NTOSpider, featuring Universal Translator technology, is the only dynamic application security testing (DAST) solution available capable of effectively testing today’s complex web and mobile applications and web services. Available as software or SaaS, NTOSpider delivers more thorough analysis, comprehensive application coverage and sophisticated attack methodologies than any other solution available. Most importantly, NTOSpider delivers the best rates in the industry for the elimination of false positive and false negative findings.

Key Benefits
With NTOSpider, you will have the utmost confidence that you are getting the best false positive and false negative rates available. NTOSpider automates as much of the process as possible and more than any other scanner. We have spent 10 years dedicated to building a sophisticated tool that crawls more of your application than any other and attacks it with a sophisticated approach.

Enterprise Ready

NTOSpider is part of a larger suite of products designed to scale for the largest security programs in the world.

Easiest to Use

Sophisticated automation delivers ease of use such that most sites test with a simple point and shoot.

Most Accurate

Sophisticated attack methodologies virtually eliminate false positive and false negative findings.

Best Authentication

Capable of authenticating and staying logged in to even the toughest applications even when other scanners aren’t able to.

Unparalleled Support

Not your typical help desk! Our technical support team provides personal, effective and timely support.

Reduce Configuration & Training Time

NTOSpider automatically conducts sophisticated proximity analysis to determine valid data on variable names to get deeper coverage with less tool training.

Scan Applications with XSRF Protection

Uniquely performs XSRF token detection. Then, during attack, NTOSpider collects and uses valid tokens during each attack.

  • Pre-attack analysis conducts recon to isolate attack vectors and determine the best ways to attack them
  • Reflection analysis delivers more intelligent cross-site scripting (XSS) payloads
  • Confirmation is key: NTOSpider’s automated process checks and re-checks vulnerability findings to reduce false positives

Scanners were originally built with a crawl and attack architecture around HTML and JavaScript. However, crawling is not a concept that works for web services and other dynamic technologies. NTOSpider can still crawl traditional name=value pair formats like HTML, but it has been re-architected to also understand all of the new formats being used in today’s web and mobile applications as well as web services.

Universal Translator Technology

Only NTOSpider has Universal Translator technology capable of understanding the new formats, protocols and development technologies being used in today’s web services, mobile and modern browser-based applications.

Achieve Broadest Coverage

NTOSpider enables security teams to automatically interpret and scan modern application technologies such as Mobile, JSON, REST, SOAP, HTML5 and AJAX. NTOSpider’s DAST solution includes Universal Translator technology that can automatically detect and attack vulnerabilities that were previously only discoverable by manual testing.

Reduce Manual Testing Time

Comprehensive application coverage achieved through Universal Translator, superior client-side JavaScript testing & innovative pre-attack analysis enables organizations to achieve more testing in less time with less manual work.


NTO is committed to getting NTOSpider authenticating and completing scans on even the toughest custom applications.

Interactive Reports

Speed remediation efforts with organized and clickable HTML reports enabling developers to validate vulns and reproduce attacks in real time.

Innovative Integrations

Provides numerous options for pragmatic, secure software development lifecycles through Jenkins, Selenium, Jira and more.

The most technically advanced web vulnerability scanner capable of delivering the most accurate and comprehensive results even on emerging technologies.

Speak Any Language with Universal Translator Technology

NTOSpider has the ability to understand the new formats, protocols and development technologies being used in today’s mobile and modern browser-based applications. The Universal Translator translates them to a common schema and then launches simulated attacks that penetrate the back-end systems where vulnerabilities and threats exist.

