What DAST is (and how it differs from SAST)
DAST (Dynamic Application Security Testing) tests a running application from the outside, like an attacker — sending crafted requests and observing responses to find injection flaws, authentication issues, misconfigurations, and logic bugs. SAST (Static Application Security Testing) analyzes source code without running it; SCA (Software Composition Analysis) checks third-party dependencies; IAST (Interactive Application Security Testing) instruments the running app for inside-out visibility. DAST's advantage is that it finds real, exploitable, environment-specific issues with low false positives on the flaws it does surface. Its limitation is coverage — it only tests what it can reach and crawl.
The leading DAST & web app testing tools
- PortSwigger Burp Suite — the pentester default. Burp Suite Professional is the manual web-testing standard; Burp Suite Enterprise adds automated, scheduled DAST scanning at scale. If your team does hands-on testing, Burp is almost non-negotiable.
- Invicti (formerly Netsparker) — automated DAST with proof-based scanning that confirms exploitability to cut false positives; strong for CI/CD-integrated scale.
- Acunetix — fast automated DAST, popular in mid-market; shares an engine lineage with Invicti.
- OWASP ZAP — the leading open-source DAST; excellent for CI pipelines and teams that want free, scriptable scanning.
- Rapid7 InsightAppSec — cloud DAST integrated with the Rapid7 platform.
- Detectify — automated external app + attack-surface scanning, crowdsourced payloads.
- Checkmarx and Veracode — full AppSec platforms (SAST+DAST+SCA) if you want one vendor across the whole pipeline.
DAST for APIs is its own problem
Most modern attack surface is APIs, not classic web pages — and traditional DAST crawlers miss undocumented API endpoints. Dedicated API-security testing (Salt Security, Noname/Akamai, StackHawk, 42Crunch, Escape) tests APIs from their specs and traffic, catching the broken-object-level-authorization and business-logic flaws that dominate API breaches. If your app is API-first, budget for API-specific testing on top of web DAST. See the API security category.
How to choose
- Decide manual vs automated. Hands-on pentesting → Burp Suite Pro. Continuous automated scanning in CI/CD → Invicti, Acunetix, ZAP, or Burp Enterprise.
- Check authentication handling — most real app surface is behind login. A DAST tool that cannot reliably authenticate and maintain a session tests almost nothing useful.
- Test API coverage against your real specs (OpenAPI/GraphQL). If your app is API-first, add a dedicated API-security tool.
- Measure the false-positive rate on your own app — proof-based scanning (Invicti) materially reduces triage load.
- Confirm CI/CD integration and how findings route to developers (Jira/GitHub), not a separate security queue.