Checkmarx IAST provides runtime security testing as part of the Checkmarx One unified application security platform.
It monitors applications during execution to identify vulnerabilities that static analysis cannot detect, while correlating findings across SAST, SCA, and DAST to eliminate duplicate issues.
What is Checkmarx IAST?
Checkmarx IAST is an interactive application security testing solution that instruments applications with lightweight agents to monitor code execution in real time.
Unlike traditional DAST scanners that only see HTTP responses, IAST agents observe how data flows through the application internally, providing precise vulnerability detection with code-level context.
The tool operates as part of Checkmarx One, meaning security teams manage all testing types from a single console.
This unified approach reduces tool sprawl and ensures consistent security policies across the development lifecycle.
Key Features
Runtime Vulnerability Detection
The IAST agent monitors application behavior during functional testing, QA cycles, or automated test suites.
It tracks data flow from HTTP requests through business logic to database queries and responses, identifying injection flaws, authentication bypasses, and sensitive data exposure as they occur.
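A minimal sketch of the source-to-sink tracking described above, added here as an illustration and not Checkmarx's agent code. `Tainted`, `MonitoredCursor` and the two lookup handlers are hypothetical names, and taint is propagated through string concatenation only.

```python
import sqlite3
import sys

class Tainted(str):
    """Source marker: a string that arrived in an HTTP request."""
    def __add__(self, other):
        return Tainted(str.__add__(self, other))
    def __radd__(self, other):
        return Tainted(str.__add__(other, self))

findings = []  # what the sensor would report to a dashboard

class MonitoredCursor:
    """Sink sensor wrapped around a DB cursor (hypothetical, illustration only)."""
    def __init__(self, cursor):
        self._cursor = cursor

    def execute(self, sql, params=()):
        # Taint in the SQL text itself means request data was concatenated in.
        if isinstance(sql, Tainted):
            caller = sys._getframe(1).f_code
            findings.append({"issue": "SQL injection",
                             "function": caller.co_name,
                             "query": str(sql)})
        return self._cursor.execute(str(sql), params)

def lookup_vulnerable(cur, username):
    # Concatenation: the tainted value becomes part of the query text.
    sql = "SELECT id FROM users WHERE name = '" + username + "'"
    return cur.execute(sql).fetchall()

def lookup_safe(cur, username):
    # Bound parameter: the query text stays untainted.
    return cur.execute("SELECT id FROM users WHERE name = ?", (username,)).fetchall()

def run_demo():
    findings.clear()
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice')")
    cur = MonitoredCursor(conn.cursor())
    name = Tainted("alice")  # constructed sample: an ordinary functional-test value
    return lookup_vulnerable(cur, name), lookup_safe(cur, name), findings

if __name__ == "__main__":
    vulnerable_rows, safe_rows, reported = run_demo()
    print(vulnerable_rows == safe_rows, reported)
```

Both handlers return identical rows for the benign test value, so the HTTP responses alone do not distinguish them; only the sink-side check reports the concatenated query and the function that built it.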
Cross-Scanner Correlation
One of the most valuable capabilities is automatic correlation between IAST, SAST, DAST, and SCA findings.
When the same vulnerability appears across multiple testing types, Checkmarx One consolidates them into a single issue.
This prevents developers from receiving three tickets for the same SQL injection.
API Discovery and Profiling
During testing, the IAST agent automatically discovers and catalogs all APIs the application exposes.
This includes shadow APIs that developers may have forgotten about and undocumented endpoints.
The profiling data feeds into the security dashboard to highlight the API attack surface.
Real-Time Security Insights
Results appear immediately in the Checkmarx One dashboard as tests execute.
Security teams and developers see vulnerabilities surface in real time rather than waiting for a batch scan to complete.
How to Use Checkmarx IAST
Agent Deployment
Deploy the IAST agent alongside your application in the testing environment:
# Java applications - add agent to JVM arguments
java -javaagent:/path/to/checkmarx-iast-agent.jar \
     -Dcx.iast.server=https://your-checkmarx-server \
     -Dcx.iast.project=myproject \
     -jar your-application.jar
For .NET applications, configure the agent in your deployment settings:
<!-- web.config for .NET applications -->
<configuration>
  <appSettings>
    <add key="CxIAST.ServerUrl" value="https://your-checkmarx-server" />
    <add key="CxIAST.ProjectName" value="myproject" />
  </appSettings>
</configuration>
CI/CD Integration
Integrate IAST testing into your pipeline by running functional tests against the instrumented application:
# GitLab CI example
iast-testing:
  stage: test
  script:
    # Literal block scalar so the shell line continuations survive YAML parsing
    - |
      docker run -d --name app-under-test \
        -e CX_IAST_SERVER="$CX_SERVER" \
        -e CX_IAST_PROJECT="$CI_PROJECT_NAME" \
        myapp:iast-instrumented
    - npm run integration-tests
    - curl -X POST "$CX_SERVER/api/iast/stop-session"
  artifacts:
    reports:
      junit: iast-results.xml
When to Use Checkmarx IAST
Checkmarx IAST is best suited for organizations that have already adopted other Checkmarx products or are evaluating a unified application security platform.
The value proposition centers on consolidated findings and single-console management across testing types.
Consider Checkmarx IAST when you need:
- A single platform for SAST, DAST, SCA, and IAST without managing multiple vendor relationships
- Automatic correlation to reduce duplicate vulnerability tickets
- API discovery capabilities for complex microservices architectures
- Enterprise-grade management features for large development teams
- Integration with existing Checkmarx One deployments
Teams already using standalone IAST solutions may find the migration worthwhile if they value the unified dashboard and cross-scanner correlation capabilities.