What DAST is (and how it differs from SAST)

DAST tests a running application from the outside, the way an attacker would: it sends crafted requests and observes responses to find injection flaws, authentication and session problems, misconfigurations, and some logic bugs. SAST (Static Application Security Testing) analyzes source code without running it; SCA checks third-party dependencies for known-vulnerable versions; IAST instruments the running app for inside-out visibility. DAST's advantage is that it finds real, exploitable, environment-specific issues (including deployment and configuration problems that never appear in source) with low false positives on the flaws it does surface. Its limitations are coverage and attribution: it only tests what it can reach, crawl, and authenticate to, and it reports the vulnerable request, not the line of code behind it.

The leading DAST & web app testing tools

  • PortSwigger Burp Suite — the pentester default. Burp Suite Professional is the manual web-testing standard; Burp Suite Enterprise adds automated, scheduled DAST scanning at scale. If your team does hands-on testing, Burp is almost non-negotiable.
  • Invicti (formerly Netsparker) — automated DAST with proof-based scanning that confirms exploitability to cut false positives; strong for CI/CD-integrated scale.
  • Acunetix — fast automated DAST, popular in mid-market; shares an engine lineage with Invicti.
  • OWASP ZAP — the leading open-source DAST; excellent for CI pipelines and teams that want free, scriptable scanning.
  • Rapid7 InsightAppSec — cloud DAST integrated with the Rapid7 platform.
  • Detectify — automated external app + attack-surface scanning, crowdsourced payloads.
  • Checkmarx and Veracode — full AppSec platforms (SAST+DAST+SCA) if you want one vendor across the whole pipeline.

DAST for APIs is its own problem

Most modern attack surface is APIs, not classic web pages, and traditional DAST crawlers discover targets by following links in HTML, so undocumented or unlinked API endpoints are simply never requested. Dedicated API-security testing (Salt Security, Noname/Akamai, StackHawk, 42Crunch, Escape) seeds tests from API specs (OpenAPI, GraphQL schemas) and observed traffic, and can request the same object as different users, which is how it catches the broken-object-level-authorization (BOLA) and business-logic flaws that dominate API breaches. If your app is API-first, budget for API-specific testing on top of web DAST. See the API security category.

How to choose

  1. Decide manual vs automated. Hands-on pentesting → Burp Suite Pro. Continuous automated scanning in CI/CD → Invicti, Acunetix, ZAP, or Burp Enterprise.
  2. Check authentication handling, because most real app surface is behind login. A DAST tool that cannot reliably authenticate (form login, SSO/OIDC, bearer tokens, MFA bypass accounts) and keep the session alive across a long scan tests almost nothing useful. Verify it in practice: compare the site map or endpoint list the scanner reaches with and without credentials, and confirm that re-authentication happens when the session expires mid-scan.
  3. Test API coverage against your real specs (OpenAPI/GraphQL). Confirm the tool fills path and body parameters with valid IDs rather than placeholders, and that it tests access with more than one user. If API-first, add a dedicated API-security tool.
  4. Measure false-positive rate on your app, not on the vendor demo target. Proof-based scanning (Invicti) materially reduces triage load.
  5. Confirm CI/CD integration and how findings route to developers (Jira/GitHub), not a separate security queue.
DAST is necessary but not sufficient. Pair it with SAST/SCA in the pipeline and periodic manual pentesting or a bug-bounty program — automated scanners do not find business-logic flaws the way a skilled human does.
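To make the "authentication handling" and "API coverage" checks above concrete, here is an added example (written for this page, not code from any of the vendors or projects named above) of what a spec-driven, authenticated API scanner actually has to do. It starts a constructed mock API with a deliberate BOLA flaw on `/orders/{orderId}`, reads a hand-written OpenAPI fragment, logs in as two users, and then requests every authenticated operation both anonymously and as each user, flagging endpoints that answer without a token and objects that one user can read from another. All endpoint names, users, IDs and the `SPEC` fragment are assumptions made up for the example.

```python
"""Added example: a minimal spec-driven, authenticated API check against a
constructed mock API. Not any vendor's code; endpoints, users and the spec
fragment are invented for illustration (Python 3.9+)."""
import json
import re
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import request as urlreq
from urllib.error import HTTPError

# ---- constructed mock API (deliberately has a BOLA flaw on /orders/{id}) ----
USERS = {"alice": "pw-a", "bob": "pw-b"}          # hypothetical accounts
ORDERS = {"1001": "alice", "1002": "bob"}         # order id -> owner
SESSIONS = {}                                     # bearer token -> username

class MockAPI(BaseHTTPRequestHandler):
    def log_message(self, *args):  # silence request logging
        pass

    def _send(self, code, body):
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self):
        if self.path != "/login":
            return self._send(404, {})
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        creds = json.loads(raw or b"{}")
        if USERS.get(creds.get("user")) != creds.get("password"):
            return self._send(401, {"error": "bad credentials"})
        token = secrets.token_hex(8)
        SESSIONS[token] = creds["user"]
        self._send(200, {"token": token})

    def do_GET(self):
        user = SESSIONS.get(self.headers.get("Authorization", "").removeprefix("Bearer "))
        if not user:
            return self._send(401, {"error": "login required"})
        if self.path == "/me":
            return self._send(200, {"user": user})
        m = re.fullmatch(r"/orders/(\d+)", self.path)
        if m and m.group(1) in ORDERS:
            # Deliberate bug: never checks ORDERS[id] == user, i.e. BOLA.
            return self._send(200, {"order": m.group(1), "owner": ORDERS[m.group(1)]})
        self._send(404, {})

# Hand-written OpenAPI fragment; a real scanner loads the full document.
SPEC = {"paths": {
    "/login": {"post": {}},
    "/me": {"get": {"security": [{"bearer": []}]}},
    "/orders/{orderId}": {"get": {"security": [{"bearer": []}]}},
}}

# ---- the scanner ----
def call(base, method, path, token=None, body=None):
    """One HTTP request; returns (status, parsed JSON or {})."""
    data = json.dumps(body).encode() if body is not None else None
    req = urlreq.Request(base + path, method=method, data=data,
                         headers={"Content-Type": "application/json"})
    if token:
        req.add_header("Authorization", "Bearer " + token)
    try:
        with urlreq.urlopen(req, timeout=3) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except HTTPError as err:
        return err.code, {}

def login(base, user, password):
    """Fail loudly: an unauthenticated scan of an authenticated API is worthless."""
    code, body = call(base, "POST", "/login", body={"user": user, "password": password})
    if code != 200 or "token" not in body:
        raise RuntimeError(f"login as {user} failed; scanning would test almost nothing")
    return body["token"]

def scan(base, spec, creds, owned):
    """creds: {user: password}. owned: {path_param: {user: [ids that user owns]}}.
    Returns findings as (kind, method, url, detail) tuples. Handles one path
    parameter per route, which is enough for the example."""
    tokens = {u: login(base, u, p) for u, p in creds.items()}
    findings = []
    for path, ops in spec["paths"].items():
        for method, op in ops.items():
            if not op.get("security"):
                continue  # only authenticated operations are in scope
            params = re.findall(r"\{(\w+)\}", path)
            # Concrete URLs: each owner's real ids substituted into the path.
            concrete = [(None, path)] if not params else [
                (owner, path.replace("{" + params[0] + "}", oid))
                for owner, ids in owned.get(params[0], {}).items() for oid in ids]
            for owner, url in concrete:
                if call(base, method.upper(), url)[0] == 200:
                    findings.append(("missing-auth", method, url, "200 without a token"))
                for user, tok in tokens.items():
                    code, _ = call(base, method.upper(), url, token=tok)
                    if owner and user != owner and code == 200:
                        findings.append(("bola", method, url, f"{user} read {owner}'s object"))
    return findings

def start_mock():
    srv = HTTPServer(("127.0.0.1", 0), MockAPI)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"

def demo():
    """Run the scan against the mock; returns the two expected BOLA findings."""
    owned = {"orderId": {"alice": ["1001"], "bob": ["1002"]}}
    return scan(start_mock(), SPEC, USERS, owned)

if __name__ == "__main__":
    for finding in demo():
        print(*finding)
```

Two design points carry over to evaluating a commercial tool. First, `login` raises instead of continuing: a scanner that silently falls back to anonymous requests will report a clean run against an API it never really tested, which is exactly the failure mode item 2 warns about. Second, the BOLA check needs two sessions and a map of which IDs each user owns; a tool that only substitutes random or example values into `{orderId}` will get 404s and never see the flaw, which is why item 3 asks you to verify parameter handling against your real spec.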