Website vulnerability scanners benchmark

Discover which website vulnerability scanners deliver the most accurate findings and how you can use these insights for your security workflow.

This benchmark compares the best website scanners to help you understand their detection capabilities and limits, and to give you objective data for improving your tooling and workflows.


Overview of this website scanners benchmark

Necessary

Why compare the best web app scanners?

In the absence of standardized testing, the transparent results in this benchmark provide clear data for validating anecdotal evidence and vendor-provided claims.

The insights about the actual effectiveness of leading web app scanners from this analysis can help security specialists effectively evaluate and choose the right tools for their needs.

Transparent

What kind of findings does this benchmark include?

The results in this benchmark come from rigorously testing 6 of the most popular website vulnerability scanners against Broken Crystals and DVWA (Damn Vulnerable Web Application).

The key findings and full list of results include the types of vulnerabilities and vulnerable paths detected during testing.

Realistic and relevant

How does this benchmark evaluate the scanners?

The benchmark examines how the vulnerabilities each scanner reported compare to the target’s security posture, revealing their rate of true positive, false positive, and false negative results.

Transparent criteria ensure a fair, standardized comparison across open-source and commercial tools, reflecting what appsec engineers look for in a DAST (Dynamic Application Security Testing) tool.

Methodology for this website scanners benchmark

Testing period: February 2024

Detections: all scanners were updated with the latest detections as of February 2024.

Configuration: each scanner was manually configured for maximum crawl coverage and enabled to use all available vulnerability detections.

  • 6 popular website scanners evaluated

  • 2 independent testbeds: DVWA & Broken Crystals

  • 3 criteria: true positives, false positives, false negatives

  • 107 vulnerable paths tested

Criteria for evaluating website scanners in this benchmark

  • True positive rate: reported vulnerabilities that actually exist.

    The true positive rate was calculated as: (number of detected true positive vulnerabilities / total number of true positive vulnerabilities reported by all scanners) * 100

  • False positive rate: reported vulnerabilities that do not actually exist.

    The false positive rate was calculated as: (number of detected vulnerabilities which were false positives / total number of false positive vulnerabilities reported by all scanners) * 100

  • False negative rate: vulnerabilities that exist but that the scanner did not report.

    The false negative rate was calculated as: (number of undetected true positive vulnerabilities / total number of true positive vulnerabilities reported by all scanners) * 100

    See the short calculation sketch after this list for how these rates are computed in practice.
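To make the criteria above concrete, here is a minimal Python sketch of how the three rates can be computed from per-scanner counts. The function name and the sample numbers are illustrative placeholders, not values taken from the benchmark data.

```python
# Minimal sketch of the rate calculations described above.
# The counts below are hypothetical placeholders, not benchmark results.

def detection_rates(detected_tp, reported_fp, total_tp_all_scanners, total_fp_all_scanners):
    """Return (true positive, false positive, false negative) rates as percentages."""
    tp_rate = detected_tp / total_tp_all_scanners * 100
    fp_rate = reported_fp / total_fp_all_scanners * 100
    # Undetected true positives are the confirmed vulnerabilities this scanner missed.
    fn_rate = (total_tp_all_scanners - detected_tp) / total_tp_all_scanners * 100
    return tp_rate, fp_rate, fn_rate

# Example: a hypothetical scanner that detected 25 of 40 confirmed vulnerabilities
# and reported 3 of the 12 false positives seen across all scanners.
tp, fp, fn = detection_rates(detected_tp=25, reported_fp=3,
                             total_tp_all_scanners=40, total_fp_all_scanners=12)
print(f"TP rate: {tp:.1f}%  FP rate: {fp:.1f}%  FN rate: {fn:.1f}%")
```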

Watch the benchmark breakdown

Watch Stefan Mihalache, Security Research Engineer, break down the results of this benchmark in just 4 minutes, and see how the best website vulnerability scanners did against each of the targets.

Download the benchmark
Comparing the BEST Website vulnerability scanners [2024]

The results of this website scanners benchmark

Tool rankings

Overall detection

The evaluation of leading web application vulnerability scanners indicates that both commercial tools and the prominent open-source tool ZAP provide generally consistent vulnerability detection, with only minor differences observed.

Detection accuracy

While most web app scanners demonstrated strong accuracy with minimal false positives, ZAP had notable inaccuracies in DVWA scans. The Website Vulnerability Scanner on Pentest-Tools.com, however, consistently reported a lower rate of false positives across both targets.

Real world relevance

With web security vulnerabilities and technology continuously evolving, scanners must constantly refine their detection capabilities, making static benchmarks less relevant over time. This is why it’s crucial to recognize that a scanner's benchmark performance might not translate directly to real-world scenarios.

The most accurate website vulnerability scanners

Looking at their performance across both vulnerable targets and their roster of vulnerabilities, the evaluated tools show a similar level of detection capability. When looking at accuracy, though, one scanner in particular stands out through the number of false positives it produced.

Website scanners benchmark both targets illustration

The best website scanners against Broken Crystals

Broken Crystals was one of the main targets for testing the most popular website vulnerability scanners because it reflects modern web application environments.

This publicly available target incorporates a wide range of technologies and vulnerabilities, including a REST and a GraphQL API, XSS and SQL injection vulnerabilities, as well as security issues arising from flawed JWT and GraphQL implementations.

These components make Broken Crystals an impartial and relevant testbed that enables this benchmark to transparently and accurately compare each scanner's reported vulnerabilities against the actual security posture of the target.

Website scanners benchmark Broken Crystals true positives illustration
  • In the Broken Crystals assessment, Invicti’s Acunetix secured the leading position by a significant margin. The Pentest-Tools.com Website Vulnerability Scanner achieved second place, in a tie with Burp Suite from PortSwigger. Notably, ZAP exceeded the performance of both Qualys and Rapid7 InsightAppSec, earning a commendable fourth place.
Website scanners benchmark Broken Crystals false positives illustration
  • Regarding false positives, all scanners performed moderately, each producing some, but none standing out negatively. The slight variations among them didn't provide a decisive differentiation, suggesting a generally even match across the scanners.

The best website scanners against DVWA

DVWA (Damn Vulnerable Web Application) is an essential testbed for evaluating website vulnerability scanners against traditional web applications.

This well-known publicly available target helps assess the scanners' detection accuracy, providing a clear benchmark for how effective they are in identifying common vulnerabilities in a widely recognized and relevant testing environment.

Website scanners benchmark DVWA true positives illustration
  • In tests against DVWA, Burp Suite leads the field, identifying 29 out of 39 vulnerabilities. Following closely, the Pentest-Tools.com Website Vulnerability Scanner detected the second highest number of vulnerabilities. Rapid7 InsightAppSec and Invicti’s Acunetix rank 3rd and 4th respectively, with Rapid7 identifying 19 vulnerabilities and Acunetix 18.
Website scanners benchmark DVWA false positives illustration
  • When it comes to false positives, the scan results differ quite a lot from the Broken Crystals tests. ZAP is excluded from this comparison because it reported 88 false positive SQL injection findings, a significantly higher count than any other scanner.

See the full benchmark results and all the data behind them

Download the benchmark

9 things you can do with this benchmark of website scanners

1. Evaluate web app scanner capabilities

Compare the effectiveness of popular website scanners by assessing their ability to crawl a wide range of application functionalities, identify a diverse roster of vulnerabilities, and accurately report findings. Save time and resources while researching tools to strengthen your attack surface mapping and web app vulnerability detection capabilities.

2. Benchmark internal tools

Compare the effectiveness of your in-house tools against commercial and open-source web app vulnerability scanners regarded as industry standards to highlight areas of strength and opportunities for improvement in your setup.

3. Enhance your CI/CD pipeline

Identify the best web app scanners to integrate into your CI/CD pipeline and detect vulnerabilities early in the development process, ensuring secure code before deployment.

Evaluate which tools help you avoid gaps in detection and which can effectively complement your security toolset and workflow.

4. Select tools for web app penetration testing

Choose website vulnerability scanners that can truly inform and complement manual testing, improving your team’s ability to detect critical security issues and speed up remediation - especially in time-sensitive contexts.

5. Improve stakeholder communication

Use benchmark data to communicate the effectiveness of web application security tools to stakeholders and decision-makers whose budget approval you need to pursue internal projects.

6. Inform negotiations with vendors

Leverage the findings from this website scanners benchmark in negotiations with vendors or use it to provide feedback for product improvements you find necessary for your needs.

7. Optimize resource allocation

Allocate resources more efficiently by understanding which web application scanners provide the best coverage and accuracy for your requirements.

8. Improve support for compliance efforts

Choose web app scanners that align with compliance requirements by evaluating their detection capabilities against industry standards.

9. Share knowledge with your community

Share the findings in this benchmark to improve collective knowledge within your team, organization, or community. (Your feedback on ways to improve this benchmark is more than welcome!)

What were the criteria for including the detected vulnerabilities in the final results?

In the benchmark testbeds, vulnerabilities are defined based on established standards, including OWASP Top 10 and the Common Weakness Enumeration (CWE). In addition, issues identified by scanners that serve as effective defense-in-depth measures, such as anomalies in the Content Security Policy (CSP) header, were also included.

While this approach introduces a degree of subjectivity, it aligns with the practical responsibilities of security engineers who evaluate scanner reports during real-world assessments.

What was the methodology for determining true and false positives in the benchmark testbeds?

The validation of each vulnerability reported by the scanners was conducted manually to ascertain its accuracy as a true positive. We encourage stakeholders to contact us should there be any concerns or discrepancies identified in our measurement of results, as we aim for the highest level of precision in our evaluations.

Why does the benchmark not include other testbeds?

In choosing benchmark testbeds, the preference for open-source options was guided by the goal of making it easy for independent testers to replicate the setup.

A benchmark is only as valuable as its level of transparency and the lengths to which it allows for results verification within the cybersecurity community.

The number of False Positives ZAP reported on DVWA seems suspicious. How was the scan configured?

The Active Scan policy was configured with a Default Alert Threshold of Low and a Default Attack Strength of Insane. Additionally, injection was enabled in all the input vectors. At the time of writing, these were: URL Path, URL Query String (with the option to add parameters), POST Data, HTTP Headers, and Cookie Data.
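For readers who want to reproduce a comparable ZAP run, the sketch below is one way to drive it from the ZAP Python API client (the zapv2 module). It assumes a locally running ZAP instance proxying on port 8080, and that the Low alert threshold, Insane attack strength, and input vector options described above were already configured in the ZAP desktop UI; the target URL and API key are placeholders, not the benchmark setup itself.

```python
# Hedged sketch: run a basic ZAP spider + active scan and collect the alerts.
# Assumes ZAP is already running locally on port 8080 and that the scan policy
# (alert threshold Low, attack strength Insane, all input vectors enabled)
# was configured beforehand in the ZAP UI, as described in the answer above.
import time
from zapv2 import ZAPv2  # ZAP Python API client (PyPI: zaproxy / python-owasp-zap-v2.4)

TARGET = "http://localhost:3000"  # placeholder target URL
zap = ZAPv2(apikey="changeme",    # placeholder API key
            proxies={"http": "http://127.0.0.1:8080",
                     "https": "http://127.0.0.1:8080"})

# Crawl the target first so the active scanner has URLs to attack.
spider_id = zap.spider.scan(TARGET)
while int(zap.spider.status(spider_id)) < 100:
    time.sleep(2)

# Launch the active scan and wait for it to finish.
scan_id = zap.ascan.scan(TARGET)
while int(zap.ascan.status(scan_id)) < 100:
    time.sleep(5)

# Collect the alerts so they can be triaged manually as true or false positives.
for alert in zap.core.alerts(baseurl=TARGET):
    print(alert["risk"], alert["alert"], alert["url"])
```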

Which website vulnerability scanner is the most accurate?

The benchmark evaluates detection and accuracy rates across two targets - Broken Crystals and DVWA (Damn Vulnerable Web Application) - which include multiple vulnerable technologies. Acunetix from Invicti, the Pentest-Tools.com Website Vulnerability Scanner, and Burp Suite consistently reported higher accuracy in vulnerability detection.

How were the website scanners evaluated?

Scanners were tested against Broken Crystals and DVWA (Damn Vulnerable Web Application), focusing on true positives, false positives, and false negatives to ensure a comprehensive and transparent comparison. The goal was to simulate the perspective of an application security engineer looking to evaluate a DAST (Dynamic Application Security Testing) tool.

Which scan settings did you use for the tests in this benchmark?

Each web app scanner was manually configured to use its most comprehensive crawling strategy and to attempt all the vulnerability detections it offers.

Where available, the Swagger/OpenAPI files defining the REST API were provided to the scanners, as well as the GraphQL endpoint to be scanned.

Some vulnerabilities were present in endpoints protected by authentication, so, where possible, each scanner was configured to run the security scan as an authenticated user.

Can these website scanners detect all types of security vulnerabilities?

No scanner can guarantee to detect every vulnerability. The benchmark shows each tool's strengths and weaknesses across a varied range of technologies.

Which website vulnerability scanner is the fastest?

Scanning speed is not included as a performance metric in this benchmark.

Are open-source website scanners included in the benchmark?

Yes, the 6 selected website vulnerability scanners included in the benchmark are a mix of open-source (ZAP) and commercial scanners (Invicti Acunetix, PortSwigger Burp Scanner, Pentest-Tools.com Website Vulnerability Scanner, Qualys WAS (Web Application Scanning), Rapid7 InsightAppSec).

This selection focuses on the most popular web application scanning tools in the cybersecurity industry.

Are cloud-based website scanners included in the benchmark?

The benchmark includes both on-premise website vulnerability scanners (Rapid7 InsightAppSec) and tools that run on a cloud platform such as the Pentest-Tools.com Website Vulnerability Scanner, with some vendors offering both versions for the same product (e.g. Invicti Acunetix, PortSwigger Burp Scanner).

How does this benchmark help with compliance?

This benchmark provides insights into which web application scanners are better at detecting vulnerabilities relevant to specific compliance requirements, especially those focusing on mapping and monitoring the attack surface of an organization.

Can I use the benchmark results to guide tool purchasing decisions?

Absolutely! The scan results in this benchmark help security teams select suitable scanners by highlighting detection capabilities, detection gaps, and vendor commitments to adding detection for high-risk vulnerabilities in complex web app architectures.

Does the benchmark consider false positives?

Yes, the evaluation includes a detailed analysis of false positives reported by each scanner. This aspect is critical as it impacts the trustworthiness and efficiency of the scanner in real-world scenarios.

High false positive rates can lead to unnecessary investigations, wasting time and resources. By assessing the rate of false positives, the benchmark helps security professionals understand which tools provide the most accurate and reliable results, ensuring better resource allocation and more effective vulnerability management.

The benchmark uses standardized criteria to ensure consistent and fair comparison across different scanners.

Are these website scanners suitable for small businesses?

The benchmark includes both lightweight scanners and scanners with more robust functionality, catering to various business sizes and web application security requirements.

How often is this benchmark updated?

This benchmark was first published on May 29, 2024 and will be updated annually.

How does pricing affect the choice of website scanners?

The benchmark focuses on the most popular website scanning tools in the security industry and does not include pricing information, which is highly variable based on customer needs and can be subject to change depending on the vendors’ commercial decisions.

How user-friendly are these website vulnerability scanners?

The benchmark does not address user interface and ease of use for each scanner because there are no objective criteria for comparing these factors, important as they may be for the decision-making process and overall performance of the tool.

How reliable are the benchmark results?

This benchmark’s results are based on standardized tests across a transparently described setup. They provide a reliable comparison based on publicly available data about test results. Download the benchmark (PDF) for the complete details.

What is the importance of false negative rates in the benchmark?

False negative rates are critical for risk assessment as they indicate the vulnerabilities that scanners fail to detect, which can leave web apps exposed to potential threats.

High false negative rates undermine the reliability of a scanner, as attackers can exploit undetected vulnerabilities, posing significant security risks.

The benchmark measures the false negative rates to provide a clear understanding of each scanner’s detection capabilities, ensuring that security teams can trust their tools to uncover as many vulnerabilities as possible and minimize overlooked risks.

This metric helps prioritize scanners that offer comprehensive coverage and improve overall security posture by identifying the most effective tools for vulnerability detection.

Can these website scanners integrate with other security tools?

The benchmark does not address integration capabilities with other security solutions because there are no truly objective criteria for comparing these factors, important as they may be for the decision-making process and overall performance of the tool.

How does the benchmark handle updates and new vulnerabilities?

For those wishing to independently confirm the findings, note that all scanners were updated with the latest detections as of February 2024, when the benchmark tests were run.