# Best Dynamic Application Security Testing (DAST) Software for Medium-Sized Businesses

  *By [Lauren Worth](https://research.g2.com/insights/author/lauren-worth)*

   Products classified in the overall Dynamic Application Security Testing (DAST) category are similar in many regards and help companies of all sizes solve their business problems. However, medium-sized business features, pricing, setup, and installation differ from businesses of other sizes, which is why we match buyers to the right Medium-Sized Business Dynamic Application Security Testing (DAST) to fit their needs. Compare product ratings based on reviews from enterprise users or connect with one of G2&#39;s buying advisors to find the right solutions within the Medium-Sized Business Dynamic Application Security Testing (DAST) category.

In addition to qualifying for inclusion in the Dynamic Application Security Testing (DAST) Software category, to qualify for inclusion in the Medium-Sized Business Dynamic Application Security Testing (DAST) Software category, a product must have at least 10 reviews left by a reviewer from a medium-sized business.


## Category Overview

**Total Products under this Category:** 92


## Trust & Credibility Stats

**Why You Can Trust G2's Software Rankings:**

- 30 Analysts and Data Experts
- 3,500+ Authentic Reviews
- 92+ Products
- Unbiased Rankings

G2's software rankings are built on verified user reviews, rigorous moderation, and a consistent research methodology maintained by a team of analysts and data experts. Each product is measured using the same transparent criteria, with no paid placement or vendor influence. While reviews reflect real user experiences, which can be subjective, they offer valuable insight into how software performs in the hands of professionals. Together, these inputs power the G2 Score, a standardized way to compare tools within every category.


---

**Sponsored**

### Proscan

Proscan is a unified application security platform designed to help organizations streamline the management of their security tools. By integrating multiple standalone solutions into a single cohesive experience, Proscan provides comprehensive security visibility across the entire software stack. This platform replaces the complexity of managing various tools for static analysis, dynamic testing, and dependency scanning, allowing teams to focus on building secure applications without the hassle of juggling disparate systems. The platform is particularly beneficial for security teams, developers, and engineering leaders who require a consolidated view of application security risks. Proscan combines nine specialized security scanners, including Static Application Security Testing (SAST), which analyzes source code in over 30 programming languages using advanced detection methods. Dynamic Application Security Testing (DAST) further enhances security by testing live applications, identifying vulnerabilities that may only become apparent during runtime. Additionally, Software Composition Analysis (SCA) evaluates open-source dependencies across 196 package ecosystems, helping organizations detect known vulnerabilities before they can impact production environments. Proscan&#39;s capabilities extend beyond code analysis. It includes scanning for hardcoded secrets, misconfigurations in Infrastructure-as-Code, and vulnerabilities in container images. The platform also offers API security testing that validates endpoints against the OWASP API Security Top 10, ensuring robust protection for applications that leverage APIs. For organizations developing AI-powered applications, Proscan features a dedicated AI and LLM security scanner that identifies potential risks associated with prompt injections and other vulnerabilities, utilizing over 4,600 techniques mapped to the OWASP LLM Top 10. Artificial intelligence plays a crucial role in enhancing Proscan&#39;s efficiency and accuracy. The platform employs machine-learning algorithms to reduce false positives and prioritize vulnerabilities based on their potential impact. This intelligent approach allows teams to focus on the most critical security issues while providing clear explanations and actionable remediation guidance. Proscan integrates seamlessly into existing development workflows, offering IDE plugins and native CI/CD integrations that ensure security checks are part of the development process without causing disruptions. Compliance readiness is another key feature of Proscan, as it generates audit-ready reports aligned with major security standards, including OWASP Top 10, PCI DSS, HIPAA, and GDPR. This automated evidence collection simplifies the compliance process, providing organizations with the necessary documentation in various formats. Proscan is designed for security teams looking to consolidate fragmented toolchains, developers needing quick feedback, and managed security service providers managing multiple client environments, making it a versatile solution for modern application security challenges.


[Visit website](https://www.g2.com/external_clickthroughs/record?secure%5Bad_program%5D=ppc&amp;secure%5Bad_slot%5D=category_product_list&amp;secure%5Bcategory_id%5D=1521&amp;secure%5Bdisplayable_resource_id%5D=1521&amp;secure%5Bdisplayable_resource_type%5D=Category&amp;secure%5Bmedium%5D=sponsored&amp;secure%5Bplacement_reason%5D=page_category&amp;secure%5Bplacement_resource_ids%5D%5B%5D=1521&amp;secure%5Bprioritized%5D=false&amp;secure%5Bproduct_id%5D=1777455&amp;secure%5Bresource_id%5D=1521&amp;secure%5Bresource_type%5D=Category&amp;secure%5Bsource_type%5D=category_page&amp;secure%5Bsource_url%5D=https%3A%2F%2Fwww.g2.com%2Fcategories%2Fdynamic-application-security-testing-dast&amp;secure%5Btoken%5D=5a146e2c4f78499d3f60ec7a5a435fa3c9fafc98db1ea8c894023f5ce0b2d39e&amp;secure%5Burl%5D=https%3A%2F%2Fwww.proscan.one%2Fdownload&amp;secure%5Burl_type%5D=free_trial&amp;secure%5Bvisitor_segment%5D=180)

---

## Top-Rated Products (Ranked by G2 Score)
### 1. [Burp Suite](https://www.g2.com/products/burp-suite/reviews)
  Burp Suite is a complete ecosystem for web application and API security testing, combining two products: Burp Suite DAST - a best-of-breed, precision DAST solution that automates runtime testing, and Burp Suite Professional - the industry-standard toolkit for manual penetration testing. Developed by PortSwigger, more than 85,000 security professionals rely on Burp Suite to find, verify, and understand vulnerabilities across complex modern web applications. Burp Suite DAST is PortSwigger’s enterprise dynamic application security testing (DAST) solution, purpose-built for continuous, automated scanning of web applications and APIs. Unlike many DAST solutions, which are part of a wider AST offering, Burp Suite DAST is not a bolt-on tool - instead it’s precision-built from over 20 years of dynamic testing experience. Burp Suite DAST reveals the runtime issues that static analysis tools miss, such as authentication flaws, configuration drift, and chained vulnerabilities. Built on the same proprietary scanning engine that powers Burp Suite Professional, it delivers precise, low-noise results that security teams trust. Key capabilities of Burp Suite DAST include: Continuous, automated scanning of web applications and APIs, integration with CI/CD pipelines and vulnerability management tools, flexible deployment across cloud, and on-premise environments, shared scanning logic and configurations between automated and manual testing, accurate, low-noise detection informed by PortSwigger Research. Burp Suite Professional complements DAST with deep manual testing capability. It’s the industry-standard toolkit for penetration testers, consultants, and AppSec engineers who need complete insight and flexibility when validating or exploring vulnerabilities. Findings discovered by DAST can be investigated and verified in Burp Suite Professional, ensuring every result is accurate, contextual, and actionable. Together, Burp Suite DAST and Burp Suite Professional create a unified ecosystem that delivers automation at breadth and manual depth where it counts. Burp Suite is built for AppSec teams who need scalable, trustworthy coverage across web and API environments, enabling a seamless handoff between automated and manual testing.


