
    Scan all the apps

    SPAs, APIs, mobile—the evolution of application technology is measured in months, not years. Is your application security tool designed to keep up? AppSpider lets you collect all the information needed to test all the apps so that you aren’t left with gaping application risks.

    Our dynamic application security testing (DAST) solution crawls to the deepest, darkest corners of even the most modern and complex apps to effectively test for risk and get you the insight you need to remediate faster. With AppSpider on your side (or, rather, all of your sides), you’ll be able to scan all the apps today—and always be ready for whatever comes next.


    Is your app security program up to date?

    Experience AppSpider for yourself.


    Close the application security coverage gap


    COLLECT: Keep pace with the application evolution

    From Single Page Applications to mobile apps, even today’s most modern apps are no match for AppSpider. Equipped with (what we endearingly call) the Universal Translator, AppSpider collects all the information needed to crawl, interpret, and test all the apps so you aren’t left with gaping application risks. Bonus: AppSpider users dramatically reduce manual testing times and the app scan legacy of false positives/negatives.


    PRIORITIZE: Reduce risk with every build and remediate earlier in the SDLC

    Most application security vulnerabilities are actually defects in the design—naturally, finding them earlier in the software development lifecycle (SDLC) reduces risk and saves you time, money, and a whole mess of ibuprofen. AppSpider automates your app security test with each build to help you continuously reduce future risk and provide DevOps with exactly what they need to remediate. Bonus: For organizations using Selenium, you can leverage Selenium test scripts to automatically inform AppSpider to run an automated security test based on your automated test scripts.


    REMEDIATE: Hand deliver the right insight the right way to DevOps

    AppSpider’s reporting and DevOps integration help streamline remediation efforts by uncovering actionable, accurate, and prioritized insights—and making them easier to share with DevOps. With one click, you can drill deeper into a vulnerability to get DevOps the information they need to remediate, and then replay an attack in real-time to better understand the vulnerability and confirm that it’s fixed. Bonus: With AppSpider, you can automate much of your RESTful API testing to reserve your expert pen testers for the tough problems that can’t be automated, like Business Logic testing.

    AppSpider enables you to:

    • Consolidate findings by attack types (XSS, SQLi, etc.)
    • Enable users to further investigate vulnerabilities by clicking on them
    • Provide the ability to reproduce attacks in real-time
    • Support XML export for import into your tracking system
    • Provide analysis for compliance reporting requirements (PCI, FISMA, OWASP, SOX, HIPAA, GLBA, and more)

    Stay in control

    It’s absolutely critical to know what you’re scanning, when you’re scanning it, and how. With AppSpider, nothing is obfuscated from your view and everything is in your control. You select which portions of the application to scan, when they get scanned, and which attack policies you want to use. You can even throttle the scanner to control the balance between speed and server load.

    Microsoft trusts Rapid7 AppSpider

    During the proof of concept, we looked at all the industry leaders – AppSpider had the right mix of what we were looking for... The fact that it has a rich API makes our lives a heck of a lot easier.

    How a leading company built a world-class web application security program.

    A scanning solution for every need

    AppSpider Pro - A desktop web application security scanner that provides more coverage of your web services, mobile, and rich internet applications (RIAs) than any other dynamic analysis tool available. Most importantly, AppSpider Pro saves you time by delivering the best rates in the application security industry for the elimination of false positive and false negative findings. All of our AppSpider solutions are based on this same sophisticated scanning technology.

    AppSpider Enterprise - An on-premises solution that enables you to build a global, fully scalable, flexible web application security program. It also provides the data you need to assess whether your security posture is improving, enabling you to easily manage scanning, vulnerability testing, and more across thousands of applications. In addition, this solution enables you to adopt the DevSecOps mindset and embed application security into CI, issue tracking, and test automation.

    AppSpider OnDemand - A hosted version of AppSpider Enterprise, which gives you a powerful platform to run a global web application security program without the hassle of installing and maintaining a local environment.

    AppSpider Managed Services - Our AppSpider Managed Services help you leverage your security program investment by allowing you to offload the entire process to our team of application security experts. This minimizes your workload, reduces your time to productivity, guarantees a consistent application assessment process, and frees you up for other tasks. This solution includes add-on services such as vulnerability validation and business logic testing.

    [AppSpider] should be considered by enterprises seeking an easy-to-use, full-featured DAST that is competitively priced as an alternative to the larger players' DAST technologies.

    Critical Capabilities Report, 2014, 22 September 2014, Neil MacDonald, Joseph Feiman

    Going way beyond the OWASP Top 10

    Our research and product teams keep up with the latest application security attacks and best practices, so you don’t have to. AppSpider goes way beyond the OWASP Top 10 to test for more than 80 attack types and best practices. You can also create custom checks to address additional issues and risks that are specific to your environment.

    AppSpider attack types

    Our research and product teams keep up with the latest application security attacks and best practices, so that you can rely on us. AppSpider goes way beyond the OWASP Top 10 to test for the following 83 attack types and best practices. You can also create custom checks to address additional issues and risks that are specific to your environment.

    • Apache Struts 2 Framework Checks
    • Apache Struts Detection
    • Arbitrary File Upload
    • ASP.NET Misconfiguration
    • Autocomplete attribute
    • Browser Cache directive (web application performance)
    • Browser Cache directive (leaking sensitive information)
    • Brute Force (HTTP Auth)
    • Brute Force (Form Auth)
    • Blind SQL
    • HTTP Authentication over insecure channel
    • HTTPS Downgrade
    • HTTP Headers
    • HTTP Response Splitting
    • Information Disclosure in response
    • Information Leakage in responses
    • Integer overflow
    • Java Grinder
    • LDAP Injection
    • Local File Include (LFI)
    • Local Storage Usage
    • Secure and non-secure content mix
    • Sensitive data over an insecure channel
    • Server Configuration
    • Server Side Include (SSI) Injection
    • Session Fixation
    • Session Strength
    • Shellshock check
    • Source Code Disclosure
    • SQL Information Leakage
    • SQL Injection
    • SQL Injection Auth Bypass


    AppSpider Product Sheet

    Application Assessment for the Modern World

    Rapid7 AppSpider Achieves Highest Score from Gartner for Web Application Security Testing


    Free Trial Download

    Request a free 15-day trial today