Acunetix is a heuristic scanner, not a signature-based scanner, which by design is an efficient way of reducing false positives.

With the introduction of AcuSensor Technology, false positive reporting has been drastically reduced because vulnerability detection is no longer based only on the error messages returned from the server or web application, but also on information sent back to the scanner from the sensors installed on the web server.

Still, if a reported vulnerability happens to be a false positive, one can mark it as ‘false positive’ from the vulnerability description, so that the next time a scan is launched against the same website or web application, the vulnerability will not show up again.

For a complete security assessment of a web application, we always recommend that automated scans be supplemented with manual tests so one can verify and understand the automated scan results, which is why Acunetix WVS is also shipped with a set of advanced manual penetration testing tools.

You can also report a false positive by sending all the vulnerability technical details to


Acunetix developers and tech agents regularly contribute to the blog. All the Acunetix developers come with years of experience in the web security sphere.