  **Average Rating:** 4.8/5.0
  **Total Reviews:** 125

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 9.7/10 (Category avg: 9.2/10)
- **API / Integrations:** 8.3/10 (Category avg: 8.6/10)
- **Detection Rate:** 7.2/10 (Category avg: 8.7/10)
- **Test Automation:** 7.5/10 (Category avg: 8.7/10)


**Seller Details:**

- **Seller:** [PortSwigger](https://www.g2.com/sellers/portswigger)
- **Company Website:** https://www.portswigger.net
- **Year Founded:** 2008
- **HQ Location:** Knutsford, GB
- **Twitter:** @Burp_Suite (137,471 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/portswigger-web-security/ (321 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Who Uses This:** Cyber Security Analyst
  - **Top Industries:** Computer &amp; Network Security, Information Technology and Services
  - **Company Size:** 41% Mid-Market, 31% Small-Business


#### Pros & Cons

**Pros:**

- Ease of Use (12 reviews)
- User Interface (8 reviews)
- Testing Services (7 reviews)
- Features (5 reviews)
- Clear Interface (4 reviews)

**Cons:**

- Expensive (5 reviews)
- Slow Performance (5 reviews)
- High Learning Curve (2 reviews)
- Learning Curve (2 reviews)
- Limited Customization (2 reviews)

### 2. [Tenable Nessus](https://www.g2.com/products/tenable-nessus/reviews)
  Built for security practitioners, by security professionals, Nessus products by Tenable are the de-facto industry standard for vulnerability assessment. Nessus performs point-in-time assessments to help security professionals quickly and easily identify and fix vulnerabilities, including software flaws, missing patches, malware, and misconfigurations - across a variety of operating systems, devices, and applications. With features such as pre-built policies and templates, customizable reporting, group “snooze” functionality, and real-time updates, Nessus is designed to make vulnerability assessment simple, easy, and intuitive. The result: less time and effort to assess, prioritize, and remediate issues.


  **Average Rating:** 4.5/5.0
  **Total Reviews:** 287

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 8.7/10 (Category avg: 9.2/10)


**Seller Details:**

- **Seller:** [Tenable](https://www.g2.com/sellers/tenable)
- **Company Website:** https://www.tenable.com/
- **HQ Location:** Columbia, MD
- **Twitter:** @TenableSecurity (87,651 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/25452/ (2,357 employees on LinkedIn®)
- **Ownership:** NASDAQ: TENB

**Reviewer Demographics:**
  - **Who Uses This:** Security Engineer, Network Engineer
  - **Top Industries:** Information Technology and Services, Computer &amp; Network Security
  - **Company Size:** 40% Mid-Market, 34% Enterprise


#### Pros & Cons

**Pros:**

- Vulnerability Identification (21 reviews)
- Vulnerability Detection (19 reviews)
- Automated Scanning (18 reviews)
- Ease of Use (17 reviews)
- Features (15 reviews)

**Cons:**

- Slow Scanning (8 reviews)
- Expensive (6 reviews)
- Limited Features (6 reviews)
- Complexity (5 reviews)
- False Positives (5 reviews)

### 3. [Aikido Security](https://www.g2.com/products/aikido-security/reviews)
  Aikido Security is the developer-first security platform that unifies code, cloud, protection, and attack testing in one suite of best-in-class products. Built by developers for developers, Aikido helps teams of any size ship secure software faster, automate protection, and simulate real-world attacks with AI-driven precision. The platform’s proprietary AI cuts noise by 95%, delivers one-click fixes, and saves developers 10+ hours per week. Aikido Intel proactively uncovers vulnerabilities in open source packages before disclosure, helping secure more than 50,000 organizations worldwide, including Revolut, Niantic, Visma, Montblanc, and GoCardless.


  **Average Rating:** 4.6/5.0
  **Total Reviews:** 139

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 9.4/10 (Category avg: 9.2/10)
- **API / Integrations:** 8.3/10 (Category avg: 8.6/10)
- **Detection Rate:** 10.0/10 (Category avg: 8.7/10)
- **Test Automation:** 10.0/10 (Category avg: 8.7/10)


**Seller Details:**

- **Seller:** [Aikido Security](https://www.g2.com/sellers/aikido-security)
- **Company Website:** https://aikido.dev
- **Year Founded:** 2022
- **HQ Location:** Ghent, Belgium
- **Twitter:** @AikidoSecurity (6,430 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/aikido-security/ (175 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Who Uses This:** CTO, Founder
  - **Top Industries:** Computer Software, Information Technology and Services
  - **Company Size:** 71% Small-Business, 17% Mid-Market


#### Pros & Cons

**Pros:**

- Ease of Use (78 reviews)
- Security (55 reviews)
- Features (52 reviews)
- Easy Integrations (47 reviews)
- Easy Setup (47 reviews)

**Cons:**

- Missing Features (19 reviews)
- Expensive (17 reviews)
- Limited Features (16 reviews)
- Pricing Issues (15 reviews)
- Lacking Features (14 reviews)

### 4. [Invicti (formerly Netsparker)](https://www.g2.com/products/invicti-formerly-netsparker/reviews)
  Invicti is an automated application and API security testing solution that allows enterprise organizations to secure thousands of websites, web apps, and APIs and dramatically reduce the risk of attack. By empowering security teams with the most unique DAST + IAST scanning capabilities on the market, Invicti allows organizations with complicated environments to confidently automate their web application and API security. With Invicti, security teams can: - Automate security tasks and save hundreds of hours each month - Gain complete visibility into all your applications — even those that are lost, forgotten, or hidden - Automatically give developers rapid feedback that trains them to write more secure code — so they create fewer vulnerabilities over time - Feel confident that you are equipped with the most powerful application security scanning tool on the market You have the most demanding security needs, and Invicti is the best-in-class application security solution you deserve.