Technologies, Standards and Protocols understood by Universal Translator:

  • REST
  • JSON
  • AJAX
  • HTML4
  • HTML5
  • Google Web Toolkit
  • Flash Remoting (AMF)

Capabilities of Universal Translator:

  • Living in the DOM
  • True Sequence Support
  • XSRF Token Tracking

Typical Scanner Coverage

Coverage using NTOSpider with Universal Translator Technology

NTOSpider Checks For

Server and General HTTP

Data Injection and Manipulation Attacks

Sessions and Authentication

  • AJAX Auditing
  • Detection of Client-Side Technologies
  • Directory Indexing and Enumeration
  • HTTP Response Splitting
  • Canonicalization Attacks
  • Cookie Security
  • Custom Fuzzing
  • Path Manipulation – Traversal
  • Brute Force Authentication Attacks
  • Blind SQL Injection
  • Remote File Include (RFI) Injection
  • Operating System Command Injection
  • Parameter Redirection
  • Persistent XSS
  • DOM-Based XSS
  • Cross-Site Request Forgery
  • SQL Injection
  • Reflected Cross-Site Scripting (XSS)
  • Session Strength
  • Authentication Attacks
  • Insufficient Authentication
  • Path Truncation
  • WebDAV Auditing
  • Web Services Auditing
  • File Enumeration
  • Information Disclosure
  • Directory and Path Traversal
  • Brute Force Authentication Attacks

Automatically Test Application Workflows

NTOSpider is the only web application security scanner capable of accurately testing a complex application workflow like shopping cart or application processing. Complex workflows are different than other areas of applications because they require the functionality to be tested in the prescribed order of the workflow (enter credit card data before it’s submitted) and the workflow must be tested in its entirety (last name may not be submitted to database until credit card is processed). NTOSpider can test a complex workflow in order and in its entirety. It’s important to understand that web application security scanners are designed to attack pages randomly because, for most of the application functionality, it’s actually better to attack it randomly. NTOSpider can do both.

Interactive Reports

Higher Confidence of Results Accuracy

Accurate results derived from comprehensive crawl, sophisticated attack techniques and multiple iterations of validation on all vulnerabilities to deliver the best false positive and false negative rates.

Streamline Remediation Efforts

NTOSpider’s sophisticated reports enable you to reduce remediation time and streamline communication with developers. Our reports provide accurate and actionable results that are designed to assist in remediation efforts and to help users quickly get to the data that matters most. With one click, you can drill deep into a vulnerability to get more information.

  • Consolidate findings by attack types (XSS, SQLi, etc.)
  • Enable users to further investigate vulnerabilities by clicking on them
  • Provide the ability to reproduce attacks in real-time
  • Support XML export for import into your tracking system
  • Provide analysis for compliance reporting requirements (PCI, FISMA, OWASP, SOX, HIPAA, GLBA, and more)

Immediately Patch with Custom WAF/IPS Rules

NTODefend leverages NTOSpider’s results to create a truly custom rule based on knowledge of the application, the WAF/IPS and the vulnerability.

Key Integrations


Most enterprise testing teams already use test automation tools & scripts such as Selenium to create repeatable tests that can be executed in conjunction with nightly application builds. It only makes sense to integrate security tests into this as well so that security tests can run automatically every time the application changes. This is a great way to catch web application security vulnerabilities early in the SDLC.

Hudson (Continuous Integration)

Many organizations are pushing development to use Continuous Integration (CI) solutions (such as Hudson, Jenkins or home grown solutions) to streamline QA efforts and to reduce time to market. Security teams are wise to find ways to plug their scanning activity into the CI to ensure that every build is security tested before it goes into production. NTOSpider can fit into your CI environment because it works well in “point and shoot” mode and offers open APIs for running scans.


NTO and Coverity have partnered to deliver the first Interactive Application Security Testing (IAST) solution built on a “developer-ready” platform. With this integration, the results from NTO’s DAST solution, NTOSpider, are integrated into the development workflow of Coverity’s Static Application Security Testing (SAST) solution and then automatically correlated, enabling security teams to find and fix security defects earlier in the lifecycle and improving collaboration between security and development teams.

Jira, Archer, HP Quality Center

NTOSpider is capable of automatically adding tickets to several popular bug tracking systems including Jira, Archer and HP Quality Center.