Rapid7 AppSpider provides rapid vulnerability detection and comprehensive reporting, integrating seamlessly with development cycles to enhance web application security. It is widely recognized for its detailed remediation steps and compliance with international standards like ISO27001.


| Product | Mindshare (%) |
|---|---|
| Rapid7 AppSpider | 0.8% |
| SonarQube | 14.5% |
| Checkmarx One | 9.2% |
| Other | 75.5% |
| Type | Title | Date |
|---|---|---|
| Category | Static Application Security Testing (SAST) | Jun 23, 2026 |
| Product | Reviews, tips, and advice from real users | Jun 23, 2026 |
| Comparison | Rapid7 AppSpider vs SonarQube | Jun 23, 2026 |
| Comparison | Rapid7 AppSpider vs Checkmarx One | Jun 23, 2026 |
| Comparison | Rapid7 AppSpider vs Veracode | Jun 23, 2026 |
| Title | Rating | Mindshare | Recommending | Interviews |
|---|---|---|---|---|
| SonarQube | 4.0 | 14.5% | 84% | 135 interviews |
| Checkmarx One | 3.9 | 9.2% | 88% | 81 interviews |
| Company Size | Count |
|---|---|
| Small Business | 4 |
| Midsize Enterprise | 2 |
| Large Enterprise | 1 |
| Company Size | Count |
|---|---|
| Small Business | 69 |
| Midsize Enterprise | 37 |
| Large Enterprise | 93 |
Renowned for its robust security assessment capabilities, Rapid7 AppSpider stands out by offering advanced crawling technology and interactive interface features. Despite its slower performance compared to some competitors, it efficiently manages applications with configurable reporting and a focus on reducing false positives. Users find its automation and extensive integration capabilities valuable, although they indicate a need for improved interface enhancements and better report localization for specific regions like Japan.
What are the key features of Rapid7 AppSpider?
In sectors such as finance, healthcare, and technology, companies leverage Rapid7 AppSpider to enhance their security management. It plays an integral role in vulnerability assessment processes, aiding compliance with international security standards and reforms in security testing strategies, especially during auditing and routine application scans.
Rapid7 AppSpider was previously known as AppSpider.
| Author info | Rating | Review Summary |
|---|---|---|
| Marketing Expert at J's communication | 3.0 | We use AppSpider primarily for its robust security features and excellent crawling technology, which customizes well for clients. However, localization for Japanese customers is lacking, and the return on investment is considered medium. |
| Executive Manager at B2B-Solutions LLC | 4.0 | I use Rapid7 AppSpider for vulnerability assessments and find its vulnerability reporting data valuable, especially for generating flexible reports. However, the solution's performance is slower compared to others, and we've adopted tricks to enhance its speed. |
| Head Information Security at Akhtar Fuiou Technologies | 3.5 | I use Rapid7 AppSpider for web application scanning to detect vulnerabilities, finding it user-friendly with detailed automated scans. However, it gives many false positives and lacks robust reporting. Stability needs improvement compared to my previous experience with HCL AppScan. |
| Network & Security Engineer at PT. Centrin Online Prima | 4.0 | I primarily use Rapid7 AppSpider for scanning and securing web applications, appreciating its replay attack feature. However, better integration for mobile app scanning would be beneficial, particularly enhancing performance when handling mobile applications like iOS and Android. |
| Executive Manager at B2B-Solutions LLC | 3.5 | I've used AppSpider for five years. Its valuable reporting, analytics, and customization are strong, but high RAM usage during scans and complex configuration with too many options are issues. I rate it 7/10. |
| Network & Security Engineer at PT. Centrin Online Prima | 4.0 | I use AppSpider for web vulnerability scanning. Its distribution is good, but integration and the simple interface need improvement. Support is responsive, yet some issues remain unresolved. I rate it 7-8 out of 10, requiring expertise. |
| Information Security Engineer at Trillium Information Security Systems | 3.5 | I have used Rapid7 AppSpider for over three years. Its initial deployment is simple, and it's stable when configured correctly. However, I have experienced some stability glitches that need improvement. Overall, I recommend it. |
| Network & Security Engineer at PT. Centrin Online Prima | 4.0 | I use this to test application vulnerabilities. While setup is straightforward and customer service is good, integration needs significant improvement, especially with recorded credentials and platforms like GitLab. Overall, I recommend it. |
| Security Consultant at a tech vendor with 11-50 employees | 4.0 | As a Rapid7 AppSpider distributor, I find its accurate scanning and detailed vulnerability reports very valuable. Setup is straightforward. However, it only scans one application at a time, and support response times need improvement. I rate it an 8/10. |
| Program Director at a financial services firm with 201-500 employees | 3.5 | I use Rapid7 AppSpider for data mining, finding its stability a key advantage. However, the dashboard and interface need improvement. Overall, I recommend it and rate it seven out of ten. |
Our clients use AppSpider to address security concerns for their websites. It is particularly used by customers who require security assessments.
One of the most valuable features of AppSpider is its broad range of authentication identification, which is a key reason for its utilization. Additionally, the crawling technology is very good and customizes well for customer solutions.
For Japanese customers, localization is needed. The product should offer a GUI in Japanese and provide Japanese reports for end-users.
I have been working with Rapid7 AppSpider for about ten years.
The solution is highly stable, rated at ten out of ten.
The solution is scalable due to its SaaS nature, however, it faces competition, so I rate its scalability at six or seven out of ten.
Technical support is good, and I would rate it eight out of ten.
Positive
The initial setup is a bit complex since it requires professional knowledge for exploiting the website. Expertise is needed.
The return on investment is medium.
The price is not high, but for Japanese customers, localization may incur additional costs.
I would recommend AppSpider to other customers as I do not have any bad impressions of the solution.
Overall, I would rate Rapid7 AppSpider six out of ten.