  **Average Rating:** 4.6/5.0
  **Total Reviews:** 65

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 9.6/10 (Category avg: 9.2/10)
- **API / Integrations:** 8.2/10 (Category avg: 8.6/10)
- **Detection Rate:** 8.6/10 (Category avg: 8.7/10)
- **Test Automation:** 8.5/10 (Category avg: 8.7/10)


**Seller Details:**

- **Seller:** [Invicti Security](https://www.g2.com/sellers/invicti-security-04cb0d3d-fd96-45b2-83dc-2038fc9dac92)
- **Company Website:** https://www.invicti.com/
- **Year Founded:** 2018
- **HQ Location:** Austin, Texas
- **Twitter:** @InvictiSecurity (2,565 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/invicti-security/people/ (332 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Computer Software, Information Technology and Services
  - **Company Size:** 47% Enterprise, 26% Mid-Market


#### Pros & Cons

**Pros:**

- Ease of Use (9 reviews)
- Scanning Technology (7 reviews)
- Features (6 reviews)
- Reporting Quality (6 reviews)
- Vulnerability Detection (6 reviews)

**Cons:**

- Poor Customer Support (3 reviews)
- Slow Performance (3 reviews)
- Slow Scanning (3 reviews)
- API Issues (2 reviews)
- Complex Setup (2 reviews)

### 5. [Astra Pentest](https://www.g2.com/products/astra-pentest/reviews)
  Astra is a leading penetration testing company that provides PTaaS and continuous threat exposure management capabilities. Our comprehensive cybersecurity solutions blend automation and manual expertise to run 15,000+ tests and compliance checks, ensuring complete safety, irrespective of the threat and attack location. With a 360° view of an organization’s security posture, continuous proactive insights, real-time reporting, and AI-first defensive strategies, we aim to help CTOs shift left at scale with continuous pentests. The offensive scanner engine, seamless tech stack integrations, and expert support help make pentesting simple, effective and hassle-free for 1000+ businesses worldwide. Moreover, our industry-specific AI test cases, world-class Astranaut Bot, and customizable reports are designed to make your experience smoother while saving you millions of dollars proactively.


  **Average Rating:** 4.6/5.0
  **Total Reviews:** 181

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 9.2/10 (Category avg: 9.2/10)
- **API / Integrations:** 8.3/10 (Category avg: 8.6/10)
- **Detection Rate:** 8.9/10 (Category avg: 8.7/10)
- **Test Automation:** 8.8/10 (Category avg: 8.7/10)


**Seller Details:**

- **Seller:** [ASTRA IT, Inc.](https://www.g2.com/sellers/astra-it-inc)
- **Company Website:** https://www.getastra.com/
- **Year Founded:** 2018
- **HQ Location:** New Delhi, IN
- **Twitter:** @getastra (690 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/getastra/ (120 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Who Uses This:** CTO, CEO
  - **Top Industries:** Computer Software, Information Technology and Services
  - **Company Size:** 65% Small-Business, 30% Mid-Market


#### Pros & Cons

**Pros:**

- Customer Support (65 reviews)
- Vulnerability Detection (52 reviews)
- Ease of Use (51 reviews)
- Pentesting Efficiency (42 reviews)
- Vulnerability Identification (38 reviews)

**Cons:**

- Poor Customer Support (12 reviews)
- Poor Interface Design (10 reviews)
- Slow Performance (8 reviews)
- UX Improvement (7 reviews)
- False Positives (6 reviews)

### 6. [Qodex.ai](https://www.g2.com/products/qodex-ai/reviews)
  Qodex.ai | AI Powered API Testing and Security Qodex.ai is an AI agent purpose built for API testing and security automation. It helps engineering teams ship faster and safer by turning plain English requests into complete, executable test suites without any manual scripting or QA setup. Think of it as Cursor for APIs. Engineers describe what they want to test, and Qodex.ai instantly generates end to end functional, regression, and security test cases mapped to real workflows. Tests auto execute, stay up to date, and self heal as your code evolves, saving teams hours of maintenance and review time. Already trusted by more than 100 enterprise and mid market companies, Qodex.ai is redefining how modern teams achieve continuous API quality, vulnerability detection, and compliance at scale using the power of AI.


  **Average Rating:** 4.9/5.0
  **Total Reviews:** 60

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 9.4/10 (Category avg: 9.2/10)
- **API / Integrations:** 8.3/10 (Category avg: 8.6/10)
- **Detection Rate:** 8.3/10 (Category avg: 8.7/10)
- **Test Automation:** 10.0/10 (Category avg: 8.7/10)


**Seller Details:**

- **Seller:** [QodexAI](https://www.g2.com/sellers/qodexai)
- **Company Website:** https://www.qodex.ai/
- **Year Founded:** 2023
- **HQ Location:** San Francisco, California
- **LinkedIn® Page:** https://linkedin.com/company/qodexai (12 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Computer Software, Information Technology and Services
  - **Company Size:** 75% Small-Business, 20% Mid-Market


#### Pros & Cons

**Pros:**

- Ease of Use (23 reviews)
- Automation (17 reviews)
- Testing (17 reviews)
- Testing Efficiency (17 reviews)
- Helpful (13 reviews)

**Cons:**

- Slow Loading (6 reviews)
- Poor Documentation (5 reviews)
- Slow Performance (5 reviews)
- Bug Issues (4 reviews)
- Bugs (4 reviews)

### 7. [Cobalt](https://www.g2.com/products/cobalt-io-cobalt/reviews)
  Cobalt is the pioneer in pentesting as a service (PTaaS) and a leader in human-led, AI-powered offensive security services. We are focused on combining talent and technology with speed, scalability, and expertise. Thousands of customers and hundreds of partners rely on the Cobalt Offensive Security Platform, along with 500+ trusted security experts, to find and fix vulnerabilities across their environments. By enabling faster pentest launches, real-time collaboration with pentesters, and seamless integration with remediation workflows, we help organizations identify critical issues and accelerate risk mitigation so they can operate fearlessly and innovate securely.


  **Average Rating:** 4.5/5.0
  **Total Reviews:** 175

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 9.3/10 (Category avg: 9.2/10)
- **API / Integrations:** 8.6/10 (Category avg: 8.6/10)
- **Detection Rate:** 8.6/10 (Category avg: 8.7/10)
- **Test Automation:** 8.9/10 (Category avg: 8.7/10)


**Seller Details:**

- **Seller:** [Cobalt](https://www.g2.com/sellers/cobalt-33275b9c-c870-4949-8fd5-a68eb12f96bb)
- **Company Website:** https://cobalt.io/
- **Year Founded:** 2013
- **HQ Location:** San Francisco, California
- **Twitter:** @cobalt_io (8,484 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/cobalt_io/ (535 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Who Uses This:** CTO, Security Engineer
  - **Top Industries:** Computer Software, Information Technology and Services
  - **Company Size:** 51% Mid-Market, 23% Small-Business


#### Pros & Cons

**Pros:**

- Pentesting Efficiency (50 reviews)
- Customer Support (40 reviews)
- Ease of Use (39 reviews)
- Communication (31 reviews)
- Reporting Quality (28 reviews)

**Cons:**

- Expensive (14 reviews)
- Limited Scope (8 reviews)
- Lack of Detail (7 reviews)
- Pricing Issues (6 reviews)
- Inaccuracy (5 reviews)

### 8. [Bright Security](https://www.g2.com/products/bright-security/reviews)
  Bright Security’s dev-centric DAST platform empowers both developers and AppSec professionals with enterprise-grade security testing capabilities for web applications, APIs, and GenAI and LLM applications. Bright knows how to deliver the right tests, at the right time in the SDLC, in developers and AppSec tools and stacks of choice with minimal false positives and alert fatigue.


