Getting Started


This document is for:
Invicti Standard, Invicti Enterprise On-Premises, Invicti Enterprise On-Demand

In this glossary, you can find an explanation of commonly used terms in Invicti.

Account Owner

This is the user that has all the permissions in an Invicti Enterprise account.

Addressed Issue

This is an issue that has been addressed and whose state has been updated.


  • Scanner Agent: This lets you scan your website. The agent will conduct the actual scan job and then report the results back to Invicti Enterprise. For further information, see Installing Internal Agents.
  • Authentication Verifier Agent: This carries out the form authentication so that you can run an authenticated scan in your network. For further information, see Authentication Verifier for Internal Agents.

Agent Mode

This displays whether the agent is scanner or an authentication verifier agent.

Application and Service Discovery

This service enables you to become aware of an enterprise’s online assets, web applications, and services.

Authentication Profiles

This lets you save a custom script for form authentication in Invicti and use it many times for different websites. When configured, Invicti uses this custom script to authenticate itself against the target website. For further information, see Authentication Profiles.

Bi-directional Integration (2-way sync)

This is an integration method that helps Invicti and an issue tracker system to synchronize issues between the applications. For further information, see Integrations.

Certainty Percentage

This is the likelihood of that vulnerability being present.


Invicti classifies vulnerabilities in various standards like CWE, CVSS, PCI, and HIPAA.


This indicates that Invicti is 100% certain about an issue identified. Invicti verifies vulnerabilities by exploiting them in a read-only and safe manner. For further information, Proof-Based Scanning.

Controlled Scan

This is an attack method that can be used to scan a link with selected parameters and engines.

Heuristic Web Vulnerability Scanner

Invicti is a heuristic scanner and does not use a signature database as traditional antivirus software does. So, it’s able to identify zero-day vulnerabilities in any type of custom web application. For further information, see the Advantage of Heuristic over Signature Based Web Vulnerability Scanners.

Incremental Scan

This allows the scanning of newly introduced and amended pages since the initial scan. Invicti also checks whether the vulnerabilities identified previously still exist.


This is a vulnerability identified by Invicti.


This is an HTTP Request for Invicti. This can be a web page, submit button at the end of a form, or AJAX requests.  

Link Pool

This is the pool where Invicti collects all links while crawling the web application or website. Invicti also uses this link pool to attack these links to identify vulnerabilities.

Manual Crawling

This is a process that is used to scan parts of a web application that cannot be crawled automatically. This feature also lets you scan mobile web applications and native desktop applications. For further information, see Manual Crawling in Proxy Mode.

Invicti Hawk

This lets Invicti detect out-of-band vulnerabilities. For further information, see How Invicti Hawk Finds Vulnerabilities.

Invicti Shark (IAST)

This adds interactive security scanning (IAST) capabilities to Invicti Enterprise. For further information, see Deploying Invicti Shark.


This lets you and your users be informed immediately about the status of a web application security scan or when specific vulnerabilities are detected by it. For further information, see Notifications.

Proof-Based ScanningTM

Invicti’s Proof-Based Scanning technology actively and automatically verifies detected vulnerabilities, confirming that they are real and not false positives, by exploiting them in a read-only and safe manner.

It’s completely safe. For example, when exploiting a SQL injection vulnerability and generating a proof of exploit for it, the scanners only try to read data from the database, not write or delete data from the database.

Proof of Concept

Proof of Concept is the actual exploit that proves that the vulnerability exists. For example, after exploiting cross-site scripting (XSS) vulnerability, Invicti will report the payload that was used to inject code. Apart from providing evidence of the vulnerability, a proof of concept can also help developers isolate the exact issue that made exploitation possible.

Proof of Exploit

A proof of exploit is used to report the data that can be extracted from the vulnerable target once the vulnerability is exploited, demonstrating the impact an exploited vulnerability can have and proving that it is not a false positive.

Invicti scanners can generate proof when they identify the following vulnerability types:

Report Policy

This is a list of reporting settings for web security scan results and reports. For further information, see Overview of Report Policies.

Request Builder

Invicti allows you to work with HTTP requests. Thanks to the request builder, you can, for example, craft your own HTTP requests, send requests to targets, and modify the imported HTTP requests. For further information, see HTTP Request Builder.

Resource Finder

This is a feature of Invicti that checks files and folders that can lead to security risks even when they are not linked in the web application. These files, for example, can be admin, login, or backups.


This allows the scanning of the vulnerable pages after the fix.


This allows you to determine what kind of responsibilities a team member has within Invicti Enterprise. For further information, see Managing Roles in Invicti Enterprise.


This shows the importance of the vulnerability identified. For further information, see Vulnerability Severity Levels.

Scheduled Scans

This lets you schedule scans in advance. You can schedule full, incremental, and group scans. For further information, see Scheduling Scans.

Scan Groups

This lets Invicti create a scan group based on your scan configuration although these scans are related to the same host/domain name. So, you can view relevant dashboards, issue trends, etc. based on the scan group you selected. For further information, see Scan Groups in Invicti Enterprise.

Scan Policy

This is a list of web application security scan settings. When you want to run a Scan, you attach it to a Scan Policy. For further information, see Overview of Scan Policies.

Scan Policy Optimizer

This is a built-in wizard that helps you narrow down the security checks that will be run against your web application. Thanks to the optimizer, you can tweak the scanner to only run, for instance, Apache-related security checks while ignoring ISS-related checks. For further information, see Scan Policy Optimizer.

Scan Profile

This lets you save scan settings for future scans. Scan Profiles can be reconfigured at any time. For further information, see Scan Profiles.

Scan Scope

This lets you define which parts of the target web application should be crawled. For further information, see Scan Scope.

Target URL

This is the target URL of the website, including the path.

Technical Contact

This is the person who is responsible for the website or vulnerability.

Trend Matrix

This provides correlated, trending data about the status of those vulnerabilities identified in your web application across several scans. For further information, see Trend Matrix Report.


A website is defined in Invicti as a fully qualified domain name (FQDN). An FQDN is the complete domain name for a specific target and consists of two parts: the hostname and the domain name.

The below examples are considered to be 1 website as they share the same FQDN.


Subdomains and ports share the same FQDN but are considered to be different websites. For example:


Website Groups

Invicti lets you group websites to ease the management of multiple websites and scans. Grouping websites also is important for the multiple team feature in Invicti as you can assign a team or members only to website groups. For further information, see Website Groups in Invicti Enterprise.

Vulnerability Database

This is the database Invicti rests on to report known technologies, their versions, and their vulnerabilities. The database is periodically updated. For further information, see the Vulnerability Database.

Invicti Help Center

Our Support team is ready to provide you with technical help.

Go to Help Center This will redirect you to the ticketing system.