As an automated black-box web application security scanner, Acunetix performs a series of tasks to identify web application vulnerabilities as outlined below.

1 – Target identification

  1. Acunetix checks if the Target in question is reachable and running a web server, and therefore serving requests over the HTTP protocol.
  2. Acunetix fingerprints the web server to identify popular technologies that the web server might be using. This allows the scanner to identify the type of web server (e.g. Apache HTTP Server, Nginx, IIS…), the server-side language being used (e.g. PHP, ASP.NET, Java/J2EE, Python, NodeJS…) as well as the operating system the web server is running on. This information allows the scanner to automatically tune itself to the Target to be scanned – for example, certain vulnerabilities will only exist on Windows servers, or specific versions of PHP.

2 – Site crawling and structure mapping

  1. The index file is requested from the web server. This is determined by the start URL (e.g. will load index.html).
  2. Once a response is received, DeepScan is launched, executing any JavaScript present on the web page.
  3. The Crawler, working hand-in-hand with DeepScan, follows links and maps input fields and parameters. This builds up a list of the directories and files within the site.
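
A minimal sketch of the structure-mapping step above, added here as an illustration; it is not Acunetix code. It parses static HTML only (it does not execute JavaScript as DeepScan does), and `SurfaceMapper`, `map_page`, `BASE` and the sample page are hypothetical names and constructed data.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, parse_qsl

class SurfaceMapper(HTMLParser):
    """Collects same-host links and input points from one static HTML page."""
    def __init__(self, base_url):
        super().__init__()
        self.base = base_url
        self.host = urlsplit(base_url).netloc
        self.links = set()   # same-host URLs a crawler would visit next
        self.inputs = set()  # (method, path, parameter name)
        self._form = None    # (method, path) of the form currently open

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            parts = urlsplit(urljoin(self.base, a["href"]))
            # Stay in scope: skip mailto:, javascript: and other hosts
            if parts.scheme in ("http", "https") and parts.netloc == self.host:
                self.links.add(parts._replace(fragment="").geturl())
                # Query-string parameters are GET inputs
                for name, _ in parse_qsl(parts.query, keep_blank_values=True):
                    self.inputs.add(("GET", parts.path, name))
        elif tag == "form":
            url = urljoin(self.base, a.get("action") or self.base)
            self._form = ((a.get("method") or "GET").upper(), urlsplit(url).path)
        elif tag in ("input", "textarea", "select") and self._form and a.get("name"):
            self.inputs.add((*self._form, a["name"]))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def map_page(base_url, html):
    """Return (sorted links, sorted input points) found in one page."""
    m = SurfaceMapper(base_url)
    m.feed(html)
    return sorted(m.links), sorted(m.inputs)

# Constructed sample page (not taken from any real site)
BASE = "http://shop.example/index.html"
SAMPLE = """
<a href="/products?id=3&amp;sort=asc">Products</a>
<a href="about.html#team">About</a>
<a href="https://cdn.example.net/lib.js">CDN</a>
<a href="mailto:info@shop.example">Mail</a>
<form action="/login" method="post">
  <input name="user"><input type="password" name="pass"><input type="submit">
</form>
"""

if __name__ == "__main__":
    print(map_page(BASE, SAMPLE))
```

The resulting list of input points is the inventory a site owner can compare against what they expect to be exposed before the security tests run.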

3 – Security analysis performed against the site structure

  1. Acunetix launches a number of security tests against the target website.
  2. As Acunetix discovers vulnerabilities, alerts are reported in real-time. Each alert produces detailed information about the vulnerability, recommendations on how to fix it, as well as several links through which the user can learn more about the reported vulnerability and how to fix it.

After a scan is completed, scan results may be exported to an XML format, submitted to Issue Tracker, exported to a WAF for virtual patching, or generated into a variety of reports.


Acunetix developers and tech agents regularly contribute to the blog. All the Acunetix developers come with years of experience in the web security sphere.