Invicti

Category: DAST
License: Commercial
Suphi Cankurt
AppSec Enthusiast
Updated February 13, 2026
4 min read

Invicti is an enterprise-grade DAST tool that merges DAST, IAST, and SCA capabilities into one solution. The tool scans websites and APIs for security vulnerabilities and has been adopted by over 3,600 organizations globally.

It evolved from Netsparker, an established dynamic analysis tool. In 2024, the parent company acquired Kondukto for ASPM capabilities.

(Screenshot: Invicti enterprise dashboard showing vulnerability overview and scan status)

What is Invicti?

Invicti’s main claim is proof-based scanning. When the scanner finds a potential vulnerability, it attempts to safely exploit it to confirm the issue is real. This produces a proof of exploit for each finding, which cuts down false positive triage significantly.

The platform crawls up to 2,500 pages by default, with expansion possible to 15,000 pages. Typical scans complete in 8-10 hours depending on application size.

| Feature | Details |
|---|---|
| Deployment | Cloud (AWS US, AWS EU) and on-premises (Windows) |
| Scanning approach | DAST with proof-based verification |
| Additional testing | IAST (Shark agent), SCA |
| Crawl limit | 2,500 pages default, up to 15,000 |
| Scan duration | 8-10 hours typical, 24-hour max |
| Authentication | Form-based, HTTP Basic, client certificates, OAuth |
| Brute force wordlist | 59 entries default, expandable to 5,000 |
| Editions | Standard, Team, Enterprise |
| Organizations using | 3,600+ |
Proof-Based Scanning

Automatically exploits detected vulnerabilities in a safe way to confirm they are real. Each confirmed finding includes proof of exploit, reducing false positive triage to near zero.

Combined DAST + IAST + SCA

Single platform covers dynamic testing, interactive testing via the Shark IAST agent, and software composition analysis for third-party library vulnerabilities.

Enterprise Scale

Manages thousands of scan targets with group-based organization, batch scanning, and shared scan profiles. Three editions (Standard, Team, Enterprise) for different team sizes.

Key Features

Vulnerability Detection

Invicti identifies web application security issues including SQL injection, cross-site scripting (XSS), and other OWASP Top 10 vulnerabilities.

(Screenshot: Invicti security issues detection showing vulnerability findings)

Proof-Based Accuracy
According to Invicti, the platform achieves 99.98% scan accuracy through proof-based scanning. When a finding is marked as confirmed, the scanner has actually exploited it safely and can show evidence of the vulnerability.

Software Composition Analysis

Beyond vulnerability scanning, the platform catalogs technologies within web applications and flags outdated or vulnerable libraries.

(Screenshot: Invicti out-of-date technology detection showing library versions)

DevSecOps Integration

Most organizations incorporate Invicti into their CI/CD pipelines to catch vulnerabilities before production.

(Screenshot: Invicti SDLC integration workflow for DevSecOps pipelines)

Discovery Feature

The Discovery function activates automatically when an account is created and identifies websites potentially associated with your organization by combining several data sources:

  • Business email domain matching
  • Out-of-scope links from scans
  • Websites hosted on identical IP addresses
  • SSL certificate organization names
  • Domain keyword and second-level domain analysis

(Screenshot: Discovery feature)

Since automated discovery is not perfect (shared hosting and look-alike domains produce noise), filtering options let you eliminate unrelated results.

(Screenshot: Discovery filter options)
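To make the discovery signals concrete, here is an added example (written for this review, not Invicti's own code or algorithm) that scores a constructed inventory of candidate hosts against the five data sources listed above and then applies the kind of filters described here. The organization profile, the RFC 5737 addresses, the hostnames and the signal names are all assumptions made up for the illustration.

```python
from dataclasses import dataclass

# Constructed organisation profile: one value per discovery signal named in the text.
ORG_EMAIL_DOMAIN = "example-corp.com"            # business email domain
ORG_CERT_NAME = "Example Corp"                   # organisation name in TLS certificates
ORG_KEYWORDS = ("example-corp", "examplecorp")   # second-level-domain keywords
KNOWN_IPS = {"203.0.113.10", "203.0.113.11"}     # addresses already hosting known sites


@dataclass(frozen=True)
class Candidate:
    """A host observed somewhere: DNS, a TLS certificate, or an out-of-scope link."""
    hostname: str
    ip: str
    cert_org: str = ""
    linked_from_scan: bool = False   # seen as an out-of-scope link during a scan


def second_level_label(hostname):
    """'shop.examplecorp.io' -> 'examplecorp'; the label keyword matching looks at."""
    labels = hostname.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def discovery_signals(c):
    """Return the list of signals tying the candidate to the organisation."""
    host = c.hostname.lower()
    signals = []
    if host == ORG_EMAIL_DOMAIN or host.endswith("." + ORG_EMAIL_DOMAIN):
        signals.append("email-domain")
    if c.linked_from_scan:
        signals.append("out-of-scope-link")
    if c.ip in KNOWN_IPS:
        signals.append("shared-ip")
    if c.cert_org.strip().lower() == ORG_CERT_NAME.lower():
        signals.append("cert-org")
    if any(k in second_level_label(host) for k in ORG_KEYWORDS):
        signals.append("keyword")
    return signals


def discover(candidates, min_signals=1, exclude_keywords=()):
    """Rank candidates by signal count and apply the analyst's filters.

    min_signals weeds out one-signal noise such as a shared-hosting neighbour;
    exclude_keywords drops hosts already judged unrelated (fan sites, look-alikes).
    Returns [(hostname, [signals...])] sorted strongest match first.
    """
    results = []
    for c in candidates:
        host = c.hostname.lower()
        if any(k in host for k in exclude_keywords):
            continue
        signals = discovery_signals(c)
        if len(signals) >= min_signals:
            results.append((c.hostname, signals))
    results.sort(key=lambda r: (-len(r[1]), r[0]))
    return results


# Constructed candidate inventory (RFC 5737 documentation addresses, invented hostnames).
CANDIDATES = [
    Candidate("www.example-corp.com", "203.0.113.10", "Example Corp"),
    Candidate("shop.examplecorp.io", "198.51.100.5", "Example Corp", linked_from_scan=True),
    Candidate("blog.hosted-cms.net", "203.0.113.11", "Hosted CMS Inc"),   # shared-hosting neighbour
    Candidate("examplecorp-fans.net", "192.0.2.77"),                       # look-alike, unrelated
    Candidate("unrelated.example.org", "192.0.2.1", "Someone Else"),
]

if __name__ == "__main__":
    for host, sig in discover(CANDIDATES, min_signals=1, exclude_keywords=("fans",)):
        print(f"{len(sig)} {host:25} {', '.join(sig)}")
```

Run as-is it lists the two real assets first and the shared-hosting neighbour last; raising `min_signals` to 2 drops that neighbour, which is the same trade-off the filter options in the product are there to let you make.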

Website Management

Adding Targets

You can add websites individually or import multiple targets via CSV.

A website can belong to more than one group, so you can organize targets along whichever axes suit your team:

  • Hosting infrastructure
  • Technology stack
  • Geographic location
  • Team assignment
  • Priority levels

(Screenshot: Add a new website)

(Screenshot: Website groups)

Group Scanning

Group assignments enable batch scanning operations across related targets.

(Screenshot: Starting a group scan)

Scan Configuration

Scan Profiles

Save and share scan configurations across team members.

(Screenshot: Save a scan profile)

Scan Policies

Pre-built Options

Select from standard policies including OWASP Top 10 or PCI compliance checks.

(Screenshot: Built-in scan policies)

Custom Policy Creation

(Screenshot: Create a new scan policy)

Security Checks Configuration

Customize which vulnerability types to scan, such as focusing exclusively on out-of-band SQL injection detection.

(Screenshot: Security checks in a scan policy)

Crawling Parameters

The platform crawls up to 2,500 pages by default, with expansion possible to 15,000 pages.

(Screenshot: Crawling configuration)

JavaScript Handling

For single-page applications, use predefined presets and adjust DOM load timeouts and simulated element limits.

(Screenshot: JavaScript configuration)

CSS Selector Exclusion

Exclude specific website sections from scanning using CSS selectors.

(Screenshot: Exclude by CSS selector)

Proof-Based Scanning

Disable proof generation by unchecking the “Enable Proof Generation” option.

(Screenshot: Attacking configuration)

Form Value Configuration

Customize the default values the scanner submits into contact and other forms it encounters.

(Screenshot: Configure form values)

Brute Force Settings

The scanner tests authentication forms it finds with a list of common username/password combinations.

The default wordlist contains 59 entries and can be expanded to 5,000 when scanning through an Internal Agent or with Invicti Standard.

(Screenshot: Configure brute force)

Request Configuration

Set the User-Agent string the scanner sends (useful for identifying scan traffic in your logs and WAF) and adjust the request rate per second to control scan speed and load on the target.

(Screenshot: Configure requests)

Product Editions

Invicti Standard

Single-instance Windows-only scanning tool primarily used by penetration testers and cybersecurity engineers for initial vulnerability discovery.

Invicti Team

  • Cloud-only deployment (AWS US or AWS EU)
  • Supports internal application scanning via agents (Windows, Linux, Docker)
  • Unlimited users
  • Includes standard features

Invicti Enterprise

Targets organizations with 50+ websites that require enterprise-grade features.

Key Features

  • Cloud and on-premise deployment options (Windows only for on-premise)
  • Unlimited users
  • Internal application scanning via agents (Windows, Linux, Docker)
  • Dedicated technical support
  • Custom integration support
  • Includes Team and Standard capabilities

Firewall Whitelisting

IP Address Whitelisting

Allow the scanner's traffic through your firewall or WAF by source IP so scans are not blocked or rate-limited. Invicti cloud scanners originate from the following addresses:

Invicti AWS (US):

  • 54.88.149.100
  • 54.85.169.114

Invicti AWS (EU):

  • 3.121.126.156
  • 3.122.64.138

Getting Started

1. Choose your edition — Invicti Standard is a Windows desktop scanner for individual pentesters. Invicti Team is cloud-only (AWS US or EU) with internal scanning via agents. Invicti Enterprise adds on-premises deployment and dedicated support.

2. Add your targets — Add websites individually or import multiple targets via CSV. Organize them into groups by hosting infrastructure, technology stack, geography, or team assignment.

3. Configure scan policies — Select from built-in policies (OWASP Top 10, PCI compliance) or create custom ones. Choose which vulnerability types to test and set crawling limits.

4. Run scans and review findings — Launch scans manually, on schedule, or via CI/CD triggers. Proof-based findings include exploit evidence. Push results to Jira, Azure DevOps, or other ticketing systems.

Best For

Enterprise security teams managing 50+ web applications that need proof-based vulnerability confirmation and want DAST, IAST, and SCA in a single platform. Not for teams seeking a free or lightweight scanner — Dastardly or ZAP better serve that need.

Operational Notes

Default Contact Form Behavior

By default the scanner submits “[email protected]” into contact forms it finds during a scan, which can generate a large volume of email to whoever receives those form submissions. Adjust the form values in the scan configuration to avoid this.

Scan Duration

Scans should not exceed 24 hours. Contact [email protected] for speed optimization guidance if scans run long.

Note: Formed from merger of Acunetix and Netsparker. Acquired Kondukto (2024) for ASPM capabilities. Acunetix continues as standalone product.

Frequently Asked Questions

What is Invicti's proof-based scanning?

Invicti automatically exploits detected vulnerabilities in a safe way to confirm they are real, not theoretical. This produces a proof of exploit for each finding, so teams spend less time triaging false positives.

Is there a free version of Invicti?

No. Invicti is an enterprise-focused commercial product without a free tier. Pricing is based on the number of scan targets and the deployment model you choose (cloud or on-premises).

What is the difference between Invicti and Acunetix?

Both are owned by the same parent company. Invicti targets larger enterprise teams with features like role-based access, advanced workflow integrations, and multi-engine scanning. Acunetix is positioned for small to mid-sized teams that want a simpler, more affordable DAST solution.

Does Invicti integrate with issue trackers and CI/CD tools?

Yes. Invicti has built-in integrations with Jira, Azure DevOps, GitLab, Jenkins, and others. Scan results can be pushed directly into your ticketing system and scans can be triggered automatically as part of your deployment pipeline.
