Invicti pricing
What middleBrick covers
- Fixed monthly tiers with clear per-API scaling
- Authenticated scanning with domain ownership verification
- Findings mapped to PCI-DSS 4.0, SOC 2 Type II, OWASP API Top 10
- Read-only scanning with strict network safety controls
- GitHub Action integration as a CI/CD quality gate
- Data deletion on demand with 30-day purge policy
Public pricing tiers and included capabilities
Published tiers provide a fixed monthly price and a defined set of APIs, scans, and features. The Free tier is zero cost and includes CLI access with 3 scans per month. The Starter tier is billed at a fixed monthly rate and supports up to 15 APIs, monthly recurring scans, a web dashboard for reports and trends, email alerts, and the MCP Server for AI coding assistants. The Pro tier is billed monthly with a base subscription for 100 APIs and incremental pricing per additional API; it adds continuous monitoring, diff detection between scans, compliance report downloads, GitHub Action integration as a CI/CD gate, Slack and Teams alerts, and signed webhooks. The Enterprise tier is quote-based and aimed at large-scale programs, offering unlimited APIs, custom rules, SSO, detailed audit logs, an SLA, and dedicated support.
Authentication options and domain verification
Authenticated scanning is available from the Starter tier upward and supports Bearer tokens, API keys, Basic authentication, and cookies. Before credentials are accepted, a domain verification gate requires proof of ownership through a DNS TXT record or an HTTP well-known file, so that only the domain owner can enable authenticated scans against it. When authenticated scanning is active, the scanner forwards only a restricted set of headers: Authorization, X-API-Key, Cookie, and X-Custom-*. Everything else is dropped, so supplied credentials are not forwarded to unrelated services.
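The two controls in this section, a header-forwarding allowlist and a domain-ownership gate, are easy to get subtly wrong (case-sensitive header matching, treating a DNS failure as proof, comparing tokens with plain `==`). The following is an added example written for this page, not middleBrick's own code. The challenge record name `_middlebrick-verify`, the well-known path `/.well-known/middlebrick-verify.txt`, the `mb-verify=` token format and the sample DNS answers and HTTP bodies are all assumptions constructed for illustration; the resolver and fetcher are injected so the check runs offline.

```python
"""Added example (not middleBrick's code): header-forwarding allowlist and
domain-ownership verification as described above.  Record names, paths and
token formats below are assumptions made for illustration."""
import hmac
from typing import Callable, Dict, Iterable, Mapping, Optional

# Only these headers are forwarded with an authenticated scan request.
FORWARD_EXACT = {"authorization", "x-api-key", "cookie"}
FORWARD_PREFIXES = ("x-custom-",)


def filter_forwarded_headers(headers: Mapping[str, str]) -> Dict[str, str]:
    """Return only the headers the scanner may forward to the target.

    HTTP header names are case-insensitive, so matching is done on the
    lower-cased name while the caller's original spelling is preserved.
    """
    kept: Dict[str, str] = {}
    for name, value in headers.items():
        lname = name.strip().lower()
        if lname in FORWARD_EXACT or lname.startswith(FORWARD_PREFIXES):
            kept[name] = value
    return kept


# Assumed challenge locations (illustrative, not the product's real values).
TXT_RECORD_NAME = "_middlebrick-verify"  # queried as _middlebrick-verify.<domain>
WELL_KNOWN_PATH = "/.well-known/middlebrick-verify.txt"


def verify_domain_ownership(
    domain: str,
    expected_token: str,
    resolve_txt: Callable[[str], Iterable[str]],
    fetch_text: Callable[[str], Optional[str]],
) -> Optional[str]:
    """Return "dns" or "http" naming the method that proved ownership, or None.

    resolve_txt(name) yields the TXT strings published at that name (empty or
    raising on failure); fetch_text(url) returns a GET body or None on any
    failure.  A lookup failure is never treated as proof.  Tokens are compared
    with hmac.compare_digest so the comparison does not leak timing.
    """
    try:
        for txt in resolve_txt(f"{TXT_RECORD_NAME}.{domain}"):
            if hmac.compare_digest(txt.strip(), expected_token):
                return "dns"
    except Exception:
        pass  # DNS trouble proves nothing; fall through to the HTTP method
    body = fetch_text(f"https://{domain}{WELL_KNOWN_PATH}")
    if body is not None and hmac.compare_digest(body.strip(), expected_token):
        return "http"
    return None


# Constructed stand-ins for real DNS answers and HTTP responses.
_FAKE_DNS = {"_middlebrick-verify.api.example.com": ["mb-verify=abc123"]}
_FAKE_HTTP = {
    "https://shop.example.org/.well-known/middlebrick-verify.txt": "mb-verify=xyz789\n"
}


def _resolve(name: str) -> Iterable[str]:
    return _FAKE_DNS.get(name, [])


def _fetch(url: str) -> Optional[str]:
    return _FAKE_HTTP.get(url)


def demo() -> Dict[str, object]:
    """Run both checks on constructed input and return the results."""
    headers = {
        "Authorization": "Bearer t0k3n",
        "X-API-Key": "k",
        "Cookie": "session=1",
        "X-Custom-Tenant": "acme",
        "X-Forwarded-For": "10.0.0.1",  # dropped: not on the allowlist
        "Host": "internal.example",     # dropped
    }
    return {
        "forwarded": filter_forwarded_headers(headers),
        "dns_owner": verify_domain_ownership("api.example.com", "mb-verify=abc123", _resolve, _fetch),
        "http_owner": verify_domain_ownership("shop.example.org", "mb-verify=xyz789", _resolve, _fetch),
        "unverified": verify_domain_ownership("evil.example.net", "mb-verify=abc123", _resolve, _fetch),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The allowlist is deliberately a positive list: a new header added by a client library or proxy is dropped by default rather than forwarded by default. The verifier returns which method succeeded so the decision can be logged alongside the domain that was enabled.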
Coverage aligned to compliance frameworks
The scanner maps findings to three frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other regulations, the product helps you prepare for audits and aligns with security controls described in relevant standards, supporting audit evidence without asserting certification or compliance guarantees. This approach keeps the tool focused on detection while clarifying its role in broader assessment programs.
Feature limitations and responsible disclosure scope
middleBrick is a scanner that detects and reports; it does not fix, patch, block, or remediate. Specific attack categories are out of scope, including active SQL injection or command injection testing, business logic validation, blind SSRF detection, and full web application pentesting. The tool also does not replace a human pentester for high-stakes audits, and findings such as sensitive data exposure or unsafe consumption patterns are provided with remediation guidance rather than automated correction.
Data handling, privacy, and deployment safety
Scan data is deletable on demand and purged within 30 days of cancellation; customer data is never sold and is not used for model training. The scanner enforces a strict safety posture by using only read-only methods, blocking private IPs, localhost, and cloud metadata endpoints at multiple layers, and never sending destructive payloads. This design reduces risk to the target environment while maintaining transparency about what the scanner does and does not test.
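To make the safety posture above concrete, here is an added example (written for this page, not middleBrick's code) of a pre-flight target check: the HTTP method must be a read-only verb, and every address the hostname resolves to must be public, with loopback, link-local, private ranges and cloud metadata endpoints rejected. Name resolution is injected so the example runs offline; the sample hostnames and the addresses they map to are constructed for illustration. It is one layer of the multi-layer blocking the text describes; a real scanner would repeat the address check at connect time and on every redirect, since the name can resolve differently later.

```python
"""Added example (not middleBrick's code): read-only method enforcement and
blocking of private, loopback, link-local and cloud-metadata targets before a
scan request is sent.  Hostnames and resolved addresses are constructed."""
import ipaddress
from typing import Callable, Dict, Iterable, Optional, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Verbs a read-only scanner is allowed to send.
READ_ONLY_METHODS = {"GET", "HEAD", "OPTIONS"}

# Instance-metadata endpoints: 169.254.169.254 (AWS/GCP/Azure) and the AWS
# IMDS IPv6 address.  Extend for other providers as needed.
METADATA_ADDRS = {
    ipaddress.ip_address("169.254.169.254"),
    ipaddress.ip_address("fd00:ec2::254"),
}
METADATA_NAMES = {"metadata.google.internal", "metadata"}


def address_is_blocked(ip: IPAddress) -> Optional[str]:
    """Return the reason an address must not be scanned, or None if it is fine."""
    if ip in METADATA_ADDRS:
        return "cloud metadata endpoint"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private range"
    if ip.is_multicast or ip.is_reserved or ip.is_unspecified:
        return "non-routable"
    return None


def check_target(url: str, method: str,
                 resolve: Callable[[str], Iterable[str]]) -> Optional[str]:
    """Return None if the request may be sent, else a human-readable refusal.

    resolve(hostname) returns the IP strings the name maps to (A and AAAA).
    Every record is checked: one private address among several public ones
    still blocks the scan, because the client could connect to any of them.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "scheme not allowed"
    if method.upper() not in READ_ONLY_METHODS:
        return f"method {method} is not read-only"
    host = parts.hostname
    if not host:
        return "missing host"
    if host.lower().rstrip(".") in METADATA_NAMES:
        return "cloud metadata hostname"
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP, no lookup needed
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except Exception:
            return "unresolvable host"
    if not addrs:
        return "unresolvable host"
    for ip in addrs:
        reason = address_is_blocked(ip)
        if reason:
            return f"{host} resolves to {ip} ({reason})"
    return None


# Constructed resolver: public addresses here are stand-ins, not real targets.
_FAKE_RESOLVER = {
    "api.example.com": ["8.8.8.8"],
    "localhost": ["127.0.0.1"],
    "dual.example.com": ["1.1.1.1", "192.168.1.5"],
}


def _resolve(host: str) -> Iterable[str]:
    return _FAKE_RESOLVER.get(host, [])


def demo() -> Dict[str, Optional[str]]:
    """Evaluate a set of constructed targets and return each verdict."""
    cases = {
        "public_get": ("https://api.example.com/v1/users", "GET"),
        "public_delete": ("https://api.example.com/v1/users", "DELETE"),
        "metadata_ip": ("http://169.254.169.254/latest/meta-data/", "GET"),
        "metadata_name": ("http://metadata.google.internal/computeMetadata/v1/", "GET"),
        "localhost": ("http://localhost:8080/admin", "GET"),
        "ipv6_loopback": ("http://[::1]/", "GET"),
        "split_horizon": ("https://dual.example.com/", "GET"),
        "bad_scheme": ("ftp://api.example.com/", "GET"),
    }
    return {name: check_target(url, m, _resolve) for name, (url, m) in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'allowed' if verdict is None else verdict}")
```

Checking every resolved record rather than only the first is what catches split-horizon or rebinding-style setups where a public name also carries a private address; a literal IP is checked without a lookup so an attacker-controlled resolver cannot influence the decision for that case.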