Package: Invicti AppSec Core (on-demand), Invicti AppSec Enterprise (on-premise, on-demand)
Acunetix 360 DAST/API Integration
Acunetix 360 (now Invicti) is a cloud-based DAST platform offering scalable web application scanning with proof-based vulnerability detection. This integration allows Invicti AppSec to trigger scans on Acunetix 360 and import verified vulnerability findings.
Prerequisites
| Field | Description |
|---|---|
| Acunetix 360 URL | Your Acunetix 360 tenant URL (e.g., https://your-org.netsparkercloud.com) |
| API Token | A user API token generated from your Acunetix 360 account |
Get an API Token (on Acunetix 360 Side)
- Log in to your Acunetix 360 dashboard.
- Click your profile icon in the upper right corner.
- Select User Settings from the dropdown.
- Navigate to the API Token section.
- Click Generate Token.
- Copy the token — it is shown only once after generation.
Step 1: Navigate to Integrations
From the left sidebar menu, click on Integrations.

Step 2: Select the DAST/API Tab
On the Integrations > Scanners page, click on the DAST/API tab.

Step 3: Find and Activate Acunetix 360
Scroll through the list of DAST/API scanners to find Acunetix 360.
- If Acunetix 360 is not activated, you will see an "Activate" button. Click it to enable the integration.
The scan method badge on the Acunetix 360 card shows KDT, which means scans are triggered through the Kondukto CLI tool (KDT).
Step 4: Configure Connection Settings
Click on the gear icon on the Acunetix 360 card to open the configuration panel. Fill in the required fields:
- Username: Enter your Acunetix 360 account username.
- Token: Paste the API access token you generated from your Acunetix 360 user settings.
- URL: Enter your Acunetix 360 tenant URL (e.g., https://your-org.netsparkercloud.com).
- Insecure: Enable this checkbox only if your Acunetix 360 instance uses a self-signed SSL certificate.

Step 5: Test the Connection
Click Test Connection. A green Connection successful message confirms connectivity.
Summary
| Step | Action |
|---|---|
| 1 | Navigate to Integrations from the sidebar |
| 2 | Select the DAST/API tab |
| 3 | Activate Acunetix 360 |
| 4 | Enter Username, Token, URL, and optional Insecure setting |
| 5 | Test the connection |
Create a Scan
Navigate to Project Scanners
- Open a project in Invicti AppSec.
- Go to Settings > Scanners.
- Click Add Scanner.
Add Acunetix 360 Scanner
- Select DAST/API as the scanner type.
- Choose Acunetix 360 from the scanner list.
- Click Add to open the scan configuration drawer.
Scan Configuration Fields
| Field | Description | Required |
|---|---|---|
| Environment | Select the environment for the scan | No |
| Bind To | Acunetix 360 project to bind to | Yes |
| Scan Type | Select scan type: New or Retest | No |
| Branch | Source code branch associated with this scan | No |
| Meta Data | Additional metadata for the scan | No |
| Scan Tag | Tag to identify the scan | No |

Scheduler
Enable the Scheduler toggle to run this scan on a recurring schedule.
Webhook (Optional)
Add a webhook URL to receive scan status notifications.
KDT Command
kdt scan -p <project_name> -t acunetix360 -b <branch_name>
Troubleshooting
Connection Fails
| Issue | Resolution |
|---|---|
| Invalid API token | Regenerate the token from Acunetix 360 user settings |
| Wrong tenant URL | Verify the correct tenant subdomain (e.g., your-org.netsparkercloud.com) |
| Token expired or revoked | Generate a new API token and update the integration |
| Network access | Ensure Invicti AppSec can reach netsparkercloud.com on port 443 |
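A preflight check for the Step 4 values, as an added example that is not part of the Invicti documentation or product code. It tells a blocked port 443 apart from a certificate that fails verification (the one case the Insecure checkbox is meant for) and applies the 90-day rotation interval from Best Practices. The function names and result labels are hypothetical.

```python
# Added example: helper names are hypothetical, not part of Invicti AppSec or KDT.
import socket
import ssl
import sys
from datetime import date
from urllib.parse import urlsplit

ROTATION_DAYS = 90  # rotation interval taken from the Best Practices list


def parse_tenant_url(url):
    """Return (host, port) for a tenant base URL, or raise ValueError."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        raise ValueError("tenant URL must use https")
    if not parts.hostname:
        raise ValueError("tenant URL has no host")
    if parts.username or parts.password:
        raise ValueError("do not embed credentials in the URL")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("enter the tenant base URL only")
    return parts.hostname, parts.port or 443


def classify_tls(host, port=443, timeout=5.0):
    """Return 'ok', 'untrusted-cert' or 'unreachable' for host:port."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "ok"
    except ssl.SSLCertVerificationError:
        return "untrusted-cert"  # self-signed or otherwise unverifiable certificate
    except OSError:
        return "unreachable"  # DNS failure, firewall, closed port, other TLS error


def token_rotation_due(issued, today=None, max_age_days=ROTATION_DAYS):
    """True when a token issued on `issued` is at least max_age_days old."""
    today = today or date.today()
    return (today - issued).days >= max_age_days


if __name__ == "__main__":
    url = sys.argv[1] if len(sys.argv) > 1 else "https://your-org.netsparkercloud.com"
    host, port = parse_tenant_url(url)
    print(host, port, classify_tls(host, port))
```

Run it from the host where Invicti AppSec runs, since that is the network path the Test Connection button exercises.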
Scan Issues
| Issue | Resolution |
|---|---|
| No websites available | The user account must have access to the target websites in Acunetix 360 |
| Scan not triggered | Verify the account has the necessary permissions to create scans |
| Empty results | Check if the scan completed in the Acunetix 360 dashboard |
| Rate limits hit | Reduce concurrent scan triggers or contact Acunetix 360 support |
Best Practices
- Use a dedicated service account with the minimum required permissions in Acunetix 360.
- Rotate the API token every 90 days.
- Pre-configure and verify target websites in Acunetix 360 before triggering scans from Invicti AppSec.
- Use proof-based scanning profiles to eliminate false positives.
- Schedule scans outside of peak traffic hours.
Limitations
- The API token is associated with a specific user account; permissions are limited to what that account can access in Acunetix 360.
- Concurrent scan capacity is governed by your Acunetix 360 subscription.
- Cloud-based scanning requires the target application to be accessible from Acunetix 360 infrastructure.
- Some advanced scan configurations (e.g., authenticated scans with complex login flows) must be configured directly in Acunetix 360.