2018 Vulnerability Scanner Comparison

This is a comparison between Syhunt products and some of their key competitors, backed by independent public data from the ongoing 2018 WAVSEP project and by Syhunt's internal tests and vulnerability coverage research using the open source WAVSEP platform and open source samples from NIST's SAMATE project.

| Product Feature | Syhunt | AppScan | WebInspect | Acunetix | Nessus |
|---|---|---|---|---|---|
| Hybrid Scan | | | | | |
| Source Code Scan | | | | | |
| Dynamic Scan | | | | | |
| DAST Detection (XSS) | 100% | 100% | 100% | 100% | Declined to participate (2018-2014); 66% (in 2012) |
| DAST Detection (SQL Injection) | 100% | 100% | 98% | 100% | Declined to participate (2018-2014); 85% (in 2012) |
| DAST Detection (LFI/Path Traversal) | 100%; 52% (2012) | 100%; 48% (2012) | 94%; 49% (2012) | 94%; 32% (2012) | Declined to participate (2018-2014); 8% (in 2012) |
| DAST Detection (RFI) | Waiting results (2018); 100% (2017); 44% (2012) | N/A (2018); 100% (2017); 0% (2012) | 100% (2018); 100% (2017); 61% (2012) | 64% (2018); N/A (2017); 44% (2012) | Declined to participate (2018-2014); 0% (in 2012). No RFI plugin was available, same for AppScan in 2012 |
| DAST Detection (Unvalidated Redirect) | 100%; 0% (2014). No UR plugin in 2014. | 36%; 36% (2014) | 95%; 50% (2014) | 100%; 16% (2014) | Declined to participate (2018-2014) |
| DAST Detection (OS Command Injection) | Waiting results (2018) | N/A (2018) | N/A (2018) | 78% (2018) | Declined to participate (2018) |
| Crawling Coverage (WIVET, 2014) | 94% | 92% | 94% | 94% | Declined to participate |
| CVSSv3 Support | | | | | |
| CVSSv2 Support | | | | | |
| PCI DSS 3.2 Support | | | | | |

Notes:

  • Hybrid Scan refers to the ability to perform hybrid (static and source code) analysis, learning from the target code before performing checks.
  • 2018 data refer to independent evaluation by the WAVSEP project as well as internal evaluation performed by Syhunt using the open source WAVSEP environment. Syhunt was invited to participate in the 2018 project, accepted, and is awaiting the full official evaluation results. For detailed info, see WAVSEP 2018.
  • 2017 data refer to internal evaluation performed by Syhunt using the open source WAVSEP environment.
  • 2014 data refer to independent evaluation by the WAVSEP project performed during this period. For detailed info, see WAVSEP 2014.
  • 2012 data refer to independent evaluation by the WAVSEP project performed during this period. For detailed info, see WAVSEP 2012.
  • Declined to participate - According to the WAVSEP project, Qualys, Tenable Nessus, Retina and Nexpose were contacted, but these specific vendors declined to contribute to and participate in the WAVSEP benchmarks. Nessus participated for the last time in 2012.
  • N/A represents missing data or scores for the time being.
  • For better visualization, any detection rate below 90% was marked in red. A 0% score means a specialized plugin was not available at the time for performing the specific check.