Invicti vs Veracode comparison

Invicti and Veracode are both solutions in the Application Security Posture Management (ASPM) category. Invicti is ranked #5 with an average rating of 8.5, while Veracode is ranked #1 with an average rating of 8.1. Additionally, 96% of Invicti users are willing to recommend the solution, compared to 89% of Veracode users who would recommend it.

Comparison Buyer's Guide

Download the report

Executive SummaryUpdated on Oct 8, 2024

Veracode and Invicti are leading contenders in the application security market. Invicti is often seen as superior due to its comprehensive feature set and automation capabilities, making it a preferred choice for those seeking a feature-rich solution.

Features: Veracode offers standout static analysis capabilities and strong third-party tool integration. It provides effective vulnerability detection and remediation guidance. Invicti’s key features include dynamic scanning, real-time issue identification, and automation for detailed web vulnerability analysis, offering a thorough approach to security management.

Room for Improvement: Veracode users express a desire for faster scan times and enhanced reporting capabilities. They find limitations in its analytics precision that could be improved. Invicti needs better documentation and support for complex configurations. Users also wish for improved interface responsiveness in larger environments.

Ease of Deployment and Customer Service: Veracode is recognized for its simple cloud deployment and seamless integration into workflows, coupled with proactive customer support. Although Invicti offers comprehensive deployment guides, users find its setup process challenging in larger environments, with diverse feedback on support team responsiveness.

Pricing and ROI: Veracode’s pricing strategy is attractive to small enterprises, providing a cost-effective option with compelling ROI metrics for long-term utilization. In contrast, Invicti demands a higher initial investment but justifies this with robust security features and efficiency, delivering a high ROI that appeals to enterprises ready to spend upfront for extensive capabilities.

To learn more, read our detailed Invicti vs. Veracode Report (Updated: January 2026).

Buyer's Guide

Invicti vs. Veracode

January 2026

Download the complete report

Helped 881,082 peers since 2012

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Categories and Ranking

Cortex Cloud by Palo Alto N...

Featured Reviews

Nuno-Santos

Cybersecurity Analyst at a tech services company with 11-50 employees

Has improved real-time threat detection and unified cloud protection through AI and automation

Cortex Cloud by Palo Alto Networks is creating some confusion in terms of names because this is recent. They changed the names of the products and are now clarifying their offer. The family of the products is not easy to follow because it's very recent. Regarding the generative AI security tool, I know for sure it's Agentic. Based on my experience with Palo Alto, I can suggest what Cortex Cloud by Palo Alto Networks could make better or what additional functions could be added. This is the best tool in the market. It's not the time to tell what they could do better because it's a recent tool. The market is now adopting it. Our experience doesn't show that they need to do more.

Read full review

Valavan Sivgalingam

Senior Manager, Security Engineering at ESS

Dynamic testing regularly identifies web vulnerabilities and has strong false positive confirmations

It has good false positive confirmations, confirmed issues identification, and proof of exploit-related features as part of it. We use Invicti for these things in our portfolios. The solution includes Proof-Based Scanning technology. Invicti is part of our SSDLC portfolio, and DAST dynamic testing is very important for our web applications and portfolios. For both the API endpoints and web applications, we do regular testing on a monthly basis for all our releases. Invicti does a good job. The only concern is on the performance side, but other than that, we find it really helpful in identifying web vulnerabilities. A full scan takes more time based on your website and other factors, but for us, it takes more than two to three days. The scan performance can be improved upon. When we check with them, they discuss proof-based scanning and related aspects. However, there could be intermittent results that could help us.

Read full review

reviewer2703864

Head of Security Architecture at a healthcare company with 5,001-10,000 employees

Onboarding developers successfully while improving code security through IDE integration

Regarding room for improvement, we have some problems when onboarding new projects because the build process has to be done in a certain way, as Veracode analyzes the binaries and not the code by itself alone. If the process is not configured correctly, it doesn't work. That's one of the things that we are discussing with Veracode. Something positive that we've been able to do is submit formal feature requests to them, and they are working on them; they've already solved some of them. This encourages us to propose new ideas and improvements. Another improvement that we asked for this use case is to be able to configure how Veracode Fix proposes and fixes because sometimes it makes proposals using libraries that go against our architecture design made by the enterprise architecture team. For example, we want them to propose using another library, and that's something we already asked Veracode, and they are working on it. We want to specify when you see this kind of vulnerability, you can only propose these two options.