The most valuable feature of Rapid7 AppSpider is the vulnerability reporting data. Additionally, the data is reported in a convenient way rather than only as a PDF. We are able to generate all the reports exactly the way we want, in a flexible way.
The performance of the solution could improve. When I compare the speed it is slower than others on the market. There are some tricks we use to help speed up the solution.
I have been using Rapid7 AppSpider for approximately six years.
I have had some stability problems, but it could be the Microsoft Windows operating system. I found that closing other applications helps with stability. It is helpful to have as much memory as possible, such as eight gigabytes. The more pages being processed, the more resources you need.
I rate the stability of Rapid7 AppSpider a nine out of ten.
I rate the support from Rapid7 AppSpider an eight out of ten.
Positive
The initial setup is highly simple. The installation is on Microsoft Windows only, and the solution needs to be downloaded from the vendor's website. There are other services that you cannot use together with this solution because they cause conflicts, so you then have to remove some services.
The price of Rapid7 AppSpider is 9,000 annually, but there is limited usage. Large companies are able to negotiate a better price or a better deal for the usage with the vendor.
The price of the solution is average compared to other vendors.
I rate the price of Rapid7 AppSpider a five out of ten.
This solution might not be needed for everyone because of its high performance.
There is minimal maintenance required, such as updating the solution.
I would recommend this solution to others. The detailed reports are valuable.
I rate Rapid7 AppSpider an eight out of ten.

AppSpider is primarily intended for web application scanning, and it provides me with the ability to scan all of our web apps for vulnerabilities. It is also able to scan the application APIs, where we can actually log into the web application and then scan the whole interface. I typically only use it once or twice a month, and mainly for basic web app scanning.
Previously, I was working at a bank but I have now switched to a position as Head of Security within the FinTech industry, where I am managing our company's entire security portfolio. Right now, it's still a startup environment but we're a growing company and we also use a range of other security tools that we recently procured, with more tools in the pipeline. For example, for our SIEM solution, we are using Wazuh, an open source SIEM platform, and we are also using the security operating system Kali Linux.
What I like most about AppSpider is that it's easy to use and its automated scan gives me all the details I need to know when it comes to vulnerabilities and their solutions. I wouldn't say it is extraordinary, but it serves our purposes well.
One of the challenges I have with AppSpider is that it gives you a lot of false positives, especially when compared to other solutions. This is the main aspect that I hope to see Rapid7 improve on.
Beyond reducing false positives, I would also like to see them implement better reporting features, particularly in the executive summary type of reports which need to be user-friendly and easily understood by non-technical people. The recommendations and solutions on these reports could always be improved to make them more relevant, too.
Lastly, the stability isn't that great, and sometimes it becomes non-responsive. I feel like the stability of the application is very average and currently needs more work.
I have been using AppSpider for about five months.
Regarding stability, I would have to give AppSpider an average rating of five out of 10, mainly because it occasionally becomes non-responsive. Sometimes it works well, but sometimes not, so the stability really needs to be improved.
In the long run, I believe that I will eventually need to find a more stable and robust kind of scanner than AppSpider. At present, I view AppSpider as more of a utility rather than a complete solution, and if I don't use it in future, then it won't be a major problem. I can always use other tools, and it's not necessarily a vital part of our product list.
In my previous organization I used HCL AppScan for a brief period of time, and I started using AppSpider instead when I moved over to my new organization. Comparing the two, I don't see many differences in terms of functionality. Another web app scanner I used recently is called Yaazhini.
Although I haven't used it yet, I have also heard good things about Checkmarx.
The setup was good. It's just a simple installation and it's really easy. Once it is installed, it offers a nice and simple approach to setting up your first scan. And if you want to go deeper, it provides you with a form which asks you about how it should be configured.
If you select all the details, it takes you deeper into the configuration options, and if you choose to go the simple route, then it's just a matter of a quick form to fill in. It's a good, straightforward approach, in my opinion, and I would give it a rating of four out of five for ease of setup.
I deployed it myself in-house and on-premises.
AppSpider is closed-source software and you need to acquire a license in order to use it. However, I was fortunate enough to obtain a single-user license by one of my colleagues who is a security researcher doing his PhD, where he sometimes gets access to evaluation licenses.
I would rate Rapid7 AppSpider a seven out of ten.

