Syhunt as Alternative to Tenable.io WAS
This document compares key functionality and scan capabilities of two industry-leading products: Syhunt Hybrid and Tenable.io WAS. The comparison is of particular interest to those undecided between the two products and to those seeking an alternative to Tenable.io WAS.
Background
Both Syhunt and Tenable are long-established security assessment companies. Syhunt was founded in 2003 as a company focused on web application security, while Tenable, creator of the Nessus technology, was founded in 2002 with a broader focus. In 2008, Syhunt went beyond the DAST market and added its first SAST capabilities (Syhunt Code), which have expanded heavily since then, and in 2019 it added mobile application security testing (Syhunt Mobile). Tenable, in comparison, released its DAST offering (Tenable.io WAS) in 2017. Syhunt's OAST capabilities (Syhunt Signal), unveiled in 2020, integrate with Syhunt's SAST and Syhunt's SAST-in-DAST capabilities (2021) to provide hybrid-augmented security analysis. In 2023, Syhunt became the first player in the market to add AI-powered capabilities for both DAST and SAST.
Comparison
The table below offers a closer look at the different testing methodologies and features of Syhunt Hybrid and Tenable.io WAS and why Syhunt can best suit the application security needs of an organization.
Feature | Syhunt Hybrid Platinum Plus | Tenable.io WAS | |
Delivery | On-Premises | Cloud-Based | |
Number of Target Websites | Single, Wildcard and Unlimited Targets | Restricted to 5 (min) to 15 (max) FQDNs; custom +15 offering available | |
Detect Mobile Vulnerabilities | iOS & Android | ||
Gray-Box Vulnerability Testing | HAST (Hybrid-Augmented Analysis), SAST-in-DAST | ||
Black-Box Vulnerability Testing | DAST & OAST (Syhunt Signal) | DAST | |
White-Box Vulnerability Testing | SAST, MAST & FAST | ||
PCI Vulnerability Scanning | |||
PCI Vulnerability Report | (Requires separate product) | ||
Version Control Systems Integration (GIT, Azure Repos, GitHub, etc) | |||
Continuous Scanning & Integration (GitLab, Jenkins, etc) | |||
Issue Tracker Integration (Jira, GitHub, etc) | |||
Tech Support Included | |||
Vulnerability Assessment Features | |||
Modern Framework Support (HTML5, JavaScript, AJAX, etc) | |||
Advanced Authentication (Web Forms, Client-side Certificates, Basic Auth, etc) | |||
Safe Scanning | |||
Manual Crawling | |||
Known Vulnerability Detection | |||
Unknown Vulnerability Detection | |||
High Detection Accuracy | |||
Web Services Scanning (WSDL, REST etc) | SAST-based | ||
Vulnerability Reporting | |||
Full Detailed Scan Report | |||
Compliance Reports (CWE/SANS, and more) | |||
OWASP Top 10 Report | |||
CVSS (Common Vulnerability Scoring System) for Severity | CVSS3 | CVSS3 | |
Trend Graphs | |||
Integrations | |||
Security Dashboard | GitLab Ultimate (On-Premise & Cloud-Based) | Tenable.sc (On-Premise) | |
WAF Virtual Patching | Big IP ASM, Imperva, ModSecurity | ||
Version Control Systems Integration (GIT, Azure Repos, GitHub, etc) | |||
Issue Tracker Integration (Jira, GitHub, etc) | |||
Continuous Integration | GitHub & GitLab Jenkins Pipeline | ||
Integration APIs | CLI, REST API & Lua API | REST API only | |
PowerShell Integration | |||
Other Functionality | |||
Advanced Pen Testing Tools | AI-Powered Login, Syhunt Chrome Extension, Syhunt Sandcat, Syhunt Huntpad, Firefox Integration | Tenable.io Chrome Extension |
DAST Accuracy & Crawling Coverage Comparison with Tenable Tools
Tenable.io, according to official documentation, is powered by the Nessus technology. The Nessus WAS technology was compared to Syhunt in 2012 by the independent WAVSEP project (results are available below). According to the WAVSEP project, between 2018 and 2014, Tenable declined to participate in the benchmark project. As of 2021, an independent accuracy comparison between Syhunt and Tenable.io WAS is still not available in the security community.
Vulnerability | Syhunt Dynamic | Tenable Nessus WAS | Tenable.io WAS |
Cross-Site Scripting (XSS) Detection | 100% | Declined to participate (2018-2014); 66% (in 2012) | N/A |
SQL Injection | 100% | Declined to participate (2018-2014); 85% (in 2012) | N/A |
LFI/Path Traversal | 100% | Declined to participate (2018-2014); 8% (in 2012) | N/A |
Unvalidated Redirect | 100% | Declined to participate (2018-2014) | N/A |
Crawling Coverage (WIVET) | 94% | Declined to participate | N/A |
For more details, see Scanner Comparison.