  **Average Rating:** 4.7/5.0
  **Total Reviews:** 29

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 9.2/10 (Category avg: 9.2/10)
- **API / Integrations:** 8.3/10 (Category avg: 8.6/10)
- **Detection Rate:** 8.2/10 (Category avg: 8.7/10)
- **Test Automation:** 8.9/10 (Category avg: 8.7/10)


**Seller Details:**

- **Seller:** [Bright Security ](https://www.g2.com/sellers/bright-security)
- **Year Founded:** 2018
- **HQ Location:** San Rafael
- **Twitter:** @BrightAppSec (1,519 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/brightappsec (118 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Computer &amp; Network Security, Information Technology and Services
  - **Company Size:** 52% Enterprise, 34% Mid-Market


#### Pros & Cons

**Pros:**

- Accuracy of Results (4 reviews)
- Automated Scanning (4 reviews)
- Ease of Use (4 reviews)
- Detection (3 reviews)
- Easy Integrations (3 reviews)

**Cons:**

- Learning Curve (3 reviews)
- Complex Setup (2 reviews)
- Setup Complexity (2 reviews)
- Complexity (1 reviews)
- Confusing Interface (1 reviews)

### 9. [Akto API Security Platform](https://www.g2.com/products/akto-api-security-platform/reviews)
  Akto is a trusted platform for application security and product security teams to build an enterprise-grade API security program throughout their DevSecOps pipeline. Our industry-leading suite of — API discovery, API security posture management, sensitive data exposure, and API security testing solutions enables organizations to gain visibility in their API security posture. 1,000+ Application Security teams globally trust Akto for their API security needs. Akto use cases: 1. API Discovery 2. API Security Testing in CI/CD 3. API Security Posture Management 4. Authentication and Authorization Testing 5. Sensitive data Exposure 6. Shift left in DevSecOps


  **Average Rating:** 4.5/5.0
  **Total Reviews:** 52

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 9.1/10 (Category avg: 9.2/10)
- **API / Integrations:** 9.0/10 (Category avg: 8.6/10)
- **Detection Rate:** 8.1/10 (Category avg: 8.7/10)
- **Test Automation:** 8.8/10 (Category avg: 8.7/10)


**Seller Details:**

- **Seller:** [Akto.io](https://www.g2.com/sellers/akto-io)
- **Company Website:** https://www.akto.io
- **Year Founded:** 2022
- **HQ Location:** San Francisco, California
- **Twitter:** @Aktodotio (1,350 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/akto-io/ (29 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Financial Services, Information Technology and Services
  - **Company Size:** 45% Mid-Market, 36% Small-Business


#### Pros & Cons

**Pros:**

- Ease of Use (22 reviews)
- API Testing (20 reviews)
- Automation Testing (19 reviews)
- API Management (17 reviews)
- Security (17 reviews)

**Cons:**

- Complex Setup (9 reviews)
- Poor Documentation (8 reviews)
- API Issues (7 reviews)
- Complexity (7 reviews)
- Setup Complexity (7 reviews)

### 10. [StackHawk](https://www.g2.com/products/stackhawk/reviews)
  StackHawk is reimagining AppSec for AI-driven development, where applications are built faster than traditional AppSec tools can keep up. Our AppSec Intelligence Platform combines scalable runtime testing with complete attack surface discovery from source code. We integrate directly into development workflows and provide context-aware remediations to developers, enabling teams to find and fix exploitable vulnerabilities before they reach production. With real-time visibility and centralized program intelligence, AppSec teams can prioritize testing and fixing what matters. Companies like British Airways, ITV, and Norstella trust StackHawk to evaluate application risk, prove program value, and scale testing coverage to match development velocity.


  **Average Rating:** 4.6/5.0
  **Total Reviews:** 67

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 9.1/10 (Category avg: 9.2/10)
- **API / Integrations:** 8.8/10 (Category avg: 8.6/10)
- **Detection Rate:** 8.1/10 (Category avg: 8.7/10)
- **Test Automation:** 8.8/10 (Category avg: 8.7/10)


**Seller Details:**

- **Seller:** [StackHawk](https://www.g2.com/sellers/stackhawk)
- **Company Website:** https://stackhawk.com
- **Year Founded:** 2019
- **HQ Location:** Denver, CO
- **Twitter:** @StackHawk (1,139 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/40780406/ (44 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Information Technology and Services, Computer Software
  - **Company Size:** 46% Small-Business, 35% Mid-Market


#### Pros & Cons

**Pros:**

- Easy Integrations (10 reviews)
- Customer Support (9 reviews)
- Ease of Use (9 reviews)
- Integrations (7 reviews)
- Scanning Efficiency (5 reviews)

**Cons:**

- Setup Complexity (5 reviews)
- Complex Setup (4 reviews)
- High Learning Curve (3 reviews)
- Lacking Features (3 reviews)
- Limited Scope (3 reviews)

### 11. [Intruder](https://www.g2.com/products/intruder/reviews)
  Intruder is an exposure management platform for scaling to mid-market businesses. Over 3000 companies - across all industries - use Intruder to find critical exposures, respond faster and prevent breaches. Unifying Attack Surface Management, Vulnerability Management and Cloud security into one powerful, easy to use platform, Intruder simplifies the complex task of securing an ever-expanding attack surface. Recognizing no two business are alike, Intruder provides real-time, accurate scanning combined with intelligent risk prioritization, ensuring businesses focus on the exposures that are most relevant to them. And our proactive approach limits the window of risk, continuously monitoring for new threats while eliminating the noise that slows teams down. Whether you&#39;re an IT Manager, in DevOps or a CISO, Intruder&#39;s easy setup and context-driven approach will free you up to focus on exposures that cause real breaches, not just technical vulnerabilities. Keeping you one step ahead of attackers.


