Best DAST Tools

DAST probes websites and other internet-facing applications to find security weaknesses. This is a specialized vulnerability scanner that can help you tighten up your protection against cyberattacks.

There are many ways to search out security weaknesses. Vulnerability scanners look at the software that runs on a system and also scans the settings of hardware. These tools use a central registry of discovered weaknesses and look for incidences of them when they scan the sites of their clients. Software checking usually just extends to reading version numbers, which show which updates have been installed. Keeping operating systems patched and software packages updated is one of the major recommendations that cybersecurity experts proffer.

Here is our list of the ten best DAST tools for 2021:

  1. Netsparker An impressive DAST system that lets your IT department keep a check on possible vulnerabilities to attack. This tool is particularly desirable for businesses that need to show compliance to HIPAA or PCI DSS. Available for installation on Windows or Windows Server or as a cloud service.
  2. Acunetix A dashboard of automated DAST that is suitable for use by the IT technicians of medium-sized to large enterprises. Available for Windows, macOS, and Linux.
  3. Appknox A cloud-based vulnerability and penetration testing service that is specially designed to test mobile environments.
  4. Veracode Dynamic Analysis This is an easy-to-use test automation solution that integrates well into the DevOps cycle. It is a cloud-based service with strong person-to-person involvement with service engineers.
  5. Detectify Deep Scan A testing tool supported by ethical hackers that lets small business owners run their own DAST exercises. Delivered from the cloud.
  6. Rapid7 InsightAppSec A cloud-based DAST solution provided by a highly experienced cybersecurity consultancy.
  7. Checkmarx A cloud-based application testing platform that offers DAST. You can also combine this with the Checkmarx SAST to get a full CI/CD security testing suite
  8. HCL AppScan DAST, SAST, and IAST solutions for web apps and services plus processes for mobile apps. Available for Windows and Windows Server or as a cloud-based service.
  9. GitLab Ultimate A suite of CI/CD DevOps support platform that includes a DAST system. Offered as a cloud-based subscription service.
  10. AppCheck An automated application testing platform delivered from the cloud and performance for development projects.

DAST is a little more involved than vulnerability scanning because it watches the software while it runs. This is an automated penetration testing system because DAST systems don’t just wait for users to run the software, they run it in a test and try out combinations of input actions to see where security weaknesses lie.

The main targets of a DAST system are those protocols that drive the World Wide Web: HTTTP and HTML. These two protocols offer a front door to attackers. However, SAST doesn’t just look for a way in; it also tries several different types of attacks, such as SQL injection.

Implementing DAST

DAST systems are usually used on live applications. They help a business to check their websites and backend services to make sure that new attack vectors haven’t managed to damage the security of their already-operational systems. SAST can also be used during the acceptance testing phase for a new Web page.

DAST looks at a Web application while it is running – it approaches from the outside and tries to get in. The reverse strategy to this is to look at the code and try to work out how it could facilitate an attack. Services that perform that inside analysis are called SAST, which stands for Static Application Security Testing. In this guide, we will look at DAST systems and leave SAST for another day.

When operating a DAST strategy, you need to examine how outsiders would try to break through and damage your Web applications. Therefore, the best location to host the testing software is a remote server. DAST is ideally suited to SaaS (Software as a Service) operations. However, if you prefer to buy software and host it yourself, there are on-premises solutions available, too.

For more details on exactly how DAST operates, see the Comparitech guide, What is DAST? Right now, we are going to jump into recommendations of the best DAST tools.

The best DAST tools

You can read more about each of these options in the following sections.

1. Netsparker


Netsparker is a vulnerability scanner that is available in three editions, which makes it suitable for businesses of all sizes.

Small businesses with no technical staff will be able to use the Netsparker Standard edition. Medium-sized businesses with in-house IT support would also benefit from this version. It is useful for verifying custom-built web applications as well as off-the-shelf website builder packages and their components.  This version installs on Windows.

