What is Dynamic Analysis?

Dynamic analysis, also called dynamic code analysis, is the process of analyzing computer software by executing the program in real time. The objective is to find errors in a program while it is running, rather than by repeatedly examining the code offline, as static analysis does.

When applied specifically to security testing, dynamic analysis is known as Dynamic Application Security Testing (DAST).

What kind of problems can dynamic analysis find?

Dynamic analysis excels at finding issues that only manifest when code actually runs:

  1. Memory errors — leaks, buffer overflows, use-after-free (see Memory Safety)
  2. Concurrency bugs — race conditions, deadlocks, thread safety violations
  3. Performance bottlenecks — slow functions, inefficient algorithms under real load
  4. Security vulnerabilities — injection flaws, authentication bypasses, exposed endpoints
  5. Code coverage gaps — untested paths, unreachable code in practice

How dynamic analysis works

Dynamic analysis tools instrument running programs to observe their behavior:

  • Profilers measure execution time, memory usage, and call frequency
  • Sanitizers detect memory errors, undefined behavior, and data races
  • Fuzzers generate random inputs to find crash-inducing edge cases
  • Security scanners probe applications for exploitable vulnerabilities
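
As an added illustration (not code from the original page), the sketch below shows the fuzzer case: random inputs are executed against a small parser and any unhandled exception is recorded as a finding. The record format, the function names and the deliberate length-check bug are all constructed for this example.

```python
import random

def parse_record(data: bytes, validate_length: bool = False) -> dict:
    """Constructed target: [type:1][length:1][payload:length][checksum:1]."""
    if len(data) < 2:
        raise ValueError("too short")          # clean, expected rejection
    rtype, length = data[0], data[1]
    if validate_length and 2 + length >= len(data):
        raise ValueError("truncated record")   # the fix: reject before indexing
    payload = data[2:2 + length]
    # Deliberate bug when validate_length is False: the declared length is
    # trusted, so a truncated record indexes past the end of the buffer.
    checksum = data[2 + length]
    if checksum != sum(payload) % 256:
        raise ValueError("bad checksum")
    return {"type": rtype, "payload": payload}

def fuzz(target, iterations=2000, seed=1234, max_len=8):
    """Execute target on random inputs; return one sample per crash type."""
    rng = random.Random(seed)                  # fixed seed: reproducible run
    crashes = {}
    for _ in range(iterations):
        size = rng.randrange(max_len + 1)
        data = bytes(rng.randrange(256) for _ in range(size))
        try:
            target(data)
        except ValueError:
            continue                           # handled rejection, not a bug
        except Exception as exc:               # unhandled fault: a finding
            crashes.setdefault(type(exc).__name__, data)
    return crashes

def fuzz_fixed():
    """Same campaign against the parser with the length check enabled."""
    return fuzz(lambda d: parse_record(d, validate_length=True))

if __name__ == "__main__":
    for name, sample in fuzz(parse_record).items():
        print("crash:", name, "input:", sample.hex())
    print("after fix:", fuzz_fixed() or "no crashes")
```

The finding only appears because the faulty line was actually executed with a triggering input; a path the fuzzer never reaches produces no report either way.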

Static vs dynamic analysis

| Dynamic Analysis | Static Analysis |
|---|---|
| Tests actual execution | Analyzes code structure |
| No false positives on detected issues | May flag non-issues |
| Limited to tested paths | Examines all code paths |
| Requires running environment | Works on source code alone |
| Catches runtime-specific bugs | Catches bugs at compile time |

Dynamic analysis in security

DAST tools perform dynamic analysis on web applications by:

  • Crawling the application to discover endpoints
  • Sending malicious inputs to test for vulnerabilities
  • Analyzing responses for signs of exploitation

Unlike SAST, DAST finds vulnerabilities that are actually exploitable in the running application, but it can only test exposed interfaces and requires a deployed environment.

See also: DAST, Static Analysis, Memory Safety, Continuous Quality