  **Average Rating:** 4.8/5.0
  **Total Reviews:** 206

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 9.7/10 (Category avg: 9.2/10)
- **API / Integrations:** 8.9/10 (Category avg: 8.6/10)
- **Detection Rate:** 9.5/10 (Category avg: 8.7/10)
- **Test Automation:** 8.8/10 (Category avg: 8.7/10)


**Seller Details:**

- **Seller:** [Intruder](https://www.g2.com/sellers/intruder)
- **Company Website:** https://www.intruder.io
- **Year Founded:** 2015
- **HQ Location:** London
- **Twitter:** @intruder_io (980 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/6443623/ (84 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Who Uses This:** CTO, Director
  - **Top Industries:** Computer Software, Information Technology and Services
  - **Company Size:** 57% Small-Business, 36% Mid-Market


#### Pros & Cons

**Pros:**

- Ease of Use (41 reviews)
- Vulnerability Detection (30 reviews)
- Customer Support (26 reviews)
- User Interface (24 reviews)
- Vulnerability Identification (24 reviews)

**Cons:**

- Expensive (10 reviews)
- Slow Scanning (8 reviews)
- Licensing Issues (7 reviews)
- False Positives (6 reviews)
- Limited Features (6 reviews)

### 12. [Indusface WAS](https://www.g2.com/products/indusface-was/reviews)
  Indusface WAS (Web Application Scanner) provides comprehensive managed dynamic application security testing (DAST) solution. It is a zero-touch, non-intrusive cloud-based solution that provides daily monitoring for web applications, checking for systems and application vulnerabilities, and malware. Indusface WAS with its automated scans &amp; manual pentesting done by certified security experts ensures none of the OWASP Top10, business logic vulnerabilities, and malware go unnoticed. With zero false-positive guarantee and comprehensive reporting with remediation guidance, Indusface web app scanning ensures developers to quickly fix vulnerabilities seamlessly.


  **Average Rating:** 4.6/5.0
  **Total Reviews:** 63

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 9.4/10 (Category avg: 9.2/10)
- **API / Integrations:** 9.7/10 (Category avg: 8.6/10)
- **Detection Rate:** 9.4/10 (Category avg: 8.7/10)
- **Test Automation:** 9.4/10 (Category avg: 8.7/10)


**Seller Details:**

- **Seller:** [Indusface](https://www.g2.com/sellers/indusface)
- **Year Founded:** 2012
- **HQ Location:** Vadodara
- **Twitter:** @Indusface (3,480 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/indusface/ (174 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Computer Software, Information Technology and Services
  - **Company Size:** 52% Small-Business, 37% Mid-Market


#### Pros & Cons

**Pros:**

- Vulnerability Detection (19 reviews)
- Vulnerability Identification (16 reviews)
- Customer Support (6 reviews)
- Scanning Efficiency (6 reviews)
- Security (6 reviews)

**Cons:**

- Expensive (2 reviews)
- Confusing Interface (1 reviews)
- Lacking Features (1 reviews)
- Limited Scope (1 reviews)
- Poor Interface Design (1 reviews)

### 13. [GitLab](https://www.g2.com/products/gitlab/reviews)
  GitLab is the most comprehensive AI-Powered DevSecOps platform that enables software innovation by empowering development, security, and operations teams to build better software, faster. With GitLab, teams can create, deliver, and manage code quickly and continuously instead of managing disparate tools and scripts. GitLab helps your teams across the complete DevSecOps lifecycle, from developing, securing, and deploying software. What makes us truly different? - Flexibility: Consume as a service or manage your own deployment - Cloud-Agnostic: Deploy anywhere with no vendor lock-in - No rip and replace: Scale to a platform approach at your own pace


  **Average Rating:** 4.5/5.0
  **Total Reviews:** 871

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 8.8/10 (Category avg: 9.2/10)
- **API / Integrations:** 9.2/10 (Category avg: 8.6/10)
- **Detection Rate:** 9.0/10 (Category avg: 8.7/10)
- **Test Automation:** 9.1/10 (Category avg: 8.7/10)


**Seller Details:**

- **Seller:** [GitLab Inc.](https://www.g2.com/sellers/gitlab-inc)
- **Company Website:** https://about.gitlab.com/
- **Year Founded:** 2014
- **HQ Location:** San Francisco, California
- **Twitter:** @gitlab (170,869 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/5101804/ (3,357 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Who Uses This:** Software Engineer, Senior Software Engineer
  - **Top Industries:** Computer Software, Information Technology and Services
  - **Company Size:** 37% Mid-Market, 37% Small-Business


#### Pros & Cons

**Pros:**

- Ease of Use (43 reviews)
- Features (42 reviews)
- CI (36 reviews)
- CD Integration (34 reviews)
- Integrations (34 reviews)

**Cons:**

- Complexity (21 reviews)
- Difficult Learning (19 reviews)
- Confusing Interface (16 reviews)
- Complex User Interface (15 reviews)
- Learning Curve (13 reviews)

### 14. [HCL AppScan](https://www.g2.com/products/hcl-appscan/reviews)
  HCL AppScan is a comprehensive suite of market-leading application security testing solutions (SAST, DAST, IAST, SCA, API), available on-premises and on-cloud. These powerful DevSecOps tools pinpoint application vulnerabilities, allowing for quick remediation in every phase of the software development lifecycle. Fast and Accurate Scanning for Secure DevOps Developers and DevOps teams can quickly and accurately scan code, applications, and APIs for security vulnerabilities while applications are being developed. This allows companies to fix issues at the earliest stages of the software development lifecycle, when it is least costly to the business. Focus on the Fix Continuous monitoring with IAST, along with auto issue correlation with DAST and SAST scan results allows DevOps teams to group and prioritize findings for faster, more streamlined remediation. Enterprise Management for Security Teams Centralized, easy-to-use dashboards provide visibility and oversight of all security scanning and remediation, and allow users to set scan parameters and compliance policies.


  **Average Rating:** 4.1/5.0
  **Total Reviews:** 74

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 8.8/10 (Category avg: 9.2/10)
- **API / Integrations:** 8.1/10 (Category avg: 8.6/10)
- **Detection Rate:** 8.2/10 (Category avg: 8.7/10)
- **Test Automation:** 7.9/10 (Category avg: 8.7/10)


**Seller Details:**

- **Seller:** [HCL Technologies](https://www.g2.com/sellers/hcl-technologies)
- **Year Founded:** 1999
- **HQ Location:** Noida, Uttar Pradesh
- **Twitter:** @hcltech (425,575 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/1756/ (251,431 employees on LinkedIn®)
- **Ownership:** NSE - National Stock Exchange of India

**Reviewer Demographics:**
  - **Top Industries:** Information Technology and Services, Computer &amp; Network Security
  - **Company Size:** 54% Enterprise, 28% Small-Business


