What is DAST (Dynamic Application Security Testing)?

A security testing methodology that analyzes running applications by simulating attacks against exposed interfaces to identify vulnerabilities.

DAST (Dynamic Application Security Testing) — Definition & Overview • DeepSource

Dynamic Application Security Testing (DAST) is a black-box security testing approach that probes running applications for vulnerabilities. Unlike SAST, which examines source code, DAST interacts with applications through their external interfaces—HTTP endpoints, APIs, web forms—simulating how an attacker would probe for weaknesses.

How DAST works

DAST tools operate by:

Crawling: Discovering application endpoints, forms, and API routes
Fuzzing: Sending malformed, unexpected, or malicious inputs to each endpoint
Analysis: Observing application responses for signs of vulnerability (error messages, timing differences, unexpected behavior)
Reporting: Documenting confirmed vulnerabilities with reproduction steps

Because DAST tests the actual running application, it catches vulnerabilities that depend on configuration, environment, or runtime behavior that static analysis cannot see.

What DAST detects

DAST excels at finding:

Injection vulnerabilities: SQL injection, command injection, XSS reflected in responses
Authentication issues: Broken authentication, session management flaws
Configuration errors: Exposed debug endpoints, verbose error messages, missing security headers
Access control failures: Privilege escalation, insecure direct object references
Server misconfigurations: Default credentials, unnecessary services, outdated software versions

Advantages of DAST

Runtime accuracy: DAST tests what's actually deployed. There are no false positives from code that's dead, unreachable, or mitigated by runtime protections.

Technology agnostic: DAST doesn't need source code or language-specific analyzers. It works with any application that exposes network interfaces.

Real attack simulation: DAST findings are exploitable by definition—the tool actually triggered the vulnerability.

Limitations

Late in lifecycle: DAST requires a running application, meaning vulnerabilities are found later in development when fixes are more expensive.

Limited coverage: DAST only tests exposed interfaces. Code paths not reachable through external input go untested.

Slower feedback: Scanning a full application can take hours, making DAST impractical for every commit.

No source mapping: DAST reports the vulnerability exists but doesn't show where in the code the fix belongs.

Combining DAST with SAST

Most security programs use DAST alongside SAST to get comprehensive coverage. SAST catches issues early during development; DAST validates that deployed applications are actually secure. Together with SCA for dependency analysis, they form the core of modern application security testing.