Read full review

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Pros

"I have absolutely seen improvements in our incident close rates, with mean time to detect and respond reduced significantly, sometimes by at least forty to fifty percent."

"Cortex Cloud by Palo Alto Networks has impacted our organization positively by keeping our machines secure and our team using the dashboard to find issues quickly."

"Overall, Cortex Cloud by Palo Alto Networks is a technically strong product, and I rate it ten out of ten."

"The AI and automation features in detecting and responding to high-risk threats are impressive; it's one of the best tools regarding AI technology and unifies security in one platform in real-time, improving vulnerability analysis, incident response, and compliance reporting."

"I have seen several benefits from using Cortex Cloud by Palo Alto Networks: It was easy to use and easy to migrate from the IBM platform."

"It correctly parses DOM and JS and has really good support for URL Rewrite rules, which is important for today's websites."

"It has very good integration with the CI/CD pipeline."

"Netsparker has valuable features, including the ability to scan our website, an interactive approach, and security data integration."

"Invicti's best feature is the ability to identify vulnerabilities and manually verify them."

"I am impressed by the whole technology that they are using in this solution. It is really fast. When using netscan, the confirmation that it gives on the vulnerabilities is pretty cool. It is really easy to configure a scan in Netsparker Web Application Security Scanner. It is also really easy to deploy."

"The dashboard is really cool, and the features are really good. It tells you about the software version you're using in your web application. It gives you the entire technology stack, and that really helps. Both web and desktop apps are good in terms of application scanning. It has a lot of security checks that are easily customizable as per your requirements. It also has good customer support."

"This tool is really fast and the information that they provide on vulnerabilities is pretty good."

"Netsparker provides a more interactive interface that is more appealing."

More Invicti pros

"What I found most valuable in Veracode is that it gives me a part-by-part report of the entire EAR file and lets me set up the application for a limited time. Once that expires, Veracode allows you to automatically renew it, which is one of the features I find remarkable in Veracode."

"One of the valuable features is that it gives us the option of static scanning. Most tools of this type are centered around dynamic scanning. Having a static scan is very important."

"Veracode is easy to use even if you're not a security professional. I like the dynamic analysis feature, which offers a lot of cost savings when used in production."

"The solution is stable. we've never had any issues surrounding its stability."

"The solution's ability to help create secure software is very valuable. We're a zero-trust networking company so we want to have the ability to say that we're practicing security seriously. Having something like Veracode allows us to have confidence when we're speaking to people about our product that we can back up what we're doing with a certification, with a reputable platform, and say, "This is what we're using to scan an application. Here's the number of vulnerabilities that are on an application. And here's the risk that we're accepting.""

"The capability to identify vulnerable code is the most valuable feature of Veracode."

"I believe the static analysis is Veracode's best and most valuable feature. Software composition analysis is a feature that most people don't use, and we don't use SCA for most of our applications. However, this is an essential feature because it provides insight into the third-party libraries we use."

"My experience with Veracode across the board every time, in all products, the technology, the product, the service, and the salespeople is fabulous."

More Veracode pros

Cons

"Cortex Cloud by Palo Alto Networks is creating some confusion in terms of names because this is recent."

"Some aspects of the GUI can be confusing and make it difficult for me to find certain options or navigate where needed."

"Overall, I rate Cortex Cloud by Palo Alto Networks as an eight out of ten. I think that it could improve on price, as I know that the Google solution has the best price, and this is one of the conditions."

"The pricing is high, making ROI challenging to justify, especially during transitions between solutions."

"The solution needs to make a more specific report."

"I think that it freezes without any specific reason at times. This needs to be looked into."

"They could enhance the support for data swap testing for the platform."

"Invicti takes too long with big applications, and there are issues with the login portal."

"Invicti's reporting capabilities need enhancement."

