
Acunetix by Invicti Security is an automated web application security scanner that detects vulnerabilities such as SQL injection, XSS, and OWASP Top 10 flaws across websites, web applications, and APIs. Security teams use it to run regular audits and catch risks before they reach production.
It combines DAST and IAST technology to deliver high-accuracy results with proof-of-exploit, reducing the guesswork that typically slows down remediation. This dual-layer approach allows it to scan both from the outside like an attacker would and from within the application for deeper coverage.
It supports modern application types, including SPAs and password-protected areas, making it applicable across a range of environments. Organizations commonly position it as a core tool in DevSecOps workflows, where continuous security testing runs alongside continuous delivery.
This guide covers what it actually delivers, where it falls short, how it is priced, and what you should know before committing to it.
TL;DR: Acunetix review
Acunetix is a capable enterprise-grade DAST tool with strong vulnerability coverage and proof-based scanning. It works well for organizations that need reliable automated scanning, compliance reporting, and CI/CD integration for conventional web applications. However, the per-FQDN pricing model and limited modern API support make it a harder fit for teams on modern stacks or tighter budgets.

- Detects 7,000+ vulnerabilities: Covers XSS, SQL injection, and a broad range of OWASP Top 10 flaws across web apps and APIs
- Proof-based scanning: Automatically verifies vulnerabilities before surfacing them, reducing false positive triage
- Compliance reporting: Generates audit-ready reports mapped to PCI DSS, GDPR, HIPAA, and ISO 27001
- CI/CD integration: Supports Jenkins, GitHub Actions, GitLab CI, and Azure DevOps for continuous testing
- Expensive at scale: Pricing starts around $7,000 annually and scales past $25,000 for larger deployments
- Limited modern stack support: GraphQL and complex API architectures are not well covered
G2 rating & review:

Acunetix by Invicti generally holds a strong rating of 4.1/5 on G2. Users consistently praise the ease of use and accurate vulnerability detection of Acunetix, highlighting its ability to quickly identify critical security issues in web applications. The intuitive interface and comprehensive reporting make it a valuable tool for both developers and security professionals. However, some users note that the scanning process can be resource-intensive and time-consuming, especially for larger applications.
Key features of Acunetix
- Automated scanning for web applications and APIs
Acunetix uses a proprietary crawling and scanning engine to identify vulnerabilities across web apps and APIs. It supports authenticated scans, handles session-based applications, and can process JavaScript-rendered content to reach deeper application states.
- Coverage for OWASP Top 10 vulnerabilities
The scanner is built around OWASP Top 10 coverage, detecting SQL injection, XSS, insecure deserialization, security misconfigurations, and related vulnerability classes. This makes it a reasonable baseline for teams that treat OWASP as a minimum standard.
- Detection of misconfigurations and weak authentication
Beyond code-level vulnerabilities, Acunetix flags server misconfigurations, exposed admin interfaces, weak TLS configurations, and authentication weaknesses. This broadens coverage beyond just application layer issues.
- Crawl and scan engine for complex modern applications
Acunetix includes a JavaScript crawling engine that can interact with SPAs built on frameworks like React, Angular, and Vue. It also supports login sequence recording and macro-based authentication to scan areas of an application that require active sessions.
- CI/CD integration for DevSecOps pipelines
Acunetix integrates with Jenkins, GitHub Actions, GitLab CI, and Azure DevOps, allowing scans to be triggered as part of a build or deployment pipeline. Findings can be routed to issue trackers to connect security results to developer workflows.
- Compliance reporting for frameworks like PCI DSS and GDPR
Acunetix generates compliance-mapped reports for PCI DSS, GDPR, HIPAA, ISO 27001, and OWASP Top 10. For teams that need to produce security documentation for audits or internal governance, this reduces significant manual reporting overhead.
Acunetix is a solid scanner for organizations that want automated coverage across web assets.
Pros of Acunetix
- High accuracy with proof-based scanning
Acunetix automatically verifies vulnerabilities before surfacing them, significantly reducing false positives and the manual triage that comes with them.
