First of all, thank you for reading my question, I really appreciate it! I am trying to integrate Jenkins and Acunetix (a vulnerability scanner), but it seems to be near impossible... My situation is as follows:
There are two machines, a Debian 9 machine [DEB] and a Windows 10 machine [WIN]. I installed Acunetix v11 on [WIN] and Jenkins on [DEB], and I configured Acunetix to be accessible from outside (following this tutorial: -acunetix-host-localhost/). After that, I followed another tutorial ( -acunetix-root-certificate-another-computer/) to connect Jenkins with Acunetix. I managed to access the Acunetix web page from [DEB] via a browser (no issues with the network or configuration in that sense).
However, I could not connect to Acunetix from Jenkins despite the fact that I followed every single step explained on the Acunetix web page. I got this error: "Please add the Acunetix scanner certificate to Java CA store" when I tested the connection from Jenkins (obviously, the Acunetix plugin is installed in Jenkins). I checked that the certificate obtained from the Acunetix installation (on [WIN]), "ca.cer", was correctly added to the keystore on [DEB]. Then I made a custom keystore to be used by Jenkins (as explained in this other tutorial: -us/articles/203821254-How-to-install-a-new-SSL-certificate-) and got the same result... At that point I thought that maybe something was wrong with [DEB], so I used another Windows 10 machine [WIN2] to repeat the process... and got the same result... In all cases the Acunetix certificate was also added to the OS store, apart from the Java keystore.
We've configured the plugin properly (we're able to invoke Acunetix from Jenkins, although we're having issues getting the report copied into the Jenkins workspace). The issue you might have run into is that you may have more than one JRE installed, and you have to register the certificate in the keystore of the JRE that Jenkins is actually using (you can check which one Jenkins uses by looking at the "" tag in the jenkins.xml config file).
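The reply above points at the usual cause of "Please add the Acunetix scanner certificate to Java CA store": the certificate went into a different JRE's trust store than the one Jenkins runs on. The script below is an added example (not code from the original thread, nor from Acunetix or Jenkins) for a Debian host like [DEB]: it resolves the java binary behind the running Jenkins process via /proc, maps it to that JRE's cacerts file (JDK 8 and JDK 11+ layouts), imports ca.cer there and checks the entry. It assumes Linux with /proc, keytool on PATH, the stock cacerts password "changeit", and the alias name "acunetix", which is just a label chosen here.

```sh
#!/bin/sh
# Added example: import the Acunetix CA (ca.cer) into the cacerts of the JRE
# that the running Jenkins process actually uses, then verify the entry.
# Assumptions: Linux (/proc), keytool on PATH, default store password
# "changeit", alias "acunetix" (arbitrary label chosen for this example).

# Resolve the java binary behind the running Jenkins process (follows symlinks,
# so /usr/bin/java -> /etc/alternatives/java -> the real JRE is handled).
find_jenkins_java() {
  pid=$(pgrep -f 'jenkins.war' | head -n 1)
  [ -n "$pid" ] || { echo "jenkins process not found" >&2; return 1; }
  readlink -f "/proc/$pid/exe"
}

# Map a java binary to its cacerts file. Two layouts are covered:
#   JDK 11+ : <home>/lib/security/cacerts
#   JDK 8   : <jdk>/jre/lib/security/cacerts  (java may be <jdk>/bin/java or
#             <jdk>/jre/bin/java; both resolve to the same file)
cacerts_for_java() {
  javabin=$(readlink -f "$1") || return 1
  home=$(dirname "$(dirname "$javabin")")
  for candidate in "$home/lib/security/cacerts" "$home/jre/lib/security/cacerts"; do
    if [ -f "$candidate" ]; then
      echo "$candidate"
      return 0
    fi
  done
  echo "no cacerts found under $home" >&2
  return 1
}

# Import ca.cer (keytool accepts PEM or DER) as a trusted CA entry.
import_acunetix_ca() {
  store=$1
  cert=$2
  keytool -importcert -noprompt -trustcacerts \
    -alias acunetix -file "$cert" \
    -keystore "$store" -storepass changeit
}

# Exit status 0 when the alias is present in the store.
has_acunetix_ca() {
  keytool -list -keystore "$1" -storepass changeit -alias acunetix >/dev/null 2>&1
}

main() {
  cert=${1:-ca.cer}
  javabin=$(find_jenkins_java) || exit 1
  store=$(cacerts_for_java "$javabin") || exit 1
  echo "Jenkins runs on: $javabin"
  echo "Trust store:     $store"
  import_acunetix_ca "$store" "$cert"
  has_acunetix_ca "$store" && echo "acunetix alias present; restart Jenkins to pick it up"
}

# Usage: sh import-acunetix-ca.sh /path/to/ca.cer
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Two caveats: Jenkins only reads cacerts at JVM start, so restart the service after the import; and if JAVA_ARGS in /etc/default/jenkins sets -Djavax.net.ssl.trustStore, that file is the trust store Jenkins consults, and the import has to go there instead of the JRE's cacerts.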
I can schedule daily, weekly or monthly scans of targets that check for vulnerabilities in our cloud infrastructure from one control panel. The ability to send different types of reports to various parties, for example a 'Board level' report or a 'Developer' report, is handy for tailoring content to the audience.
It could perhaps be improved by adding a section for commenting on how a vulnerability was fixed and a link to a relevant URL to confirm this. Pricing is good for a small number of targets, but quickly becomes expensive for multiple target locations.
Good tool for web application pentesting; it can give you insight into present vulnerabilities. I would recommend using it in tandem with an infrastructure scanner (like Nessus) to create a complete testing solution. Also, the continuous scanning and scheduler features can be used for regular security assessment of your web applications.
Ease of use, good customer support, very insightful reports (especially the Developer report), good vulnerability management. Also, the continuous scanning option is an interesting thing for maintaining continuous security awareness of your vulnerability level. The login sequence recorder is also an awesome tool.
Not a lot of scan options to configure, especially in comparison to Nessus: every check is done by default; you can't choose specifically which test is done in a selected scan, only the type of scan (full, high-risk vulnerabilities, XSS, SQLi, weak passwords, crawl only) or the technology in which the scanned web app is written.
Regarding your comment about choosing what to scan for you can already do this in Acunetix, although the feature is slightly hidden away in Settings > Scan Types. Here you can create your own custom Scan Types, and you will be able to choose which vulnerabilities to check for. When creating a new custom Scan Type, you can filter the vulnerability checks from the top right hand corner of the page.
Example 1: In the "Site Structure" of a scan it is possible to press "Exclude". Does it exclude the path from future scans? If so, why don't I see anything in the target settings? Or does "Exclude" exclude vulnerabilities from the report? BTW, after pressing "Exclude" I'm not able to "Include" it again.
Example 2: "Scan speed": how many threads per setting are we talking about?
* I would definitely like to get some more feedback from scans directly in the interface: what is it doing, why did it fail, did all the "allowed hosts" get scanned, etc. I know you can debug a target, but this is not what I mean.
* As a pentester I absolutely miss a more flexible way to configure settings, as was possible in v10. The interface is built as "point and shoot", idiot-proof. Currently, if I want to configure things I need to change XML config files on the server and reload Acunetix...
* After the release of v12 we were called by a sales agent, as we suddenly couldn't add targets anymore. The license model suddenly changed completely. The entire business model is now based on scanning applications continuously over the year. However, as a pentesting business we mostly scan apps just once for our security assessments. It makes absolutely no sense to apply the same costs! Just like Netsparker, Acunetix should have plans for pentesters and consultants.
* Scanning an app that spans multiple domains always results in problems. Currently you have the "Allowed hosts" setting, which is crappy to set up. I need to set all (sub)domains as different targets. And of course, with the current business model you are charged per target, lol.
As you rightly say, we try to keep an easy to use interface, with the intention of automatically detecting the best way to scan the site. There are some settings which are not used by most of our customers, and which can be manually tweaked from the settings file.
I think you might have missed the little help icon at the top right corner of the Acunetix interface. When clicked, this provides help on the settings loaded in the current page. But to answer your queries:
As a scanner it is quite good, with relevant and well-described findings; so far no false positives. Following an initial trial and PoC with a couple of competitors, Acunetix had the best features, the most suitable licensing model and good support, so we purchased a three-year license. However, at some point it all changed. The license became based on other criteria, the testing and verification tools were removed, and there is no support or way of reverting to a previous version after you realise that the changes introduced are making the software unusable or insufficient. Overall, unless there are guarantees that it won't happen again, I will be very reluctant to renew.
You can download the free Acunetix Manual Pentesting Tools from -scanner/free-manual-pen-testing-tools/. You can copy the request made by Acunetix from the vulnerability details and use it in the Acunetix Manual Tools.
We are using Acunetix now for more than 5 years. It is very easy to create new targets and quickly start automatic scans. The AcuSensor often gives me a good hint where I should take a closer look manually.
Our management likes the well structured reports.
If a web application is very complex, the scanner sometimes does not really manage to find its path through the process.
Since the application changed to the web GUI, it is more complicated to specify a pre-recorded login sequence. The user has to log into the server where Acunetix is hosted and start a different application to record the sequence.
We are planning on integrating the Acunetix Login Sequence Recorder in the Acunetix web UI. This will make it easier to record login sequences moving forward. If all goes well, we will have this feature in place by the end of Q3 / beginning Q4 this year.