Lager middle-sized companies that pursue their own in-house Agile development of web applications and websites would opt for the Team version. This is a hosted system that includes an asset discovery function to track down all of your software and services that need to be secured. This version is made for IT specialists and includes pen-testing tools as well as automated vulnerability scanning.

The Enterprise edition is a hosted system and there is also an option to install it on-premises on Windows Server. This is more or less the same capacity, except that it has the capacity to monitoring more websites. Both the Team and Enterprise are suitable for DevOps because they allow multiple accounts, including workflow tools, and integrate with project management systems. All versions include auditing and reporting features that conform with HIPAA or PCI DSS requirements.


Netsparker is easily our top pick to recommend as a DAST tool because its three editions make it the ideal package for all sizes of business. The brand is a long-established, widely implemented cybersecurity tool, which means that the technology behind it is very stable. This is a good choice for businesses that need to prove compliance with security standards and it integrates well with DevOps project management tools.

Get a demo:

OS: Windows, Windows Server, or hosted.

2. Acunetix


Acunatix Vulnerability Scanner is another long-standing and widely used DAST system. The service offers a dashboard of tools that will execute vulnerability scans of websites and web services on demand.

Although the dashboard tools are very well laid out, making them usable by non-technical operators, the price of this utility probably puts it out of the range of hard-pressed small businesses. This is more a tool that middle-sized and large businesses would use. The package is sold in three editions: Standard, Premium, and Acunetix 360.

Each higher plan has more features with the top edition offering a complete security testing service for DevOps environments. All versions scan for the OSWAP Top 10 and are particularly strong at detecting cross-site scripting and SQL injection.

The software for all Acunetix editions needs to be downloaded and installed on site. It is available for Windows, macOS, and Linux. You can get a demo of the system to assess its suitability for your business.

3. Appknox


Appknox is specifically designed to test mobile app environments. It is a cloud-based vulnerability and penetration testing service that is specially designed to test mobile environments. This is a DevOps system that supports the creation, testing, release, and maintenance of mobile apps.

The DAST service offered by Appknox is a vulnerability scanner. This is available in three editions, which are all charged for on a subscription per app per month. These plans are called Essential, Professional, and Enterprise. All plans include both static scans (SAST) and dynamic scans (DAST). This is a great combination that is particularly suitable for a CI/CD environment where code can be in constant flux.

The Appknox system is hosted, so there is no need to install any software or maintain a host for the testing system. The company also offers source code reviews by cybersecurity experts, security certifications, and SDK testing as added extras. There is also a penetration testing add-on available.

4. Veracode Dynamic Analysis

Veracode dynamic analysis

Veracode Dynamic Analysis is a very easy to use DAST service that integrates well into a DevOps environment for web applications and websites. This vulnerability scanner includes a scripting system that lets you set up a test that can get through login screens on your web system.

In order to start a scan, you just need to enter a URL to test in the console for the DAST service. It is also possible to load up a list of URLs to get a sequenced test that can run without your attendance. It is possible to link a call to the tester into a development workflow, so newly developed code can get tested and rolled out automatically.

Veracode Dynamic Analysis is a cloud platform and you can assess it on a demo.

5. Detectify Deep Scan

Detectify Deep Scan

Detectify is a team of ethical hackers that put together an automated DAST system, first for their own use, and then for release to the wider business community.

Deep Scan is a vulnerability tester that automatically problems internet-accessible systems for black-box testing, focusing on the OSWAP Top 10. Detectify also maintains its own database of zero-day vulnerabilities that are discovered by all of the test runs that its probing software runs on client systems.

The tool is flexible and can be suitable for a range of environments. Its ease of use makes this cybersecurity tool a good choice for small businesses. It is a cloud platform, so you don’t need to have a host or IT staff to maintain the software. On the other hand, it is also a sought-after tool by DevOps teams that both create and maintain websites and web services.

Detectify is a subscription service, hosted in Sweden and charged for in Euros. You can access a two-week trial of the system.

