Invicti Security

Invicti test

Dynamic Application Security Testing · Category 9. DAST · Tier 1
CL Listed — Visible
Methodology v3.5 · OLIR Schema
April 2026
Evaluation Tier: Visible (Listed) · Verified (CAE) · Enterprise (EEE)
Layer 1-2 only · Documentary assessment · All capabilities vendor-claimed

Executive Summary (30 seconds)

What it is

Proof-based Dynamic Application Security Testing (DAST) platform that automatically crawls and scans web applications, APIs, and web services for security vulnerabilities. Invicti uses proprietary Proof-Based Scanning technology to confirm exploitable vulnerabilities, dramatically reducing false positives.

Best for

Automated web vulnerability scanning (OWASP Top 10), PCI DSS Req. 6.2/6.5 (secure development and vulnerability management), DORA Art. 8(4) (ICT security testing). Ideal for organizations managing large web application portfolios requiring continuous DAST with minimal false positives.

What it does NOT do

No source code analysis (SAST), no SCA (Software Composition Analysis), no WAF capabilities, no endpoint protection, no IAM, no network-level scanning. Not a SIEM or SOC tool — focuses exclusively on black-box web application vulnerability detection.

CL Recommendation

Invicti is the leading proof-based DAST platform for enterprise web application security. Its Proof-Based Scanning confirms exploitability, which eliminates false positives on the findings it confirms. Critical for PCI DSS 6.x, OWASP compliance, and DORA Art. 8 testing requirements. Combine with SAST (Cat. 9), WAF (Cat. 6), and SIEM (Cat. 12) for complete application security. Recognized by Gartner in the application security testing market.

Regulatory Fit (per regulation verdict)

Regulation | Coverage | Verdict
PCI DSS v4.0 | ~18% of requirements | ✔ Strong — Req. 6.2, 6.5 (web application vulnerability testing)
DORA | ~12% of obligations | ● Moderate — Art. 8(4) ICT security testing
NIS2 | ~10% of Art. 21 | ● Moderate — Art. 21(2)(e) security in acquisition/dev
GDPR | ~4% of articles | △ Supporting only — Art. 25 (DPbD via vulnerability detection)
HIPAA | ~5% of provisions | △ Supporting only — §164.312(a) access controls via web app testing
OWASP | ~85% of Top 10 categories | ✔ Strong — Full coverage of OWASP Top 10 2021 categories
Detailed regulatory mapping (OLIR format)

PCI DSS v4.0 (PROPRIETARY)
Focal | Obligation | OLIR Rel. | Hub Ref | Rationale
Req. 6.2.4 | Software engineering techniques prevent attacks | Direct | SA-11 / PR.PS-06 | Functional
Req. 6.3.1 | Identify security vulnerabilities | Direct | RA-5 / ID.RA-01 | Functional
Req. 6.5.5 | Address common web vulnerabilities | Direct | SA-11 / PR.PS-06 | Functional
Req. 11.3.1 | External vulnerability scanning | Contributing | RA-5 / ID.RA-01 | Semantic

DORA (OPEN_GOV)
Focal | Obligation | OLIR Rel. | Hub Ref | Rationale
Art. 8(4) | Secure ICT dev lifecycle | Contributing | SA-11 / PR.PS-06 | Semantic
Art. 24(1) | Threat-led penetration testing | Contributing | CA-8 / RS.AN-02 | Semantic
Art. 8(5) | ICT testing methodologies | Direct | SA-11 / PR.PS-06 | Functional

OWASP Top 10 (OPEN_GOV)
Focal | Obligation | OLIR Rel. | Hub Ref | Rationale
A01:2021 | Broken Access Control detection | Direct | AC-3 / PR.AA-05 | Functional
A03:2021 | Injection vulnerability detection | Equivalent | SI-10 / PR.PS-06 | Syntactic
A07:2021 | XSS and identity/auth failures | Direct | SI-10 / PR.PS-06 | Functional
A09:2021 | Security logging and monitoring failures | Contributing | AU-6 / DE.AE-02 | Semantic

Articles without contribution omitted. Full OLIR mapping available in Audit Pack export.

🎯 Buyer Guidance (Decision support)

✔ Consider When

  • + PCI DSS Req. 6.2/6.5 web application security testing compliance
  • + Large web application portfolio (50+ apps) requiring continuous scanning
  • + Zero false positive requirement for confirmed vulnerabilities
  • + CI/CD pipeline integration needed for automated DAST in DevSecOps
  • + OWASP Top 10 compliance and reporting required by auditors
  • + Need proof-of-exploit evidence for vulnerability prioritization

❌ Avoid When

  • Need source code analysis (SAST) — Invicti is DAST-only
  • Non-web applications (desktop, embedded, IoT)
  • Need WAF or runtime application protection
  • Budget-constrained startup — enterprise pricing model
  • Need SCA or open-source dependency scanning
  • Internal network vulnerability scanning required (not web-focused)

