Best DAST Tools

DAST software, which stands for Dynamic Application Security Testing, probes websites and other internet-facing applications to find security weaknesses. This is a specialized vulnerability scanner that can help you tighten up your protection against cyberattacks.

There are many ways to search out security weaknesses. Vulnerability scanners look at the software that runs on a system and also scans the settings of hardware. These tools use a central registry of discovered weaknesses and look for incidences of them when they scan the sites of their clients. Software checking usually just extends to reading version numbers, which show which updates have been installed. Keeping operating systems patched and software packages updated is one of the major recommendations that cybersecurity experts proffer.

Here is our list of the eleven best DAST tools:

  1. SOOS EDITOR’S CHOICE This cloud-based application testing system can be used for continuous testing in a CI/CD pipeline and also as a domain scanner for operations technicians. Each subscription gets unlimited seats. Access a 30-day free trial.
  2. Invicti An impressive DAST system that lets your IT department keep a check on possible vulnerabilities to attack. This tool is particularly desirable for businesses that need to show compliance to HIPAA or PCI DSS. Available for installation on Windows or Windows Server or as a cloud service.
  3. Acunetix A dashboard of automated DAST that is suitable for use by the IT technicians of medium-sized to large enterprises. Available for Windows, macOS, and Linux.
  4. Appknox A cloud-based vulnerability and penetration testing service that is specially designed to test mobile environments.
  5. Veracode Dynamic Analysis This is an easy-to-use test automation solution that integrates well into the DevOps cycle. It is a cloud-based service with strong person-to-person involvement with service engineers.
  6. Detectify Deep Scan A testing tool supported by ethical hackers that lets small business owners run their own DAST exercises. Delivered from the cloud.
  7. Rapid7 InsightAppSec A cloud-based DAST solution provided by a highly experienced cybersecurity consultancy.
  8. Checkmarx A cloud-based application testing platform that offers DAST. You can also combine this with the Checkmarx SAST to get a full CI/CD security testing suite
  9. HCL AppScan DAST, SAST, and IAST solutions for web apps and services plus processes for mobile apps. Available for Windows and Windows Server or as a cloud-based service.
  10. GitLab Ultimate A suite of CI/CD DevOps support platform that includes a DAST system. Offered as a cloud-based subscription service.
  11. AppCheck An automated application testing platform delivered from the cloud and performance for development projects.

Dynamic Application Security Testing is a little more involved than vulnerability scanning because it watches the software while it runs. This is an automated penetration testing system because DAST systems don’t just wait for users to run the software, they run it in a test and try out combinations of input actions to see where security weaknesses lie.

The main targets of a DAST system are those protocols that drive the World Wide Web: HTTTP and HTML. These two protocols offer a front door to attackers. However, SAST doesn’t just look for a way in; it also tries several different types of attacks, such as SQL injection.

Implementing DAST

DAST systems are usually used on live applications. They help a business to check their websites and backend services to make sure that new attack vectors haven’t managed to damage the security of their already-operational systems. SAST can also be used during the acceptance testing phase for a new Web page.

DAST looks at a Web application while it is running – it approaches from the outside and tries to get in. The reverse strategy to this is to look at the code and try to work out how it could facilitate an attack. Services that perform that inside analysis are called SAST, which stands for Static Application Security Testing. In this guide, we will look at DAST systems and leave SAST for another day.

When operating a DAST strategy, you need to examine how outsiders would try to break through and damage your Web applications. Therefore, the best location to host the testing software is a remote server. DAST is ideally suited to SaaS (Software as a Service) operations. However, if you prefer to buy software and host it yourself, there are on-premises solutions available, too.

For more details on exactly how DAST operates, see the Comparitech guide, What is DAST? Right now, we are going to jump into recommendations of the best DAST tools.

The best DAST tools

Our methodology for selecting a DAST tool

We reviewed the market for dynamic application security testing systems and analyzed the options based on the following criteria:

  • Integration into CI/CD pipelines
  • Continuous testing
  • Black box unit testing
  • Integration testing
  • Issue tracker integration
  • A free trial or a demo package for a no-cost assessment opportunity
  • Value for money, represented by a comprehensive testing system at a fair price

Using this set of criteria, we looked for dynamic application security testing packages that can be used by application development teams and IT operations technicians.

Using this set of criteria, we looked for dynamic application security testing packages that can be used by application development teams and IT operations technicians.

You can read more about each of these options in the following sections.


SOOS Developer Dashboard

SOOS is a dynamic application security testing tool that partners with a software composition analysis system. The package of the DAST and SCA systems provides comprehensive testing facilities for any DevOps environment. The DAST can provide continuous testing in a CI/CD pipeline and it is also available for use by the operations team as a domain scanner.

