Redefining Application Security Strategy with ASPM


In this interview, Neil Roseman, CEO of Invicti, explains how proof-based results, ASPM, and AI-enhanced DAST are helping organizations secure modern applications at scale, without slowing innovation.

What do you see as the most significant threats enterprises face today when it comes to application security, and what best practices should they prioritize to reduce these risks?

AI is accelerating everything, including risk. Enterprises are building and deploying software faster than ever, often with AI-generated code that no one fully reviews or understands. The math is simple: more code means more vulnerabilities, and that’s before factoring in the sometimes questionable quality of AI-supplied code. The best defense is automation that’s deeply embedded in the DevSecOps workflow. You need security scans that run at the same speed as your releases and are automated, continuous, and accurate enough to trust without second-guessing.

How has Application Security Posture Management (ASPM) evolved, and why has it become such an essential component of modern security programs?

As an industry, we’ve gone from chasing vulnerabilities with point tools to drowning in data from dozens of scanners. Everyone demanded automation, and they got it, but automation without prioritization only amplified the noise. That drove the need for ASPM to tie everything together so teams can focus on what actually matters: risk that’s real and exploitable. Today, ASPM isn’t a convenience feature – it’s foundational for any mature AppSec program.

Invicti has been actively embedding AI capabilities into its DAST solutions. How is AI enhancing accuracy, coverage, and remediation speed across your testing processes?

AI is transforming how we test applications. We’re using it to solve the hardest automation challenges, especially “fuzzy” problems like login, authentication, and complex workflows that used to require manual setup. This lets us crawl and test deeper, deliver more accurate results, and drive better correlation and prioritization. What matters is that we’re using AI not as a gimmick but as a force multiplier for our already industry-leading capabilities like proof-based scanning. Unlike some competitors, we’re not pretending it’s a magic box.

How important is it to embed security throughout the developer workflow, and what steps can organizations take to ensure developers become active stakeholders in application security?

You can’t bolt on security anymore; it has to live where developers live. The fastest way to make developers care about security is to make it frictionless. Tools should run in the repo and CI/CD pipeline, not in a separate universe. But the traditional shift-left message has worn thin as static tools flood developers with noise and false positives. That’s why we’re focused on DAST that’s integrated, zero-noise, and proof-based. When you can automatically send a verified ticket that says, “Here’s an exploitable critical issue and here’s how to fix it,” that’s when developers can truly adopt a security mindset.

API-related vulnerabilities have become a major attack vector. How does Invicti approach API security, and what are the biggest challenges organizations face in this area?

Modern applications are really about the backend APIs being called. The biggest challenge now is finding, cataloging, and testing all those APIs, including the shadow and zombie ones nobody knows about. We’ve been steadily expanding Invicti’s API security capabilities, and we now offer something unique in the industry. Invicti combines multi-layered discovery with industry-leading API scanning on one unified platform. Whether through zero-click, sensorless, or agent-based discovery, we help customers find every endpoint and then prove which ones are truly vulnerable.

Invicti has been broadening its product suite in recent years. Can you highlight some of the latest additions or enhancements that expand your value proposition beyond traditional DAST?

Invicti started as the best DAST in the world (and it still is), but today we’re much more than that. We’ve evolved into a full application security platform that covers the entire attack surface, so not just web frontends but also APIs, both in scanning and discovery. We’re adding AI-powered scanning features that move toward automated pentesting. And our acquisition of Kondukto has brought advanced ASPM that connects all this data into one unified risk view. We’re not only delivering accurate, proof-based results but also helping customers see the big picture and manage their overall security posture.

Visibility and prioritization are often challenges for security teams managing hundreds of web assets. How does Invicti help customers gain unified visibility and prioritize vulnerabilities that matter most?

Security teams don’t fail from a lack of data; they fail from too much of it. The problem comes from three areas: too many apps and APIs, too many tools, and too much noise from those tools. Invicti cuts through that chaos with verified results from proof-based scanning, unified within an ASPM platform that centralizes and correlates everything. Our DAST acts as the fact-checker that keeps other tools honest. And our Predictive Risk Scoring highlights the riskiest assets even before scanning, helping teams focus their efforts where they matter most.

As AI-driven development and low-code platforms proliferate, how is Invicti preparing to secure the next generation of rapidly built and deployed web applications?

We’re entering the era of black-box development: code written by AI, deployed by anyone, and running everywhere. In that world, traditional code-based testing can’t keep up because no one knows where the code lives or how it really works. That’s why DAST is becoming more valuable than ever. DAST is tech-agnostic and really the only way to test security from the outside in at scale, without needing source code. No matter how that app is built, who or what wrote it, or how many new apps appear every week, we’re helping customers stay ahead in a world where software builds itself faster than humans can review it.
