Full-Coverage Application Security Scanner: NTOSpider

NTOSpider, an application security scanner, provides more coverage of your web services, mobile, and rich internet applications (RIAs) than any other dynamic analysis tool available. Most importantly, NTOSpider saves you time by delivering the best rates in the application security industry for the elimination of false positive and false negative findings.

To learn more about our application security scanner, call the NT OBJECTives team at (877) 686-9327 or experience its premier level of accuracy and sophisticated automation by requesting a free trial today.

Key Benefits of Our Dynamic Analysis Tool

Most Accurate

We have spent more than 11 years building a sophisticated dynamic analysis tool that crawls more of your application than any other, attacking it with a sophisticated approach. With NTOSpider’s advanced, highly-automated application security scanning ability, you can count on receiving the best false positive and false negative rates available across all technologies from HTML and JavaScript to JSON, REST and AJAX.

Broadest Coverage

Our application security scanner is uniquely able to automatically analyze web services, RIAs and mobile applications for security vulnerabilities. NTOSpider is the only dynamic analysis tool, with Universal Translator Technology, that can detect and attack vulnerabilities in newer technologies such as JSON, REST, SOAP, AJAX, etc. that were previously only discoverable by manual testing.

Saves Time

Unlike other dynamic analysis tools, you will spend much less time configuring the scanner and training it to understand your application. This gives your organization’s security experts time to do the work that requires manual intervention and understanding of the business. We know today’s applications are customized with unique site structures, parameter names and responses; therefore, NTOSpider doesn’t simply test for known vulnerabilities. Instead, our dynamic analysis tool conducts a thorough analysis of your site and interprets exactly what your application is expecting. It then creates customized attacks based on your architecture to give you the most accurate results.

Our goal is 100% automation. We automate every part of the application security assessment process that can possibly be automated. Our comprehensive application coverage achieved through Universal Translator, superior client-side JavaScript testing and innovative pre-attack analysis enables organizations to achieve more testing in less time with less manual work.

Easy & Enterprise Ready

Our sophisticated automation delivers ease of use such that most sites test with a simple point-and-shoot. NTOSpider is part of a larger suite of products designed to quickly scale for the largest security programs in the world.

To give you the most accurate application security scanning in the industry, our dynamic analysis tool provides comprehensive scans using sophisticated and state-of-the-art attack methodologies. If you’re in need of a web application security scanner, NTOSpider not only serves as one of the most advanced dynamic analysis tools on the market, but also provides highly-interactive reports and a simple interface for user convenience.

Superior Application Security Scanning

The most technically-advanced application security scanner capable of delivering the most accurate and comprehensive results even on emerging technologies.

Speak Any Language with Universal Translator Technology

Dynamic analysis tools were originally built with a crawl-and-attack architecture around HTML and JavaScript. However, crawling is not a concept that works for web services and other dynamic technologies. NTOSpider can still crawl traditional name=value pair formats like HTML, but it has also been re-architected to understand all of the new formats being used in today’s web and mobile applications, as well as web services.

NTOSpider’s Universal Translator has the ability to understand the new formats, protocols and development technologies being used in today’s mobile and modern browser-based applications. The Universal Translator translates them to a common schema and then launches simulated attacks that penetrate the back-end systems where vulnerabilities and threats exist.

Understood by Universal Translator:

  • REST
  • JSON
  • AJAX
  • HTML4
  • HTML5
  • Silverlight
  • Google Web Toolkit
  • Flash Remoting (AMF)

Capabilities of Universal Translator:

  • Living in the DOM
  • True Sequence Support
  • XSRF Token Tracking

[Figure: Typical Scanner Coverage compared with NTOSpider Coverage]

