Invicti ASPM

Category: ASPM
License: Commercial
Suphi Cankurt, AppSec Enthusiast
Updated February 7, 2026

Invicti ASPM is a commercial Application Security Posture Management platform that pairs proof-based DAST scanning with multi-scanner orchestration. Invicti acquired Kondukto in August 2025 and merged both products. The platform connects over 110 security tools, CI/CD systems, and issue trackers. Invicti claims 99.98% accuracy on its DAST findings through safe exploitation proofs, and reports 40% shorter remediation times across 3,600+ organizations.

Invicti ASPM dashboard showing open vulnerabilities, scan targets, and MTTR metrics

The platform doesn’t replace your existing scanners. It orchestrates them. Results from SAST, SCA, DAST, container scanning, and IaC tools get pulled in, normalized, deduplicated, and routed through automated workflows. Verified fixes trigger targeted rescans that close tickets without anyone stepping in.

Invicti started as Netsparker, a DAST tool known for proof-based scanning. Kondukto was a Turkish-founded ASPM startup with broad scanner support and a CLI tool. After the acquisition, both products merged under the Invicti ASPM brand. The company is headquartered in Austin, Texas.

What is Invicti ASPM?

Invicti ASPM is a commercial ASPM platform that orchestrates your security testing pipeline. It sits on top of your existing scanners, pulling in results from SAST, SCA, DAST, container scanning, and IaC tools, then normalizing everything into one view.

The main differentiator compared to ArmorCode or DefectDojo is the proof-based scanning layer from Invicti’s DAST engine. When the built-in DAST scanner finds a potential vulnerability, it performs a safe exploitation to confirm the flaw actually exists. You get a proof artifact attached to every finding, not just a confidence score.

Proof-Based Scanning
The built-in DAST engine safely exploits each finding to confirm it’s real before reporting. Invicti reports 99.98% scan accuracy with proof artifacts attached to every confirmed vulnerability.
Security Orchestration
Connects 110+ scanners, CI/CD tools, issue trackers, and WAFs. Manages the full scan lifecycle from trigger to ticket with automated deduplication and routing.
SBOM Radar
Tracks libraries, frameworks, and transitive dependencies across your applications. Monitors for new CVEs and flags license compliance risks using CycloneDX and SPDX formats.

Key features

Proof-based scanning

The built-in DAST engine validates each finding through safe exploitation before reporting it. If the scanner detects a potential SQL injection, it attempts a read-only query to prove the flaw exists. A suspected remote file inclusion gets confirmed by reading a system file. Each confirmed vulnerability includes a proof artifact showing how the issue was exploited. Invicti reports this as 99.98% scan accuracy, close to zero false positives in practice.

Invicti ASPM vulnerability details view showing proof of exploit for command injection

How proof-based scanning works
Unlike traditional DAST tools that flag potential issues based on heuristics, Invicti’s scanner safely exploits each finding to confirm exploitability. A SQL injection candidate gets verified with a read-only query. A file inclusion gets confirmed by reading a known system file. The proof artifact is attached to the vulnerability report.

Security orchestration

Invicti ASPM manages the scan lifecycle from trigger to ticket. You define which scanners run against which projects, set vulnerability thresholds, and configure automated ticket creation. Supported scanner and tool categories:

Category      Tools
SAST          Semgrep, SonarQube, Checkmarx, Fortify, CodeQL, Veracode, Coverity, Brakeman, Gosec, SonarCloud
SCA           Snyk, Trivy, Dependabot, OWASP Dependency-Check, Mend.io
DAST          Invicti (native), Burp Suite, OWASP ZAP, Acunetix
Container     Trivy, Grype, Docker Scout
IaC           Checkov, KICS, Terrascan, tfsec
CSPM          Cloud security posture checks
Bug Bounty    Bug bounty platform integration

Invicti ASPM scan details showing vulnerability findings by severity with MTTR tracking

Deduplication and normalization

Run three scanners against the same codebase and you’ll get overlapping findings. Invicti ASPM normalizes results into a common format, merges duplicates, and applies suppression rules for known false positives or accepted risks. If you’ve spent a morning deduplicating Checkmarx and Semgrep results in a spreadsheet, this is the part that saves you.

Fix verification

After a developer pushes a fix, Invicti ASPM triggers a targeted rescan against that specific finding. If the vulnerability is gone, the ticket closes automatically. If it’s still there, the ticket reopens with updated context. No more pinging the security team to re-run a scan and manually close Jira tickets.

SBOM Radar

SBOM Radar tracks every component in your applications: libraries, frameworks, transitive dependencies. It watches for newly disclosed CVEs against your bill of materials and flags license compliance risks. You can import SBOMs in CycloneDX or SPDX format, or let integrated SCA scanners generate them.

Security KPI dashboard

The dashboard tracks security KPIs: mean time to fix (MTF), window of exposure (WOE), vulnerability density, and risk score trends. You can filter metrics by project, product, business unit, team, or label. Security scoring at the developer and team level shows where training or process changes would help.

Invicti ASPM metrics dashboard showing security KPI trends, risk scores, and project health

Integrations

Invicti ASPM integrates with 110+ tools across multiple categories:

CI/CD Pipelines
  • GitHub Actions
  • GitLab CI
  • Jenkins
  • Azure Pipelines
  • CircleCI
  • Bamboo
  • TeamCity
  • Bitbucket

Issue Trackers
  • Jira
  • Azure Boards
  • GitHub Issues
  • GitLab Issues
  • ServiceNow
  • Trello
  • YouTrack
  • Shortcut

Communication & Monitoring
  • Slack
  • Microsoft Teams
  • Mattermost
  • Splunk
  • PagerDuty

WAFs & Security
  • Cloudflare
  • AWS WAF
  • F5 BIG-IP
  • FortiWeb
  • Imperva
  • ModSecurity

SSO & Identity
  • Okta
  • Azure AD
  • PingFederate
  • Google SSO

Invicti ASPM integrations panel showing scanner connections for SAST, DAST, SCA, and IaC tools

Getting started

1. Install the KDT CLI — Download the CLI tool that connects your CI/CD pipelines to Invicti ASPM. Install via curl: curl -sSL https://cli.kondukto.io | sh
2. Configure credentials — Set your instance URL and API token as environment variables: INVICTI_ASPM_HOST and INVICTI_ASPM_TOKEN
3. Connect your scanners — Activate your security tools (Semgrep, Trivy, Checkmarx, etc.) in the Integrations panel and map them to your projects.
4. Trigger your first scan — Run kdt scan -p ProjectName -t semgrep -b main to kick off a scan and see results flow into the dashboard.

CLI tool (KDT)

The KDT CLI is how you integrate Invicti ASPM into your CI/CD pipelines. It’s written in Go and open-source under GPL-3.0.

curl -sSL https://cli.kondukto.io | sh
export INVICTI_ASPM_HOST=https://your-instance.invicti.com
export INVICTI_ASPM_TOKEN=your_api_token

Commands

Command                                                      Description
kdt ping                                                     Check server connectivity
kdt ping -a                                                  Validate API token
kdt scan -p Project -t semgrep -b main                       Trigger a scan
kdt scan ... --threshold-crit 0 --threshold-high 5           Scan with vulnerability thresholds
kdt scan ... -f results.json                                 Import results from file
kdt scan ... --async                                         Non-blocking scan
kdt scan ... --image myapp:latest                            Container image scan
kdt scan ... -M main --pr-number 42                          PR decoration scan
kdt release -p Project -b main --sast --sca                  Check release criteria
kdt sbom import -f sbom.json -p Project -b main              Import SBOM
kdt list projects                                            List all projects
kdt list scanners                                            List available scanners
kdt list agents                                              List registered agents
kdt create project -p Name --repo-id URL --alm-tool github   Create a project

Exit codes: 0 = success, 1 = error, 100 = unauthorized, 255 = threshold exceeded.
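The getting-started steps and the exit-code table above are what a pipeline gate actually has to act on. As an added example (not Invicti or Kondukto code), here is a POSIX shell wrapper that runs the thresholded scan, then the release-criteria check, and maps each documented exit code (0, 1, 100, 255) to an explicit verdict instead of an opaque job failure. The KDT_BIN variable and the kdt_verdict, run_kdt and security_gate function names are assumptions introduced for this example.

```shell
#!/bin/sh
# Added example (not Invicti/Kondukto code): turn kdt's documented exit codes
# into explicit CI gate decisions. KDT_BIN is an assumption so a stub command
# can stand in for the real CLI when exercising the wrapper itself.

# kdt_verdict CODE: print a human-readable verdict for a kdt exit code.
# Returns 0 only when the pipeline may continue.
kdt_verdict() {
  case "$1" in
    0)   echo "ok: no vulnerability threshold exceeded"; return 0 ;;
    255) echo "blocked: vulnerability threshold exceeded"; return 1 ;;
    100) echo "failed: unauthorized, check INVICTI_ASPM_TOKEN"; return 1 ;;
    1)   echo "failed: kdt reported an error, inspect the scan log"; return 1 ;;
    *)   echo "failed: unexpected kdt exit code $1"; return 1 ;;
  esac
}

# run_kdt ARGS...: run the CLI and emit only its exit code on stdout.
# kdt's own output goes to stderr so it does not pollute the captured code,
# and the `|| rc=$?` form keeps the wrapper safe under `set -e`.
run_kdt() {
  rc=0
  "${KDT_BIN:-kdt}" "$@" >&2 || rc=$?
  echo "$rc"
}

# security_gate PROJECT SCANNER BRANCH: thresholded scan, then release check.
# Prints one verdict per gate; returns 0 only if both gates pass.
security_gate() {
  project="$1"; scanner="$2"; branch="$3"
  rc=$(run_kdt scan -p "$project" -t "$scanner" -b "$branch" \
          --threshold-crit 0 --threshold-high 5)
  kdt_verdict "$rc" || return 1
  rc=$(run_kdt release -p "$project" -b "$branch" --sast --sca)
  kdt_verdict "$rc"
}

# Usage in a pipeline step (INVICTI_ASPM_HOST and INVICTI_ASPM_TOKEN must be
# set in the job environment, as in the CI snippets below):
#   security_gate "$CI_PROJECT_NAME" semgrep "$CI_COMMIT_REF_NAME" || exit 1
```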

GitHub Actions

- name: Security Scan
  env:
    INVICTI_ASPM_HOST: ${{ secrets.INVICTI_ASPM_HOST }}
    INVICTI_ASPM_TOKEN: ${{ secrets.INVICTI_ASPM_TOKEN }}
  run: |
    curl -sSL https://cli.kondukto.io | sh
    kdt scan -p ${{ github.repository }} -t semgrep -b ${{ github.ref_name }} --threshold-crit 0

GitLab CI

security_scan:
  stage: test
  script:
    - curl -sSL https://cli.kondukto.io | sh
    - kdt scan -p $CI_PROJECT_NAME -t trivy -b $CI_COMMIT_REF_NAME --threshold-crit 0
  variables:
    INVICTI_ASPM_HOST: $INVICTI_ASPM_HOST
    INVICTI_ASPM_TOKEN: $INVICTI_ASPM_TOKEN

Jenkins Pipeline

stage('Security Scan') {
    environment {
        INVICTI_ASPM_HOST = credentials('invicti-aspm-host')
        INVICTI_ASPM_TOKEN = credentials('invicti-aspm-token')
    }
    steps {
        sh 'curl -sSL https://cli.kondukto.io | sh'
        sh 'kdt scan -p my-project -t checkmarx -b ${BRANCH_NAME} --threshold-crit 0'
    }
}

Deployment

Option               Specs
Cloud (SaaS)         Fully managed, no infrastructure
On-Premise (PoC)     4 cores, 16GB RAM, 90GB disk
On-Premise (Prod)    8 cores, 64GB RAM, 250GB disk
Distributed          App: 4c/64GB, DB: 8c/64GB (MongoDB 5+)

When to choose Invicti ASPM

Invicti ASPM fits best when you’re running multiple security scanners and tired of manually reconciling their output.

Strengths:

  • Proof-based scanning eliminates false positives from the DAST layer
  • 110+ integrations, so it probably works with whatever you already run
  • Fix verification closes the loop on remediation without manual rescans
  • PR decoration and release gates put security checks where developers already work
  • Security KPI dashboards track MTTR, window of exposure, and risk score trends

Limitations:

  • Commercial-only, no free tier. If budget is tight, DefectDojo is the open-source alternative
  • Proof-based scanning only applies to the DAST engine. Findings from third-party SAST/SCA tools still depend on those tools’ accuracy

Best for

Teams running multiple security scanners that want unified orchestration, automated deduplication, and proof-based DAST to cut through false positives.

How it compares:

vs.            Key difference
DefectDojo     Open-source aggregation without proof-based scanning or built-in DAST
ArmorCode      Cloud-only; Invicti ASPM supports on-premise deployment and uses proof-based scanning
Apiiro         Focuses on code-change risk analysis; Invicti covers the full scan orchestration pipeline
Ox Security    Supply-chain focus; Invicti covers a wider range of scanner integrations

History

Invicti started as Netsparker, a DAST tool known for proof-based scanning. Kondukto was a Turkish-founded ASPM startup that built an orchestration platform with broad scanner support and a solid CLI.

Invicti acquired Kondukto in August 2025 and merged both products under the Invicti ASPM brand. The KDT CLI still uses the Kondukto domain (cli.kondukto.io) for downloads, but the environment variables were rebranded to INVICTI_ASPM_HOST and INVICTI_ASPM_TOKEN.

Note: Formed from Invicti's acquisition of Kondukto in August 2025. Combines Invicti's proof-based DAST with Kondukto's ASPM orchestration.

Frequently Asked Questions

What is the difference between Invicti ASPM and Kondukto?
Kondukto was an independent ASPM platform acquired by Invicti in August 2025. The product is now branded as Invicti ASPM and integrates Invicti’s proof-based DAST engine directly into the orchestration layer. Existing Kondukto users were migrated to the Invicti platform.
Does Invicti ASPM replace my existing security scanners?
No. Invicti ASPM orchestrates your existing scanners rather than replacing them. It integrates with 110+ tools including Semgrep, SonarQube, Checkmarx, Snyk, Trivy, Burp Suite, and many others. The platform normalizes and deduplicates findings from all connected scanners into a single view.
What is proof-based scanning?
Proof-based scanning is Invicti’s approach to DAST where the scanner safely exploits a detected vulnerability to confirm it is real before reporting it. For example, if it detects a potential SQL injection, it will attempt a safe read-only query to prove the flaw exists. This eliminates false positives and delivers 99.98% scan accuracy.
Is there a free trial of Invicti ASPM?
Invicti offers a guided demo and proof-of-concept deployment. Contact their sales team through the Invicti website to request a trial for your environment.
What CI/CD platforms does Invicti ASPM support?
Invicti ASPM integrates with GitHub Actions, GitLab CI/CD, Jenkins, Azure DevOps Pipelines, CircleCI, Bamboo, TeamCity, and Bitbucket Pipelines through its KDT CLI tool. The CLI can trigger scans, import results, and enforce release criteria as pipeline gates.
