Invicti

Category: DAST
License: Commercial

Invicti is an enterprise-grade DAST platform that combines DAST, IAST, and SCA capabilities in one solution.

The tool scans websites and APIs for security vulnerabilities and has been adopted by over 3,100 companies globally.

It evolved from Netsparker, one of the industry’s most recognized dynamic analysis tools.

Figure: Invicti Enterprise Dashboard

Primary Use Cases

Vulnerability Detection

Invicti identifies web application vulnerabilities such as SQL injection and cross-site scripting (XSS).

Figure: Security Issues Detection

Software Composition Analysis

Beyond vulnerability scanning, the platform catalogs the technologies and libraries used by a web application and monitors them for out-of-date versions.

Figure: Out of Date Technologies

DevSecOps Integration

Most organizations incorporate Invicti into their DevSecOps workflows.

Figure: SDLC Integration

Discovery Feature

The Discovery function activates upon account creation and automatically identifies websites potentially associated with your organization, drawing on several data sources:

  • Business email domain matching
  • Out-of-scope links from scans
  • Websites hosted on identical IP addresses
  • SSL certificate organization names
  • Domain keyword and second-level domain analysis

Figure: Discovery Feature

Since automated discovery is not perfect, filtering options let you remove unrelated results.

Figure: Discovery Filter Options

Website Management

Adding Targets

You can add websites individually or import multiple targets via CSV.

A website can belong to several groups at once, so you can organize targets by:

  • Hosting infrastructure
  • Technology stack
  • Geographic location
  • Team assignment
  • Priority levels

Figure: Add a New Website

Figure: Website Groups

Group Scanning

Group assignments enable batch scanning operations across related targets.

Figure: Starting a Group Scan

Scan Configuration

Scan Profiles

Save scan configurations as profiles and share them with team members.

Figure: Save a Scan Profile

Scan Policies

Pre-built Options

Select from standard policies including OWASP Top 10 or PCI compliance checks.

Figure: Built-in Scan Policies

Custom Policy Creation

Figure: Create a New Scan Policy

Security Checks Configuration

Choose which vulnerability checks a policy runs, for example restricting a scan to out-of-band SQL injection detection only.

Figure: Security Checks in Scan Policy

Crawling Parameters

The platform crawls up to 2,500 pages by default, with expansion possible to 15,000 pages.

Figure: Crawling Configurations

JavaScript Handling

For single-page applications, start from the predefined presets and adjust the DOM load timeout and the limit on simulated elements.

Figure: JavaScript Configurations

CSS Selector Exclusion

Exclude specific website sections from scanning using CSS selectors.

Figure: Exclude by CSS

Proof-Based Scanning

Proof generation is enabled by default; disable it by unchecking the “Enable Proof Generation” option.

Figure: Attacking Configurations

Form Value Configuration

Customize the default values the scanner submits into forms such as contact forms.

Figure: Configure Form Values

Brute Force Settings

The tool tries basic username/password combinations against the authentication forms it finds.

The default wordlist contains 59 entries and can be expanded to 5,000 with an Internal Agent or Invicti Standard.

Figure: Configure Brute Force

Request Configuration

Set the user-agent string and adjust the request rate (requests per second) to control scan speed and load on the target.

Figure: Configure Requests

Product Editions

Invicti Standard

A single-instance, Windows-only scanning tool, used primarily by penetration testers and cybersecurity engineers for initial vulnerability discovery.

Invicti Team

  • Cloud-only deployment (AWS US or AWS EU)
  • Supports internal application scanning via agents (Windows, Linux, Docker)
  • Unlimited users
  • Includes standard features

Invicti Enterprise

Targets organizations with 50+ websites that require enterprise-grade features.

Key Features

  • Cloud and on-premise deployment options (Windows only for on-premise)
  • Unlimited users
  • Internal application scanning via agents (Windows, Linux, Docker)
  • Dedicated technical support
  • Custom integration support
  • Includes Team and Standard capabilities

Firewall Whitelisting

IP Address Whitelisting

Whitelist scanner traffic in your firewall by source IP, using the addresses below for the region your account runs in.

Invicti AWS (US):

  • 54.88.149.100
  • 54.85.169.114

Invicti AWS (EU):

  • 3.121.126.156
  • 3.122.64.138

Common Questions

Email Notifications

If you receive unsolicited emails mentioning Invicti, someone may be scanning your site without authorization.

The platform uses “invicti@example.com” by default in contact forms, potentially generating numerous emails during scans.

Contact support@invicti.com for suspected unauthorized activity.
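As an added example (not Invicti's own code or output), the script below runs a simple detection over constructed form-submission log lines: it flags submissions carrying the default invicti@example.com address and labels them expected when the source IP is one of the scanner addresses listed under Firewall Whitelisting above, and unexpected otherwise. The log line format and the sample lines are assumptions made for this example.

```python
"""Added example: spot contact-form submissions that carry Invicti's default
form email and check whether they came from a published scanner address.
The log format and sample lines are constructed, not Invicti's own output."""
import re
from typing import Dict, List
from urllib.parse import parse_qs

# Scanner source addresses listed on this page (Invicti AWS US and EU).
INVICTI_SCANNER_IPS = {
    "54.88.149.100", "54.85.169.114",   # AWS US
    "3.121.126.156", "3.122.64.138",    # AWS EU
}
# Default email address Invicti submits into contact forms.
INVICTI_DEFAULT_EMAIL = "invicti@example.com"

# Constructed log lines in a hypothetical "<ip> POST <path> <form body>" format.
SAMPLE_LOG = """\
54.88.149.100 POST /contact email=invicti%40example.com&msg=test
203.0.113.9 POST /contact email=invicti%40example.com&msg=test
198.51.100.7 POST /contact email=alice%40corp.example&msg=hello
3.122.64.138 POST /signup email=invicti%40example.com
"""

LINE_RE = re.compile(r"^(?P<ip>\S+) POST (?P<path>\S+) (?P<body>.*)$")


def classify_submissions(log_text: str) -> List[Dict[str, str]]:
    """Return one record per submission whose 'email' field is the Invicti
    default, labelled 'expected' when the source IP is a published scanner
    address and 'unexpected' otherwise (a candidate for a report to support)."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        email = parse_qs(m["body"]).get("email", [""])[0]  # parse_qs decodes %40
        if email != INVICTI_DEFAULT_EMAIL:
            continue
        verdict = "expected" if m["ip"] in INVICTI_SCANNER_IPS else "unexpected"
        findings.append({"ip": m["ip"], "path": m["path"], "verdict": verdict})
    return findings


def unexpected_sources(log_text: str) -> List[str]:
    """Distinct source IPs submitting the default email from outside the
    published scanner addresses, sorted for stable reporting."""
    return sorted({f["ip"] for f in classify_submissions(log_text)
                   if f["verdict"] == "unexpected"})


if __name__ == "__main__":
    for finding in classify_submissions(SAMPLE_LOG):
        print(finding)
```

A non-empty result from unexpected_sources is the signal to compare against your own authorized scan schedule before contacting support.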

Scan Duration

Typical scans complete in 8-10 hours, depending on application size and complexity.

Scans should not exceed 24 hours.

Contact support@invicti.com for speed optimization guidance.

Note: Invicti was formed from the merger of Acunetix and Netsparker. It acquired Kondukto in 2024 for ASPM capabilities. Acunetix continues as a standalone product.