
The Top 11 Dynamic Application Security Testing (DAST) Tools

Discover the top DAST tools with features like automated scanning, vulnerability detection, reporting, and integrations.

The Top 11 Dynamic Application Security Testing (DAST) Tools include:
  • 1. Aikido Security
  • 2. Intruder
  • 3. Invicti
  • 4. Acunetix
  • 5. Checkmarx DAST
  • 6. HCL AppScan
  • 7. NightVision
  • 8. OpenText Fortify WebInspect
  • 9. Rapid7 InsightAppSec
  • 10. Synopsys WhiteHat Dynamic
  • 11. Veracode

Dynamic Application Security Testing (DAST) is the process of using simulated attacks (also called “penetration tests”) to find vulnerabilities in a web application while it’s still in production.

The Challenge: Web applications are central to many public-facing and internal business processes. If an application is deployed with vulnerabilities in it, the company that deploys it could fall victim to a cyberattack that could not only destroy their data, but also cause them reputational and financial damage.

How DAST Tools Work: DAST tools use simulated attacks or penetration tests to identify run-time vulnerabilities in web applications that are in production. They continuously scan for vulnerabilities that a cybercriminal could exploit, then report those vulnerabilities to the development team for remediation.

DAST tools can also highlight misconfigurations and issues with the app’s interface or user experience and help development teams prove compliance with data protection regulations.
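To make the "how DAST works" description above concrete, here is a small added example (written for this article; it is not code from any vendor listed on the page). It starts a throwaway, deliberately misconfigured HTTP app in-process and then probes it the way a DAST scanner does: with no access to source code, judging only what the running application sends back. The checks (missing browser security headers, a version-revealing Server header, cookies without HttpOnly/Secure, server errors and stack traces leaking to the client) are the kind of run-time findings the text refers to; the app, its port and its responses are all constructed for the demonstration.

```python
"""Minimal black-box (DAST-style) check against a running web application.

Added illustration for this article, not any vendor's code. The target app
below is a constructed stand-in for a deployed application with typical
run-time defects; the scanner only ever sees HTTP requests and responses.
"""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Headers a scanner expects on an HTML response; absence is reported as a finding.
EXPECTED_HEADERS = {
    "Content-Security-Policy": "no CSP, so inline script and foreign origins are unrestricted",
    "X-Content-Type-Options": "missing nosniff, so the browser may sniff the content type",
    "X-Frame-Options": "page can be framed by other sites (clickjacking)",
}


def analyse_response(status, headers, body):
    """Derive (severity, description) findings from one observed HTTP response.

    `headers` is a list of (name, value) pairs so that repeated Set-Cookie
    headers are preserved; `body` is the raw response bytes.
    """
    findings = []
    single = {}
    cookies = []
    for name, value in headers:
        key = name.lower()
        if key == "set-cookie":
            cookies.append(value)
        else:
            single[key] = value

    # Browser hardening headers only matter for HTML documents.
    if "text/html" in single.get("content-type", ""):
        for header, why in EXPECTED_HEADERS.items():
            if header.lower() not in single:
                findings.append(("medium", f"{header} absent: {why}"))

    # A digit in the Server banner almost always means a version string.
    server = single.get("server", "")
    if any(ch.isdigit() for ch in server):
        findings.append(("low", f"Server header discloses a version: {server.strip()!r}"))

    # Session cookies without protective attributes.
    for cookie in cookies:
        name = cookie.split("=", 1)[0].strip()
        attrs = {part.strip().split("=")[0].lower() for part in cookie.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(("medium", f"cookie {name} lacks HttpOnly"))
        if "secure" not in attrs:
            findings.append(("medium", f"cookie {name} lacks Secure"))

    # Error handling that leaks internals to the client.
    if status >= 500:
        findings.append(("high", f"server error {status} returned to the client"))
    if b"Traceback (most recent call last)" in body:
        findings.append(("high", "stack trace disclosed in the response body"))
    return findings


def scan(url, timeout=5):
    """Fetch one URL as an unauthenticated client and return (status, findings)."""
    request = Request(url, headers={"User-Agent": "mini-dast-example"})
    try:
        with urlopen(request, timeout=timeout) as response:
            return response.status, analyse_response(
                response.status, response.getheaders(), response.read())
    except HTTPError as err:  # urllib raises on 4xx/5xx; the response is still useful
        return err.code, analyse_response(err.code, list(err.headers.items()), err.read())


class _MisconfiguredApp(BaseHTTPRequestHandler):
    """Constructed target: a running app that exhibits the defects checked above."""
    server_version = "ExampleServer/1.2.3"  # constructed banner that leaks a version
    sys_version = ""

    def do_GET(self):
        if self.path == "/":
            self.send_response(200)
            self.send_header("Content-Type", "text/html; charset=utf-8")
            self.send_header("Set-Cookie", "session=abc123; Path=/")  # no HttpOnly/Secure
            self.end_headers()
            self.wfile.write(b"<html><body>hello</body></html>")
        else:
            self.send_response(500)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(b"Traceback (most recent call last):\n  File ...\n")

    def log_message(self, *args):  # keep the demonstration quiet
        pass


def start_test_app():
    """Start the constructed app on a free localhost port and return its base URL."""
    httpd = HTTPServer(("127.0.0.1", 0), _MisconfiguredApp)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{httpd.server_port}"


if __name__ == "__main__":
    base = start_test_app()
    for path in ("/", "/broken"):
        status, findings = scan(base + path)
        print(f"{path} -> HTTP {status}")
        for severity, description in findings:
            print(f"  [{severity}] {description}")
```

The point of the split between `scan` and `analyse_response` is that the analysis is a pure function of the observed response, which is exactly the DAST vantage point: nothing here reads source code, and a real scanner differs from this mainly in crawling many URLs, following authenticated sessions, and running a far larger check library.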

In this article, we’ll highlight:

  • The best DAST tools designed to secure web applications
  • Standout features of each solution
  • Who they are best suited for

Aikido’s surface monitoring platform dynamically tests for common vulnerabilities in your web app’s front end, without reducing performance or breaking any front-end functionality.

Who it’s for: We recommend Aikido for teams looking to implement DAST as part of a broader web application security platform.

What we like: This is a highly secure platform. It performs vulnerability scans within temporary environments that are deleted once scans are complete. Plus, Aikido requires read-only access to your data and therefore cannot edit your source code.

  • You can use authenticated DAST checks to test how much access authenticated end users have to sensitive data within the web app.
  • The platform automatically scans your application once per day and notifies your team of any vulnerabilities according to custom alerting rules.
  • To help reduce strain on your team, Aikido removes false positives, deduplicates, and prioritizes alerts based on severity and context.
  • The platform is compatible with all major version control providers, languages, and cloud providers, with seamless deployment into existing security regimes. It’s also SOC 2 Type II and ISO 27001:2022 compliant.

The bottom line: Aikido’s platform offers comprehensive DAST capabilities, as well as open-source dependency scanning, static code analysis, secrets management, infrastructure as code scanning, cloud security posture management, end-of-life runtime monitoring, container scanning, and license scanning.

  • Aikido Security was founded in 2022 and is headquartered in Ghent, Belgium.

Designed to protect all internet-facing systems, Intruder is a proactive security monitoring platform that delivers vulnerability scanning and management, attack surface monitoring, DAST, penetration testing, and facilitated remediation.

Who it’s for: Intruder is a strong solution for organizations looking for continuous vulnerability scanning, threat detection, and compliance management.

What we like: Intruder provides a human support team that helps your internal security team to understand and resolve vulnerabilities as they are detected by the system.

  • The platform continuously scans digital assets to provide clear visibility of your online attack surface.
  • Its vulnerability scans cover network infrastructure, web applications, and APIs, without requiring any infrastructure changes.
  • Intruder’s robust alerting system filters out irrelevant alerts.
  • You can access concise, audit-ready reports and cyber hygiene scoring to help you demonstrate compliance.

The bottom line: Intruder is a comprehensive threat monitoring platform that combines continuous network monitoring, automated vulnerability scanning, and proactive threat response in a single interface.

  • Intruder was founded in 2015 and is headquartered in London, UK.

Invicti is an application security testing tool designed for enterprise environments. It offers automated security testing capabilities that easily integrate into the Software Development Life Cycle (SDLC).

Who it’s for: Invicti is suitable for larger development teams looking for scalable application security testing with lots of automation capabilities to help them manage their security workload efficiently—regardless of the volume of vulnerabilities or their organization’s complexity.

What we like: Through integrations with various tools and workflows, Invicti not only helps identify vulnerabilities, but also educates developers on creating secure code, reducing potential future risks.

  • The platform combines DAST and IAST scanning methods to provide a comprehensive view into your application security landscape.
  • You can leverage signature- and behavior-based testing to accurately identify a wide range of vulnerabilities with few false positives.
  • You can integrate Invicti with a broad range of developer tools and workflows.

The bottom line: Invicti is a strong application security tool that provides powerful security testing that – thanks to its automation capabilities and ease of integration – is still easy to use.

  • Invicti Security was founded in 2018, born of a merger between Acunetix and Netsparker. Today, Invicti is headquartered in Austin, Texas, and offers two DAST tools: Invicti and Acunetix.

Acunetix is a web application security solution that combines DAST and IAST scanning to detect over 7,000 different vulnerabilities in web apps, including SQL injections, XSS, misconfigurations, exposed databases, and out-of-band threats.

Who it’s for: Acunetix is well-suited to any development team looking to identify and remediate vulnerabilities more efficiently and promote a shared responsibility for web application security across development teams.

What we like: This tool doesn’t just detect vulnerabilities, but it also helps to remediate them. It offers explicit guidance on remediation, highlighting the exact lines of code that need correction.

  • Acunetix automatically identifies all websites, applications, and APIs, ensuring that potential entry points are consistently monitored and not left exposed. It also scans single-page applications, script-heavy sites developed with HTML5 and JavaScript, and hard-to-reach areas like password-protected sections or unlinked files.
  • You can access reports into vulnerabilities as soon as they’re detected—even before the full scan has finished.
  • To help reduce the strain on your team, the platform eliminates false positives with proof of exploit and facilitates remediation.
  • You can integrate Acunetix with popular development tools including CI/CD, issue trackers, and WAFs.

The bottom line: Acunetix is a powerful web application security platform that combines DAST, IAST, and expert guidance to not only identify vulnerabilities, but also help remediate them.

  • Acunetix was founded in 2005 and acquired by Invicti Security in 2018, though it’s still sold under the Acunetix name. Invicti Security is headquartered in Austin, Texas.

Checkmarx One DAST enables development teams to detect vulnerabilities in live applications by simulating attacks that provide a deep understanding of the application’s behavior.

Who it’s for: We recommend Checkmarx One DAST for large dev teams and complex development environments. However, the end-to-end support offering also makes this solution suitable for smaller teams.

What we like: Checkmarx provides DAST and SAST via a single platform, ensuring efficient and thorough vulnerability detection.

  • You can seamlessly integrate the platform into your existing software pipelines and CI/CD processes.
  • Checkmarx One DAST compiles vulnerability findings from various Checkmarx testing solutions into a single dashboard, offering a comprehensive view of your application risk.
  • You can trigger multiple scan types from a single action, providing a thorough assessment of code security. Plus, the platform’s cloud-powered scanning eliminates the need for users to manage scanning infrastructure.
  • The platform supports over 75 programming languages, over 100 frameworks, various package managers, and a growing array of IaC templates.

The bottom line: Checkmarx One DAST is a full-featured, scalable, and flexible DAST solution. However, thanks to its cloud-based infrastructure, single interface for DAST and SAST, and robust support offering, the tool is still straightforward to navigate and manage.

  • Checkmarx was founded in 2006 and is headquartered in Atlanta, Georgia.

HCL AppScan is a DAST tool that automates security scans across web applications, web APIs, and mobile backends to help security professionals and penetration testers to efficiently identify vulnerabilities.

Who it’s for: HCL AppScan is a strong solution for development teams looking for robust reporting capabilities that will help them to better understand the vulnerabilities in their most complex applications.

What we like: This solution can navigate and scan even the most complex applications to assess their risks and help teams identify vulnerabilities.

  • You can generate various reports to prove compliance with regulatory frameworks and industry standards such as PCI, HIPAA, and OWASP Top 10. You can also access in-depth reports and insights into scan results and vulnerabilities that have been detected.
  • You can use the platform’s advanced configurations and ML components to scan large, complex applications.
  • Thanks to the platform’s incremental scanning feature, you can save time and resources by focusing scans solely on new sections of your application.
  • By recording and assessing multi-step sequences, the platform can dynamically generate unique data while tracking various headers and tokens.

The bottom line: HCL AppScan is a robust, standalone DAST tool that stands out for its powerful, customizable reporting capabilities.

  • AppScan was created in 1997 and acquired by HCL Technologies in 2019. It’s currently owned by HCL Technologies’ product development division, HCL Software. HCL Technologies is headquartered in Noida, India.

NightVision is a web and API scanning tool that enables developers to scan applications on both public and private networks.

Who it’s for: We recommend NightVision as a strong solution for any development team, but particularly those looking for a tool that’s quick to set up and easy to run without the need for extensive training.

What we like: This platform makes it easy for anyone on the development team to start and run a scan by themselves.

  • You can integrate NightVision directly into your CI/CD pipeline so you can start a new scan every time you push new code and scan pull requests in minutes.
  • NightVision delivers comprehensive, flexible scans, with options for authenticated and unauthenticated scanning and modern greybox crawling to scan even undocumented APIs.
  • Thanks to the evidence NightVision provides for each alert, your team can see exactly where the issue lies alongside other useful context, saving them time locating vulnerabilities and choosing the best remediation option.
  • You can use the platform’s smart proxy to scan apps on private networks without making infrastructure changes.

The bottom line: NightVision is a comprehensive web and API security testing solution. It offers quick, accurate scans, yet is still straightforward to set up and manage, with little expertise required.

  • NightVision was founded in 2022 and is headquartered in Bradenton, Florida.

Fortify WebInspect is a DAST solution designed to identify security vulnerabilities and configuration issues within applications by simulating real-world external security attacks.

Who it’s for: Fortify WebInspect is a strong solution for any development team looking to identify vulnerabilities quickly during the development lifecycle, and particularly those looking for powerful automations that will help boost productivity.

What we like: This solution offers lots of flexible deployment options, including on-prem, SaaS, and AppSec-as-a-Service.

  • The platform offers comprehensive security scanning. Its Functional Application Security Testing (FAST) feature continues crawling even if a functional test misses an aspect, and it scans APIs, including SOAP, REST, Swagger, OpenAPI, Postman, GraphQL, and gRPC.
  • You can access pre-configured policies and reports for compliance regulations related to application security, including PCI DSS, STIG, NIST 800-53, OWASP, ISO 27K, and HIPAA.
  • The platform increases scanning speed through horizontal scaling, which uses Kubernetes for parallel JavaScript processing.
  • You can leverage the platform’s REST APIs to integrate it seamlessly with OpenText Application Lifecycle Management, Quality Center, and other security systems.

The bottom line: Fortify WebInspect is a highly flexible application security testing solution with lots of deployment options and the option to customize reporting as needed. Thanks to its use of horizontal scaling, it’s not only flexible, but also highly efficient.

  • Fortify was founded in 2002 and acquired by Hewlett-Packard in 2010, Micro Focus in 2017, and finally OpenText in 2023. OpenText was founded in 1991 and is headquartered in Waterloo, Ontario.

Rapid7 InsightAppSec employs black-box security testing and DAST to automatically identify and triage vulnerabilities, prioritize actions, and mitigate application risks.

Who it’s for: This solution is well-suited to teams that want accurate, in-depth scanning that’s easy to manage.

What we like: Thanks to its comprehensive attack framework and library, the platform can automatically provide accurate insights that help reduce false positives and cover often-overlooked vulnerabilities.

  • InsightAppSec offers flexible, thorough scanning for modern web applications and APIs. Its Universal Translator analyzes various formats, protocols, and development technologies utilized in contemporary mobile and browser applications.
  • You can use the Attack Replay to validate vulnerabilities, streamlining the remediation process.
  • You can access a range of reports that provide technical details on vulnerabilities and highlight compliance risks related to standards such as PCI-DSS, HIPAA, and the OWASP Top Ten.
  • You can leverage both cloud and on-prem scanning engines.

The bottom line: InsightAppSec is quick to set up and easy to navigate, whilst providing the highest levels of security.

  • Rapid7 was founded in 2000 and is headquartered in Boston, Massachusetts.

Synopsys WhiteHat Dynamic is a cloud-based DAST solution that enables development teams to conduct effective vulnerability assessments on web applications in both QA and production environments.

Who it’s for: This is a strong solution for organizations that prioritize speed and accuracy in their vulnerability assessments, and those that may benefit from personalized remediation guidance from Synopsys’ web application security consultants.

What we like: Because its continuous scanning adapts to code changes, WhiteHat Dynamic can reassess risks without starting from scratch, offering businesses an “always on” security appraisal.

  • The platform uses AI-enabled verification to minimize false positives and triage time.
  • You can use the single score provided by the WhiteHat Security Index to gauge the overall status of web application security, based on varied indicators and industry insights.
  • You can identify code changes and vulnerabilities instantly through continuous analysis and perpetual scanning.
  • You can access actionable reports and lists of verified vulnerabilities for faster remediation.
  • The platform guarantees the security of your data during production assessments by using benign injections in lieu of active code and fine-tuning scans to maintain optimal performance.

The bottom line: WhiteHat Dynamic is a powerful application security testing tool that combines both machine-led security testing with human-led remediation guidance to help you not only identify vulnerabilities, but also fix them quickly and effectively.

  • Synopsys was founded in 1986 and is headquartered in Sunnyvale, California.

Veracode identifies vulnerabilities in runtime environments, specifically targeting web applications and APIs.

Who it’s for: Veracode is well-suited to teams looking for a reliable, fast, and scalable DAST tool that can scan multiple applications at once.

What we like: This platform can simultaneously scan multiple applications, even those in pre-production or staging environments situated behind a firewall.

  • You can use the platform’s unified crawl and audit feature to simplify the scanning process, and access near-instant results with a <5% false positive rate.
  • You can configure granular controls to automate or schedule scans, with support for browser limitation and authentication.
  • You can integrate the platform with popular ticketing systems to make sure your team addresses all the vulnerabilities it identifies.
  • You can access detailed remediation guidance—including guidance from Veracode’s experts—to help your team interpret scan results and decide on remediation actions.

The bottom line: Veracode is a fast, efficient application security scanning tool that offers lots of customization in terms of scan controls, and provides remediation guidance to help you address vulnerabilities once discovered.

  • Veracode was founded in 2006 and is headquartered in Burlington, Massachusetts.