NTOSpider Checks

Server & General HTTP

Data Injection & Manipulation Attacks

Sessions & Authentication

  • Shellshock (aka The BASH Bug)
  • CORS (Cross-Origin Resource Sharing)
  • ASP.NET ViewState Validation
  • AJAX Auditing
  • Detection of Client-Side Technologies
  • Directory Indexing and Enumeration
  • HTTP Response Splitting
  • Canonicalization Attacks
  • Cookie Security
  • Custom Fuzzing
  • Path Manipulation – Traversal
  • Brute Force Authentication Attacks
  • XPath Injections
  • LDAP Injection
  • XML External Entity
  • Server Side Include (SSI) Injection
  • Expression Language Injection
  • Blind SQL Injection
  • Remote File Include (RFI) Injection
  • Operating System Command Injection
  • Parameter Redirection
  • Persistent XSS
  • DOM-Based XSS
  • Cross-Site Request Forgery
  • SQL Injection
  • Reflected Cross-Site Scripting (XSS)
  • Session Strength
  • Authentication Attacks
  • Insufficient Authentication
  • Path Truncation
  • WebDAV Auditing
  • Web Services Auditing
  • File Enumeration
  • Information Disclosure
  • Directory and Path Traversal
  • Brute Force Authentication Attacks

Automatically Test Application Workflows

NTOSpider is the only web application security scanner capable of automatically and accurately testing complex business workflows like shopping cart or application processing. Complex business workflows require the functionality to be tested in the prescribed order of the workflow (enter credit card data before it’s submitted) and the workflow must be tested in its entirety (last name may not be submitted to database until credit card is processed).

But it’s important to understand that application security scanners must also be architected to attack functionality at random, because for most application functionality, random attacking is preferred. NTOSpider is the only dynamic analysis tool architected to handle both kinds of security testing: testing at random and testing for complex workflows where both order and completeness are critical.

Interactive Reports

Our web application security scanner provides interactive, actionable reports that help streamline remediation efforts by featuring accurate results. The reports are designed to help users quickly get to the data that matters most. With one click, you can drill deep into a vulnerability to get more information.

In addition, these reports:

  • Consolidate findings by attack types (XSS, SQLi, etc.)
  • Enable users to further investigate vulnerabilities by clicking on them
  • Provide the ability to reproduce attacks in real-time
  • Support XML export for import into your tracking system
  • Provide analysis for compliance reporting requirements (PCI, FISMA, OWASP, SOX, HIPAA, GLBA, and more)

Key Integrations

Most enterprise testing teams already use test automation tools & scripts such as Selenium to create repeatable tests that can be executed in conjunction with nightly application builds. It only makes sense to integrate security tests into this as well so that security tests can run automatically every time the application changes. This is a great way to catch web application security vulnerabilities early in the SDLC.

Continuous Integration

Many organizations are pushing development to use Continuous Integration (CI) solutions to streamline QA efforts and to reduce time to market. Security teams are wise to find ways to plug their scanning activity into the CI to ensure that every build is security tested before it goes into production. NTOSpider can fit into your CI environment because it works well in “point and shoot” mode and offers open APIs for running scans. (Jenkins plug-in available)


NTO and Coverity have partnered to deliver the first Interactive Application Security Testing (IAST) solution built on a “developer-ready” platform. With this integration, the results from NTO’s DAST solution, NTOSpider, are integrated into the development workflow of Coverity’s Static Application Security Testing (SAST) solution and then automatically correlated, enabling security teams to find and fix security defects earlier in the lifecycle and improving collaboration between security and development teams.


Denim Group’s ThreadFix application vulnerability management platform can now import the results from NTOSpider – enabling you to compare and analyze the results of other testing efforts, and have a more complete picture of your application security testing program.

Jira, Archer, HP Quality Center

NTOSpider is capable of automatically adding tickets to several popular bug tracking systems including Jira, Archer and HP Quality Center.

Enterprise Ready

Our dynamic analysis tools are regarded as some of the most accurate and reliable in the industry. Plus, all of your findings in NTOSpider can be seamlessly integrated into our global enterprise application security platform, NTOEnterprise. Paired with NTOSpider, either as software or a cloud-based SaaS solution, NTOEnterprise allows companies to manage their application security scanner from one centralized management platform.

To find out more about our security services, download a free trial of our application security scanner today, or call the experts at NT OBJECTives at (877) 686-9327.

Immediately Patch with Custom WAF/IPS Rules

NTODefend leverages NTOSpider’s results to create a truly custom rule based on knowledge of the application, the WAF/IPS and the vulnerability.

NTODefend enables security professionals to patch vulnerabilities immediately – in a matter of minutes instead of the days or weeks it can take to build a custom rule for a WAF or IPS or the time it takes to deliver a source code patch. This gives developers time to identify the root cause of the problem and fix it in the code.