Capabilities (20 claimed · 4 groups · DR-2 Quality Tiers + Config Modifiers)

Proof-Based Scanning (5 ✓ · 0 ● · 0 ✗)
Capability | Description | Quality Tier | Config Modifier
Proof-Based vulnerability confirmation | Automatically confirms exploitable vulnerabilities with proof-of-concept | Specific Obl. | Out-of-Box
OWASP Top 10 detection | Full coverage of OWASP Top 10 2021 categories | Specific Obl. | Out-of-Box
SQL injection detection & proof | Proof-based SQL injection detection with data extraction evidence | Specific Obl. | Out-of-Box
XSS detection & proof | Reflected, stored, and DOM-based XSS with proof payloads | Specific Obl. | Out-of-Box
Out-of-band vulnerability detection | Detects blind vulnerabilities via callback server | Control Family | Out-of-Box

Web Application Discovery (4 ✓ · 1 ● · 0 ✗)
Capability | Description | Quality Tier | Config Modifier
Automated web crawling | JavaScript-rendered SPA crawling with headless browser | Specific Obl. | Out-of-Box
REST API scanning | OpenAPI/Swagger import and automated API testing | Specific Obl. | Config Change
Authenticated scanning | Form-based, header-based, and OAuth authentication support | Control Family | Config Change
Web asset discovery | Automatic discovery of forgotten/shadow web assets | Control Family | Out-of-Box
GraphQL API testing | GraphQL introspection and vulnerability scanning | Control Family | Config Change

CI/CD & DevSecOps (5 ✓ · 0 ● · 0 ✗)
Capability | Description | Quality Tier | Config Modifier
Jenkins integration | Native Jenkins plugin for pipeline DAST | Control Family | Out-of-Box
Azure DevOps integration | Pipeline extension with scan triggers | Control Family | Out-of-Box
GitLab/GitHub Actions integration | YAML-based CI/CD integration templates | Control Family | Config Change
REST API for automation | Full programmatic scan management and results retrieval | Control Family | Out-of-Box
Issue tracker integration (Jira, Azure Boards) | Auto-create tickets for confirmed vulnerabilities | Generic Control | Config Change

Reporting & Compliance (4 ✓ · 1 ● · 0 ✗)
Capability | Description | Quality Tier | Config Modifier
OWASP Top 10 compliance report | Pre-built OWASP compliance template with evidence | Specific Obl. | Out-of-Box
PCI DSS compliance report | Req. 6.x vulnerability testing evidence | Specific Obl. | Out-of-Box
Executive dashboard | Trend analysis, risk scoring, and vulnerability aging | Generic Control | Out-of-Box
CWE/CVE mapping | Map findings to CWE and CVE databases | Specific Obl. | Out-of-Box
WAF integration for virtual patching | Export rules to WAF for temporary mitigation | Control Family | Config Change

🛡 MITRE ATT&CK Mapping (Layer 4 — Derived via SP 800-53)

Mitigation | Name | Coverage
M1016 | Vulnerability Scanning | Full (claimed)
M1050 | Exploit Protection | Full (claimed)
M1051 | Update Software | Partial (claimed)
M1013 | Application Developer Guidance | Full (claimed)

Score: 3.5 / 5.0 (70%) — All vendor-claimed. Techniques addressed: T1190, T1059, T1203, T1071 (exploitation & web attack family).

ATT&CK techniques detail

Technique | Name | How Addressed | Provenance
T1190 | Exploit Public-Facing Application | DAST scanning identifies exploitable web vulnerabilities before attackers | DERIVED via M1016
T1059 | Command and Scripting Interpreter | Detects injection flaws (SQL, OS command, LDAP) in running applications | DERIVED via M1016
T1203 | Exploitation for Client Execution | Identifies XSS, CSRF, and client-side injection vulnerabilities | DERIVED via M1050
T1071 | Application Layer Protocol | Detects insecure API endpoints and protocol misconfigurations | DERIVED via M1016

📄 Evidence Pack (DR-2 §5.1 — Proof of value)

Artifact | Description
DAST scan reports (PDF/HTML) | Detailed vulnerability findings with proof-of-exploit evidence. Exportable.
OWASP Top 10 compliance report | Pre-built compliance mapping with pass/fail per category.
Proof-Based vulnerability evidence | Confirmed exploitability proof for each vulnerability found.
CI/CD pipeline audit trail | Scan execution logs with policy gate decisions.
API scan documentation | REST/GraphQL endpoint coverage and findings.
Third-party penetration test | Independent security assessment of Invicti platform.

Evidence level: Documentary review only (CL Listed). For verified evidence, upgrade to CAE (Examine + Interview) or EEE (+ Test).

