Attack Developer at a tech vendor
Real User
Aug 31, 2018
APIs enabled me to automate scans for a large number of web applications
Pros and Cons
  • "Crawling feature: Netsparker has very detailed crawling steps and mechanisms. This feature expands the attack surface."
  • "Netsparker offers some pretty features: Crawling feature: Netsparker has very detailed crawling steps and mechanisms, this feature expands the attack surface, Attacking feature: Actually, attacking is not a solo feature, it contains many attack engines, Hawk, and many properties, but Netsparker's attacking mechanism is very flexible, this increases the vulnerability detection rate, also, Netsparker made the Hawk for real-time interactive command-line-based exploit testing, it's very valuable for a vulnerability scanner, and a very useful API for automating the scans."
  • "Perhaps the custom attack preparation screen might be improved."

What is our primary use case?

I used Netsparker in my company to apply continuous penetration testing. The company has 1000-plus web applications.

How has it helped my organization?

Because the company has many web applications, we had to automate scans. I wrote a batch script with the Netsparker API. This made it easy for my jobs.

What is most valuable?

Netsparker offers some pretty features:

  • Crawling feature: Netsparker has very detailed crawling steps and mechanisms. This feature expands the attack surface.
  • Attacking feature: Actually, attacking is not a solo feature. It contains many attack engines, Hawk, and many properties. But Netsparker's attacking mechanism is very flexible. This increases the vulnerability detection rate. Also, Netsparker made the Hawk for real-time interactive command-line-based exploit testing. It's very valuable for a vulnerability scanner.
  • A very useful API for automating the scans.

What needs improvement?

Perhaps the custom attack preparation screen might be improved. Also, they can implement mobile penetration testing support for manual and automated tests.

Buyer's Guide
Invicti
June 2026
Learn what your peers think about Invicti. Get advice and tips from experienced pros sharing their opinions. Updated: June 2026.
900,644 professionals have used our research since 2012.

For how long have I used the solution?

Three to five years.

What do I think about the scalability of the solution?

The new version of Netsparker is better than the older versions for scalability.

What other advice do I have?

I rate it at nine out of 10 because, although I have used many web application scanners by now, Netsparker gives the fewest false-positives. That's the most important property for a web application scanner. When you buy a web application scanner, you actually pay for two features: non false-positive detection, and attack diversity. Other features affect the quality of a product. So, Netsparker deserves a nine.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
it_user494973 - PeerSpot reviewer
Software Quality Assurance Engineer at ITONICS GmbH
Real User
Dec 18, 2017
I would highly recommend implementing this product to those who really care about the vulnerabilities and security of their products/applications
Pros and Cons
  • "When we try to manually exploit the vulnerabilities, it often takes time to realize what's going on and what needs to be done."
  • "I would definitely recommend to those who really want to know in-depth details of their applications/products regarding the security of their web system."
  • "It would be better for listing and attacking Java-based web applications to exploit vulnerabilities."
  • "When scanning a large web-based application, it tends to process slow and takes a long time especially on crawling and attacking part."

What is our primary use case?

The primary use case of this solution is to check the major vulnerabilities of the product such as SQL injection, XSS Exploitation, Broken Authentication, Upload File Inclusion, CSRF, etc.

How has it helped my organization?

When we try to manually exploit the vulnerabilities, it often takes time to realize what's going on and what needs to be done.

With this wonderful tool, we can easily point out the outstanding reports of "Important", "Medium", "Low", and "Information" cases of vulnerabilities. Apart from that, it also visualizes what's wrong with the server, such as an outdated version, authorization, version disclosure, etc.

What is most valuable?

I like the way it provides the comprehensive result explaining the vulnerabilities which have been found along with how we can exploit those vulnerabilities with an example.

What needs improvement?

When scanning a large web-based application, it tends to process slow and takes a long time especially on crawling and attacking part. Would be better if that part would not take much time.

Apart from that, it would be better for listing and attacking Java-based web applications to exploit vulnerabilities.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

Till now, no.

What do I think about the scalability of the solution?

Yes, sometimes it hangs up when running large web-based applications.

How are customer service and technical support?

9 out of 10.