"They need to improve their support in the documentation. Their support mechanism is missing. Their responsiveness, technical staff, and these types of things need to be improved, and comprehensive documentation is required. They should have good self-service portal enhancement"

"Maybe the ability to make a good reporting format is needed."

"The proxy review, the use report views, the current use tool and the subset requests need some improvement. It was hard to understand how to use them."

More Invicti cons

"Their scanning engine is sometimes a little bit slow. They can improve the scan time."

"The zip file scanning has room for improvement."

"Maybe the boards could be made easier to understand or easier to customize."

"Veracode should make it easier to navigate between the solutions that they offer, i.e. between dynamic, static, and the source code analysis."

"In the last month or so, I had a problem with the APIs when doing some implementations. The Veracode support team could be more specific and give me more examples. They shouldn't just copy the URL for a doc and send it to me."

"The pricing for qualified startups such as Neo4j could be improved."

"We get some false positives with JavaScript languages like React, TypeScript, and Angular. The problem is rooted in the build process of JavaScript, not the code we are using. This is something we spend lots of time trying to resolve. When we point to a specific library and review that on the code, we can see it is a part of the build that isn't going into production. It's only a part of the build because JavaScript has a different build process."

"Veracode should provide more flexibility in its pricing and licensing modules so that it could be more affordable for all types of projects and not only for very active mission-critical projects."

More Veracode cons

Pricing and Cost Advice

Information not available

"Netsparker is one of the costliest products in the market. It would help if they could allow us to scan multiple URLs on the same license."

"The price should be 20% lower"

"I think that price it too high, like other Security applications such as Acunetix, WebInspect, and so on."

"We are using an NFR license and I do not know the exact price of the NFR license. I think 20 FQDN for three years would cost around 35,000 US Dollars."

"The solution is very expensive. It comes with a yearly subscription. We were paying 6000 dollars yearly for unlimited scans. We have three licenses; basic, business, and ultimate. We need ultimate because it has unlimited scan numbers."

"OWASP Zap is free and it has live updates, so that's a big plus."

"We never had any issues with the licensing; the price was within our assigned limits."

"It is competitive in the security market."

More Invicti pricing and cost advice

"The pricing for Veracode is high, making it difficult for beginners to afford."

"We're very comfortable with their model. We think they're a good value. We worked very closely with Veracode on understanding their license model, understanding what comprises the fee and what does not. With their assistance in design, we decomposed our application in a way where we are scanning a very significant amount of code without wasting their capacity and generating redundant reported issues. You scan in profiles, per se. And we work with them, in their offices, to design the most effective approach. So the advice I would have for customers is, you can get up and live fast, but work closely with Veracode to refine the method you use for scanning and the way you compile the applications. There's a concept called entry-point scanning, and that's probably not used well by the rest of their customers. We see our licensing as a good value because we leverage it heavily."

"Compared to other similar products, the licensing and pricing are definitely competitive. If you see Checkmarx as the market leader, then we are talking about Veracode being a fraction of the cost. You also have to consider your hidden costs: you need a team to maintain it, a server, and resources. From that point of view, Veracode is great because the cost is really a fraction of many competitors."

"Licensing cost is on a yearly basis and there are no additional costs, the pricing is straightforward."

"Veracode's pricing is on the higher end, but it is acceptable."

"It's too expensive for the European market. That is why, in a big bank with 400 applications, we are able to use it only for 10 of them. But the other solutions are also expensive, so it wasn't a differentiator."

"We are still considering it at the enterprise level. It has a subscription-based model. We find its price a little high based on the features it provides."

"No issues, the pricing seems reasonable."

More Veracode pricing and cost advice

See which vendors are best for you

Use our free recommendation engine to learn which Application Security Posture Management (ASPM) solutions are best for your needs.

See recommendations

881,082 professionals have used our research since 2012.

Top Industries

By visitors reading reviews

Performing Arts

10%

Financial Services Firm

10%

Manufacturing Company

Computer Software Company

Financial Services Firm

17%

Computer Software Company

11%

Manufacturing Company

Government

Financial Services Firm

17%

Computer Software Company

13%

Manufacturing Company

10%

Government

Company Size

By reviewers

Large Enterprise

Midsize Enterprise

Small Business

No data available

By reviewers
Company Size	Count
Small Business	14
Midsize Enterprise	4
Large Enterprise	13

By reviewers
Company Size	Count
Small Business	69
Midsize Enterprise	44
Large Enterprise	115

Questions from the Community

What is your experience regarding pricing and costs for Cortex Cloud by Palo Alto Networks?

