Invicti Security announced the results of an extensive analysis of six years' worth of real-world vulnerability data processed by Invicti's Netsparker solution. Within this research, Invicti found that Netsparker's Proof-Based Scanning technology automatically confirmed 94% of direct-impact vulnerabilities with a confirmation accuracy of 99.98%. In other words, only 0.02% were later found to be false positives.
The analysis of anonymized customer data suggests the following trends:

- Security teams suffer from alert overload: The average security team manages more than 500 websites and applications, each of which annually generates an average of 20 vulnerabilities. This means security teams are responsible for validating a staggering 10,000 vulnerabilities per year.
- False positives in scan results cost time (and money): With the average time to manually investigate a vulnerability estimated at one hour, enterprise security teams are spending nearly 10,000 hours a year checking unreliable vulnerability reports. Invicti found that this lost time could cost enterprises as much as half a million dollars annually.
- Manual vulnerability verification delays remediation and detracts from valuable security work: Deploying accurate automated vulnerability confirmation enables issues to be remediated quickly and frees security professionals' time so it can be spent on high-value security and development projects.
Proof-Based Scanning provides confirmation where it matters most: for vulnerabilities that are directly exploitable by attackers. Over the last decade, Invicti's security researchers and developers have used vulnerability data to continuously refine the product by identifying real-life edge cases and incorporating them into the Netsparker security checks. With this level of accuracy, the proof-based approach does double duty: ensuring trustworthy results and demonstrating that if an automated testing tool can get through, so can malicious actors. Most importantly, accurate results can be routed directly to remediation so that vulnerabilities are fixed much faster.
"Throughout our history, we've understood the value of listening to those on the front lines of addressing security issues - security engineers and developers," said Ferruh Mavituna, founder and CEO at Invicti. "We've used this insight to continually shape and improve our technology, and today are proud to offer a solution that is proven to help development and security cut through the noise so they can focus on delivering valuable innovation without compromising security."
Delivering innovative AppSec solutions since 2005, Invicti has protected more than 800,000 websites for over 3,100 customers globally. For the first time, Invicti was included this year in the 2021 Gartner Magic Quadrant for Application Security Testing. The company has also recently been recognized by G2 as a Momentum Leader for its Acunetix and Netsparker products, won two Cyber Defense Global InfoSec Awards this year, and is also the recipient of a 2021 Globee Award for Cyber Security Global Excellence.
A white paper and an infographic reflecting Invicti's six-year analysis of anonymized customer vulnerability data are available from Invicti.