Which solution did I use previously and why did I switch?

Yes, I have used Acunetix, and the reason I switched to Netsparker would be:

The performance I found on Acunetix was very slow. It would take like a day if I had to scan our web based application product. That is not reliable when you are working with those clients who want a quick response.

How was the initial setup?

I found it's straightforward and anyone can set up this solution. However naive or rookie, you may have obstacles setting up with LDAP login or Browser Authentication.

What's my experience with pricing, setup cost, and licensing?

I would definitely recommend to those who really want to know in-depth details of their applications/products regarding the security of their web system.

Which other solutions did I evaluate?

No, I haven't.

What other advice do I have?

Like I wrote earlier, I would highly recommend implementing this product to those who really care about the vulnerabilities and security of their products/applications.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Ex Senior Security Analyst and Onsite consultant at Paladion Networks
Consultant
Dec 11, 2017
Efficient in highlighting medium-low vulnerabilities. However, Cross-Site Scripting, SQL Injection and other higher level injection attacks are difficult to highlight.
Pros and Cons
  • "The scanner is light on the network and does not impact the network when scans are running."
  • "The higher level vulnerabilities like Cross-Site Scripting, SQL Injection, and other higher level injection attacks are difficult to highlight using Netsparker."

What is our primary use case?

This product is mainly required for Automated Web Application Security Testing. We used the product over a shared directory.

How has it helped my organization?

It was very effective to highlight the low and medium level vulnerabilities which are generally easy to miss out. In certain cases we observed that high-level vulnerabilities could be pointed out with ease.

What is most valuable?

The scanner is light on the network and does not impact the network when scans are running. It is very efficient in highlighting medium-low vulnerabilities. These vulnerabilities during in-depth testing may find a miss but Netsparker can figure these very easily.

What needs improvement?

The higher level vulnerabilities like Cross-Site Scripting, SQL Injection, and other higher level injection attacks are difficult to highlight using Netsparker.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

The product is highly stable and does not create any issues.

What do I think about the scalability of the solution?

It is available across different platforms and is highly scalable.

How are customer service and technical support?

The technical support team was highly responsive and we used to get regular emails from their side, i.e., whenever there were any issues or new releases. In fact, the customer service is the best when compared to other competitor products.

Which solution did I use previously and why did I switch?

Since the time I have been associated with this company, we have constantly used Netsparker as one of our tools.

How was the initial setup?

The setup is very straightforward and as it is connected to the network, it is very easy to update the product on a regular basis.

What's my experience with pricing, setup cost, and licensing?

In our organization, we had a separate team which looked after the pricing and licensing policies. However, we never had any issues with the licensing; the price was within our assigned limits.

Which other solutions did I evaluate?

We do use other different products to confirm our results namely Burp Suite, Nessus, Qualys Inc. etc. Each product is used for the different stages of testing.

What other advice do I have?

It is a highly scalable and multi-user platform. You need to ensure that you have a virtual machine connected over to the internet for most of the system, as there are weekly and monthly updates.

Disclosure: My company has a business relationship with this vendor other than being a customer. We consider Netsparker as our partner.
PeerSpot user
it_user702261 - PeerSpot reviewer
Manager Compliance - Processes / InfoSec. at a tech services company with 201-500 employees
Consultant
Jul 16, 2017
Organizations thinking to implement it need a team of technical personnel onboard
Pros and Cons
  • "Scan, proxify the application, and then detailed report along with evidence and remediations to problems."
  • "OWASP Zap is free and it has live updates, so that's a big plus."
  • "I think that it freezes without any specific reason at times. This needs to be looked into."

What is most valuable?

Scan, proxify the application, and then detailed report along with evidence and remediations to problems.

How has it helped my organization?

We are trying to integrate this product fully into our CI/CD Pipeline. Right now, the basic scan is done. More is being done currently.

What needs improvement?

I think that it freezes without any specific reason at times. This needs to be looked into.

The UI is a bit cluttered, but it's ok since the Application Security does look at many facets of the Application.

What do I think about the stability of the solution?

No. Not so far with the upgrades. It updates itself given it is network access and it has plugins too.

What do I think about the scalability of the solution?