The solution is costly, with high-end capabilities suitable for enterprises. It is less affordable for startups or sm...

See all answers

What needs improvement with Cortex Cloud by Palo Alto Networks?

Regarding areas for improvement, the tool performs its functions well, but frequent name changes across Palo Alto Net...

See all answers

What is your primary use case for Cortex Cloud by Palo Alto Networks?

Cortex Cloud by Palo Alto Networks serves as our primary tool for understanding our assets and performing API integra...

See all answers

What is your experience regarding pricing and costs for Netsparker Web Application Security Scanner?

The setup cost is pretty competitive. For example, if you want to talk about the SAST license, it comes to about $150...

See all answers

What needs improvement with Invicti?

At this time, there is nothing that comes to mind. However, most of the products in the market are pretty much neck-t...

See all answers

What is your primary use case for Invicti?

I have worked on a couple of products, specifically in web application security. I have worked on Invicti, and with r...

See all answers

Which gives you more for your money - SonarQube or Veracode?

SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. Son...

See all answers

What do you like most about Veracode Static Analysis?

I like its integration with GitHub. I like using it from GitHub. I can use the GitHub URL and find out the vulnerabil...

See all answers

What is your experience regarding pricing and costs for Veracode Static Analysis?

My experience with pricing, setup cost, and licensing for Veracode is that it is fairly moderate.

See all answers

Comparisons

Prisma Cloud by Palo Alto Networks vs Cortex Cloud by Palo Alto Networks

Compared 19% of the time

Wiz vs Cortex Cloud by Palo Alto Networks

Compared 17% of the time

Microsoft Defender for Cloud vs Cortex Cloud by Palo Alto Networks

Compared 8% of the time

SentinelOne Singularity Cloud Security vs Cortex Cloud by Palo Alto Networks

Compared 7% of the time

AWS GuardDuty vs Cortex Cloud by Palo Alto Networks

Compared 6% of the time

More Cortex Cloud by Palo Alto Networks Competitors

Acunetix vs Invicti

Compared 16% of the time

SonarQube vs Invicti

Compared 8% of the time

OpenText Dynamic Application Security Testing vs Invicti

Compared 6% of the time

Rapid7 InsightAppSec vs Invicti

Compared 6% of the time

OWASP Zap vs Invicti

Compared 5% of the time

More Invicti Competitors

SonarQube vs Veracode

Compared 12% of the time

Checkmarx One vs Veracode

Compared 8% of the time

GitHub Advanced Security vs Veracode

Compared 5% of the time

Coverity Static vs Veracode

Compared 4% of the time

OWASP Zap vs Veracode

Compared 3% of the time

More Veracode Competitors

Product Reports

Buyer's Guide

Cortex Cloud by Palo Alto Networks

January 2026

Cortex Cloud by Palo Alto Networks report

Download Cortex Cloud by Palo Alto Networks product report

Buyer's Guide

Invicti

January 2026

Download Invicti product report

Buyer's Guide

Veracode

January 2026

Download Veracode product report

Also Known As

No data available

Netsparker

Crashtest Security , Veracode Detect

Overview

Cortex Cloud by Palo Alto Networks provides comprehensive cybersecurity management, focusing on enhancing security operations with advanced automation and threat intelligence, addressing complex security challenges efficiently.

Cortex Cloud by Palo Alto Networks integrates cloud-scale data analytics and automation to streamline security operations, enabling faster threat detection and response. It leverages AI and machine learning to provide real-time threat intelligence and automate routine tasks, reducing the burden on security teams. Users benefit from improved visibility across networks and greater operational efficiency, making it crucial for enterprises aiming to secure their digital assets against evolving cyber threats.

What are the key features of Cortex Cloud by Palo Alto Networks?