### 15. [Jit](https://www.g2.com/products/jit/reviews)
  Jit is redefining application security by introducing the first Agentic AppSec Platform, seamlessly blending human expertise with AI-driven automation. Designed for modern development teams, Jit empowers organizations to proactively manage security risks across the entire software development lifecycle.​ AI-Powered Agents Jit&#39;s AI Agents, such as SERA (Security Evaluation and Remediation Agent) and COTA (Communication, Ops, and Ticketing Agent), collaborate with your teams to automate vulnerability triage, risk assessment, and remediation processes, significantly reducing manual workloads. ​ Comprehensive Security Scanning Achieve full-stack security coverage with integrated scanners for SAST, DAST, SCA, IaC, CSPM, and more. Jit&#39;s platform ensures continuous monitoring and immediate feedback on code changes, facilitating rapid identification and resolution of security issues. ​ Developer-Centric Experience With integrations into popular IDEs and CI/CD pipelines, Jit provides developers with contextual security insights directly within their workflows, promoting a shift-left approach without disrupting productivity. ​ Agentic AI for AppSec Teams Risk-Based Prioritization Utilizing the Model Context Protocol (MCP), Jit evaluates vulnerabilities in the context of runtime environments, business impact, and compliance requirements, enabling teams to focus on the most critical risks. ​ Seamless Integrations Jit integrates with a wide array of tools, including GitHub, GitLab, AWS, Azure, GCP, Jira, Slack, and more, ensuring that security processes are embedded within your existing technology stack. ​


  **Average Rating:** 4.5/5.0
  **Total Reviews:** 43

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 9.6/10 (Category avg: 9.2/10)
- **API / Integrations:** 8.7/10 (Category avg: 8.6/10)
- **Detection Rate:** 9.0/10 (Category avg: 8.7/10)
- **Test Automation:** 8.5/10 (Category avg: 8.7/10)


**Seller Details:**

- **Seller:** [jit](https://www.g2.com/sellers/jit)
- **Year Founded:** 2021
- **HQ Location:** Boston, MA
- **Twitter:** @jit_io (523 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/jit/ (151 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Computer Software, Financial Services
  - **Company Size:** 44% Mid-Market, 42% Small-Business


#### Pros & Cons

**Pros:**

- Security (10 reviews)
- Easy Integrations (8 reviews)
- Ease of Use (7 reviews)
- Efficiency (7 reviews)
- Integration Support (7 reviews)

**Cons:**

- Integration Issues (4 reviews)
- Limited Features (4 reviews)
- Limited Integration (4 reviews)
- Poor Documentation (4 reviews)
- Complexity (3 reviews)

### 16. [APPCHECK](https://www.g2.com/products/appcheck/reviews)
  AppCheck is a Dynamic Application Security Testing (DAST) and network vulnerability testing solution, developed and supported by experienced penetration testers. We approach security testing as a hacker would, leveraging multiple proprietary crawling engines to analyse target behaviour across both modern and traditional technologies, including Single Page Applications (SPAs), APIs, and complex authentication flows such as SSO, 2FA, and TOTP. Organisations can conduct unlimited security assessments across Web Applications, SPAs, APIs, cloud services, networks, across internal or external assets. Supporting production and UAT testing, AppCheck also helps organisations ‘shift left’ by integrating with CI/CD pipelines and build servers, including ADO, GitHub, Jenkins, TeamCity, CircleCI, TravisCI, Bamboo, and GitLab CI/CD. Allowing automated security testing throughout development, identifying risks as soon as changes are introduced. AppCheck are proud to be part of the CVE Numbering Authority (CNA), contributing to global security research


  **Average Rating:** 4.6/5.0
  **Total Reviews:** 67

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 9.5/10 (Category avg: 9.2/10)
- **API / Integrations:** 7.9/10 (Category avg: 8.6/10)
- **Detection Rate:** 8.9/10 (Category avg: 8.7/10)
- **Test Automation:** 9.2/10 (Category avg: 8.7/10)


**Seller Details:**

- **Seller:** [APPCHECK](https://www.g2.com/sellers/appcheck)
- **Company Website:** https://www.appcheck-ng.com
- **Year Founded:** 2014
- **HQ Location:** Leeds, GB
- **Twitter:** @AppcheckNG (649 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/appcheck-ng-ltd/ (99 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Computer Software, Information Technology and Services
  - **Company Size:** 49% Mid-Market, 30% Small-Business


#### Pros & Cons

**Pros:**

- Vulnerability Detection (7 reviews)
- Ease of Use (6 reviews)
- Features (5 reviews)
- Pentesting Efficiency (5 reviews)
- Automated Scanning (4 reviews)

**Cons:**

- Poor Customer Support (2 reviews)
- UX Improvement (2 reviews)
- API Issues (1 reviews)
- Difficult Customization (1 reviews)
- Difficult Learning Curve (1 reviews)

### 17. [Acunetix by Invicti](https://www.g2.com/products/acunetix-by-invicti/reviews)
  Acunetix (by Invicti) is an automated application security testing tool that enables small security teams to tackle huge application security challenges. With fast scanning, comprehensive results, and intelligent automation, Acunetix helps organizations to reduce risk across all types of web applications, websites, and APIs. With Acunetix, security teams can: - Save time and resources by automating manual security processes - Work more seamlessly with developers, or embrace DevSecOps by integrating directly into development tools - Feel confident that every web application has been crawled entirely thanks to DAST + IAST scanning and intelligent crawling technology - Finally, make web application and API security a priority and not just an add-on with a solution that is dedicated to application and API security 100% of the time You can depend on Acunetix to meet your organization’s needs today and face the challenges of modern web technology together tomorrow.


  **Average Rating:** 4.1/5.0
  **Total Reviews:** 100

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 8.2/10 (Category avg: 9.2/10)
- **API / Integrations:** 7.9/10 (Category avg: 8.6/10)
- **Detection Rate:** 8.7/10 (Category avg: 8.7/10)
- **Test Automation:** 8.1/10 (Category avg: 8.7/10)


**Seller Details:**

- **Seller:** [Invicti Security](https://www.g2.com/sellers/invicti-security-04cb0d3d-fd96-45b2-83dc-2038fc9dac92)
- **Company Website:** https://www.invicti.com/
- **Year Founded:** 2018
- **HQ Location:** Austin, Texas
- **Twitter:** @InvictiSecurity (2,565 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/invicti-security/people/ (332 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Information Technology and Services, Computer Software
  - **Company Size:** 40% Enterprise, 34% Mid-Market


#### Pros & Cons

**Pros:**

- Vulnerability Detection (7 reviews)
- Ease of Use (6 reviews)
- Security (5 reviews)
- Vulnerability Identification (5 reviews)
- Accuracy of Results (4 reviews)

**Cons:**

- Expensive (4 reviews)
- Complexity (3 reviews)
- Complex Setup (3 reviews)
- Slow Scanning (3 reviews)
- Difficult Customization (2 reviews)

