NTOSpider

NTOSpider, featuring new Universal Translator technology, is the only dynamic application security testing (DAST) solution available that is capable of effectively testing modern mobile and web applications that leverage new technologies like REST, AJAX, JSON and GWT. Available as software or SaaS, NTOSpider delivers more comprehensive application coverage and sophisticated attack methodologies than any other solution available. Most importantly, NTOSpider delivers the best rates in the industry for the elimination of false positive and false negative findings.


Free Trial Download of NTOSpider

Key Benefits

More Coverage – Mobile, AJAX, JSON

Enables security teams to automatically interpret and scan modern application technologies such as Mobile, JSON, REST, SOAP, HTML5 and AJAX. The new dynamic application security testing (DAST) solution includes Universal Translator technology that can automatically crawl, detect and attack vulnerabilities that were previously only discoverable by manual testing.

Sophisticated Automation

With NTOSpider, you will have the utmost confidence that you are getting the best false positive and false negative rates available. NTOSpider automates as much of the process as can be automated. We have spent more than 11 years building a sophisticated tool that crawls more of your application than any other and attacks it with a sophisticated approach.

Flexible

You don’t have to test the entire application every time. You can choose the sections you need to re-test, and when you need to validate that one specific vulnerability has been removed, you can test for just that vulnerability.

Saves Time

You will spend a lot less time configuring the scanner and training it to understand your application. This gives your organization’s security experts the time they need to do the work that requires manual intervention and understanding of the business.

Intelligent

NTOSpider doesn’t simply test for known vulnerabilities, because we know today’s applications are custom, with unique site structures, parameter names and responses. Instead, NTOSpider conducts a thorough crawl of your site and interprets exactly what your application is expecting. It then creates custom attacks based on your architecture to give you the most accurate results.

Interactive

Our reports provide accurate and actionable results that are designed to assist in remediation efforts and to help users quickly get to the data that matters most. With one click, you can drill into a vulnerability to get more information.

NTOSpider Checks For:

  • Data Injection and Manipulation Attacks
      • Blind SQL injection
      • Remote File Include (RFI) injection
      • Operating system command injection
      • Parameter redirection
      • Persistent XSS
      • DOM-based XSS
      • Cross-site request forgery
      • SQL injection
      • Reflected cross-site scripting (XSS)
  • Server and General HTTP
      • AJAX auditing
      • Detection of client-side technologies
      • Directory indexing and enumeration
      • HTTP response splitting
      • Canonicalization attacks
      • Cookie security
      • Custom fuzzing
      • Path manipulation and traversal
      • Brute force authentication attacks

How It Works

Comprehensive Application Coverage Achieved Through:

  • Universal Translator technology interprets & attacks mobile and modern application technologies such as JSON, AJAX and GWT
  • Presentation layer position and proximity analysis for form population
  • Multiple parsing and JavaScript execution engines
  • Smart login and session management

Attack Methodologies Include:

  • Enables users to automatically crawl and attack rich client traffic, including AJAX, jQuery, GWT and Flash/Flex/AMF.
  • Enables users to decode and attack many popular formats, including JSON, REST, AMF, SOAP and XML, to enable simulated attacks against web and mobile back-end services.
  • Includes true sequence crawling and attacking to enable proper testing of features such as shopping carts and business workflows.
  • Capable of scanning applications with XSRF protection. Uniquely, NTOSpider detects XSRF tokens, then collects and uses valid tokens during each attack.
  • Allows users to view and reproduce attacks in real time from innovative and usable reports.
  • Pre-attack analysis conducts recon to isolate attack vectors and determines the best ways to attack them.
  • Reflection analysis delivers more intelligent cross-site scripting (XSS) payloads.
  • Confirmation is key: an automated process checks and re-checks vulnerability findings to reduce false positives.

Sophisticated, Actionable Reports

Our reports provide accurate and actionable results that are designed to assist in remediation efforts and to help users quickly get to the data that matters most. NTO’s reports:

  • Consolidate findings by attack types (XSS, SQLi, etc.)
  • Enable users to further investigate vulnerabilities by clicking on them
  • Provide the ability to reproduce attacks in real time
  • Support XML export for import into your tracking system
  • Provide analysis for compliance reporting requirements (PCI, FISMA, OWASP, SOX, HIPAA, GLBA, and more)

Automatic WAF/IPS Rule Generation

NTODefend integration enables automatic WAF and IPS custom rule generation from NTOSpider results.

Watch NTOSpider Product Tour

Download NTOSpider Data Sheet