We haven't scaled it up so I can't comment. But, we have plans.

How are customer service and technical support?

Quite high. They are scattered all over social. They have wikis, a website, YouTube videos. They don't have a blog, or I might not have come across it, but given the option of googling things around, they are documenting many things.

Plus, they have active Google groups, where their response time is around a day.

Which solution did I use previously and why did I switch?

For application security, we tried Netsparker, Acunetix, but this one has a free option and recommended Software from OWASP.

How was the initial setup?

Quite straightforward. We did have a detailed look at YouTube videos, and read the wiki.

In other words, we did our research thoroughly, as their content was online. So it was finding the right content at the right time.

What's my experience with pricing, setup cost, and licensing?

Being as this software is on an Open Source license, I would advise having a technical person on board, who knows how to handle this product.

OWASP Zap is free and it has live updates, so that's a big plus.

Organizations thinking to implement it need a team of technical personnel onboard.

Which other solutions did I evaluate?

We did try the commercial ones, but since OWASP is known as an authority in web application security, we opted for this software.

What other advice do I have?

Go right ahead. You need to have a technical person.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
it_user701418 - PeerSpot reviewer
Security Analyst with 1,001-5,000 employees
Vendor
Jul 15, 2017
The scanner and the result generator are valuable features for us
Pros and Cons
  • "The scanner and the result generator are valuable features for us."
  • "We use simultaneous products, but I found this to be the best of the lot."
  • "The support's response time could be faster since we are in different time zones."

What is most valuable?

The scanner and the result generator are valuable features for us.

How has it helped my organization?

We have integrated the Netsparker API into the scripts that we use.

What needs improvement?

The support's response time could be faster since we are in different time zones.

For how long have I used the solution?

We have been using the solution for a couple of years.

What do I think about the stability of the solution?

We did not encounter any issues with stability.

What do I think about the scalability of the solution?

We did not encounter any issues with scalability.

How are customer service and technical support?

I would rate the technical support at an eight out of 10.

Which solution did I use previously and why did I switch?

We use simultaneous products, but I found this to be the best of the lot.

How was the initial setup?

It is easy to use. There is always someone available who can give you a free demo when you install the software according to your convenience.

What's my experience with pricing, setup cost, and licensing?

There is flexible pricing per user and per year. It is competitive in the security market.

Which other solutions did I evaluate?

We evaluated Nessus and Acunetix.

What other advice do I have?

It is a pretty good product, if you go with the full version. It has a good report generation and enables better customization of policies.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
it_user696993 - PeerSpot reviewer
Senior Information Security Consultant at a tech services company
Consultant
Jul 8, 2017
Its ability to crawl a web application is quite different.
Pros and Cons
  • "Its ability to crawl a web application is quite different than another similar scanner, and sometimes it can find more vulnerabilities that another scanner can’t."
  • "Maybe the ability to make a good reporting format is needed."

What is most valuable?

Its ability to crawl a web application is quite different than another similar scanner.

Sometimes, it can find more vulnerabilities that another scanner can’t. Usually, I have used both the scanners so I can get more results.

How has it helped my organization?

I’m not sure about the improvement part for our organization since I have only used this product for three months.

What needs improvement?

Maybe the ability to make a good reporting format is needed.

For how long have I used the solution?

I got the trial license for about three months.

What do I think about the stability of the solution?

There were no stability issues.

What do I think about the scalability of the solution?

There were no scalability issues.

How are customer service and technical support?

I have never contacted technical support.

Which solution did I use previously and why did I switch?

We did not switch solutions, just tried different tools to see the results.

How was the initial setup?

The setup is easy and straightforward, because I was using Windows.

Which other solutions did I evaluate?

My office gave me the trial license and told me to try out these products. That’s it. Just compared it to other similar tools such as NeXpose and Acunetix.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
it_user494973 - PeerSpot reviewer
Software Quality Assurance Engineer at ITONICS GmbH
Real User
Jan 11, 2017
It provides the comprehensive reports in various formats such as PDF and HTML.
Pros and Cons
  • "I would definitely recommend it to those who really want to know in-depth details of their applications/products regarding security."
  • "Sometimes, it is slow; when we are running this application and browsing other applications concurrently, it makes other applications work slow."

