AcuMonitor, AcuSensor, and the Acunetix Verified Badge
AcuMonitor and AcuSensor work together to enhance the reliability and precision of vulnerability scans. AcuMonitor ensures accurate detection of out-of-band vulnerabilities, while AcuSensor leverages IAST technology to confirm vulnerabilities with 100% certainty, significantly reducing false positives.
The Acunetix Verified badge is displayed for vulnerabilities with a 100% confidence rating.
This document explains in detail the vulnerabilities detected by AcuMonitor and AcuSensor, as well as those marked with the Acunetix Verified badge, and describes how to identify them in the vulnerability results.
AcuMonitor
AcuMonitor enables Acunetix to improve the accuracy and reliability of vulnerability scans by identifying out-of-band vulnerabilities, where a successful exploit reports back to the scanner instead of showing up in the application's response. It integrates seamlessly with out-of-band checks and requires no installation or configuration; however, it does need internet access to bxss.me. (Refer to our allowlisting documentation for more information.)
By default, all scans use AcuMonitor, unless specific checks are excluded or the service is disabled. Without AcuMonitor, out-of-band detection is not possible. Vulnerabilities verified through out-of-band testing are marked with the AcuMonitor label, confirming their validation. Vulnerabilities detected with AcuMonitor are never false positives.
How to identify AcuMonitor-detected vulnerabilities
- Select Vulnerabilities from the left-side menu.
- Identify the detected vulnerabilities by looking for the AcuMonitor label.
- Double-click the selected vulnerability to display its details on the right-hand side. The AcuMonitor label will also appear within the vulnerability details.
AcuSensor
AcuSensor is an IAST (Interactive Application Security Testing) solution: a piece of code integrated into your application to pinpoint the exact location of vulnerabilities within the code. Installing and using AcuSensor gives Acunetix greater visibility into the backend of your web application, providing more detailed insights into detected vulnerabilities.
Acunetix can verify vulnerabilities with or without AcuSensor, although AcuSensor does help in the verification of some vulnerabilities. For more information about installing and using AcuSensor, refer to Introduction to deploying AcuSensor.
Beyond vulnerability confirmation, IAST in AcuSensor offers additional capabilities such as runtime Software Composition Analysis (SCA), API Discovery, Zombie API detection, and assessment of application configurations. Together, these features provide comprehensive security insights for modern applications.
How to identify AcuSensor-detected vulnerabilities
- Select Vulnerabilities from the left-side menu.
- Identify the detected vulnerabilities by looking for the AcuSensor label.
- Double-click the selected vulnerability to display its details on the right-hand side. The AcuSensor label will also appear within the vulnerability details.
Acunetix Verified badge
The Acunetix Verified badge indicates vulnerabilities detected with 100% certainty during a scan, confirming their existence in the scanned web application and eliminating the need for manual verification. Acunetix can assign the verified badge to vulnerabilities with or without AcuSensor, although AcuSensor can assist in confirming some vulnerabilities.
Vulnerabilities not marked with the verified badge are generally valid; however, the detection method may prevent Acunetix from being completely certain of their existence. Nonetheless, Acunetix maintains a very low false positive rate.
How to identify vulnerabilities with the Acunetix Verified badge
- Select Vulnerabilities from the left-side menu.
- Check the Confidence % column for a value of 100% to identify the vulnerabilities.
- Double-click the selected vulnerability to display its details on the right-hand side. The Acunetix Verified badge appears within the vulnerability details.