### 18. [SOOS](https://www.g2.com/products/soos/reviews)
  SOOS is the complete application security posture management platform. Scan your software for vulnerabilities, control the introduction of new dependencies, exclude unwanted license types, generate and manage Software Bill of Materials (SBOM), and fill out your compliance worksheets across all your teams. SOOS’s ASPM is a dynamic, comprehensive approach to safeguarding your application infrastructure from vulnerabilities across the Software Development Life Cycle (SDLC) and live deployments. Easy to integrate, all in one dashboard. SCA - Deep tree vulnerability scanning, license compliance, governance DAST - Automated Web &amp; API vulnerability scanning Containers - Scan contents for vulnerabilities SAST - Analyze code for security vulnerabilities IaC - Cloud security coverage SBOMs - Create – monitor – manage


  **Average Rating:** 4.6/5.0
  **Total Reviews:** 42

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 9.1/10 (Category avg: 9.2/10)
- **API / Integrations:** 7.4/10 (Category avg: 8.6/10)
- **Detection Rate:** 8.9/10 (Category avg: 8.7/10)
- **Test Automation:** 9.4/10 (Category avg: 8.7/10)


**Seller Details:**

- **Seller:** [SOOS](https://www.g2.com/sellers/soos)
- **Company Website:** https://soos.io
- **Year Founded:** 2019
- **HQ Location:** Winooski, US
- **Twitter:** @soostech (45 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/53122310 (26 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Information Technology and Services, Computer Software
  - **Company Size:** 50% Mid-Market, 43% Small-Business


#### Pros & Cons

**Pros:**

- Ease of Use (8 reviews)
- Easy Integrations (6 reviews)
- Integrations (6 reviews)
- Customer Support (5 reviews)
- Vulnerability Detection (5 reviews)

**Cons:**

- Inadequate Reporting (4 reviews)
- Poor Reporting (4 reviews)
- Lacking Features (3 reviews)
- Lack of Guidance (3 reviews)
- Dashboard Issues (2 reviews)

### 19. [Detectify](https://www.g2.com/products/detectify/reviews)
  Detectify sets a new standard for advanced application security testing, challenging traditional DAST by providing evolving coverage of each and every exposed asset across the changing attack surface. AppSec teams trust Detectify to expose how attackers will exploit their Internet-facing applications. The Detectify platform automates continuous real-world, payload-based attacks fuelled by its global community of elite ethical hackers into its own expert-built engines, exposing critical weaknesses before it&#39;s too late. The Detectify solution includes: - Automated discovery of known and unknown digital assets via domain &amp; cloud connectors - Continuous coverage (24/7) of every corner of the attack surface with dynamic testing. Not just predefined targets - 100% payload-based testing fuelled by elite ethical hackers for a high signal-to-noise ratio - Distributed coverage across an unmatched array of relevant technologies - Actionable remediation tips for software development teams - Team functionality to easily share reports - Powerful integrations platform to prioritize and triage vulnerability findings onward to development teams -Advanced API functionality -Capabilities to set custom attack surface security policies


  **Average Rating:** 4.5/5.0
  **Total Reviews:** 49

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 9.7/10 (Category avg: 9.2/10)
- **API / Integrations:** 7.6/10 (Category avg: 8.6/10)
- **Detection Rate:** 7.9/10 (Category avg: 8.7/10)
- **Test Automation:** 9.0/10 (Category avg: 8.7/10)


**Seller Details:**

- **Seller:** [Detectify](https://www.g2.com/sellers/detectify)
- **Year Founded:** 2013
- **HQ Location:** Stockholm, Sweden
- **Twitter:** @detectify (11,278 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/2850066/ (96 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Information Technology and Services, Computer Software
  - **Company Size:** 47% Small-Business, 35% Mid-Market


#### Pros & Cons

**Pros:**

- Automation (2 reviews)
- Automation Testing (2 reviews)
- Customizability (2 reviews)
- Features (2 reviews)
- Security (2 reviews)

**Cons:**

- Complexity (1 reviews)
- Complex Queries (1 reviews)
- Complex Setup (1 reviews)
- Expensive (1 reviews)
- Inaccuracy (1 reviews)

### 20. [Appknox](https://www.g2.com/products/appknox/reviews)
  Appknox is an on-demand mobile application security platform that helps businesses detect and fix security vulnerabilities using an Automated Security Testing suite. We have been successfully reducing delivery timelines, manpower costs &amp; mitigating security threats for Global Banks and Enterprises in 10 + countries.


  **Average Rating:** 4.5/5.0
  **Total Reviews:** 40

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 9.8/10 (Category avg: 9.2/10)
- **API / Integrations:** 9.0/10 (Category avg: 8.6/10)
- **Detection Rate:** 9.0/10 (Category avg: 8.7/10)
- **Test Automation:** 8.9/10 (Category avg: 8.7/10)


**Seller Details:**

- **Seller:** [Appknox](https://www.g2.com/sellers/appknox)
- **Year Founded:** 2014
- **HQ Location:** Singapore, Singapore
- **Twitter:** @appknox (3,063 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/3771872/ (80 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Information Technology and Services, Financial Services
  - **Company Size:** 40% Small-Business, 37% Mid-Market


## Parent Category

[DevSecOps Software](https://www.g2.com/categories/devsecops)


## Related Categories

- [Vulnerability Scanner Software](https://www.g2.com/categories/vulnerability-scanner)
- [Penetration Testing Tools](https://www.g2.com/categories/penetration-testing-tools)
- [Static Application Security Testing (SAST) Software](https://www.g2.com/categories/static-application-security-testing-sast)


---

## Buyer Guide

### What You Should Know About Dynamic Application Security Testing (DAST)﻿ Software

### What is Dynamic Application Security Testing (DAST) Software?

Dynamic application security testing (DAST) is one of the many technology groupings of security testing solutions. DAST is a form of black-box security testing, meaning it simulates realistic threats and attacks. This differs from other forms of testing such as static application security testing (SAST), a white-box testing methodology used to examine the source code of an application.

DAST includes a number of testing components that operate while an application is running. Security professionals simulate real-world functionality through testing the application for vulnerabilities and then evaluate the effects on application performance. The methodology is often used to find issues near the end of the software development lifecycle. These issues may be tougher to fix than early flaws and bugs are, but those flaws pose a larger threat to critical components of an application.

DAST can also be thought of as a methodology. It’s a different approach than traditional security testing because once a test is completed, there are still tests to be done. It involves periodic inspections as updates are pushed live or changes are made before release. While a penetration test or code scan might serve as a one-off test for specific vulnerabilities or bugs, dynamic testing can be performed continually throughout the lifecycle of an application.