What is most valuable?

I like the way Netsparker provides the comprehensive reports in various formats such as PDF, HTML, etc., which are enough to understand what's going on with our web application.

How has it helped my organization?

When we try to manually exploit the vulnerabilities, it often takes time to realize what's going on and what needs to be done. By using this wonderful tool, we can easily see on the outstanding reports "Important", "Medium", "Low", and "Information" vulnerabilities. Apart from that, it also visualizes what's wrong with a server such as an outdated version, authorization, version disclosure, etc.

What needs improvement?

Sometimes, it is slow; when we are running this application and browsing other applications concurrently, it makes other applications work slow. Besides that, it seems fine.

When I use Netsparker along with other applications such as testing web apps on browsers like Chrome or Firefox for a little longer than normal, there are issues that might be due to the CPU high usage. I'm unable to work on other applications (mainly browsers such as Chrome/Firefox) and ultimately it hangs and takes time to browse on browsers.

For how long have I used the solution?

I have used it for most of the cases when I have to check vulnerabilities and other security exploitation. So, it's been like six months.

What was my experience with deployment of the solution?

I have not used this feature. I will let you know when I am done with deployment.

What do I think about the stability of the solution?

Until now, I have not encountered any stability issues.

What do I think about the scalability of the solution?

It sometimes hangs when running large web-based applications.

How are customer service and technical support?

The way they are communicating with users like us, yeah, we can give them 9 out of 10. :)

Which solution did I use previously and why did I switch?

I have used Acunetix. The reason I switched to Netsparker would be that the performance I found on Acunetix was very slow. It would take something like a day if I had to scan our web-based application product. That is not reliable when you are working with clients who want a quick response regarding how the application performs.

How was the initial setup?

I found initial setup to be straightforward; anyone can set up this solution.

What about the implementation team?

Not from a vendor team.

What's my experience with pricing, setup cost, and licensing?

Price seems to be reliable.

Which other solutions did I evaluate?

No, I did not evaluate other options.


What other advice do I have?

I would definitely recommend it to those who really want to know in-depth details of their applications/products regarding security.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
it_user490131 - PeerSpot reviewer
Software Quality Assurance Analyst at a real estate/law firm with 5,001-10,000 employees
Real User
Sep 1, 2016
It has improved the security of our code by scanning it and finding security defects.
Pros and Cons
  • "It has improved the security of our code by scanning it and finding security defects."
  • "Speed: It spends about one hour on scanning; I would like it to be less than 30 minutes."

Valuable Features

The product’s most valuable features are its security scanning features.

Improvements to My Organization

It has improved the security of our code by scanning it and finding security defects.

Room for Improvement

Speed: It spends about one hour on scanning; I would like it to be less than 30 minutes. Because our solution is large, NetSparker spends about one hour on scanning our code. It also depends on network speed, and just like anti-virus software, the scan time is a key performance requirement for NetSparker. The less the better. Thank you.

Use of Solution

I have used it for two years.

Stability Issues

I did not encounter any stability issues.

Scalability Issues

I did not encounter any scalability issues.

Customer Service and Technical Support

Technical support is good.

Initial Setup

Initial setup is not complex. Just follow the instructions.

Pricing, Setup Cost and Licensing

Price is not the key point.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
it_user496341 - PeerSpot reviewer
IT Engineer at an aerospace/defense firm with 1,001-5,000 employees
Vendor
Sep 1, 2016
It searches for a lot of updated vulnerabilities. A lot of the security tests are now automated.
Pros and Cons
  • "Technical support is very professional, 10/10."
  • "Maybe supported clients can be improved. It still does not search vulnerabilities in DB2 databases, for example."

What is most valuable?

  • It has a very user-friendly page.
  • Creating custom policies is very easy.
  • It searches for a lot of updated vulnerabilities.

How has it helped my organization?

Before Netsparker, we were opening internal web pages to the outside for manual tests. Health tests were limited by a system admin’s capabilities. After Netsparker, a lot of the security tests became automated. We added a step in our policy document to scan pages with Netsparker before opening a site to the outside.