6. Rapid7 InsightAppSec

Rapid7 InsightAppSec
Rapid7 has produces a cybersecurity platform that is made up of a suite of tools. It is a cloud-based system, so the processing power and storage needed by these services are all included in the price. InsightAppSec is the DAST module of this collection.

The Rapid7 DAST solution checks for the OWASP TOP 10 and more. It looks for more than 95 different vulnerabilities that include cross-site scripting, cross-site request forgery, and SQL injection. The remote location of the system makes it ideal for giving an external view of your web presence. However, it is also able to scan applications that are private within your own system, such as applications that are still under development.

The user interface for this DAST tool is very well presented and the setup process to enroll straightforward. However, this system probably wouldn’t be suitable for small businesses because of its cost. This is a security testing system for businesses that have a lot of web-based applications that need to be kept secure. The standards compliance reporting in Rapid7’s system creates another big attraction for larger companies.

Rapid7 offers potential customers the opportunity to use the system for free for 30 days.

7. Checkmarx


Checkmarx runs an integrated application security testing (IAST) platform. It is an automated testing system that can be integrated into the CI/CD pipeline and includes DAST and SAST functions. The company offers its DAST and SAST services as standalone modules as well. The IAST system is a cloud-based service that is pricey and is probably only accessible for larger application development businesses.

The dynamic testing processes of Checkmarx will run new code and check for OWASP Top 10 vulnerabilities. The service then cycles faulty code back through the development workflow or pushes it onto the production path depending on the outcome of the security tests. Vulnerabilities that the system looks for include SQL injection, cross-site scripting, cross-site request forgery, and path traversal. This is a cloud-based system.

8. HCL AppScan

HCL AppScan

The DAST service of HCL AppScan assists compliance to HIPAA and PCI DSS and it is available in three versions: AppScan Standard and AppScan Enterprise for installation and AppScan Cloud, which is a SaaS system.

AppScan Standard gives you access to the DAST system itself. There is also a SAST version of AppScan Standard. The AppScan Enterprise bundle includes DAST and IAST and the AppScan on Cloud system includes DAST, SAST, IAST, plus other services.

AppScan Standard is intended for use by cybersecurity experts rather than system administrators. The IAST services of AppScan Enterprise and AppScan on Cloud can be bundled into the CI/CD pipeline to automate code testing and release.

The service looks for OWASP Top 10 vulnerabilities. After a scan completes, the DAST system lists any problems that it found in order of urgency and also recommends solutions for each vulnerability that it finds. This is a useful tool for busy cybersecurity consultancies that support many websites and applications.

AppScan Standard installs on Windows and Windows Server and it is available for a 30-day free trial.

9. GitLab Ultimate

GitLab Ultimate

GitLab is a cloud-based support system for DevOps CI/CD pipelines. The package of services is available in three editions: Free, Premium, and Ultimate. There is a long list of features for all versions, with successively higher plans including more utilities. The DAST service of GitLab is only included with the top plans, which is the Ultimate package.

The DAST system in GitLab includes API scanning and can be launched on-demand or integrated into a schedule. The system also has a SAST code analysis service, which is also the only vibe in the ultimate package. GitLab is offered on a 30-day free trial.

10. AppCheck


AppCheck is a security testing platform that was developed by a pen testing consultancy. This is a flexible system that would be suitable for all types of website management scenarios and could be used directly by system administrators for on-demand security checks.

The AppCheck system includes a high degree of testing automation and it can be integrated into DevOps workflows managed by CI/CD project management tools, such as JIRA and Team City. Once you pay for a license, there is no limit to the number of tests you can run and the system is available around the clock. Scans don’t just check the security of websites and services. Tests are performed through a browser, not just HTML scanning and they are capable of spotting zero-day vulnerabilities. They also probe all access points and look for weaknesses in the entire software and hardware infrastructure of your system.

This is a very flexible utility that is delivered from the Cloud. You can try out the system with a free scan.