AppSpider is primarily used to scan web applications. It scans all the components developed within a web application. It's used for various purposes related to web application security.
One of the most valuable features is a replay attack. The feature identifies vulnerabilities in the web application and makes changes in the code to address identified vulnerabilities.
It needs better integration with mobile applications. It would be better if we could scan not only web applications but also mobile applications, like iOS, Android, and Windows Mobile. It would be better for our team to have the ability to scan mobile applications as well. The performance could be better when it comes to scanning two mobile applications.
I have been using this solution for six years and working with the latest version of Rapid7 AppSpider.
I would rate the stability an eight out of ten.
I would rate Rapid7 AppSpider's scalability a nine out of ten. It is a very scalable solution. A customer does not need to know how many scan engines are used. Even if they want to perform ten concurrent scans with overextend, they can handle how many scan engines are being used.
There are around ten users in my company.
The customer service and support team is very helpful. They have a great response time and have segmented teams. At the end of the day, I interacted with several teams. For example, if we're talking about scan engines, there may be a different technical support team handling it, and yet another team may cover false positives.
Positive
The initial setup is straightforward, and it takes a couple of minutes. It's quite easy, you just need to put in the key, and then you can progress with installing the scan engine.
Moreover, you're not only limited to the cloud, but you have the option to install a local scan engine. So we have both on-prem and cloud-based versions with our customers.
When it comes to maintenance, at least two people are needed. One person to conduct scans and an additional person to monitor the end-to-end process. After conducting scans, the results are sent to the developer for analysis and discussion. It is possible for different interpretations of the scan results to occur, which can lead to varying outcomes. This aspect of technical analytics is a separate segment from the maintenance process. The maintenance team typically consists of administrators.
There are huge limitations in terms of pricing. There are two methods, one for covering unlimited critical web applications and the other for scanning unlimited websites, but only quarterly, meaning four times a year.
This solution is cloud-based, so there are no additional costs, but if we are talking about services, then yes. But for hardware, no. All of these things are provided in the cloud, which we can download from the website of Rapid7.
Overall, I rate it an eight out of ten. If Rapid7 had a feature where we could scan for the mobile application, I would rate it a nine.

AppSpider's most valuable feature is reporting - everything is stored in the local database so it can be sent to other machines. Its internal analytics and customizations are also good.
AppSpider has some problems with the RAM needed while scanning. There are also a lot of options, which can make it difficult to configure the system to get the results you want.
I've been using AppSpider for five years.
I would rate AppSpider seven out of ten.