Key Features:

  • Continuous testing for CI/.CD pipelines
  • On demand domain scanning
  • SCA and DAST
  • Scans Web applications and APIs
  • Integrates with issue trackers

The lower SOOS package is just a software composition analyzer. This looks for open source code and APIs within Web applications and makes sure that they do not have known vulnerabilities. Oftentimes, the developers of any vulnerabilities are aware of the issue and have probably already brought out a new version to shut down the issue. Where this is the case, SOOS will recommend an update to fix security issues.

The DAST part of the upper package provides sandboxing, which occurs in a Docker environment, so you need to make sure that you install Docker before trying to run this tool. The testing software itself operates on the cloud platform of SOOS.

The DAST and SCA services can be plugged into your development management system. The package has integration for a list of development systems, including Azure DevOps, Jenkins, and TeamCity. You can also use it with Bamboo, Bitbucket, Jira, and GitHub Issues for issue tracking.

SOOS continues to be useful when your Web application goes live. Operations technicians get a domain scanner, which they can run on demand or on a schedule to ensure that no new issues arrive with the system.


  • Hosted service that links into your development systems
  • Available for continuous testing with integrations with bug trackers
  • Suitable for use by operations teams for on-demand Web application testing
  • Protects your servers from risk by testing applications in Docker containers
  • Can be integrated into project management tools and code repositories


  • Can’t be self hosted

Both plans of SOOS are subscription services with a monthly free. There is no limit to the number of users that you can place on each company account. Get a look at the SOOS package with a 30-day free trial.


SOOS is our top pick for a DAT tool because it gives you an SCA system as well. That means you don’t have to waste time scanning through ope source-derived elements with your DSAST because that part of the system will already be verified. This system is efficient and can be run continuously, on demand, or on a schedule. It is suitable for use by operations teams, too, for domain scanning.

Official Site:

OS: Cloud-based

2. Invicti


Invicti – formerly Netsparker – is a vulnerability scanner that is available in three editions, which makes it suitable for businesses of all sizes.

Key Features:

  • Cloud-based or on-premises
  • Continuous testing
  • Vulnerability scanning option
  • Suitable for development testing
  • Installs on Windows and Windows Server

Small businesses with no technical staff will be able to use the Invicti Standard edition. Medium-sized businesses with in-house IT support would also benefit from this version. It is useful for verifying custom-built web applications as well as off-the-shelf website builder packages and their components.  This version installs on Windows.

Lager middle-sized companies that pursue their own in-house Agile development of web applications and websites would opt for the Team version. This is a hosted system that includes an asset discovery function to track down all of your software and services that need to be secured. This version is made for IT specialists and includes pen-testing tools as well as automated vulnerability scanning.

The Enterprise edition is a hosted system and there is also an option to install it on-premises on Windows Server. This is more or less the same capacity, except that it has the capacity to monitoring more websites. Both the Team and Enterprise are suitable for DevOps because they allow multiple accounts, including workflow tools, and integrate with project management systems. All versions include auditing and reporting features that conform with HIPAA or PCI DSS requirements.


  • Highly visual interface – great for pen-testing teams, NOCs, or lone administrators
  • Color coding helps teams prioritize remediation with color coding and automatic threat scoring
  • Runs continuously – no need to schedule scans or manually run checks
  • Includes pentesting tools – great for companies with internal “red” teams
  • Comes in multiple packages, making Invicti accessible to any size organization


  • Netsparker is an advanced security tool for professionals, not ideal for home users

Invicti is ideal as a DAST tool because its three editions make it the ideal package for all sizes of business. The brand is a long-established, widely implemented cybersecurity tool, which means that the technology behind it is very stable. This is a good choice for businesses that need to prove compliance with security standards and it integrates well with DevOps project management tools. Access a free demo to figure out your requirements.

3. Acunetix

Acunatix Vulnerability Scanner is another long-standing and widely used DAST system. The service offers a dashboard of tools that will execute vulnerability scans of websites and web services on demand.

Key Features:

  • Development testing
  • Vulnerability scanning
  • Runs on Windows, macOS, and Linux
  • Suitable for small businesses

Although the dashboard tools are very well laid out, making them usable by non-technical operators, the price of this utility probably puts it out of the range of hard-pressed small businesses. This is more a tool that middle-sized and large businesses would use. The package is sold in three editions: Standard, Premium, and Acunetix 360.

Each higher plan has more features with the top edition offering a complete security testing service for DevOps environments. All versions scan for the OSWAP Top 10 and are particularly strong at detecting cross-site scripting and SQL injection.


