while you work on a code-level fix. This workflow bridges the gap between application security testing and runtime protection in a practical way.
The cost is the main barrier. Invicti targets enterprises with dedicated application security budgets. If you are evaluating WAFs for a small business website, Invicti is irrelevant. If you are a security team managing a portfolio of web applications behind Cloudflare, Imperva, or Qualys WAF, Invicti helps you validate that your WAF configuration actually protects against the vulnerabilities in your specific applications.
For teams that want free vulnerability scanning, OWASP ZAP provides DAST capability at no cost, though without the proof-based scanning and enterprise features that justify Invicti pricing.
CVE Coverage
Invicti can detect and block attacks matching 81K+ known CVEs based on its supported rule sets.
Latest Blockable CVEs
| CVE | Severity |
|---|---|
| CVE-2026-4510 | MEDIUM |
| CVE-2026-4161 | MEDIUM |
| CVE-2026-4087 | MEDIUM |
| CVE-2026-4086 | MEDIUM |
| CVE-2026-4084 | MEDIUM |
| CVE-2026-4077 | MEDIUM |
| CVE-2026-4072 | MEDIUM |
| CVE-2026-4069 | MEDIUM |
| CVE-2026-4067 | MEDIUM |
| CVE-2026-4022 | MEDIUM |
Frequently Asked Questions
Is Invicti a WAF?
No. Invicti is a DAST (Dynamic Application Security Testing) platform. It finds vulnerabilities in web applications by scanning them. It does not block attacks or filter traffic. Think of it as the complement to a WAF: the WAF blocks attacks, and Invicti finds the vulnerabilities those attacks target. Use both for comprehensive security.
What is the difference between Invicti and Acunetix?
Both are owned by Invicti Security. Invicti is the enterprise DAST/IAST platform with unlimited targets, advanced integrations, and enterprise management. Acunetix is the SMB-focused DAST scanner with simpler pricing (starting around $4,500/year) and fewer enterprise features. Both use the same core scanning engine with Proof-Based Scanning.
Was Invicti previously called Netsparker?
Yes. The Invicti DAST product was previously branded as Netsparker. The company rebranded to Invicti Security when it acquired Acunetix and consolidated both products under one company. Many security professionals still know the product by its Netsparker name.
How does Invicti complement a WAF?
Invicti finds vulnerabilities in your applications. Your WAF (e.g., Cloudflare, Imperva, or Qualys WAF) blocks attacks targeting those vulnerabilities. Together, you know what vulnerabilities exist and can verify your WAF blocks them. Invicti can also export findings as WAF rules to create virtual patches for discovered vulnerabilities.
What is Proof-Based Scanning?
When Invicti finds a potential vulnerability, it attempts to safely exploit it and provides proof. For SQL injection, it extracts actual data. For Local File Inclusion, it reads a specific file. This eliminates false positives because the vulnerability is proven, not just suspected. This is Invicti's core differentiator.
Can Invicti scan APIs?
Yes. Invicti supports REST API, GraphQL, and SOAP service scanning. It can import OpenAPI/Swagger definitions, WSDL files, and GraphQL schemas to discover and test all API endpoints. API security testing is increasingly important as modern applications expose more functionality through APIs rather than traditional web pages.
Is there a free alternative to Invicti?
OWASP ZAP is a free, open-source DAST scanner that provides basic vulnerability scanning capability. It does not have Proof-Based Scanning, enterprise management features, or the same depth of JavaScript application support. For budget-conscious teams, ZAP is a reasonable starting point. For enterprise needs, Invicti provides significantly more capability. Some WAFs like open-appsec include built-in vulnerability assessment.
Does Invicti support compliance scanning?
Yes. Invicti generates compliance reports mapped to PCI DSS, HIPAA, ISO 27001, OWASP Top 10, and other frameworks. These reports demonstrate that you have tested your applications for vulnerabilities, which is a requirement in most compliance frameworks. However, running Invicti alone does not make you compliant. It is one component of a broader compliance program that should also include WAF protection from providers like Cloudflare or Patchstack.