Key Benefits of Dynamic Application Security Testing (DAST) Software

- Simulate realistic attacks and threats
- Discover vulnerabilities not found in source code
- Flexible and customizable testing options
- Comprehensive assessment and scalable testing

### Why Use Dynamic Application Security Testing (DAST) Software?

There are a number of testing solutions necessary for an all-encompassing approach to security testing and vulnerability discovery. Most start in the early stages of software development and help programmers discover bugs in the code and issues with the underlying framework or design. These tests require access to source code and are often used during development and quality assurance (QA) processes.

While early testing solutions approach testing from the standpoint of the developer, DAST approaches testing from the standpoint of a hacker. These tools simulate real threats to a functional, running application. Security professionals can simulate common attacks such as SQL injection and cross-site scripting or customize tests to threats specific to their product. These tools offer a highly customizable solution for testing during the later stages of development and while applications are deployed.

**Flexibility —** Users can schedule tests as they please or perform them continuously throughout an application’s or website’s lifecycle. Security professionals can modify environments to simulate their resources and infrastructure to ensure a realistic test and evaluation. They’re often scalable, as well, to see if increased traffic or usage would affect vulnerabilities and protection.

Industries with more specific threats may require more specific testing. Security professionals may identify a threat specific to the health care industry or financial sector and alter tests to simulate the threats most common to them. If performed correctly, these tools offer some of the most realistic and customizable solutions to the threats present in real-world situations.

**Comprehensiveness —** Threats are continuously evolving and expanding, making the ability to simulate multiple tests more necessary. DAST offers a versatile approach to testing, wherein security professionals can simulate and analyze each threat or attack type individually. These tests deliver comprehensive feedback and actionable insights that security and development teams use to remediate any issues, flaws, and vulnerabilities.

These tools will first perform an initial crawl, or examination, of applications and websites from a third-party perspective. They interact with applications using HTTP, allowing the tools to examine applications built with any programming language or on any framework. The tool will then test for misconfigurations, which expose a greater attack surface than internal vulnerabilities. Additional tests can be run, depending on the solution, but all the results and discoveries can be stored for actionable remediation.

**Continuous assessment —** Agile teams and other companies relying on frequent updates to applications should use DAST products with continuous assessment capabilities. SAST tools will provide more direct solutions for issues related to continuous integration processes, but DAST tools will provide a better view of how updates and changes will be seen from an outside perspective. Each new update may pose a new threat or unveil a new vulnerability; it is therefore crucial to continue testing even after applications have been completed and deployed.

Unlike SAST, DAST also requires less access to potentially sensitive source code within the application. DAST approaches the situation from an outside perspective as simulated threats attempt to gain access to vulnerable systems or sensitive information. This can make it easier to perform tests continuously without requiring individuals to access source code or other internal systems.

### What are the Common Features of Dynamic Application Security Testing (DAST) Software?

Standard functionality is included in most dynamic application security testing (DAST) solutions:

**Compliance testing —** Compliance testing gives users the ability to test for various requirements from regulatory bodies. This can help ensure information is stored securely and protected from hackers.

**Test automation —** Test automation is the feature powering continuous testing processes. This functionality operates by running prescripted tests as frequently as required without the need for hands-on or manual testing.

**Manual testing —** Manual testing gives the user complete control over individual tests. These features allow users to perform hands-on live simulations and penetration tests.

**Command-line tools —** The command-line interface (CLI) is the language interpreter of a computer. CLI capabilities will allow security testers to simulate threats directly from the terminal host system and input command sequences.

**Static code analysis —** Static code analysis and static security testing is used to test from the inside out. These tools help security professionals examine application source code for security flaws without executing it.

**Issue tracking —** Issue tracking helps security professionals and developers document flaws or vulnerabilities as they are discovered. Proper documentation will make it easier to organize the actionable insights provided by the DAST tool.

**Reporting and analytics —** Reporting capabilities are important to DAST tools because they provide the information necessary to remediate any recently discovered vulnerabilities. Reporting and analytics features can also give teams a better idea of how attacks may affect application availability and performance.

**Extensibility —** Many applications offer the ability to expand functionality through the use of integrations, APIs, and plugins. These extensible components provide the ability to extend the platform beyond its native feature set to include additional features and functionalities.

### Potential Issues with Dynamic Application Security Testing (DAST) Software

**Testing coverage —** While DAST technologies have come a long way, DAST tools alone are unable to discover the majority of vulnerabilities. This is why most experts suggest pairing them with SAST solutions. Combining the two can decrease the rate at which false positives occur. They can also be used to simplify the continuous testing process for agile teams. While no tool will detect every vulnerability, DAST may be less efficient than other testing tools if used alone.

**Late-stage issues —** DAST tools will require code to be compiled for each individual test because they rely on simulated functionality to test responses. This can be a roadblock for agile teams constantly integrating new code into an application. Reports are usually static and result from single tests. For agile teams, those reports can become outdated and lose value very quickly. This is just one more reason DAST tools should be used as a component of an all-encompassing security testing stack rather than a standalone solution.

**Testing capabilities —** Because DAST tools do not access an application&#39;s underlying source code, there are a number of flaws DAST tools will be unable to detect. For example, DAST tools are most effective at simulating reflection, or call-and-response, attacks where they can simulate an input and receive a response. They are not, however, highly effective in discovering smaller vulnerabilities or flaws in areas of the application that are rarely touched by users. These issues, as well as vulnerabilities in the original source code, will need to be addressed by additional security testing technologies.

### Software and Services Related to Dynamic Application Security Testing (DAST) Software

Most security software focuses on the vulnerabilities of networks and devices. Not all, but some, are used specifically for testing. But there are many different ways to tackle the topic, and using a combination of tools and testing methods is always more effective than relying on one tool alone. These are a few security tools used for various testing purposes.

[**Static application security testing (SAST) software**](https://www.g2.com/categories/static-application-security-testing-sast) **—** SAST tools are used to inspect the underlying source code of an application, making them the perfect complement to DAST tools. Using the tools in tandem is often referred to as interactive application security testing (IAST). This can help combine the black-box nature of DAST and the white-box nature of SAST to both find errors in source code as well as errors in functionality and third-party components of an application.

[**Vulnerability scanners**](https://www.g2.com/categories/vulnerability-scanner) **—** Some people use the term vulnerability scanner to describe DAST tools, but in reality DAST is just one component of most vulnerability scanners. DAST tools are application-specific, while vulnerability scanners typically provide a larger set of features for vulnerability management, risk assessment, and continuous testing.

[**Static code analysis software**](https://www.g2.com/categories/static-code-analysis) **—** Static code analysis tools are more similar to SAST than DAST, in that they’re used to evaluate an application’s source code. These tools are less directed towards security but may provide SAST capabilities. They’re typically used to scan code for a number of flaws that include bugs, security vulnerabilities, performance issues, and any other issue that may present itself if source code is not tested and optimized.