Dynamic Application Security Testing
Tests a running web application or API with malicious inputs and analyzes the responses, finding vulnerabilities that appear only when the complete application is deployed.
An application can pass every code review and still fail the moment it meets the internet, because some vulnerabilities only exist once the pieces are actually running together — a misconfigured server, an authentication check that works in isolation but not across two services, a default credential nobody changed. Dynamic application security testing finds these by treating a running application the way an attacker would: sending it malicious input over the network and watching how it responds, with no visibility into the source code behind it.
That black-box approach tests the same interface an actual attacker faces, catching classes of bugs that reading source code alone would never reveal.
The problem it solves
Code that looks correct can still be insecure once it's deployed, integrated with other services, and configured for a real environment. A test built only around source review misses broken authentication across microservices, a security header dropped by a load balancer, or an endpoint that behaves differently under load than in a unit test.
Someone has to test the application the way an outside attacker actually would — probing the live, deployed system — and do it repeatedly, because every deployment can reintroduce a problem a previous scan already cleared.
How it works
A scanner starts by crawling the target, discovering pages, forms, and API endpoints the way a browser or an API client would. It then sends a library of crafted, malicious payloads to each input and inspects the response for signs something went wrong — a leaked internal error, a payload reflected back unescaped, a response time suggesting a query was manipulated.
Testing behind a login is essential, since most real functionality — and risk — lives there, so scanners need valid credentials or a recorded session to crawl authenticated areas. Modern applications talk more through APIs than rendered pages, so scanning REST and GraphQL endpoints directly has become as important as scanning traditional pages. Because dynamic testing produces false alarms from odd-but-harmless behavior, better tools automatically verify a finding is truly exploitable before it reaches a person, and the whole scan can run automatically as a stage in the deployment pipeline.
DAST vs SAST
Dynamic testing attacks a running system with no view of its source; static testing reads the source with no system to attack. DAST finds environment and integration problems invisible to source review, but only within whatever it manages to crawl, and only after the application exists somewhere to attack. It also can't point at a line of code the way static analysis can — a finding has to be traced back by hand. Programs that rely on just one discipline leave a predictable gap; combining both catches what either alone would miss.
Choosing one
Authentication handling is the first filter: a scanner that can't reliably log in and stay logged in will only ever test the small, low-value part of an application that's public. Ask specifically how it handles multi-step logins and modern single-page apps, since that's where scanners most often fail quietly.
Weigh API scanning as seriously as web scanning if APIs make up a meaningful share of the attack surface — many organizations now have far more API endpoints than web pages, and a scanner tuned only for browsable pages will miss most of them. Finally, decide how much automation the scan needs: an occasional security-team scan has different requirements than one meant to gate every deploy, where speed and clean CI/CD integration matter more than exhaustive depth.
Capability taxonomy
What buyers typically evaluate when comparing tools in this category.
- Black-box scanning
- Tests a running application from the outside, without access to source code.
- Authenticated scanning
- Crawls and tests pages that require a logged-in session.
- API scanning
- Tests REST and GraphQL APIs, not just traditional web pages.
- CI/CD scan automation
- Runs scans automatically as part of the build and deploy pipeline.
- Automated finding verification
- Confirms exploitability of findings to cut down false positives.
- OWASP Top 10 coverage
- Tests for the industry-standard set of common web application vulnerability classes.
Tools in this category
8 tools