Operational Metrics & Anti-Hype (DR-2 §5.1 + §9.2)

Metric | Invicti Standard (Single-user) | Invicti Enterprise (Multi-user) | Enterprise (Full Portfolio)
Implementation | 1-2 days | 1-3 weeks | 4-8 weeks
FTE Required | 0.1 FTE | 0.25-0.5 FTE | 0.5-1 FTE
Time to first value | Day 1 (first DAST scan on primary web application), all tiers
Time to production | Month 1-3 (all web apps onboarded, CI/CD gates active, scan policies tuned), all tiers

Anti-Hype: Marketing vs. Reality

Claim | Reality | Verdict
Zero false positives with Proof-Based Scanning | Proof-Based findings are indeed confirmed exploitable, but only ~30-50% of all findings are proof-based. Remaining findings still have typical DAST false positive rates. | Partial
Scans modern SPAs and JavaScript frameworks | Verified. Headless browser crawling handles React, Angular, Vue. Complex SPAs may require manual crawl configuration. | Verified
Complete API security testing | REST and SOAP well covered. GraphQL support is newer and less mature. gRPC not supported. | Partial
Fastest DAST scanner on the market | Scan speeds are competitive but depend on application complexity. Large applications (10K+ pages) can take several hours. | Misleading
Replaces manual penetration testing | Augments but does not replace manual pentesting. Business logic flaws and complex chained attacks require human expertise. | Misleading

Strengths & Cautions

✔ Strengths

  • + Proof-Based Scanning — unique technology confirming exploitable vulnerabilities
  • + Very low false positive rate on confirmed (proof-based) findings
  • + Comprehensive OWASP Top 10 2021 coverage out-of-box
  • + Modern SPA and JavaScript framework crawling support
  • + Strong CI/CD integration (Jenkins, Azure DevOps, GitHub Actions)
  • + Web asset discovery for shadow IT identification
  • + Pre-built PCI DSS and OWASP compliance reports

⚠ Cautions

  • ! Enterprise pricing — no free tier or community edition
  • ! DAST-only — no SAST or SCA capabilities
  • ! Not all findings are proof-based (30-50% coverage)
  • ! GraphQL and gRPC API testing less mature
  • ! Complex SPAs may require manual crawl configuration
  • ! Cannot detect source-code level vulnerabilities
  • ! All capabilities VENDOR-CLAIMED (no CL independent testing)

📈 Competitive Positioning (Category 9 — DAST)

Capability | Invicti test | HCL AppScan | Acunetix | Qualys WAS
Proof-based scanning | | | |
DAST web scanning | | | |
API security testing | | | |
CI/CD integration | | | |
SPA/JavaScript crawling | | | |
On-prem deployment | | | |
Pricing entry | Enterprise only | Enterprise only | SMB tier | Enterprise only

Competitive data based on public information. CL has not evaluated these alternatives — for detailed assessment, see individual CL Listings.

📑 Framework Views (Hub: CSF 2.0 + 800-53r5 + ISO 27001)

NIST SP 800-53 Rev 5
Control | Name | Contribution | Provenance
RA-5 | Vulnerability Monitoring & Scanning | direct | DERIVED via PCI DSS 6.3
SA-11 | Developer Testing & Evaluation | direct | DERIVED via PCI DSS 6.2
SI-10 | Information Input Validation | direct | DERIVED via OWASP A03
CA-8 | Penetration Testing | contributing | CL-ORIGINAL
SA-15 | Development Process & Standards | contributing | DERIVED via DORA Art. 8(4)
CM-4 | Impact Analyses | contributing | CL-ORIGINAL

NIST CSF 2.0
Function | Category/Subcategory | Contribution | Provenance
IDENTIFY | ID.RA-01 Vulnerability identification | direct | DERIVED via RA-5
PROTECT | PR.PS-06 Secure software development | contributing | DERIVED via SA-11
DETECT | DE.CM-09 Software monitoring | direct | CL-ORIGINAL
RESPOND | RS.AN-02 Impact analysis | contributing | CL-ORIGINAL

ISO 27001:2022 Annex A
Control | Name | Contribution | Provenance
A.8.29 | Security testing in dev & acceptance | direct | DERIVED via NIS2-ISO
A.8.8 | Management of technical vulnerabilities | direct | DERIVED via PCI DSS 6.3
A.8.25 | Secure development life cycle | contributing | DERIVED via OWASP-ISO
A.8.28 | Secure coding | contributing | CL-ORIGINAL

Vendor Security Practices (SSDF / CRA)
SSDF ID | Practice | Status
PW.1 | Risk-based secure design | Claimed
RV.2 | Timely vulnerability remediation | Claimed
PO.5 | Secure development environment | Claimed
PS.3 | SBOM available | Not stated
RV.1 | Vulnerability disclosure program | Claimed
PS.2 | Code signing | Unknown

Compliance Labs · Software Listing v3.5 · OLIR Schema Hub: CSF 2.0 ↔ 800-53r5 ↔ ISO 27001 · April 2026