Automated Threat Detection: Identifies and mitigates threats in real-time using AI algorithms.
Advanced Analytics: Provides in-depth data insights for proactive threat prevention.
Incident Management: Streamlines incident response with automated workflows.
Scalable Architecture: Offers flexibility to grow with organizational needs.

What benefits or ROI should you expect from Cortex Cloud by Palo Alto Networks reviews?

Increased Efficiency: Automation reduces manual efforts in threat management.
Enhanced Security Posture: Improved visibility leads to better threat preparedness.
Cost Savings: Minimizes expenses related to manual threat detection and response.
Scalability: Grows with the organization, reducing the need for constant upgrades.

Cortex Cloud by Palo Alto Networks is favored in sectors like finance, healthcare, and telecommunications, where data security is paramount. Its ability to integrate with existing infrastructure and provide real-time insights makes it a preferred choice for securing sensitive information and ensuring compliance within industry regulations.

Palo Alto Networks

Invicti helps DevSecOps teams automate security tasks and save hundreds of hours each month by identifying web vulnerabilities that matter. Combining dynamic with interactive testing (DAST + IAST) and software composition analysis (SCA), Invicti scans every corner of an app to find what other tools miss with 99.98% accuracy, delivering on the promise of Zero Noise AppSec. Invicti helps discover all web assets — even ones that are lost, forgotten, or created by rogue departments. With an array of out-of-the-box integrations, DevSecOps teams can get ahead of their workloads to hit critical deadlines, improve processes, and communicate more effectively while reducing risk and hitting the ROI goals.

Invicti

Veracode is a leading provider of application security solutions, offering tools to identify, mitigate, and prevent vulnerabilities across the software development lifecycle. Its cloud-based platform integrates security into DevOps workflows, helping organizations ensure that their code remains secure and compliant with industry standards.

Veracode supports multiple application security testing types, including static analysis (SAST), dynamic analysis (DAST), software composition analysis (SCA), and manual penetration testing. These tools are designed to help developers detect vulnerabilities early in development while maintaining speed in deployment. Veracode also emphasizes scalability, offering features for enterprises that manage a large number of applications across different teams. Its robust reporting and analytics capabilities allow organizations to continuously monitor their security posture and track progress toward remediation.

What are the key features of Veracode?

Static Analysis (SAST) - Scans source code for vulnerabilities before deployment.
Dynamic Analysis (DAST) - Examines applications in a running state to detect flaws in real-time.
Software Composition Analysis (SCA) - Identifies risks in open-source libraries and third-party components.
Manual Penetration Testing - Offers expert analysis for more complex vulnerabilities.
Integrations with DevOps tools - Seamlessly integrates with CI/CD pipelines for automated security checks.

What benefits should users consider in Veracode reviews?

Early detection of vulnerabilities - Helps developers fix security issues early in the development process.
Scalability - Supports organizations with large-scale application portfolios.
Compliance support - Ensures applications meet various security standards and regulations.
Developer training - Provides tools for educating developers on secure coding practices.
Comprehensive reporting - Offers detailed reports that track remediation and risk trends.

Veracode is widely adopted in industries like finance, healthcare, and government, where compliance and security are critical. It helps these organizations maintain strict security standards while enabling rapid development through its integration with Agile and DevOps methodologies.

Veracode helps businesses secure their applications efficiently, ensuring they can deliver safe and compliant software at scale.

Veracode

Sample Customers

Information Not Available

Samsung, The Walt Disney Company, T-Systems, ING Bank

Manhattan Associates, Azalea Health, Sabre, QAD, Floor & Decor, Prophecy International, SchoolCNXT, Keap, Rekner, Cox Automotive, Automation Anywhere, State of Missouri and others.

Buyer's Guide

Invicti vs. Veracode

January 2026

Free Report: Invicti vs. Veracode

Find out what your peers are saying about Invicti vs. Veracode and other solutions. Updated: January 2026.

DOWNLOAD NOW

881,082 professionals have used our research since 2012.

See our Invicti vs. Veracode report.

See our list of best Static Application Security Testing (SAST) vendors, best Container Security vendors, and best Software Composition Analysis (SCA) vendors.

We monitor all Application Security Posture Management (ASPM) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.