Acunetix

Category: DAST
License: Commercial
Suphi Cankurt
+8 Years in AppSec
Updated May 19, 2026
Key Takeaways
  • Commercial DAST scanner with 7,000+ vulnerability checks and 99.98% accuracy
  • Part of the Invicti family; targets SMBs while Invicti handles enterprise
  • AcuSensor IAST agent provides server-side code visibility during scans
  • No free tier; licensing is per-FQDN with a minimum of 5 targets
Latest Updates
  • VDB 20260421: Added a new security check for Cross-Origin Opener Policy (COOP) and expanded vulnerability detection across axios, Django, Chamilo, MediaWiki, Tomcat, XWiki Platform and other technologies.
  • VDB 20260414: Added detection for Nginx UI information disclosure (CVE-2026-27944) and Citrix NetScaler memory overread (CVE-2026-3055), plus exposed installer detection.
  • VDB 20260331: Added vulnerability detection for Craft CMS, MediaWiki, OpenCart, Ruby on Rails (including Critical CVE-2026-33195) and an optional OOB server settings variable.

Acunetix is a web vulnerability scanner built for teams that want automated DAST without a steep learning curve. It detects over 7,000 vulnerability types with 99.98% accuracy through proof-based scanning.

[Screenshot: Acunetix scans list showing multiple targets with scan type, schedule, vulnerability counts by severity, and completion status]

Part of the Invicti family, Acunetix targets small and mid-sized organizations while Invicti handles enterprise accounts. Thousands of companies use it, including Cisco, NASA, and American Express.

According to the OWASP Foundation, automated dynamic testing is a recommended practice for identifying runtime vulnerabilities that static analysis alone misses.

What are Acunetix’s key features?

  • Vulnerability checks: 7,000+ types including OWASP Top 10, out-of-band
  • Accuracy: 99.98% with proof-based scanning
  • Scanning engine: C++ based, 2-4 hour average scan time
  • IAST support: AcuSensor agent for .NET, Java, PHP, Node.js
  • Risk scoring: Predictive AI model using 220+ parameters, 83% minimum confidence
  • API scanning: REST, SOAP, GraphQL
  • SPA support: Full JavaScript rendering for React, Angular, Vue
  • Concurrent scans: Unlimited parallel scans
  • Update cadence: Monthly releases with auto-update

I run authenticated dynamic scans against logged-in user sessions using the Business Logic Recorder, which lets me reach pages that anonymous crawlers cannot. The scanner does API security testing (black-box) against REST, SOAP, and GraphQL endpoints by ingesting OpenAPI/Swagger specs or recorded traffic. SQL injection / XSS probing uses payload mutation across discovered parameters, and the proof-based engine confirms each finding by safely exploiting it before I see the alert.

Proof-Based Scanning
Acunetix confirms vulnerabilities by safely exploiting them, producing proof-of-exploit for each finding. Less time triaging, more time fixing.
AcuSensor IAST
Deploy the AcuSensor agent inside your application server to combine DAST with IAST. The agent identifies the exact line of code causing a vulnerability and catches issues invisible to external scanning alone.
Business Logic Recorder
Record multi-step workflows like checkout flows, registration sequences, or admin operations. The scanner replays these recorded paths during scans, covering areas that automated crawlers miss.
[Screenshot: Acunetix scan result page showing Threat Level 3 assessment with discovered vulnerabilities including XSS and SQL injection findings, scan duration, and latest alerts]

Predictive Risk Scoring

Acunetix uses a machine learning model that analyzes over 220 parameters to estimate vulnerability risk before scanning begins. The model requires a minimum 83% confidence threshold before assigning a risk score.

Your most exposed targets get scanned first.

[Screenshot: Acunetix predictive risk scoring output ranking 12 targets by risk score with confidence percentages, highest-risk target flagged for first scan]

Note: Acunetix and Invicti share the same proof-based scanning engine. Acunetix is the simpler, more affordable option aimed at SMBs. If you outgrow it, migration to Invicti's enterprise platform is straightforward.

Reporting

Acunetix ships with multiple report templates covering both technical and compliance needs:

  • Standard reports: Affected Items, Developer, Executive Summary, Quick
  • Compliance reports: CWE, HIPAA, ISO 27001, NIST SP 800-53, OWASP Top 10, PCI DSS, Sarbanes-Oxley, STIG DISA, WASC
  • Export formats: CSV, JSON, XML

What does Acunetix integrate with?

Issue Trackers
  • GitHub
  • GitLab
  • Jira
  • Azure DevOps
CI/CD
  • Jenkins
  • GitLab CI
  • Azure DevOps
WAF
  • F5 BIG-IP
  • Imperva
  • FortiWeb
  • AWS WAF

There is also a REST API for custom integrations. For broader context, see the DAST tools landscape and the enterprise sibling Invicti.

How do I get started with Acunetix?

1. Add targets: Enter your web application URLs. Acunetix supports FQDNs, IP ranges, and API endpoints.
2. Configure authentication: Use the Business Logic Recorder to capture login flows and multi-step processes the scanner should follow.
3. Run a scan: Pick a scan profile (Full, High Risk, XSS, SQL Injection, or custom) and launch. Average scan time is 2-4 hours.
4. Review findings: Each vulnerability includes proof-of-exploit, affected URL, severity rating, and remediation guidance. Push results to Jira or your issue tracker.

How to use Acunetix

After install, my typical workflow is: add a target FQDN, attach an authentication profile (form, basic, or recorded macro), pick a scan profile (Full, High Risk, XSS, or SQL Injection), and launch. Average scan time runs 2-4 hours per target depending on application size.

I trigger scans from the UI for ad-hoc work and from the REST API for CI/CD pipelines. The CLI is not the primary entry point; Acunetix is API-first for automation. A typical pipeline call posts to /api/v1/scans with a target ID and profile, polls for status, and pulls findings as JSON.
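The pipeline call just described, written out as an added example (not code from the page or from Acunetix) that also applies the high-severity gate mentioned in the FAQ. Only POST /api/v1/scans is on the page; the X-Auth header, the scan status and results endpoints, the response field names, and the numeric severity scale are assumptions to check against your Acunetix version's API documentation. The transport is injectable so the orchestration can be exercised offline.

```python
import json
import time
import urllib.request

# Assumed Acunetix severity scale: 0=info, 1=low, 2=medium, 3=high, 4=critical
SEVERITY_NAMES = {0: "info", 1: "low", 2: "medium", 3: "high", 4: "critical"}
TERMINAL = {"completed", "failed", "aborted"}  # assumed terminal session statuses

def http_json(method, url, api_key, body=None):
    """Minimal JSON transport. The X-Auth API-key header is an assumption."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "X-Auth": api_key, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.loads(resp.read() or b"{}")

def severity_gate(vulns, fail_at=3):
    """Count findings per severity; fail the build if any reach fail_at (high)."""
    counts = {name: 0 for name in SEVERITY_NAMES.values()}
    for v in vulns:
        counts[SEVERITY_NAMES.get(int(v.get("severity", 0)), "info")] += 1
    worst = max((int(v.get("severity", 0)) for v in vulns), default=-1)
    return worst < fail_at, counts

def run_gated_scan(target_id, profile_id, base, api_key,
                   transport=http_json, poll_seconds=30, max_polls=480):
    # 1. Start the scan: POST /api/v1/scans with a target ID and a scan profile.
    body = {"target_id": target_id, "profile_id": profile_id,
            "schedule": {"disable": False, "start_date": None, "time_sensitive": False}}
    scan_id = transport("POST", f"{base}/api/v1/scans", api_key, body)["scan_id"]
    # 2. Poll the scan until its current session reaches a terminal status
    #    (endpoint and field names assumed), with a hard cap so CI never hangs.
    for _ in range(max_polls):
        session = transport("GET", f"{base}/api/v1/scans/{scan_id}", api_key)["current_session"]
        if session["status"] in TERMINAL:
            break
        time.sleep(poll_seconds)
    else:
        raise TimeoutError(f"scan {scan_id} still running after {max_polls} polls")
    if session["status"] != "completed":
        raise RuntimeError(f"scan {scan_id} ended with status {session['status']}")
    # 3. Pull the findings as JSON (results endpoint assumed) and apply the gate.
    result_id = session["scan_session_id"]
    vulns = transport("GET", f"{base}/api/v1/scans/{scan_id}/results/{result_id}/vulnerabilities",
                      api_key)["vulnerabilities"]
    return severity_gate(vulns)
```

A pipeline step would call run_gated_scan and exit non-zero when the first element of the result is False.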

Triage happens in the dashboard. Each finding ships with proof-of-exploit, severity, and remediation guidance, and selected issues push straight to Jira, GitHub, or Azure Boards via the integration layer. The Business Logic Recorder is the right answer when a workflow needs multi-step macros that the crawler cannot follow on its own.

Licensing

Acunetix uses target-based pricing per FQDN. Minimum purchase is 5 targets on a 2-year subscription with annual payment. No free tier or community edition exists.

What are Acunetix’s limitations?

Acunetix does not offer a free tier. The 5-target minimum and 2-year commitment may not suit organizations that want to test a single application first.

Authenticated scanning of highly complex SPAs can still require manual macro recording. For open-source alternatives, consider ZAP or Nuclei.

As a DAST tool, it focuses on web applications and APIs. For teams comparing testing approaches, see SAST vs DAST vs IAST.

Acunetix does not replace static analysis or manual penetration testing for business logic flaws.

What are alternatives to Acunetix?

If Acunetix does not fit, four alternatives cover most exit paths.

Invicti is the enterprise sibling: same proof-based engine, multi-team RBAC, and ASPM via the Kondukto acquisition. Pick it when you outgrow Acunetix’s per-FQDN pricing or need to manage thousands of apps in one console.

Burp Suite Professional is the standard manual-testing toolkit. Pick it when a hands-on pentester drives the work and the BApp Store extensions matter more than guided scans. PortSwigger publishes Burp Suite Pro at $475 per user as of 2026.

ZAP is the most capable free DAST. Pick it when budget is the constraint and your team has the security expertise to tune the configuration.

Detectify leans on a 400+ ethical-hacker crowdsource program plus EASM. Pick it when external attack surface coverage matters as much as deep app scanning.

StackHawk wraps ZAP for CI/CD. Pick it when developer-owned pipeline scans matter more than IAST or proof-based confirmation.

Note: Part of Invicti family. Acunetix targets SMBs while Invicti serves enterprise.

Frequently Asked Questions

What does Acunetix scan for?
Acunetix crawls and scans web applications, APIs, and single-page applications for over 7,000 vulnerability types including SQL injection, XSS, CSRF, and misconfigurations. It works against running applications without access to source code.
Is Acunetix free?
No. Acunetix is commercial with no free tier. Licensing is target-based (per FQDN) with a minimum of 5 targets on a 2-year subscription. Contact sales for pricing.
How does Acunetix compare to Burp Suite Enterprise?
Acunetix is easier to set up with a guided scanning workflow aimed at teams without deep security expertise. Burp Suite Enterprise gives experienced testers more manual control and extensibility but has a steeper learning curve.
Can Acunetix run in a CI/CD pipeline?
Yes. Acunetix provides a REST API and integrations with Jenkins, GitLab CI, and Azure DevOps. You can trigger scans per build and fail the pipeline on high-severity findings.
What is AcuSensor?
AcuSensor is an IAST agent you deploy inside your application server. It gives Acunetix visibility into server-side code execution during scans, helping identify the exact line of code responsible for a vulnerability and reducing false positives.