What needs improvement?

Maybe supported clients can be improved. It still does not search vulnerabilities in DB2 databases, for example. In NetSparker you can modify your scan for a specific target database type, programming language and web server type. And there isn’t a DB2 database option for the database target in the scan editor.

For how long have I used the solution?

I have been using it for about two years.

What do I think about the stability of the solution?

On early versions, scanning for vulnerabilities didn’t complete. But now it takes an acceptable amount of time.

What do I think about the scalability of the solution?

I did not encounter any scalability issues. With a licence, you can install and run multiple instances of Netsparker at the same time, of course on different targets. Also, you can restrict network access or requests to the page.

How are customer service and technical support?

Technical support is very professional, 10/10. They know what they are doing.

Which solution did I use previously and why did I switch?

We did not previously use a different solution. We started with Netsparker.

How was the initial setup?

Setting up and updating Netsparker is very easy; only one click.

What's my experience with pricing, setup cost, and licensing?

Actually, I am a technical guy; I don’t know exactly the price, but I do know that if the product was expensive, our manager wouldn’t have bought it. :)

Which other solutions did I evaluate?

We tried Acunetix, but Netsparker has one up on it.

What other advice do I have?

You must work on your environment first. List the web applications’ background: the systems they are using, web server type, database type, programming language. Netsparker supports lots of them, but there are still some restrictions. If they know their environment, the decision is easier.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
it_user494973 - PeerSpot reviewer
it_user494973, Software Quality Assurance Engineer at a tech services company with 51-200 employees
Real User

I too find Netsparker the perfect tool when I compare to other vulnerability scanner tool such as Acunetix. Thanks for the review on this tool though. Also I am still using this tool for security testing.
Cheers.

it_user498570 - PeerSpot reviewer
Quality Assurance Specialist at a computer software company with 51-200 employees
Real User
Aug 31, 2016
Its web crawler introduced us to many security vulnerabilities and information we had not known before. Netsparker does not integrate SSO functionality.
Pros and Cons
  • "NetSparker is a very easy to use and understand product."
  • "It is a good tool, as we found out with the Community Edition trial, but the price point is quite expensive for a startup or average-sized company."

What is most valuable?

  • Simple, easy and straightforward to start.
  • Header information is displayed in an easy to read way which can be interpreted separately.
  • Vulnerabilities categorization, along with the suggestions, is pretty helpful.
  • Command line tool did seem interesting, but I couldn’t do much with it. It was a bit hard to learn its usage.
  • Crawling websites is one of its best features.

NetSparker is a very easy to use and understand product. Its web crawler feature has benefitted us the most. And introduced us to many security vulnerabilities and information we had not known before. I really like how we can tune the number of concurrent sessions as well, which allows us to do some performance testing as well.

How has it helped my organization?

It covers basic-intermediate web attacks and presents the information in a very descriptive way. This enhances knowledge and also helps to identify which areas are lacking attention.

Other than that, it helps you start looking for the attack vectors and points of weakness.

What needs improvement?

Login functionality: Netsparker does not integrate single-sign-on functionality, which makes it very difficult to use for such websites. SSO has become an essential part of web security testing over the last few years. I would love to see this feature in new releases.

For how long have I used the solution?

I have been using it for ~6 months.

What do I think about the stability of the solution?

It is a resource-intensive program, and while it is running, other processes get very slow.

What do I think about the scalability of the solution?

I did not encounter any scalability issues.

Which solution did I use previously and why did I switch?

This was the starting point. We chose this because Troy Hunt (security advisor) had provided a positive and thorough review of this product on his blog.

We used this product along with some others (SkipFish, NMap, etc.) to fully test the security of our products.

How was the initial setup?

As I mentioned before, installing and using Netsparker is pretty easy compared to other products available.

What's my experience with pricing, setup cost, and licensing?

It is a good tool, as we found out with the Community Edition trial. But the price point is quite expensive for a startup or average-sized company.

Other than what I’ve written, it is a fine product but it cannot be used alone. It covers most of the basic-intermediate level attacks, which is really good as a starting point. But for the high-level and advanced analysis, other (similar) tools are needed, which is why I think its price point is very high.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user