# Best Dynamic Application Security Testing (DAST) Software

  *By [Lauren Worth](https://research.g2.com/insights/author/lauren-worth)*

   Dynamic application security testing (DAST) tools automate security tests for a variety of real-world threats. These tools typically test HTTP and HTML interfaces of web applications. DAST is a black-box testing method, meaning it is performed from the outside. Companies use these tools to identify vulnerabilities in their applications from an external perspective to better simulate threats most easily accessed by hackers outside their organization. There are similarities between DAST tools and other application security and vulnerability management solutions, but most other technologies perform internal tests and code analysis instead of focusing on black-box testing.

[SAST vs DAST](https://research.g2.com/blog/sast-vs-dast) — Learn the difference

To qualify for inclusion in the Dynamic Application Security Testing (DAST) category, a product must:

- Test applications in their operational state
- Perform external black-box security tests
- Trace penetrations and exploits to their sources





## Category Overview

**Total Products under this Category:** 92


## Trust & Credibility Stats

**Why You Can Trust G2's Software Rankings:**

- 30 Analysts and Data Experts
- 3,500+ Authentic Reviews
- 92+ Products
- Unbiased Rankings

G2's software rankings are built on verified user reviews, rigorous moderation, and a consistent research methodology maintained by a team of analysts and data experts. Each product is measured using the same transparent criteria, with no paid placement or vendor influence. While reviews reflect real user experiences, which can be subjective, they offer valuable insight into how software performs in the hands of professionals. Together, these inputs power the G2 Score, a standardized way to compare tools within every category.


## Best Dynamic Application Security Testing (DAST) Software At A Glance

- **Leader:** [Burp Suite](https://www.g2.com/products/burp-suite/reviews)
- **Highest Performer:** [Aikido Security](https://www.g2.com/products/aikido-security/reviews)
- **Easiest to Use:** [Qodex.ai](https://www.g2.com/products/qodex-ai/reviews)
- **Top Trending:** [Aikido Security](https://www.g2.com/products/aikido-security/reviews)
- **Best Free Software:** [Tenable Nessus](https://www.g2.com/products/tenable-nessus/reviews)


---

**Sponsored**

### Proscan

Proscan is a unified application security platform designed to help organizations streamline the management of their security tools. By integrating multiple standalone solutions into a single cohesive experience, Proscan provides comprehensive security visibility across the entire software stack. This platform replaces the complexity of managing various tools for static analysis, dynamic testing, and dependency scanning, allowing teams to focus on building secure applications without the hassle of juggling disparate systems. The platform is particularly beneficial for security teams, developers, and engineering leaders who require a consolidated view of application security risks. Proscan combines nine specialized security scanners, including Static Application Security Testing (SAST), which analyzes source code in over 30 programming languages using advanced detection methods. Dynamic Application Security Testing (DAST) further enhances security by testing live applications, identifying vulnerabilities that may only become apparent during runtime. Additionally, Software Composition Analysis (SCA) evaluates open-source dependencies across 196 package ecosystems, helping organizations detect known vulnerabilities before they can impact production environments. Proscan's capabilities extend beyond code analysis. It includes scanning for hardcoded secrets, misconfigurations in Infrastructure-as-Code, and vulnerabilities in container images. The platform also offers API security testing that validates endpoints against the OWASP API Security Top 10, ensuring robust protection for applications that leverage APIs. For organizations developing AI-powered applications, Proscan features a dedicated AI and LLM security scanner that identifies potential risks associated with prompt injections and other vulnerabilities, utilizing over 4,600 techniques mapped to the OWASP LLM Top 10.
Artificial intelligence plays a crucial role in enhancing Proscan's efficiency and accuracy. The platform employs machine-learning algorithms to reduce false positives and prioritize vulnerabilities based on their potential impact. This intelligent approach allows teams to focus on the most critical security issues while providing clear explanations and actionable remediation guidance. Proscan integrates seamlessly into existing development workflows, offering IDE plugins and native CI/CD integrations that ensure security checks are part of the development process without causing disruptions. Compliance readiness is another key feature of Proscan, as it generates audit-ready reports aligned with major security standards, including OWASP Top 10, PCI DSS, HIPAA, and GDPR. This automated evidence collection simplifies the compliance process, providing organizations with the necessary documentation in various formats. Proscan is designed for security teams looking to consolidate fragmented toolchains, developers needing quick feedback, and managed security service providers managing multiple client environments, making it a versatile solution for modern application security challenges.




---

## Top-Rated Products (Ranked by G2 Score)
  ### 1. [Aikido Security](https://www.g2.com/products/aikido-security/reviews)
  Aikido Security is the developer-first security platform that unifies code, cloud, protection, and attack testing in one suite of best-in-class products. Built by developers for developers, Aikido helps teams of any size ship secure software faster, automate protection, and simulate real-world attacks with AI-driven precision. The platform’s proprietary AI cuts noise by 95%, delivers one-click fixes, and saves developers 10+ hours per week. Aikido Intel proactively uncovers vulnerabilities in open source packages before disclosure, helping secure more than 50,000 organizations worldwide, including Revolut, Niantic, Visma, Montblanc, and GoCardless.


  **Average Rating:** 4.6/5.0
  **Total Reviews:** 139

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 9.4/10 (Category avg: 9.2/10)
- **API / Integrations:** 8.3/10 (Category avg: 8.6/10)
- **Detection Rate:** 10.0/10 (Category avg: 8.7/10)
- **Test Automation:** 10.0/10 (Category avg: 8.7/10)


**Seller Details:**

- **Seller:** [Aikido Security](https://www.g2.com/sellers/aikido-security)
- **Company Website:** https://aikido.dev
- **Year Founded:** 2022
- **HQ Location:** Ghent, Belgium
- **Twitter:** @AikidoSecurity (6,187 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/aikido-security/ (175 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Who Uses This:** CTO, Founder
  - **Top Industries:** Computer Software, Information Technology and Services
  - **Company Size:** 71% Small-Business, 17% Mid-Market


#### Pros & Cons

**Pros:**

- Ease of Use (78 reviews)
- Security (55 reviews)
- Features (52 reviews)
- Easy Integrations (47 reviews)
- Easy Setup (47 reviews)

**Cons:**

- Missing Features (19 reviews)
- Expensive (17 reviews)
- Limited Features (16 reviews)
- Pricing Issues (15 reviews)
- Lacking Features (14 reviews)

  ### 2. [Tenable Nessus](https://www.g2.com/products/tenable-nessus/reviews)
  Built for security practitioners, by security professionals, Nessus products by Tenable are the de-facto industry standard for vulnerability assessment. Nessus performs point-in-time assessments to help security professionals quickly and easily identify and fix vulnerabilities, including software flaws, missing patches, malware, and misconfigurations - across a variety of operating systems, devices, and applications. With features such as pre-built policies and templates, customizable reporting, group “snooze” functionality, and real-time updates, Nessus is designed to make vulnerability assessment simple, easy, and intuitive. The result: less time and effort to assess, prioritize, and remediate issues.


  **Average Rating:** 4.5/5.0
  **Total Reviews:** 287

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 8.7/10 (Category avg: 9.2/10)


**Seller Details:**

- **Seller:** [Tenable](https://www.g2.com/sellers/tenable)
- **Company Website:** https://www.tenable.com/
- **HQ Location:** Columbia, MD
- **Twitter:** @TenableSecurity (87,575 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/25452/ (2,357 employees on LinkedIn®)
- **Ownership:** NASDAQ: TENB

**Reviewer Demographics:**
  - **Who Uses This:** Security Engineer, Network Engineer
  - **Top Industries:** Information Technology and Services, Computer & Network Security
  - **Company Size:** 40% Mid-Market, 34% Enterprise


#### Pros & Cons

**Pros:**

- Vulnerability Identification (21 reviews)
- Vulnerability Detection (19 reviews)
- Automated Scanning (18 reviews)
- Ease of Use (17 reviews)
- Features (15 reviews)

**Cons:**

- Slow Scanning (8 reviews)
- Expensive (6 reviews)
- Limited Features (6 reviews)
- Complexity (5 reviews)
- False Positives (5 reviews)

  ### 3. [Qodex.ai](https://www.g2.com/products/qodex-ai/reviews)
  Qodex.ai | AI Powered API Testing and Security Qodex.ai is an AI agent purpose built for API testing and security automation. It helps engineering teams ship faster and safer by turning plain English requests into complete, executable test suites without any manual scripting or QA setup. Think of it as Cursor for APIs. Engineers describe what they want to test, and Qodex.ai instantly generates end to end functional, regression, and security test cases mapped to real workflows. Tests auto execute, stay up to date, and self heal as your code evolves, saving teams hours of maintenance and review time. Already trusted by more than 100 enterprise and mid market companies, Qodex.ai is redefining how modern teams achieve continuous API quality, vulnerability detection, and compliance at scale using the power of AI.


  **Average Rating:** 4.9/5.0
  **Total Reviews:** 60

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 9.4/10 (Category avg: 9.2/10)
- **API / Integrations:** 8.3/10 (Category avg: 8.6/10)
- **Detection Rate:** 8.3/10 (Category avg: 8.7/10)
- **Test Automation:** 10.0/10 (Category avg: 8.7/10)


**Seller Details:**

- **Seller:** [QodexAI](https://www.g2.com/sellers/qodexai)
- **Company Website:** https://www.qodex.ai/
- **Year Founded:** 2023
- **HQ Location:** San Francisco, California
- **LinkedIn® Page:** https://linkedin.com/company/qodexai (12 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Computer Software, Information Technology and Services
  - **Company Size:** 75% Small-Business, 20% Mid-Market


#### Pros & Cons

**Pros:**

- Ease of Use (23 reviews)
- Automation (17 reviews)
- Testing (17 reviews)
- Testing Efficiency (17 reviews)
- Helpful (13 reviews)

**Cons:**

- Slow Loading (6 reviews)
- Poor Documentation (5 reviews)
- Slow Performance (5 reviews)
- Bug Issues (4 reviews)
- Bugs (4 reviews)

  ### 4. [Burp Suite](https://www.g2.com/products/burp-suite/reviews)
  Burp Suite is a complete ecosystem for web application and API security testing, combining two products: Burp Suite DAST - a best-of-breed, precision DAST solution that automates runtime testing, and Burp Suite Professional - the industry-standard toolkit for manual penetration testing. Developed by PortSwigger, more than 85,000 security professionals rely on Burp Suite to find, verify, and understand vulnerabilities across complex modern web applications. Burp Suite DAST is PortSwigger’s enterprise dynamic application security testing (DAST) solution, purpose-built for continuous, automated scanning of web applications and APIs. Unlike many DAST solutions, which are part of a wider AST offering, Burp Suite DAST is not a bolt-on tool - instead it’s precision-built from over 20 years of dynamic testing experience. Burp Suite DAST reveals the runtime issues that static analysis tools miss, such as authentication flaws, configuration drift, and chained vulnerabilities. Built on the same proprietary scanning engine that powers Burp Suite Professional, it delivers precise, low-noise results that security teams trust. Key capabilities of Burp Suite DAST include: Continuous, automated scanning of web applications and APIs, integration with CI/CD pipelines and vulnerability management tools, flexible deployment across cloud, and on-premise environments, shared scanning logic and configurations between automated and manual testing, accurate, low-noise detection informed by PortSwigger Research. Burp Suite Professional complements DAST with deep manual testing capability. It’s the industry-standard toolkit for penetration testers, consultants, and AppSec engineers who need complete insight and flexibility when validating or exploring vulnerabilities. Findings discovered by DAST can be investigated and verified in Burp Suite Professional, ensuring every result is accurate, contextual, and actionable. 
Together, Burp Suite DAST and Burp Suite Professional create a unified ecosystem that delivers automation at breadth and manual depth where it counts. Burp Suite is built for AppSec teams who need scalable, trustworthy coverage across web and API environments, enabling a seamless handoff between automated and manual testing.


  **Average Rating:** 4.8/5.0
  **Total Reviews:** 124

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 9.7/10 (Category avg: 9.2/10)
- **API / Integrations:** 8.3/10 (Category avg: 8.6/10)
- **Detection Rate:** 7.2/10 (Category avg: 8.7/10)
- **Test Automation:** 7.5/10 (Category avg: 8.7/10)


**Seller Details:**

- **Seller:** [PortSwigger](https://www.g2.com/sellers/portswigger)
- **Company Website:** https://www.portswigger.net
- **Year Founded:** 2008
- **HQ Location:** Knutsford, GB
- **Twitter:** @Burp_Suite (137,013 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/portswigger-web-security/ (321 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Who Uses This:** Cyber Security Analyst
  - **Top Industries:** Computer & Network Security, Information Technology and Services
  - **Company Size:** 41% Mid-Market, 31% Small-Business


#### Pros & Cons

**Pros:**

- Ease of Use (12 reviews)
- User Interface (8 reviews)
- Testing Services (7 reviews)
- Features (5 reviews)
- Clear Interface (4 reviews)

**Cons:**

- Expensive (5 reviews)
- Slow Performance (5 reviews)
- High Learning Curve (2 reviews)
- Learning Curve (2 reviews)
- Limited Customization (2 reviews)

  ### 5. [Astra Pentest](https://www.g2.com/products/astra-pentest/reviews)
  Astra is a leading penetration testing company that provides PTaaS and continuous threat exposure management capabilities. Our comprehensive cybersecurity solutions blend automation and manual expertise to run 15,000+ tests and compliance checks, ensuring complete safety, irrespective of the threat and attack location. With a 360° view of an organization’s security posture, continuous proactive insights, real-time reporting, and AI-first defensive strategies, we aim to help CTOs shift left at scale with continuous pentests. The offensive scanner engine, seamless tech stack integrations, and expert support help make pentesting simple, effective and hassle-free for 1000+ businesses worldwide. Moreover, our industry-specific AI test cases, world-class Astranaut Bot, and customizable reports are designed to make your experience smoother while saving you millions of dollars proactively.


  **Average Rating:** 4.6/5.0
  **Total Reviews:** 179

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 9.2/10 (Category avg: 9.2/10)
- **API / Integrations:** 8.3/10 (Category avg: 8.6/10)
- **Detection Rate:** 8.9/10 (Category avg: 8.7/10)
- **Test Automation:** 8.8/10 (Category avg: 8.7/10)


**Seller Details:**

- **Seller:** [ASTRA IT, Inc.](https://www.g2.com/sellers/astra-it-inc)
- **Company Website:** https://www.getastra.com/
- **Year Founded:** 2018
- **HQ Location:** New Delhi, IN
- **Twitter:** @getastra (690 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/getastra/ (120 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Who Uses This:** CTO, CEO
  - **Top Industries:** Computer Software, Information Technology and Services
  - **Company Size:** 65% Small-Business, 30% Mid-Market


#### Pros & Cons

**Pros:**

- Customer Support (65 reviews)
- Vulnerability Detection (52 reviews)
- Ease of Use (51 reviews)
- Pentesting Efficiency (42 reviews)
- Vulnerability Identification (38 reviews)

**Cons:**

- Poor Customer Support (12 reviews)
- Poor Interface Design (10 reviews)
- Slow Performance (8 reviews)
- UX Improvement (7 reviews)
- False Positives (6 reviews)

  ### 6. [Invicti (formerly Netsparker)](https://www.g2.com/products/invicti-formerly-netsparker/reviews)
  Invicti is an automated application and API security testing solution that allows enterprise organizations to secure thousands of websites, web apps, and APIs and dramatically reduce the risk of attack. By empowering security teams with the most unique DAST + IAST scanning capabilities on the market, Invicti allows organizations with complicated environments to confidently automate their web application and API security. With Invicti, security teams can: - Automate security tasks and save hundreds of hours each month - Gain complete visibility into all your applications — even those that are lost, forgotten, or hidden - Automatically give developers rapid feedback that trains them to write more secure code — so they create fewer vulnerabilities over time - Feel confident that you are equipped with the most powerful application security scanning tool on the market You have the most demanding security needs, and Invicti is the best-in-class application security solution you deserve.


  **Average Rating:** 4.6/5.0
  **Total Reviews:** 65

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 9.6/10 (Category avg: 9.2/10)
- **API / Integrations:** 8.2/10 (Category avg: 8.6/10)
- **Detection Rate:** 8.6/10 (Category avg: 8.7/10)
- **Test Automation:** 8.5/10 (Category avg: 8.7/10)


**Seller Details:**

- **Seller:** [Invicti Security](https://www.g2.com/sellers/invicti-security-04cb0d3d-fd96-45b2-83dc-2038fc9dac92)
- **Company Website:** https://www.invicti.com/
- **Year Founded:** 2018
- **HQ Location:** Austin, Texas
- **Twitter:** @InvictiSecurity (2,549 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/invicti-security/people/ (332 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Computer Software, Information Technology and Services
  - **Company Size:** 47% Enterprise, 26% Mid-Market


#### Pros & Cons

**Pros:**

- Ease of Use (9 reviews)
- Scanning Technology (7 reviews)
- Features (6 reviews)
- Reporting Quality (6 reviews)
- Vulnerability Detection (6 reviews)

**Cons:**

- Poor Customer Support (3 reviews)
- Slow Performance (3 reviews)
- Slow Scanning (3 reviews)
- API Issues (2 reviews)
- Complex Setup (2 reviews)

  ### 7. [Intruder](https://www.g2.com/products/intruder/reviews)
  Intruder is an exposure management platform for scaling to mid-market businesses. Over 3000 companies - across all industries - use Intruder to find critical exposures, respond faster and prevent breaches. Unifying Attack Surface Management, Vulnerability Management and Cloud security into one powerful, easy to use platform, Intruder simplifies the complex task of securing an ever-expanding attack surface. Recognizing no two businesses are alike, Intruder provides real-time, accurate scanning combined with intelligent risk prioritization, ensuring businesses focus on the exposures that are most relevant to them. And our proactive approach limits the window of risk, continuously monitoring for new threats while eliminating the noise that slows teams down. Whether you're an IT Manager, in DevOps or a CISO, Intruder's easy setup and context-driven approach will free you up to focus on exposures that cause real breaches, not just technical vulnerabilities. Keeping you one step ahead of attackers.


  **Average Rating:** 4.8/5.0
  **Total Reviews:** 206

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 9.7/10 (Category avg: 9.2/10)
- **API / Integrations:** 8.9/10 (Category avg: 8.6/10)
- **Detection Rate:** 9.5/10 (Category avg: 8.7/10)
- **Test Automation:** 8.8/10 (Category avg: 8.7/10)


**Seller Details:**

- **Seller:** [Intruder](https://www.g2.com/sellers/intruder)
- **Company Website:** https://www.intruder.io
- **Year Founded:** 2015
- **HQ Location:** London
- **Twitter:** @intruder_io (979 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/6443623/ (84 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Who Uses This:** CTO, Director
  - **Top Industries:** Computer Software, Information Technology and Services
  - **Company Size:** 57% Small-Business, 36% Mid-Market


#### Pros & Cons

**Pros:**

- Ease of Use (41 reviews)
- Vulnerability Detection (30 reviews)
- Customer Support (26 reviews)
- User Interface (24 reviews)
- Vulnerability Identification (24 reviews)

**Cons:**

- Expensive (10 reviews)
- Slow Scanning (8 reviews)
- Licensing Issues (7 reviews)
- False Positives (6 reviews)
- Limited Features (6 reviews)

  ### 8. [GitLab](https://www.g2.com/products/gitlab/reviews)
  GitLab is the most comprehensive AI-Powered DevSecOps platform that enables software innovation by empowering development, security, and operations teams to build better software, faster. With GitLab, teams can create, deliver, and manage code quickly and continuously instead of managing disparate tools and scripts. GitLab helps your teams across the complete DevSecOps lifecycle, from developing, securing, and deploying software. What makes us truly different? - Flexibility: Consume as a service or manage your own deployment - Cloud-Agnostic: Deploy anywhere with no vendor lock-in - No rip and replace: Scale to a platform approach at your own pace


  **Average Rating:** 4.5/5.0
  **Total Reviews:** 869

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 8.8/10 (Category avg: 9.2/10)
- **API / Integrations:** 9.2/10 (Category avg: 8.6/10)
- **Detection Rate:** 9.0/10 (Category avg: 8.7/10)
- **Test Automation:** 9.1/10 (Category avg: 8.7/10)


**Seller Details:**

- **Seller:** [GitLab Inc.](https://www.g2.com/sellers/gitlab-inc)
- **Company Website:** https://about.gitlab.com/
- **Year Founded:** 2014
- **HQ Location:** San Francisco, California
- **Twitter:** @gitlab (170,493 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/5101804/ (3,357 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Who Uses This:** Software Engineer, Senior Software Engineer
  - **Top Industries:** Computer Software, Information Technology and Services
  - **Company Size:** 38% Mid-Market, 37% Small-Business


#### Pros & Cons

**Pros:**

- Ease of Use (43 reviews)
- Features (42 reviews)
- CI (36 reviews)
- CD Integration (34 reviews)
- Integrations (34 reviews)

**Cons:**

- Complexity (21 reviews)
- Difficult Learning (19 reviews)
- Confusing Interface (16 reviews)
- Complex User Interface (15 reviews)
- Learning Curve (13 reviews)

  ### 9. [Pynt - API Security Testing](https://www.g2.com/products/pynt-api-security-testing/reviews)
  Pynt is an innovative API Security Testing platform exposing verified API threats through simulated attacks. Hundreds of companies rely on Pynt to continuously monitor, classify and attack poorly secured APIs, before hackers do.


  **Average Rating:** 4.8/5.0
  **Total Reviews:** 44

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 9.2/10 (Category avg: 9.2/10)
- **API / Integrations:** 9.5/10 (Category avg: 8.6/10)
- **Detection Rate:** 9.3/10 (Category avg: 8.7/10)
- **Test Automation:** 9.2/10 (Category avg: 8.7/10)


**Seller Details:**

- **Seller:** [Pynt](https://www.g2.com/sellers/pynt)
- **Year Founded:** 2022
- **HQ Location:** Tel Aviv, IL
- **Twitter:** @pynt_io (364 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/pynt (19 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Computer Software, Computer & Network Security
  - **Company Size:** 57% Small-Business, 23% Enterprise


#### Pros & Cons

**Pros:**

- Vulnerability Detection (20 reviews)
- Security (19 reviews)
- API Management (17 reviews)
- Easy Integrations (17 reviews)
- Automation (15 reviews)

**Cons:**

- Complex Setup (12 reviews)
- Setup Complexity (7 reviews)
- Limited Features (4 reviews)
- Poor Interface Design (4 reviews)
- UX Improvement (4 reviews)

  ### 10. [Cobalt](https://www.g2.com/products/cobalt-io-cobalt/reviews)
  Cobalt is the pioneer in pentesting as a service (PTaaS) and a leader in human-led, AI-powered offensive security services. We are focused on combining talent and technology with speed, scalability, and expertise. Thousands of customers and hundreds of partners rely on the Cobalt Offensive Security Platform, along with 500+ trusted security experts, to find and fix vulnerabilities across their environments. By enabling faster pentest launches, real-time collaboration with pentesters, and seamless integration with remediation workflows, we help organizations identify critical issues and accelerate risk mitigation so they can operate fearlessly and innovate securely.


  **Average Rating:** 4.5/5.0
  **Total Reviews:** 171

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 9.3/10 (Category avg: 9.2/10)
- **API / Integrations:** 8.6/10 (Category avg: 8.6/10)
- **Detection Rate:** 8.6/10 (Category avg: 8.7/10)
- **Test Automation:** 8.9/10 (Category avg: 8.7/10)


**Seller Details:**

- **Seller:** [Cobalt](https://www.g2.com/sellers/cobalt-33275b9c-c870-4949-8fd5-a68eb12f96bb)
- **Company Website:** https://cobalt.io/
- **Year Founded:** 2013
- **HQ Location:** San Francisco, California
- **Twitter:** @cobalt_io (8,476 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/cobalt_io/ (535 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Who Uses This:** CTO, Security Engineer
  - **Top Industries:** Computer Software, Information Technology and Services
  - **Company Size:** 51% Mid-Market, 23% Small-Business


#### Pros & Cons

**Pros:**

- Pentesting Efficiency (50 reviews)
- Customer Support (40 reviews)
- Ease of Use (39 reviews)
- Communication (31 reviews)
- Reporting Quality (28 reviews)

**Cons:**

- Expensive (14 reviews)
- Limited Scope (8 reviews)
- Lack of Detail (7 reviews)
- Pricing Issues (6 reviews)
- Inaccuracy (5 reviews)

  ### 11. [BugDazz API Scanner](https://www.g2.com/products/bugdazz-api-scanner/reviews)
  BugDazz API Security Scanner by SecureLayer7 is a comprehensive tool designed to automatically detect vulnerabilities, misconfigurations, and security gaps in API endpoints, aiding security teams in protecting digital assets against increasing API-related threats and potential exploits. It offers real-time scanning capabilities, enabling the automatic detection of vulnerabilities as they arise. It supports authentication and access control management, allowing for the management of API controls within a single platform. BugDazz assists in achieving compliance by accelerating the generation of reports for standards such as PCI DSS and HIPAA. It integrates seamlessly with existing CI/CD pipelines, facilitating the acceleration of product rollouts. The scanner goes beyond standard OWASP Top 10 vulnerabilities, providing comprehensive protection against critical API security risks.


  **Average Rating:** 4.9/5.0
  **Total Reviews:** 11

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 9.6/10 (Category avg: 9.2/10)
- **API / Integrations:** 10.0/10 (Category avg: 8.6/10)
- **Detection Rate:** 9.3/10 (Category avg: 8.7/10)
- **Test Automation:** 10.0/10 (Category avg: 8.7/10)


**Seller Details:**

- **Seller:** [SecureLayer7](https://www.g2.com/sellers/securelayer7)
- **Year Founded:** 2012
- **HQ Location:** Pune, Maharashtra
- **Twitter:** @SecureLayer7 (2,507 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/securelayer7/ (121 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Company Size:** 91% Small-Business, 9% Mid-Market


#### Pros & Cons

**Pros:**

- Accuracy of Results (4 reviews)
- CD Integration (4 reviews)
- CI (4 reviews)
- Ease of Use (4 reviews)
- Scanning Technology (4 reviews)

**Cons:**

- Poor Documentation (2 reviews)
- Difficult Learning Curve (1 review)
- Lack of Guidance (1 review)
- Lack of Information (1 review)
- Learning Curve (1 review)

  ### 12. [Jit](https://www.g2.com/products/jit/reviews)
  Jit is redefining application security by introducing the first Agentic AppSec Platform, seamlessly blending human expertise with AI-driven automation. Designed for modern development teams, Jit empowers organizations to proactively manage security risks across the entire software development lifecycle. AI-Powered Agents Jit's AI Agents, such as SERA (Security Evaluation and Remediation Agent) and COTA (Communication, Ops, and Ticketing Agent), collaborate with your teams to automate vulnerability triage, risk assessment, and remediation processes, significantly reducing manual workloads. Comprehensive Security Scanning Achieve full-stack security coverage with integrated scanners for SAST, DAST, SCA, IaC, CSPM, and more. Jit's platform ensures continuous monitoring and immediate feedback on code changes, facilitating rapid identification and resolution of security issues. Developer-Centric Experience With integrations into popular IDEs and CI/CD pipelines, Jit provides developers with contextual security insights directly within their workflows, promoting a shift-left approach without disrupting productivity. Agentic AI for AppSec Teams Risk-Based Prioritization Utilizing the Model Context Protocol (MCP), Jit evaluates vulnerabilities in the context of runtime environments, business impact, and compliance requirements, enabling teams to focus on the most critical risks. Seamless Integrations Jit integrates with a wide array of tools, including GitHub, GitLab, AWS, Azure, GCP, Jira, Slack, and more, ensuring that security processes are embedded within your existing technology stack.


  **Average Rating:** 4.5/5.0
  **Total Reviews:** 43

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 9.6/10 (Category avg: 9.2/10)
- **API / Integrations:** 8.7/10 (Category avg: 8.6/10)
- **Detection Rate:** 9.0/10 (Category avg: 8.7/10)
- **Test Automation:** 8.5/10 (Category avg: 8.7/10)


**Seller Details:**

- **Seller:** [jit](https://www.g2.com/sellers/jit)
- **Year Founded:** 2021
- **HQ Location:** Boston, MA
- **Twitter:** @jit_io (521 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/jit/ (151 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Computer Software, Financial Services
  - **Company Size:** 44% Mid-Market, 42% Small-Business


#### Pros & Cons

**Pros:**

- Security (10 reviews)
- Easy Integrations (8 reviews)
- Ease of Use (7 reviews)
- Efficiency (7 reviews)
- Integration Support (7 reviews)

**Cons:**

- Integration Issues (4 reviews)
- Limited Features (4 reviews)
- Limited Integration (4 reviews)
- Poor Documentation (4 reviews)
- Complexity (3 reviews)

  ### 13. [Edgescan](https://www.g2.com/products/edgescan/reviews)
  What Is Edgescan? Edgescan is a cybersecurity company that helps organizations proactively identify, validate, and prioritize vulnerabilities across their applications, APIs and digital landscape. The company specializes in continuous vulnerability assessment, automated penetration testing, Attack Surface Management and Penetration Testing as a Service (PTaaS). Edgescan combines advanced automation with certified security experts, including professionals holding credentials such as CREST and OSCP, to deliver highly accurate and actionable security testing. This hybrid approach allows organizations to move beyond traditional point-in-time penetration tests and operate a continuous proactive cybersecurity program. The Edgescan platform is designed primarily for web application and API security, enabling organizations to continuously assess their attack surface and identify vulnerabilities throughout the development lifecycle but also delivers “full stack” coverage to detect host layer CVEs. With a client retention rate of over 90%, Edgescan has built long-term partnerships by delivering measurable improvements in security efficiency, risk visibility, and vulnerability management. Key Features and Capabilities of Edgescan Automated Penetration Testing Edgescan uses intelligent automation to continuously assess applications, APIs, hosts, and cloud environments for vulnerabilities. This enables frequent, scalable security testing across modern and distributed architectures. Human‑Validated Testing Findings are reviewed and manually validated by certified security experts to eliminate false positives and provide deeper insight into real‑world exploitability. Each result is accurate, contextual, and actionable.
Penetration Testing as a Service (PTaaS) Edgescan’s PTaaS model extends beyond automated testing by allowing expert testers to focus on vulnerabilities that require human analysis, including: • Business logic flaws • Authentication and authorization weaknesses • Context-dependent exposures • Complex attack chains and privilege escalation paths Cyber Analytics and AI‑Assisted Validation AI-driven analysis enhances detection, verifies exploitability, and increases accuracy. This reduces noise and gives security teams a clearer picture of genuine threats. Integrated Threat Intelligence Edgescan correlates vulnerabilities with real-world threat intelligence, including known exploits and ransomware activity to help organizations prioritize the most dangerous exposures first. Risk‑Based Prioritization Findings are prioritized based on exploitability, severity, threat context, and business impact, ensuring teams focus on the issues that matter most. Primary Value: What Edgescan Solves for Clients Edgescan enables organizations to shift from reactive vulnerability management to a continuous, proactive security model. Traditional scanners and periodic penetration tests frequently produce large volumes of unvalidated findings. This creates noise and forces security teams to spend hours determining which issues are real and critical. Edgescan solves this by combining: Automation for continuous testing Human expertise for validation and complex analysis Cyber analytics and AI for accuracy and prioritization Key Benefits Significant efficiency gains: reducing thousands of hours spent on manual validation. Higher accuracy, thanks to expert‑validated findings and reduced false positives. Clear prioritization, using threat intelligence and ransomware insights to highlight the highest‑risk exposures. Continuous security improvement, enabling rapid detection, faster remediation, and scalable vulnerability management. 
By unifying automation, human expertise, AI, and threat intelligence, Edgescan empowers organizations to maintain a continuous cybersecurity program that strengthens overall security posture while dramatically reducing operational burden.


  **Average Rating:** 4.7/5.0
  **Total Reviews:** 51

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 9.3/10 (Category avg: 9.2/10)
- **API / Integrations:** 8.0/10 (Category avg: 8.6/10)
- **Detection Rate:** 9.2/10 (Category avg: 8.7/10)
- **Test Automation:** 9.3/10 (Category avg: 8.7/10)


**Seller Details:**

- **Seller:** [Edgescan](https://www.g2.com/sellers/edgescan)
- **Company Website:** https://www.edgescan.com
- **Year Founded:** 2017
- **HQ Location:** Dublin, Dublin
- **Twitter:** @edgescan (2,265 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/2928425/ (88 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Information Technology and Services, Computer Software
  - **Company Size:** 32% Enterprise, 32% Mid-Market


#### Pros & Cons

**Pros:**

- Ease of Use (25 reviews)
- Vulnerability Detection (24 reviews)
- Customer Support (19 reviews)
- Vulnerability Identification (19 reviews)
- Features (18 reviews)

**Cons:**

- Complex UI (5 reviews)
- Limited Customization (5 reviews)
- Poor Interface Design (5 reviews)
- Slow Performance (5 reviews)
- UX Improvement (5 reviews)

  ### 14. [Acunetix by Invicti](https://www.g2.com/products/acunetix-by-invicti/reviews)
  Acunetix (by Invicti) is an automated application security testing tool that enables small security teams to tackle huge application security challenges. With fast scanning, comprehensive results, and intelligent automation, Acunetix helps organizations to reduce risk across all types of web applications, websites, and APIs. With Acunetix, security teams can:

  - Save time and resources by automating manual security processes
  - Work more seamlessly with developers, or embrace DevSecOps by integrating directly into development tools
  - Feel confident that every web application has been crawled entirely thanks to DAST + IAST scanning and intelligent crawling technology
  - Finally, make web application and API security a priority and not just an add-on with a solution that is dedicated to application and API security 100% of the time

  You can depend on Acunetix to meet your organization’s needs today and face the challenges of modern web technology together tomorrow.


  **Average Rating:** 4.1/5.0
  **Total Reviews:** 100

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 8.2/10 (Category avg: 9.2/10)
- **API / Integrations:** 7.9/10 (Category avg: 8.6/10)
- **Detection Rate:** 8.7/10 (Category avg: 8.7/10)
- **Test Automation:** 8.1/10 (Category avg: 8.7/10)


**Seller Details:**

- **Seller:** [Invicti Security](https://www.g2.com/sellers/invicti-security-04cb0d3d-fd96-45b2-83dc-2038fc9dac92)
- **Company Website:** https://www.invicti.com/
- **Year Founded:** 2018
- **HQ Location:** Austin, Texas
- **Twitter:** @InvictiSecurity (2,549 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/invicti-security/people/ (332 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Information Technology and Services, Computer Software
  - **Company Size:** 40% Enterprise, 34% Mid-Market


#### Pros & Cons

**Pros:**

- Vulnerability Detection (7 reviews)
- Ease of Use (6 reviews)
- Security (5 reviews)
- Vulnerability Identification (5 reviews)
- Accuracy of Results (4 reviews)

**Cons:**

- Expensive (4 reviews)
- Complexity (3 reviews)
- Complex Setup (3 reviews)
- Slow Scanning (3 reviews)
- Difficult Customization (2 reviews)

  ### 15. [Bright Security](https://www.g2.com/products/bright-security/reviews)
  Bright Security’s dev-centric DAST platform empowers both developers and AppSec professionals with enterprise-grade security testing capabilities for web applications, APIs, and GenAI and LLM applications. Bright knows how to deliver the right tests, at the right time in the SDLC, in developers and AppSec tools and stacks of choice with minimal false positives and alert fatigue.


  **Average Rating:** 4.7/5.0
  **Total Reviews:** 29

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 9.2/10 (Category avg: 9.2/10)
- **API / Integrations:** 8.3/10 (Category avg: 8.6/10)
- **Detection Rate:** 8.2/10 (Category avg: 8.7/10)
- **Test Automation:** 8.9/10 (Category avg: 8.7/10)


**Seller Details:**

- **Seller:** [Bright Security](https://www.g2.com/sellers/bright-security)
- **Year Founded:** 2018
- **HQ Location:** San Rafael
- **Twitter:** @BrightAppSec (1,518 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/brightappsec (118 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Computer & Network Security, Information Technology and Services
  - **Company Size:** 52% Enterprise, 34% Mid-Market


#### Pros & Cons

**Pros:**

- Accuracy of Results (4 reviews)
- Automated Scanning (4 reviews)
- Ease of Use (4 reviews)
- Detection (3 reviews)
- Easy Integrations (3 reviews)

**Cons:**

- Learning Curve (3 reviews)
- Complex Setup (2 reviews)
- Setup Complexity (2 reviews)
- Complexity (1 review)
- Confusing Interface (1 review)

  ### 16. [Akto API Security Platform](https://www.g2.com/products/akto-api-security-platform/reviews)
  Akto is a trusted platform for application security and product security teams to build an enterprise-grade API security program throughout their DevSecOps pipeline. Our industry-leading suite of — API discovery, API security posture management, sensitive data exposure, and API security testing solutions enables organizations to gain visibility in their API security posture. 1,000+ Application Security teams globally trust Akto for their API security needs. Akto use cases: 1. API Discovery 2. API Security Testing in CI/CD 3. API Security Posture Management 4. Authentication and Authorization Testing 5. Sensitive data Exposure 6. Shift left in DevSecOps


  **Average Rating:** 4.5/5.0
  **Total Reviews:** 51

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 9.1/10 (Category avg: 9.2/10)
- **API / Integrations:** 9.0/10 (Category avg: 8.6/10)
- **Detection Rate:** 8.1/10 (Category avg: 8.7/10)
- **Test Automation:** 8.8/10 (Category avg: 8.7/10)


**Seller Details:**

- **Seller:** [Akto.io](https://www.g2.com/sellers/akto-io)
- **Company Website:** https://www.akto.io
- **Year Founded:** 2022
- **HQ Location:** San Francisco, California
- **Twitter:** @Aktodotio (1,343 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/akto-io/ (29 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Financial Services, Computer Software
  - **Company Size:** 46% Mid-Market, 35% Small-Business


#### Pros & Cons

**Pros:**

- Ease of Use (22 reviews)
- API Testing (20 reviews)
- Automation Testing (19 reviews)
- API Management (17 reviews)
- Security (17 reviews)

**Cons:**

- Complex Setup (9 reviews)
- Poor Documentation (8 reviews)
- API Issues (7 reviews)
- Complexity (7 reviews)
- Setup Complexity (7 reviews)

  ### 17. [Indusface WAS](https://www.g2.com/products/indusface-was/reviews)
  Indusface WAS (Web Application Scanner) provides a comprehensive managed dynamic application security testing (DAST) solution. It is a zero-touch, non-intrusive cloud-based solution that provides daily monitoring for web applications, checking for systems and application vulnerabilities, and malware. Indusface WAS with its automated scans & manual pentesting done by certified security experts ensures none of the OWASP Top10, business logic vulnerabilities, and malware go unnoticed. With zero false-positive guarantee and comprehensive reporting with remediation guidance, Indusface web app scanning ensures developers can quickly fix vulnerabilities seamlessly.


  **Average Rating:** 4.6/5.0
  **Total Reviews:** 63

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 9.4/10 (Category avg: 9.2/10)
- **API / Integrations:** 9.7/10 (Category avg: 8.6/10)
- **Detection Rate:** 9.4/10 (Category avg: 8.7/10)
- **Test Automation:** 9.4/10 (Category avg: 8.7/10)


**Seller Details:**

- **Seller:** [Indusface](https://www.g2.com/sellers/indusface)
- **Year Founded:** 2012
- **HQ Location:** Vadodara
- **Twitter:** @Indusface (3,470 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/indusface/ (174 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Computer Software, Information Technology and Services
  - **Company Size:** 52% Small-Business, 37% Mid-Market


#### Pros & Cons

**Pros:**

- Vulnerability Detection (19 reviews)
- Vulnerability Identification (16 reviews)
- Customer Support (6 reviews)
- Scanning Efficiency (6 reviews)
- Security (6 reviews)

**Cons:**

- Expensive (2 reviews)
- Confusing Interface (1 review)
- Lacking Features (1 review)
- Limited Scope (1 review)
- Poor Interface Design (1 review)

  ### 18. [Veracode Application Security Platform](https://www.g2.com/products/veracode-application-security-platform/reviews)
  Veracode helps companies that innovate through software deliver secure code on time. Unlike on-premise solutions that are hard to scale and focused on finding rather than fixing, Veracode comprises a unique combination of SaaS technology and on-demand expertise that enables DevSecOps through integration with your pipeline, empowers developers to fix security defects, and scales your program through best practices to achieve your desired outcomes. Veracode covers all your AppSec needs in one solution through a combination of five analysis types available for 24 programming languages, 77 frameworks, and application types as varied as microservices, mainframe and mobile apps.


  **Average Rating:** 3.8/5.0
  **Total Reviews:** 24

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 7.9/10 (Category avg: 9.2/10)
- **API / Integrations:** 7.9/10 (Category avg: 8.6/10)
- **Detection Rate:** 8.0/10 (Category avg: 8.7/10)
- **Test Automation:** 9.0/10 (Category avg: 8.7/10)


**Seller Details:**

- **Seller:** [VERACODE](https://www.g2.com/sellers/veracode)
- **Year Founded:** 2006
- **HQ Location:** Burlington, MA
- **Twitter:** @Veracode (21,988 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/27845/ (515 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Information Technology and Services
  - **Company Size:** 72% Enterprise, 28% Mid-Market


#### Pros & Cons

**Pros:**

- Security (2 reviews)
- Vulnerability Detection (2 reviews)
- Accuracy of Results (1 review)
- Automated Scanning (1 review)
- Code Quality (1 review)

**Cons:**

- Expensive (1 review)
- Licensing Issues (1 review)
- Pricing Issues (1 review)

  ### 19. [Veracode Dynamic Analysis](https://www.g2.com/products/veracode-dynamic-analysis/reviews)
  Veracode Dynamic Analysis helps companies scan their web applications for exploitable vulnerabilities at scale. With an ability to test thousands of applications simultaneously and a less than 1% false positive rate coupled with comprehensive remediation guidance, customers are able to rapidly reduce their risk of a breach across their web applications. The solution integrates with Veracode Discovery, which maps your web attack surface, to scan inventoried sites


  **Average Rating:** 4.3/5.0
  **Total Reviews:** 14

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 7.3/10 (Category avg: 9.2/10)
- **API / Integrations:** 9.4/10 (Category avg: 8.6/10)
- **Detection Rate:** 9.2/10 (Category avg: 8.7/10)
- **Test Automation:** 9.4/10 (Category avg: 8.7/10)


**Seller Details:**

- **Seller:** [VERACODE](https://www.g2.com/sellers/veracode)
- **Year Founded:** 2006
- **HQ Location:** Burlington, MA
- **Twitter:** @Veracode (21,988 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/27845/ (515 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Company Size:** 75% Enterprise, 19% Mid-Market


  ### 20. [StackHawk](https://www.g2.com/products/stackhawk/reviews)
  StackHawk is reimagining AppSec for AI-driven development, where applications are built faster than traditional AppSec tools can keep up. Our AppSec Intelligence Platform combines scalable runtime testing with complete attack surface discovery from source code. We integrate directly into development workflows and provide context-aware remediations to developers, enabling teams to find and fix exploitable vulnerabilities before they reach production. With real-time visibility and centralized program intelligence, AppSec teams can prioritize testing and fixing what matters. Companies like British Airways, ITV, and Norstella trust StackHawk to evaluate application risk, prove program value, and scale testing coverage to match development velocity.


  **Average Rating:** 4.6/5.0
  **Total Reviews:** 67

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 9.1/10 (Category avg: 9.2/10)
- **API / Integrations:** 8.8/10 (Category avg: 8.6/10)
- **Detection Rate:** 8.1/10 (Category avg: 8.7/10)
- **Test Automation:** 8.8/10 (Category avg: 8.7/10)


**Seller Details:**

- **Seller:** [StackHawk](https://www.g2.com/sellers/stackhawk)
- **Company Website:** https://stackhawk.com
- **Year Founded:** 2019
- **HQ Location:** Denver, CO
- **Twitter:** @StackHawk (1,137 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/40780406/ (44 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Information Technology and Services, Computer Software
  - **Company Size:** 46% Small-Business, 35% Mid-Market


#### Pros & Cons

**Pros:**

- Easy Integrations (10 reviews)
- Customer Support (9 reviews)
- Ease of Use (9 reviews)
- Integrations (7 reviews)
- Scanning Efficiency (5 reviews)

**Cons:**

- Setup Complexity (5 reviews)
- Complex Setup (4 reviews)
- High Learning Curve (3 reviews)
- Lacking Features (3 reviews)
- Limited Scope (3 reviews)

  ### 21. [HCL AppScan](https://www.g2.com/products/hcl-appscan/reviews)
  HCL AppScan is a comprehensive suite of market-leading application security testing solutions (SAST, DAST, IAST, SCA, API), available on-premises and on-cloud. These powerful DevSecOps tools pinpoint application vulnerabilities, allowing for quick remediation in every phase of the software development lifecycle. Fast and Accurate Scanning for Secure DevOps Developers and DevOps teams can quickly and accurately scan code, applications, and APIs for security vulnerabilities while applications are being developed. This allows companies to fix issues at the earliest stages of the software development lifecycle, when it is least costly to the business. Focus on the Fix Continuous monitoring with IAST, along with auto issue correlation with DAST and SAST scan results allows DevOps teams to group and prioritize findings for faster, more streamlined remediation. Enterprise Management for Security Teams Centralized, easy-to-use dashboards provide visibility and oversight of all security scanning and remediation, and allow users to set scan parameters and compliance policies.


  **Average Rating:** 4.1/5.0
  **Total Reviews:** 74

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 8.8/10 (Category avg: 9.2/10)
- **API / Integrations:** 8.1/10 (Category avg: 8.6/10)
- **Detection Rate:** 8.2/10 (Category avg: 8.7/10)
- **Test Automation:** 7.9/10 (Category avg: 8.7/10)


**Seller Details:**

- **Seller:** [HCL Technologies](https://www.g2.com/sellers/hcl-technologies)
- **Year Founded:** 1999
- **HQ Location:** Noida, Uttar Pradesh
- **Twitter:** @hcltech (425,421 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/1756/ (251,431 employees on LinkedIn®)
- **Ownership:** NSE - National Stock Exchange of India

**Reviewer Demographics:**
  - **Top Industries:** Information Technology and Services, Computer & Network Security
  - **Company Size:** 54% Enterprise, 28% Small-Business


  ### 22. [Beagle Security](https://www.g2.com/products/beagle-security/reviews)
  Beagle Security helps you identify vulnerabilities in your web applications, APIs, GraphQL and remediate them with actionable insights before hackers harm you in any manner. With Beagle Security, you can integrate automated penetration testing into your CI/CD pipeline to identify security issues earlier in your development lifecycle and ship safer web applications. Major features:

  - Checks your web apps & APIs for 3000+ test cases to find security loopholes
  - OWASP & SANS standards
  - Recommendations to address security issues
  - Security test complex web apps with login
  - Compliance reports (GDPR, HIPAA & PCI DSS)
  - Test scheduling
  - DevSecOps integrations
  - API integration
  - Team access
  - Integrations with popular tools like Slack, Jira, Asana, Trello & 100+ other tools


  **Average Rating:** 4.7/5.0
  **Total Reviews:** 85

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 9.5/10 (Category avg: 9.2/10)
- **API / Integrations:** 7.9/10 (Category avg: 8.6/10)
- **Detection Rate:** 9.2/10 (Category avg: 8.7/10)
- **Test Automation:** 9.7/10 (Category avg: 8.7/10)


**Seller Details:**

- **Seller:** [Beagle Security](https://www.g2.com/sellers/beagle-security)
- **Year Founded:** 2020
- **HQ Location:** San Francisco, US
- **Twitter:** @beaglesecure (209 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/beaglesecurity/ (43 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Who Uses This:** CEO, Director
  - **Top Industries:** Marketing and Advertising, Information Technology and Services
  - **Company Size:** 91% Small-Business, 7% Mid-Market


#### Pros & Cons

**Pros:**

- Reporting Quality (1 review)
- Setup Ease (1 review)


  ### 23. [Contrast Security](https://www.g2.com/products/contrast-security-contrast-security/reviews)
  Contrast Security is the global leader in Application Detection and Response (ADR), empowering organizations to see and stop attacks on applications and APIs in real time. Contrast embeds patented threat sensors directly into the software, delivering unmatched visibility and protection. With continuous, real-time defense, Contrast uncovers hidden application layer risks that traditional solutions miss. Contrast’s powerful Runtime Security technology equips developers, AppSec teams and SecOps with one platform that proactively protects and defends applications and APIs against evolving threats.


  **Average Rating:** 4.5/5.0
  **Total Reviews:** 49

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 9.0/10 (Category avg: 9.2/10)
- **API / Integrations:** 8.7/10 (Category avg: 8.6/10)
- **Detection Rate:** 8.2/10 (Category avg: 8.7/10)
- **Test Automation:** 8.3/10 (Category avg: 8.7/10)


**Seller Details:**

- **Seller:** [Contrast Security](https://www.g2.com/sellers/contrast-security)
- **Company Website:** https://contrastsecurity.com
- **Year Founded:** 2014
- **HQ Location:** Pleasanton, CA
- **Twitter:** @contrastsec (5,480 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/contrast-security/ (224 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Insurance, Information Technology and Services
  - **Company Size:** 67% Enterprise, 20% Mid-Market


#### Pros & Cons

**Pros:**

- Accuracy of Findings (2 reviews)
- Accuracy of Results (2 reviews)
- Vulnerability Detection (2 reviews)
- Automated Scanning (1 review)
- Automation (1 review)

**Cons:**

- Complex Setup (1 review)
- Difficult Setup (1 review)
- Performance Issues (1 review)
- Problematic Updates (1 review)
- Setup Complexity (1 review)

  ### 24. [APPCHECK](https://www.g2.com/products/appcheck/reviews)
  AppCheck is a Dynamic Application Security Testing (DAST) and network vulnerability testing solution, developed and supported by experienced penetration testers. We approach security testing as a hacker would, leveraging multiple proprietary crawling engines to analyse target behaviour across both modern and traditional technologies, including Single Page Applications (SPAs), APIs, and complex authentication flows such as SSO, 2FA, and TOTP. Organisations can conduct unlimited security assessments across Web Applications, SPAs, APIs, cloud services, networks, across internal or external assets. Supporting production and UAT testing, AppCheck also helps organisations ‘shift left’ by integrating with CI/CD pipelines and build servers, including ADO, GitHub, Jenkins, TeamCity, CircleCI, TravisCI, Bamboo, and GitLab CI/CD. Allowing automated security testing throughout development, identifying risks as soon as changes are introduced. AppCheck are proud to be part of the CVE Numbering Authority (CNA), contributing to global security research


  **Average Rating:** 4.6/5.0
  **Total Reviews:** 67

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 9.5/10 (Category avg: 9.2/10)
- **API / Integrations:** 7.9/10 (Category avg: 8.6/10)
- **Detection Rate:** 8.9/10 (Category avg: 8.7/10)
- **Test Automation:** 9.2/10 (Category avg: 8.7/10)


**Seller Details:**

- **Seller:** [APPCHECK](https://www.g2.com/sellers/appcheck)
- **Company Website:** https://www.appcheck-ng.com
- **Year Founded:** 2014
- **HQ Location:** Leeds, GB
- **Twitter:** @AppcheckNG (649 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/appcheck-ng-ltd/ (99 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Top Industries:** Computer Software, Information Technology and Services
  - **Company Size:** 49% Mid-Market, 30% Small-Business


#### Pros & Cons

**Pros:**

- Vulnerability Detection (7 reviews)
- Ease of Use (6 reviews)
- Features (5 reviews)
- Pentesting Efficiency (5 reviews)
- Automated Scanning (4 reviews)

**Cons:**

- Poor Customer Support (2 reviews)
- UX Improvement (2 reviews)
- API Issues (1 review)
- Difficult Customization (1 review)
- Difficult Learning Curve (1 review)

  ### 25. [NowSecure](https://www.g2.com/products/nowsecure/reviews)
  NowSecure Inc., based in Oak Park, Illinois, was formed in 2009 with a mission to advance mobile security worldwide. We help secure mobile devices, enterprises and mobile apps.


  **Average Rating:** 4.6/5.0
  **Total Reviews:** 27

**User Satisfaction Scores:**

- **Has the product been a good partner in doing business?:** 9.3/10 (Category avg: 9.2/10)
- **API / Integrations:** 7.8/10 (Category avg: 8.6/10)
- **Detection Rate:** 8.3/10 (Category avg: 8.7/10)
- **Test Automation:** 7.2/10 (Category avg: 8.7/10)


**Seller Details:**

- **Seller:** [NowSecure](https://www.g2.com/sellers/nowsecure)
- **Year Founded:** 2009
- **HQ Location:** Chicago, Illinois
- **Twitter:** @nowsecuremobile (6,389 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/nowsecure (104 employees on LinkedIn®)

**Reviewer Demographics:**
  - **Company Size:** 41% Mid-Market, 37% Enterprise




## Parent Category

[DevSecOps Software](https://www.g2.com/categories/devsecops)



## Related Categories

- [Vulnerability Scanner Software](https://www.g2.com/categories/vulnerability-scanner)
- [Penetration Testing Tools](https://www.g2.com/categories/penetration-testing-tools)
- [Static Application Security Testing (SAST) Software](https://www.g2.com/categories/static-application-security-testing-sast)



---

## Buyer Guide

### What You Should Know About Dynamic Application Security Testing (DAST) Software

### What is Dynamic Application Security Testing (DAST) Software?

Dynamic application security testing (DAST) is one of the many technology groupings of security testing solutions. DAST is a form of black-box security testing, meaning it tests a running application from the outside by simulating realistic threats and attacks. This differs from other forms of testing such as static application security testing (SAST), a white-box testing methodology used to examine the source code of an application.

DAST includes a number of testing components that operate while an application is running. Security professionals simulate real-world functionality by testing the application for vulnerabilities and then evaluate the effects on application performance. The methodology is often used to find issues near the end of the software development lifecycle. These issues may be tougher to fix than early flaws and bugs are, but those flaws pose a larger threat to critical components of an application.

DAST can also be thought of as a methodology. It’s a different approach than traditional security testing because once a test is completed, there are still tests to be done. It involves periodic inspections as updates are pushed live or changes are made before release. While a penetration test or code scan might serve as a one-off test for specific vulnerabilities or bugs, dynamic testing can be performed continually throughout the lifecycle of an application.

**Key Benefits of Dynamic Application Security Testing (DAST) Software**

- Simulate realistic attacks and threats
- Discover vulnerabilities not found in source code
- Flexible and customizable testing options
- Comprehensive assessment and scalable testing

### Why Use Dynamic Application Security Testing (DAST) Software?

There are a number of testing solutions necessary for an all-encompassing approach to security testing and vulnerability discovery. Most start in the early stages of software development and help programmers discover bugs in the code and issues with the underlying framework or design. These tests require access to source code and are often used during development and quality assurance (QA) processes.

While early testing solutions approach testing from the standpoint of the developer, DAST approaches testing from the standpoint of a hacker. These tools simulate real threats to a functional, running application. Security professionals can simulate common attacks such as SQL injection and cross-site scripting or customize tests to threats specific to their product. These tools offer a highly customizable solution for testing during the later stages of development and while applications are deployed.

**Flexibility —** Users can schedule tests as they please or perform them continuously throughout an application’s or website’s lifecycle. Security professionals can modify environments to simulate their resources and infrastructure to ensure a realistic test and evaluation. They’re often scalable, as well, to see if increased traffic or usage would affect vulnerabilities and protection.

Industries with more specific threats may require more specific testing. Security professionals may identify a threat specific to the health care industry or financial sector and alter tests to simulate the threats most common to them. If performed correctly, these tools offer some of the most realistic and customizable solutions to the threats present in real-world situations.

**Comprehensiveness —** Threats are continuously evolving and expanding, making the ability to simulate multiple tests more necessary. DAST offers a versatile approach to testing, wherein security professionals can simulate and analyze each threat or attack type individually. These tests deliver comprehensive feedback and actionable insights that security and development teams use to remediate any issues, flaws, and vulnerabilities.

These tools will first perform an initial crawl, or examination, of applications and websites from a third-party perspective. They interact with applications using HTTP, allowing the tools to examine applications built with any programming language or on any framework. The tool will then test for misconfigurations, which expose a greater attack surface than internal vulnerabilities. Additional tests can be run, depending on the solution, but all the results and discoveries can be stored for actionable remediation.
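The misconfiguration pass described above can be sketched as a passive check over the responses a crawl has already collected. This is an added example, not code from any product listed on this page; the URLs, the header list, and the finding names are assumptions, and the responses are constructed samples.

```python
from email import message_from_string

# Constructed sample: response heads a crawl collected for two URLs.
CRAWLED = {
    "https://app.example.test/login": (
        "HTTP/1.1 200 OK\r\n"
        "Server: ExampleServer/1.2.3\r\n"
        "Set-Cookie: session=abc123; Path=/\r\n\r\n"
    ),
    "https://app.example.test/account": (
        "HTTP/1.1 200 OK\r\n"
        "Strict-Transport-Security: max-age=31536000\r\n"
        "Content-Security-Policy: default-src 'self'\r\n"
        "X-Content-Type-Options: nosniff\r\n"
        "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n\r\n"
    ),
}

# Assumed baseline for this example; a real policy is set per application.
REQUIRED_HEADERS = ("Strict-Transport-Security", "Content-Security-Policy",
                    "X-Content-Type-Options")
COOKIE_FLAGS = ("secure", "httponly", "samesite")

def check_response(url, raw):
    """Return (url, finding, detail) tuples for one raw HTTP response head."""
    _status, _, head = raw.partition("\r\n")
    headers = message_from_string(head)  # header lookups are case-insensitive
    findings = []
    for name in REQUIRED_HEADERS:
        if name not in headers:
            findings.append((url, "missing-header", name))
    for cookie in headers.get_all("Set-Cookie", []):
        cookie_name = cookie.split("=", 1)[0].strip()
        attrs = {p.strip().split("=")[0].lower() for p in cookie.split(";")[1:]}
        for flag in COOKIE_FLAGS:
            if flag not in attrs:
                findings.append((url, "cookie-missing-" + flag, cookie_name))
    server = headers.get("Server", "")
    if any(ch.isdigit() for ch in server):  # banner reveals a version number
        findings.append((url, "version-disclosure", server))
    return findings

def scan(crawled):
    """Run the checks over every crawled response and collect the findings."""
    return [f for url, raw in crawled.items() for f in check_response(url, raw)]

if __name__ == "__main__":
    for finding in scan(CRAWLED):
        print(*finding, sep="\t")
```

Because the checks read only what the server sends back over HTTP, they apply regardless of the language or framework behind the application.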

**Continuous assessment —** Agile teams and other companies relying on frequent updates to applications should use DAST products with continuous assessment capabilities. SAST tools will provide more direct solutions for issues related to continuous integration processes, but DAST tools will provide a better view of how updates and changes will be seen from an outside perspective. Each new update may pose a new threat or unveil a new vulnerability; it is therefore crucial to continue testing even after applications have been completed and deployed.

Unlike SAST, DAST also requires less access to potentially sensitive source code within the application. DAST approaches the situation from an outside perspective as simulated threats attempt to gain access to vulnerable systems or sensitive information. This can make it easier to perform tests continuously without requiring individuals to access source code or other internal systems.

### What are the Common Features of Dynamic Application Security Testing (DAST) Software?

Standard functionality is included in most dynamic application security testing (DAST) solutions:

**Compliance testing —** Compliance testing gives users the ability to test for various requirements from regulatory bodies. This can help ensure information is stored securely and protected from hackers.

**Test automation —** Test automation is the feature powering continuous testing processes. This functionality operates by running prescripted tests as frequently as required without the need for hands-on or manual testing.

**Manual testing —** Manual testing gives the user complete control over individual tests. These features allow users to perform hands-on live simulations and penetration tests.

**Command-line tools —** The command-line interface (CLI) is the language interpreter of a computer. CLI capabilities will allow security testers to simulate threats directly from the terminal host system and input command sequences.

**Static code analysis —** Static code analysis and static security testing are used to test from the inside out. These tools help security professionals examine application source code for security flaws without executing it.

**Issue tracking —** Issue tracking helps security professionals and developers document flaws or vulnerabilities as they are discovered. Proper documentation will make it easier to organize the actionable insights provided by the DAST tool.

**Reporting and analytics —** Reporting capabilities are important to DAST tools because they provide the information necessary to remediate any recently discovered vulnerabilities. Reporting and analytics features can also give teams a better idea of how attacks may affect application availability and performance.

**Extensibility —** Many applications offer the ability to expand functionality through the use of integrations, APIs, and plugins. These extensible components provide the ability to extend the platform beyond its native feature set to include additional features and functionalities.

### Potential Issues with Dynamic Application Security Testing (DAST) Software

**Testing coverage —** While DAST technologies have come a long way, DAST tools alone are unable to discover the majority of vulnerabilities. This is why most experts suggest pairing them with SAST solutions. Combining the two can decrease the rate at which false positives occur. They can also be used to simplify the continuous testing process for agile teams. While no tool will detect every vulnerability, DAST may be less efficient than other testing tools if used alone.

**Late-stage issues —** DAST tools will require code to be compiled for each individual test because they rely on simulated functionality to test responses. This can be a roadblock for agile teams constantly integrating new code into an application. Reports are usually static and result from single tests. For agile teams, those reports can become outdated and lose value very quickly. This is just one more reason DAST tools should be used as a component of an all-encompassing security testing stack rather than a standalone solution.

**Testing capabilities —** Because DAST tools do not access an application's underlying source code, there are a number of flaws DAST tools will be unable to detect. For example, DAST tools are most effective at simulating reflection, or call-and-response, attacks where they can simulate an input and receive a response. They are not, however, highly effective in discovering smaller vulnerabilities or flaws in areas of the application that are rarely touched by users. These issues, as well as vulnerabilities in the original source code, will need to be addressed by additional security testing technologies.

### Software and Services Related to Dynamic Application Security Testing (DAST) Software

Most security software focuses on the vulnerabilities of networks and devices. Some, but not all, of it is used specifically for testing. There are many different ways to tackle the topic, and using a combination of tools and testing methods is always more effective than relying on one tool alone. These are a few security tools used for various testing purposes.

[**Static application security testing (SAST) software**](https://www.g2.com/categories/static-application-security-testing-sast) **—** SAST tools are used to inspect the underlying source code of an application, making them the perfect complement to DAST tools. Using the tools in tandem is often referred to as interactive application security testing (IAST). This can help combine the black-box nature of DAST and the white-box nature of SAST to find both errors in source code and errors in the functionality and third-party components of an application.

[**Vulnerability scanners**](https://www.g2.com/categories/vulnerability-scanner) **—** Some people use the term vulnerability scanner to describe DAST tools, but in reality DAST is just one component of most vulnerability scanners. DAST tools are application-specific, while vulnerability scanners typically provide a larger set of features for vulnerability management, risk assessment, and continuous testing.

[**Static code analysis software**](https://www.g2.com/categories/static-code-analysis) **—** Static code analysis tools are more similar to SAST than DAST, in that they’re used to evaluate an application’s source code. These tools are less directed towards security but may provide SAST capabilities. They’re typically used to scan code for a number of flaws that include bugs, security vulnerabilities, performance issues, and any other issue that may present itself if source code is not tested and optimized.




