If you want to see the best DAST tools in one place, then you’ll LOVE this (updated) guide. I’ve reviewed 23 free and paid tools.
I’ve been working in the DAST industry for almost 5 years and have kept in touch with all the vendors for the last 2 years.
A lot has happened during that time: mergers (Acunetix + Netsparker), acquisitions (IBM AppScan -> HCL AppScan), and a market shift from developing single-instance tools for pentesters to integration into CI/CD and DevSecOps practices.
I wanted to create a list of all these popular DAST tools to make it easy for teams to choose the right DAST tool for their business.
I have used most of these tools myself and have experience with them, but I also want to hear your thoughts, so please feel free to share your ideas in the comment section below.
Also, you can join the CandyShop project to see the security testing performance of the most popular DAST tools.
It is a straightforward vulnerability scanner with an easy-to-use interface.
Some features: Business Logic Recorder, Multi-platform (Linux, Mac, Windows, SaaS)
License: Commercial
Official Website: https://www.acunetix.com
It started as an internal penetration testing tool at SEC-1 (now part of Claranet Group) and now also offers tailor-made solutions.
It is an automated scanner and pentest platform for SMBs.
Some features: Managed pentest service, resolution center for collaboration, Risk Score
License: Commercial
Official Website: https://www.getastra.com
It is easy to use for non-technical (cybersecurity) users.
Some features: WordPress plugin
License: Commercial (starting from $49/month)
Official Website: https://beaglesecurity.com
Bright is a DAST tool designed for developers. It detects security issues in running web applications and APIs.
Some features: Docker client, working with HTTP Archive File (HAR file)
License: Commercial (Free Limited Edition + starting from $79/month)
Official Website: https://brightsec.com
It is a must-have tool for manual penetration testing.
Some features: BApp Store (extension directory)
License: Commercial (Free Community Edition + €349/month)
Official Website: https://portswigger.net/burp
It is an effective DAST tool with a Crowdsource-supported vulnerability database.
Some features: Attack Surface Management
License: Commercial (starting from €70/month)
Official Website: https://detectify.com
It is a mobile application security testing tool (MAST). It executes your applications on real mobile devices and launches attacks to detect failures in self-protection on .apk or .ipa files.
Some features: real device farm, Test Sequence recording, No False Positive
License: Commercial (starting around $10k/year per app)
Official Website: https://eshard.com/eschecker
WebInspect is an Enterprise-level DAST tool capable of scaling to hundreds of applications.
Some features: support for Two Factor Authentication, API testing, CI/CD integrations
License: Commercial
Official Website: https://www.microfocus.com/en-us/cyberres/application-security/webinspect
It is an enterprise-level DAST tool in HCL AppScan security suite.
License: Commercial
Official Website: https://www.hcltechsw.com/appscan
It is a powerful vulnerability scanner for cybersecurity engineers from Rapid7.
Some features: Universal Translator, Attack Replay
License: Commercial (starting from $166/month per app)
Official Website: https://www.rapid7.com/products/insightappsec/
It is an easy DAST tool to get started with, and it also offers a monthly subscription.
Some features: Penetration testing service offerings
License: Commercial (starting from €94/month per app)
Official Website: https://www.intruder.io
It is an enterprise-level DAST tool to integrate into SDLC and is highly useful if you need to manage hundreds or thousands of applications.
Some features: Advanced integrations, Proof-based scanning, IAST + SCA capabilities
License: Commercial
Official Website: https://www.invicti.com
It is a very advanced open-source vulnerability scanner with community-supported scanning templates.
Some features: Custom scanning templates
License: Free
Official Website: https://nuclei.projectdiscovery.io/
It is the most popular open-source dynamic application security testing tool.
It is a set of tools for web vulnerability scanning.
Some features: includes many other niche security scanners
License: Commercial (starts from €100/month for 10 targets)
Official Website: https://pentest-tools.com/
It is a DAST scanner designed for security and DevOps teams to work together on reducing security risks on web applications & APIs.
License: Commercial (Free Limited Edition + starts from €49/month per application)
Official Website: https://probely.com/
It is an advanced, fully cloud-based web application security scanner.
It is the DAST tool in the Sentinel security suite (known as WhiteHat).
License: Commercial
Official Website: https://www.whitehatsec.com/platform/dynamic-application-security-testing/
It is a multi-platform DAST tool in the Syhunt application security suite.
Some features:
License: Commercial (starting from $4099/year)
Official Website: https://www.syhunt.com/en/index.php?n=Products.SyhuntDynamic
It is the DAST tool in the Synopsys application security testing portfolio for enterprises.
Some features:
License: Commercial
Official Website: https://www.synopsys.com/software-integrity/security-testing/web-scanner.html
It is a cloud-based vulnerability scanner powered by Nessus technology.
Some features:
License: Commercial (€4610/year for 5 FQDN)
Official Website: https://www.tenable.com/products/tenable-io
It is the DAST part of the Veracode application security suite that provides the scale necessary to audit hundreds of target applications simultaneously, including APIs.
Some features:
License: Commercial
Official Website: https://www.veracode.com/products/dynamic-analysis-dast
appsecsanta.com is part of CNT Friends Oy registered in Finland. Company No: 2993839-3 | © 2019-2022. All rights reserved.