  • Designed specifically for application security
  • Integrates with a large number of other tools such as OpenVAS
  • Can detect and alert when misconfigurations are discovered
  • Leverages automation to immediately stop threats and escalate issues based on the severity


  • Would like to see a trial version for testing

The software for all Acunetix editions needs to be downloaded and installed on site. It is available for Windows, macOS, and Linux. You can get a demo of the system to assess its suitability for your business.

4. Appknox


Appknox is specifically designed to test mobile app environments. It is a cloud-based vulnerability and penetration testing service that is specially designed to test mobile environments. This is a DevOps system that supports the creation, testing, release, and maintenance of mobile apps.

Key Features:

  • CI/CD pipeline testing
  • Operations security testing
  • DAST and SAST

The DAST service offered by Appknox is a vulnerability scanner. This is available in three editions, which are all charged for on a subscription per app per month. These plans are called Essential, Professional, and Enterprise. All plans include both static scans (SAST) and dynamic scans (DAST). This is a great combination that is particularly suitable for a CI/CD environment where code can be in constant flux.


  • Offers excellent automated web scanning tools with simple scheduling options
  • Operates in the cloud, no need for an on-premise server
  • Highly visual – great for reporting and big picture insights


  • Would like to have access to a trial rather than a demo version for testing

The Appknox system is hosted, so there is no need to install any software or maintain a host for the testing system. The company also offers source code reviews by cybersecurity experts, security certifications, and SDK testing as added extras. There is also a penetration testing add-on available.

5. Veracode Dynamic Analysis

Veracode dynamic analysis

Veracode Dynamic Analysis is a very easy-to-use DAST service that integrates well into a DevOps environment for web applications and websites. This vulnerability scanner includes a scripting system that lets you set up a test that can get through login screens on your web system.

Key Features:

  • Vulnerability scanner
  • Scripting for test scenarios
  • Scan a web page

In order to start a scan, you just need to enter a URL to test in the console for the DAST service. It is also possible to load up a list of URLs to get a sequenced test that can run without your attendance. It is possible to link a call to the tester into a development workflow, so newly developed code can get tested and rolled out automatically.


  • Offers simple scheduled scans
  • Easy options to stop, pause and resume scans
  • Designed to remove the complexity of vulnerability hunting


  • Must contract sales for pricing

Veracode Dynamic Analysis is a cloud platform and you can assess it on a demo.

6. Detectify Deep Scan

Detectify Deep Scan

Detectify is a team of ethical hackers that put together an automated DAST system, first for their own use, and then for release to the wider business community.

Key Features:

  • Cloud-based
  • Proprietary vulnerability database
  • OWASP top 10

Deep Scan is a vulnerability tester that automatically problems internet-accessible systems for black-box testing, focusing on the OSWAP Top 10. Detectify also maintains its own database of zero-day vulnerabilities that are discovered by all of the test runs that its probing software runs on client systems.

The tool is flexible and can be suitable for a range of environments. Its ease of use makes this cybersecurity tool a good choice for small businesses. It is a cloud platform, so you don’t need to have a host or IT staff to maintain the software. On the other hand, it is also a sought-after tool by DevOps teams that both create and maintain websites and web services.


  • Sleek easy to use interface
  • Automatically scans using OSWAP best practices
  • Highly flexible – great for small to medium-sized businesses


  • Hosted in the EU – might not be the best choice for those in other regions.

Detectify is a subscription service, hosted in Sweden and charged for in Euros. You can access a two-week trial of the system.

7. Rapid7 InsightAppSec

Rapid7 InsightAppSec
Rapid7 has produces a cybersecurity platform that is made up of a suite of tools. It is a cloud-based system, so the processing power and storage needed by these services are all included in the price. InsightAppSec is the DAST module of this collection.

Key Features:

  • Development testing
  • Operations scanning
  • Compliance reporting

The Rapid7 DAST solution checks for the OWASP TOP 10 and more. It looks for more than 95 different vulnerabilities that include cross-site scripting, cross-site request forgery, and SQL injection. The remote location of the system makes it ideal for giving an external view of your web presence. However, it is also able to scan applications that are private within your own system, such as applications that are still under development.

The user interface for this DAST tool is very well presented and the setup process to enroll straightforward. However, this system probably wouldn’t be suitable for small businesses because of its cost. This is a security testing system for businesses that have a lot of web-based applications that need to be kept secure. The standards compliance reporting in Rapid7’s system creates another big attraction for larger companies.


  • Leverages behavioral analytics to detect threats that bypass signature-based detection
  • Uses multiple data streams to have the most up to date threat analysis methodologies
  • Allows for robust automated remediation


  • Pricing is higher than similar tools on the market
  • Not the best option for smaller businesses

Rapid7 offers potential customers the opportunity to use the system for free for 30 days.

