Acunetix 360 DAST/API Integration
Acunetix 360 (now Invicti) is a cloud-based DAST platform offering scalable web application scanning with proof-based vulnerability detection. This integration allows Invicti ASPM to trigger scans on Acunetix 360 and import verified vulnerability findings.
Prerequisites
| Field | Description |
|---|---|
| Acunetix 360 URL | Your Acunetix 360 tenant URL (e.g., https://your-org.netsparkercloud.com) |
| API Token | A user API token generated from your Acunetix 360 account |
How to Get an API Token (on Acunetix 360 Side)
- Log in to your Acunetix 360 dashboard.
- Click your profile icon in the upper right corner.
- Select User Settings from the dropdown.
- Navigate to the API Token section.
- Click Generate Token.
- Copy the token — it is shown only once after generation.
Step 1: Navigate to Integrations
From the left sidebar menu, click on Integrations.
Step 2: Select the DAST/API Tab
On the Integrations > Scanners page, click on the DAST/API tab.
Step 3: Find and Activate Acunetix 360
Scroll through the list of DAST/API scanners to find Acunetix 360.
- If Acunetix 360 is not activated, you will see an "Activate" button. Click it to enable the integration.
Note: The scan method badge on the Acunetix 360 card shows KDT, which means scans are triggered through the Kondukto CLI tool (KDT).
Step 4: Configure Connection Settings
Click on the gear icon on the Acunetix 360 card to open the configuration panel. Fill in the required fields:
- Username: Enter your Acunetix 360 account username.
- Token: Paste the API access token you generated from your Acunetix 360 user settings.
- URL: Enter your Acunetix 360 tenant URL (e.g., https://your-org.netsparkercloud.com).
- Insecure: Enable this checkbox only if your Acunetix 360 instance uses a self-signed SSL certificate.
Step 5: Test the Connection
Click Test Connection. A green Connection successful message confirms connectivity.
Summary
| Step | Action |
|---|---|
| 1 | Navigate to Integrations from the sidebar |
| 2 | Select the DAST/API tab |
| 3 | Activate Acunetix 360 |
| 4 | Enter Username, Token, URL, and optional Insecure setting |
| 5 | Test the connection |
How to Create a Scan
Navigate to Project Scanners
- Open a project in Invicti ASPM.
- Go to Settings > Scanners.
- Click Add Scanner.
Add Acunetix 360 Scanner
- Select DAST/API as the scanner type.
- Choose Acunetix 360 from the scanner list.
- Click Add to open the scan configuration drawer.
Scan Configuration Fields
| Field | Description | Required |
|---|---|---|
| Environment | Select the environment for the scan | No |
| Bind To | Acunetix 360 project to bind to | Yes |
| Scan Type | Select scan type: New or Retest | No |
| Branch | Source code branch associated with this scan | No |
| Meta Data | Additional metadata for the scan | No |
| Scan Tag | Tag to identify the scan | No |
Scheduler
Enable the Scheduler toggle to run this scan on a recurring schedule.
Webhook (Optional)
Add a webhook URL to receive scan status notifications.
KDT Command
kdt scan -p <project_name> -t acunetix360 -b <branch_name>
Troubleshooting
Connection Fails
| Issue | Resolution |
|---|---|
| Invalid API token | Regenerate the token from Acunetix 360 user settings |
| Wrong tenant URL | Verify the correct tenant subdomain (e.g., your-org.netsparkercloud.com) |
| Token expired or revoked | Generate a new API token and update the integration |
| Network access | Ensure Invicti ASPM can reach netsparkercloud.com on port 443 |
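A pre-flight check for the connection failures listed above and for the Insecure checkbox in Step 4, added here as an example (it is not part of the Acunetix 360 or Invicti ASPM tooling). It validates the tenant URL and uses `openssl s_client` to report whether the certificate on port 443 is trusted, self-signed, or otherwise untrusted. The function names are hypothetical, and the check assumes it runs from a host on the same network path as Invicti ASPM.

```shell
#!/bin/sh
# Added example: pre-flight check for the Acunetix 360 connection settings.
# Function names are hypothetical; needs openssl and GNU coreutils `timeout`.

# Print the host part of a tenant URL. Fails unless the URL is https and
# carries no embedded credentials.
tenant_host() {
  local url="$1" rest host
  case $url in
    https://*) rest=${url#https://} ;;
    *) echo "tenant URL must start with https://" >&2; return 1 ;;
  esac
  host=${rest%%/*}      # drop any path
  case $host in
    *@*) echo "remove credentials from the tenant URL" >&2; return 1 ;;
    '')  echo "tenant URL has no host" >&2; return 1 ;;
  esac
  host=${host%%:*}      # drop an explicit port
  [ -n "$host" ] || return 1
  printf '%s\n' "$host"
}

# Read `openssl s_client` output on stdin and print one of:
# trusted | self-signed | untrusted | no-tls
classify_verify() {
  local code
  code=$(sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1)
  case $code in
    0)     echo trusted ;;       # leave Insecure unchecked
    18|19) echo self-signed ;;   # the only case Insecure is meant for
    '')    echo no-tls ;;        # no handshake: check network access on 443
    *)     echo untrusted ;;     # expired, unknown issuer, ...: fix the certificate
  esac
}

# Connect to the tenant on port 443 and report how its certificate verifies.
check_tenant() {
  local host
  host=$(tenant_host "$1") || return 1
  timeout 15 openssl s_client -connect "$host:443" -servername "$host" \
    </dev/null 2>/dev/null | classify_verify
}

# Usage: sh preflight.sh https://your-org.netsparkercloud.com
if [ $# -ge 1 ]; then check_tenant "$1"; fi
```

A result of `trusted` means the Insecure checkbox should stay off; `untrusted` points to a certificate problem that the checkbox would only hide.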
Scan Issues
| Issue | Resolution |
|---|---|
| No websites available | The user account must have access to the target websites in Acunetix 360 |
| Scan not triggered | Verify the account has the necessary permissions to create scans |
| Empty results | Check if the scan completed in the Acunetix 360 dashboard |
| Rate limits hit | Reduce concurrent scan triggers or contact Acunetix 360 support |
Best Practices
- Use a dedicated service account with the minimum required permissions in Acunetix 360.
- Rotate the API token every 90 days.
- Pre-configure and verify target websites in Acunetix 360 before triggering scans from Invicti ASPM.
- Use proof-based scanning profiles to eliminate false positives.
- Schedule scans outside of peak traffic hours.
Limitations
- The API token is associated with a specific user account; permissions are limited to what that account can access in Acunetix 360.
- Concurrent scan capacity is governed by your Acunetix 360 subscription.
- Cloud-based scanning requires the target application to be accessible from Acunetix 360 infrastructure.
- Some advanced scan configurations (e.g., authenticated scans with complex login flows) must be configured directly in Acunetix 360.