The customer that I handle right now uses AppSpider to scan web applications for vulnerabilities and application testing.
For AppSpider there is more than one valuable feature. The distribution is good. With one console dashboard, we can integrate with one, two, or three different engines. When it is set up, each engine can do scanning on all of the web apps automatically.
The integration is also good when it is available. For example, we are using selenium to record usernames and passwords. Then we use selenium recording to automate the login and scanning of the apps. These are only two of the things that make AppSpider easy to work with.
AppSpider could improve in the area of integration. They need to add more opportunities. The documentation about integration with AppSpider is bad news and some integrations are quite difficult to do right now. It would be nice if we had a simple resource where we could look up on the internet what they are set up to integrate with. Some products will not currently integrate with AppSpider.
The interface of the enterprise product is a bit too simple. It would be good if there were options for customizing the views more like a dashboard.
I do pre-sales for Rapid7 solutions and I have been doing that for around one or two years. I do not work with AppSpider day-to-day as part of my job, but I am doing presentations, POC (Proof of Concept), and I do some installations for our customers.
For Rapid7, I also work with InsightVM and Metasploit doing presentations, POC, and installations for customers. We are a distributor for Rapid7 products.
Because we are only using the product during POC and testing and not using it day-to-day, we do not test the stability under higher usage. Because of that, it is hard to judge stability accurately.
I do not have a lot of experience with the scalability of the product. I think it is scalable because it is easy to do a distribution installation. The ability to use just one dashboard to employ more than one engine is good. I think that shows the processes are scalable.
Right now our clients are mostly medium enterprise businesses. We have not had the opportunity to scale to many larger organizations.
For InsightVM, the technical support from Rapid7 has been good. If we create a ticket, we get feedback. But right now, one of our customers is a big telco in Indonesia. They are having a problem with an upgrade to Nexpose. The problem has remained unresolved for around one month already. The support only responded by saying that they will try to resolve this issue within six months. They suggested that we upgrade to the next Nexpose already, but it is still not resolved right now. Our customer is left still using the old Nexpose. It is not a good situation.
To do the installation and initial setup is easy, I think. To use the app is where you need to have an expert in using the product. Even though I have had some experience with AppSpider and I do presentations, I think I still need more time to explore the product to understand it better.
On a scale of one to ten (where one is the worst and ten is the best), I would rate Rapid7 AppSpider a seven or eight out of ten.

The initial deployment is very straightforward and simple.
The product is stable if configured properly.
There are some glitches with stability, and it is an area for improvement.
I've been using it for three and a half years.
Both cloud and on-premises versions are available.
The product is stable, but you need to configure it properly.
The initial deployment is very straightforward and simple, but there are some things you have to understand when you use the cloud version. You need to scan or protect any other text such as the post information so that you can continue to deliver using that title.
It takes about a day to deploy.
The deployment can be done in-house.
The licensing cost depends on the number of users.
I would recommend Rapid7 AppSpider to others.

I try to have our customers use the solution, then I review the solution, and then I help customers deploy the applications.
Testing the vulnerability of applications.
Integration could be better. For example, while doing the scanning, using the recording username and passwords, there are issues. Also, they could integrate CSED into the product which would benefit in the future.
We have had no problems with scalability.
Customer service has been quite good.
The setup is usually straightforward.
We do the deployment for our clients.
The price is pretty fair.
I would recommend this product. I would give them a higher rating, but they need to have more integration available. They do not have integration for GitLab, for example.
I rate Rapid7 AppSpider a nine out of ten.

We are a distributor for Rapid7 and AppSpider is one of the products that we implement for our clients.
It does a scan that performs about 100 checks on web applications and produces a clear report on all of the vulnerabilities that are found. It is a dynamic scanner.
The reporting is very nice. There are many different reports and they include remediation details such as links as to where you can find patches.
It is really accurate and the rate of false positives is very low.
It can be integrated with the software development life cycle, which our customers have found very useful. It also integrates with Jira and other ticketing solutions.
With AppSpider, you can scan only one application at a time. If you have AppSpider Enterprise then you can connect one or two more scanners and scan multiple applications at one time.
Support response times are slow and can be improved.
I have been working with Rapid7 AppSpider for a month or two.
AppSpider is pretty stable.
I have tried a couple of open source solutions like Burp Suite but nothing that is in competition with AppSpider.
The initial setup is pretty straightforward. If the user has a Windows machine then they just download the file and press Next several times. That's it. The deployment will take perhaps 20 minutes, although if there are network issues then it might take up to an hour.
We deploy AppSpider on a laptop and it is easier that way because you can take it in and out of the domain. You can connect with the web apps where they are.
It is expensive if you want to buy the Enterprise version that is able to scan multiple applications at once.
My advice to anybody who is considering this solution is that there are other products out there, and everyone has their own requirements. If AppSpider meets the requirements then it is a great one to implement.
I would rate this solution an eight out of ten.

We are using Rapid7 AppSpider mainly for mining data and looking for market manipulations.
The most valuable feature is the ability to mine data.
The dashboard and interface are crucial and they need some improvement.
I have been using Rapid7 AppSpider for two or three years.
I would say that it is stable, as I am not aware of any major issues.
I don't know if it is scalable, as we haven't gotten to that stage yet. We are still testing it on quantities and conditions. Theoretically, yes, it's scalable.
We have between 10 and 20 users.
I have not contacted technical support, nor do I know of anybody in the company who has.
This is a product that I would recommend.
I would rate this solution a seven out of ten.