8. Checkmarx


Checkmarx runs an integrated application security testing (IAST) platform. It is an automated testing system that can be integrated into the CI/CD pipeline and includes DAST and SAST functions. The company offers its DAST and SAST services as standalone modules as well. The IAST system is a cloud-based service that is pricey and is probably only accessible for larger application development businesses.

Key Features:

  • Cloud-based
  • DAST and SAST
  • OWASP top 10

The dynamic testing processes of Checkmarx will run new code and check for OWASP Top 10 vulnerabilities. The service then cycles faulty code back through the development workflow or pushes it onto the production path depending on the outcome of the security tests. Vulnerabilities that the system looks for include SQL injection, cross-site scripting, cross-site request forgery, and path traversal. This is a cloud-based system.


  • Excellent user interface – sleek reporting and dashboard graphics
  • Leverages automated testing and audits to keep systems secure
  • Offers both DAST and SAST functionality


  • Must contract sales for pricing

9. HCL AppScan

HCL AppScan

The DAST service of HCL AppScan assists compliance to HIPAA and PCI DSS and it is available in three versions: AppScan Standard and AppScan Enterprise for installation and AppScan Cloud, which is a SaaS system.

Key Features:

  • On-premises for Windows and Windows Server
  • Problem prioritization
  • HIPAA and PCI DSS compliance

AppScan Standard gives you access to the DAST system itself. There is also a SAST version of AppScan Standard. The AppScan Enterprise bundle includes DAST and IAST and the AppScan on Cloud system includes DAST, SAST, IAST, plus other services.

AppScan Standard is intended for use by cybersecurity experts rather than system administrators. The IAST services of AppScan Enterprise and AppScan on Cloud can be bundled into the CI/CD pipeline to automate code testing and release.

The service looks for OWASP Top 10 vulnerabilities. After a scan completes, the DAST system lists any problems that it found in order of urgency and also recommends solutions for each vulnerability that it finds. This is a useful tool for busy cybersecurity consultancies that support many websites and applications.


  • Focuses on compliance reporting (HIPAA, PCI DSS, etc.)
  • Offers prioritized remediation post-scan
  • Includes DAST, SAST, and IAST features


  • Only available as an on-premise solution

AppScan Standard installs on Windows and Windows Server and it is available for a 30-day free trial.

10. GitLab Ultimate

GitLab Ultimate

GitLab is a cloud-based support system for DevOps CI/CD pipelines. The package of services is available in three editions: Free, Premium, and Ultimate. There is a long list of features for all versions, with successively higher plans including more utilities. The DAST service of GitLab is only included with the top plans, which is the Ultimate package.

Key Features:

  • CI/CD pipeline testing
  • API scanning
  • On-demand or scheduled

The DAST system in GitLab includes API scanning and can be launched on-demand or integrated into a schedule. The system also has a SAST code analysis service, which is also the only vibe in the ultimate package. GitLab is offered on a 30-day free trial.


  • Integrates well with Docker and other containerized environments
  • Offers testing prior to release
  • Great for building frameworks for larger releases


  • Requires two deployment tools for testing and deployment

11. AppCheck


AppCheck is a security testing platform that was developed by a pen testing consultancy. This is a flexible system that would be suitable for all types of website management scenarios and could be used directly by system administrators for on-demand security checks.

Key Features:

  • Cloud-based
  • Integrates with JIRA and TeamCity
  • On-demand or automated

The AppCheck system includes a high degree of testing automation and it can be integrated into DevOps workflows managed by CI/CD project management tools, such as JIRA and Team City. Once you pay for a license, there is no limit to the number of tests you can run and the system is available around the clock. Scans don’t just check the security of websites and services. Tests are performed through a browser, not just HTML scanning and they are capable of spotting zero-day vulnerabilities. They also probe all access points and look for weaknesses in the entire software and hardware infrastructure of your system.


  • Uses simple yet intuitive graphs and dashboards
  • Offers a wide range of integrations into platforms like JIRA
  • Supports both on-demand and automated remediation/alerting


  • Better suited for larger companies

This is a very flexible utility that is delivered from the Cloud. You can try out the system with a free scan.

DAST tool FAQs

What are the DAST tools?

Dynamic Application Security Testing (DAST) tools preview newly created Web applications before they go live. The testing system runs the packages and examines how they react given certain inputs. This is like a vulnerability scanner because the input attempted in these tests are the type of exploits that hackers are known to try.

What makes a DAST tool effective?

DAST tools are only effective if they are provided with a list of hacks to look for. The tester needs to run the new Web application in an environment that is as close to how the application will operate once live. This involves setting up all of the services that the application depends upon and the other applications that rely upon it.