- Detects over 7,000 vulnerabilities
Coverage spans XSS, SQL injection, and a broad range of vulnerability classes beyond the OWASP Top 10, and scanning extends into SPAs and authenticated areas of an application.
- Pinpoints the exact line of code
With the AcuSensor IAST agent deployed inside the application, Acunetix identifies where in the codebase the issue exists, reducing back-and-forth between security and development teams and speeding up the fix cycle.
- Fast scans with CI/CD support
Scans are quick relative to coverage depth, and scheduling alongside CI/CD integration means security testing can run continuously without manual intervention.
Cons of Acunetix
- Expensive for smaller teams
Acunetix is consistently cited as a high-cost tool. The per-FQDN pricing model compounds this for organizations with many applications or environments like dev, staging, and production.
- Authentication challenges
Multi-step or token-based authentication often requires extensive manual configuration.
- Limited modern support
It struggles with intelligent crawling of complex, modern web technologies such as SPAs and GraphQL.
- Complex setup and configuration
Users find the initial setup and configuration of Acunetix challenging, particularly for integrations and larger applications. For newcomers, the learning curve can slow down time to value considerably.
Pricing
Acunetix licenses annually based on the number of targets, meaning each website, application, or API you scan counts toward your plan. There is no public pricing page and all quotes are obtained directly through their sales team.
Small teams and startups: According to AWS Marketplace listings, pricing typically starts around $7,000 per year.
Mid-market and professional teams: Costs range from $15,000 to $25,000 or more annually depending on the number of targets and features required.
Enterprise and MSSPs: Premium options exist at significantly higher price points, quoted directly based on scale and deployment requirements.
Acunetix Manual Tools are free for private and commercial use, but they are not open source.
| Tier | Annual price | Best for | Pricing model |
|---|---|---|---|
| Small teams / startups | From $7,000 | Teams with limited scan targets | Quote-based |
| Mid-market / professional | $15,000 to $25,000+ | Organizations with multiple web assets | Quote-based |
| Enterprise / MSSPs | Custom | Large enterprises and managed service providers | Quote-based |
The per-FQDN licensing model can become expensive quickly for organizations running multiple environments such as dev, staging, and production, as each counts as a separate target. Factor this in when estimating total cost for your actual scan surface.
Summing up: Acunetix review
Acunetix remains a solid web application security scanner for organizations that need reliable automated scanning, broad vulnerability coverage, and compliance-ready reporting. For enterprises running conventional web stacks with dedicated security teams, it is a defensible choice.
The limitations become harder to ignore as application architectures evolve. GraphQL and modern API support are shallow, authentication setup for complex flows requires significant manual configuration, and the per-FQDN pricing model gets expensive quickly for teams managing multiple environments.
The right tool depends on your team’s goals, scale, and budget. Smaller teams and startups may find the cost difficult to justify relative to what they get. If your priority is a modern AppSec program that scales with your development team, tools like Beagle Security offer agentic AI-powered testing, native GraphQL support, 2FA handling, and flexible pricing without per-FQDN restrictions.
Ultimately, no single tool fits every organization. The key is aligning your security tooling with how your team builds and ships software. Acunetix earns its place in environments where compliance reporting and broad automated coverage are the priority, but teams with modern stacks and faster release cycles should weigh their options carefully before committing.
FAQs
What is Acunetix used for?
Acunetix is used for automated dynamic application security testing. It scans web applications, APIs, and web services to identify vulnerabilities such as SQL injection, XSS, and OWASP Top 10 flaws. It is also widely used for compliance reporting against standards like PCI DSS, HIPAA, and GDPR.
Is Acunetix SAST or DAST?
Acunetix is a DAST/IAST tool. SAST tools analyze source code from the inside like a developer would, while DAST tools test the running application from the outside like an attacker would. Acunetix combines both approaches, using DAST for external scanning and IAST through its AcuSensor agent for deeper internal coverage.
Is Acunetix part of Invicti?
Yes, Acunetix and Invicti are two families of web application security products under Invicti Security. They operate as separate product lines serving different market segments but share the same parent company.