If you want to see the best DAST tools in one place, then you’ll LOVE this (updated) guide. I’ve reviewed 23 free and paid tools.
I’ve been working in the DAST industry for almost 5 years and have kept in touch with all the vendors for the last 2 years.
A lot happened during that time: mergers (Acunetix + Netsparker), acquisitions (IBM AppScan -> HCL AppScan), and the market moved from developing single-instance tools for pentesters to integrating into CI/CD and DevSecOps practices.
I wanted to create a list of all these popular DAST tools to make it easy for teams to choose the right DAST tool for their business.
I have used most of these tools myself and have experience with them, but I am also expecting to hear your thoughts; please feel free to share your ideas in the comment section below.
Also, you can join the CandyShop project to see the security testing performance of the most popular DAST tools.
It is a straightforward vulnerability scanner with an easy-to-use interface.
Some features: Business Logic Recorder, Multi-platform (Linux, Mac, Windows, SaaS)
Official Website: https://www.acunetix.com
It started as an internal penetration testing tool at SEC-1 (now part of Claranet Group), and now also offers tailor-made solutions.
Official Website: https://appcheck-ng.com
It is an automated scanner and pentest platform for SMBs.
Some features: Managed pentest service, resolution center for collaboration, Risk Score
Official Website: https://www.getastra.com
It is easy to use for users without a technical cybersecurity background.
Some features: WordPress plugin
License: Commercial (starting from $49/month)
Official Website: https://beaglesecurity.com
Bright is a DAST tool designed for developers. It detects security issues in running web applications and APIs.
Some features: Docker client, working with HTTP Archive File (HAR file)
License: Commercial (Free Limited Edition + starting from $79/month)
Official Website: https://brightsec.com
It is a must-have tool for manual penetration testing.
Some features: BApp Store (extension directory)
License: Commercial (Free Community Edition + €349/month)
Official Website: https://portswigger.net/burp
It is an effective DAST tool with a Crowdsource-supported vulnerability database.
Some features: Attack Surface Management
License: Commercial (starting from €70/month)
Official Website: https://detectify.com
It is a mobile application security testing (MAST) tool. It executes your applications on real mobile devices and launches attacks to detect failures in the self-protection of .apk or .ipa files.
Some features: real device farm, Test Sequence recording, no false positives
License: Commercial (starting around $10k/year per app)
Official Website: https://eshard.com/eschecker
WebInspect is an enterprise-level DAST tool capable of scaling to hundreds of applications.
Some features: support for Two Factor Authentication, API testing, CI/CD integrations
It is an enterprise-level DAST tool in the HCL AppScan security suite.
Official Website: https://www.hcltechsw.com/appscan
It is a powerful vulnerability scanner for cybersecurity engineers from Rapid7.
Some features: Universal Translator, Attack Replay
License: Commercial (starting from $166/month per app)
Official Website: https://www.rapid7.com/products/insightappsec/
It is an easy DAST tool to get started with, and it also offers a monthly subscription.
Some features: Penetration testing service offerings
License: Commercial (starting from €94/month per app)
Official Website: https://www.intruder.io
It is an enterprise-level DAST tool that integrates into the SDLC and is highly useful if you need to manage hundreds or thousands of applications.
Some features: Advanced integrations, Proof-based scanning, IAST + SCA capabilities
Official Website: https://www.invicti.com
It is a very advanced open-source vulnerability scanner with community-supported scanning templates.
Some features: Custom scanning templates
Official Website: https://nuclei.projectdiscovery.io/
It is the most popular open-source dynamic application security testing tool.
Some features: extensive community support
Official Website: https://www.zaproxy.org/
It is a set of tools for web vulnerability scanning.
Some features: includes many other niche security scanners
License: Commercial (starts from €100/month for 10 targets)
Official Website: https://pentest-tools.com/
It is a DAST scanner designed for security and DevOps teams to work together on reducing security risks on web applications & APIs.
License: Commercial (Free Limited Edition + starts from €49/month per application)
Official Website: https://probely.com/
It is an advanced, fully cloud-based web application security scanner.
Official Website: https://www.qualys.com/apps/web-app-scanning/
It is the DAST tool in the Sentinel security suite (known as WhiteHat).
It is a multi-platform DAST tool in the Syhunt application security suite.
License: Commercial (starting from $4099/year)
Official Website: https://www.syhunt.com/en/index.php?n=Products.SyhuntDynamic
It is the DAST tool in the Synopsys application security testing portfolio for enterprises.
It is a cloud-based vulnerability scanner powered by Nessus technology.
License: Commercial (€4610/year for 5 FQDNs)
Official Website: https://www.tenable.com/products/tenable-io
It is the DAST part of the Veracode application security suite that provides the scale necessary to audit hundreds of target applications simultaneously, including APIs.
Official Website: https://www.veracode.com/products/dynamic-analysis-dast