DAST Tools : 23 Best Free and Paid Tools (2022 update)


If you want to see the best DAST tools in one place, then you’ll LOVE this (updated) guide. I’ve reviewed 23 free and paid tools.

Best DAST Tools

I’ve been working in DAST industry for almost 5 years and I keep in touch with all the vendors for the last 2 years.

There is a lot that happened during that time; mergers (Acunetix + Netsparker), acquisitions (IBM Appscan -> HCL AppScan) and also market moved from developing single instance tools for pentesters to integration into CI/CD and DevSecOps practices.

I wanted to create a list of all these popular DAST tools to make it easy for teams to choose the right dast tool for their business.

I have used most of these tools myself and have experience with but also I am expecting to hear your thoughts, please feel free to share your ideas in the comment section below.

Also, you can join the CandyShop project to see the security testing performance of the most popular DAST tools.

It is a straight-forward vulnerability scanner with an easy-to-use interface.

Acunetix Scan Result

Some features: Business Logic Recorder, Multi-platform (Linux, Mac, Windows, SaaS)

License: Commercial 

Official Website: https://www.acunetix.com

It was an internal penetration tool in SEC-1 (part of Claranet Group now), and now also offers tailor-made solutions.

AppCheck Scan Result


License: Commercial 

Official Website: https://appcheck-ng.com

It is a automated scanner and pentest platform for SMB ‘s.

Astra Security Scan Results

Some features: Managed pentest service, resolution center for collaboration, Risk Score

License: Commercial 

Official Website: https://www.getastra.com

It is easy to use for non-technical (cybersecurity) users.

Beagle Security Scan Result

Some features: WordPress plugin

License: Commercial (starting from $49/month)

Official Website: https://beaglesecurity.com

Bright is a DAST tool designed for developers. It detects security issues in running web applications and APIs.

Bright Scan Result

Some features: Docker client, working with HTTP Archive File (HAR file)

License: Commercial (Free Limited Edition + starting from $79/month)

Official Website: https://brightsec.com

It is a must tool for manual penetration testing.

Burp Suite Scan Result

Some features: BApp Store (extension directory)

License: Commercial (Free Community Edition +  €349/month)

Official Website: https://portswigger.net/burp

It is an effective DAST tool with Crowdsource supported vulnerability database.

Detectify Scan Result

Some features: Attack Surface Management

License: Commercial (starting from €70/month)

Official Website: https://detectify.com

It is a mobile application security testing tool (MAST). It executes your applications on real mobile devices and launches attacks to detect failures in self-protection on .apk or .ipa files.

esChecker Report Dashboard

Some features: real device farm, Test Sequence recording, No False Positive

License: Commercial (starting around $10k/year per app)

Official Website: https://eshard.com/eschecker

WebInspect is an Enterprise-level DAST tool capable of scaling to hundreds of applications.

Fortify Webinspect Scan Result

Some features: support for Two Factor Authentication, API testing, CI/CD integrations

License: Commercial 

Official Website: https://www.microfocus.com/en-us/cyberres/application-security/webinspect

It is an enterprise-level DAST tool in HCL AppScan security suite.

HCL AppScan Dashboard

License: Commercial 

Official Website: https://www.hcltechsw.com/appscan

It is a power vulnerability scanner for cybersecurity engineers from Rapid7.

InsightAppsec Scan Result

Some features: Universal Translator, Attack Replay

License: Commercial (starting from $166/month per app)

Official Website: https://www.rapid7.com/products/insightappsec/

It is an easy dast tool to start which also offers a monthly subscription.

Intruder Scan Result

Some features:  Penetration testing service offerings

License: Commercial (starting from €94/month per app)

Official Website: https://www.intruder.io

It is an enterprise-level DAST tool to integrate into SDLC and is highly useful if you need to manage hundreds or thousands of applications.

Invicti Integrations

Some features: Advanced integrations, Proof-based scanning, IAST + SCA capabilities

License: Commercial 

Official Website: https://www.invicti.com

It is a very advanced open-source vulnerability scanner with community-supported scanning templates.


Some features: Custom scanning templates

License: Free 

Official Website: https://projectdiscovery.io/nuclei

It is the most popular open-source dynamic application security testing tool.

OWASP ZAP Scan Result

Some features: extensive community support

License: Free 

Official Website: https://www.zaproxy.org/

It is a set of tools for web vulnerability scanning.

Pentest tools Scan Result

Some features: includes many other niche security scanners

License: Commercial (starts from €100/month for 10 targets) 

Official Website: https://pentest-tools.com/

It is a DAST scanner designed for security and DevOps teams to work together on reducing security risks on web applications & APIs.

Probely Scan Result


License: Commercial (Free Limited Edition + starts from €49/month per application) 

Official Website: https://probely.com/

It is an advance fully-cloud web application security scanner.

Qualys WAS Scan Result


License: Commercial

Official Website: https://www.qualys.com/apps/web-app-scanning/

It is the DAST tool in the Sentinel security suite. (known as Whitehat)

Sentinel Dynamic Scan Result

It is a multi-platform supporting DAST tool in Syhunt application security suite.

Syhunt Dynamic

Some features:

License: Commercial (starting from $4099/year)

Official Website: https://www.syhunt.com/en/index.php?n=Products.SyhuntDynamic

It is the DAST tool in Synopsys application security testing portfolio for enterprises.

Synopsys Web-Scanner Scan Result

Some features:

License: Commercial

Official Website: https://www.synopsys.com/software-integrity/security-testing/web-scanner.html

It is a cloud-based vulnerability scanner powered by Nessus technology.

Tenable IO Scan Result

Some features:

License: Commercial (€4610/year for 5 FQDN)

Official Website: https://www.tenable.com/products/tenable-io

It is the DAST part of the Veracode application security suite that provides the scale necessary to audit hundreds of target applications simultaneously, including APIs.

Veracode DAST Scan Result

Some features:

License: Commercial

Official Website: https://www.veracode.com/products/dynamic-analysis-dast

Top 23 DAST Tools

Leave a Reply

Your email address will not be published. Required fields are marked *