Fortify WebInspect

Category: DAST
License: Commercial
Suphi Cankurt, AppSec Enthusiast
Updated February 7, 2026

Fortify WebInspect is an enterprise DAST scanner from OpenText that tests running web applications and APIs for security vulnerabilities. It has been through three owners — HP, then Micro Focus, then OpenText — but remains one of the more established enterprise DAST tools on the market.

[Figure: Fortify WebInspect dashboard showing scan progress and vulnerability findings]

The scanner handles modern SPAs (React, Angular, Vue) and includes Kubernetes-based horizontal scaling for organizations with large scan workloads. Pre-configured compliance policies for PCI DSS, NIST, HIPAA, and ISO 27K ship out of the box.

Key features at a glance

| Feature             | Detail                                                        |
|---------------------|---------------------------------------------------------------|
| SPA Support         | React, Angular, AngularJS, Vue, GWT, Dojo, Backbone           |
| Web Technologies    | HTML5, JSON, AJAX, JavaScript                                 |
| FAST Testing        | Functional + security testing combined                        |
| Scaling             | Kubernetes horizontal scaling for parallel JS processing      |
| Compliance Policies | PCI DSS, DISA STIG, NIST 800-53, ISO 27K, OWASP, HIPAA        |
| API Testing         | REST, SOAP endpoints                                          |
| Deployment          | On-premises, SaaS, managed service                            |
| Reporting           | Line-of-code details with stack traces                        |
| Platform            | Part of Fortify suite (SAST + DAST + SCA)                     |
| Ownership           | OpenText (acquired from Micro Focus, 2023)                    |

What is Fortify WebInspect?

WebInspect performs black-box security testing by crawling and attacking running web applications. It simulates real-world external attacks to find SQL injection, XSS, authentication flaws, and other runtime vulnerabilities.

The tool specifically targets modern client-side frameworks. It detects and crawls SPAs built with React, Angular, AngularJS, Vue, GWT, Dojo, and Backbone — parsing the JavaScript to map application states that static crawlers would miss.

Ownership history
WebInspect started as an HP product, moved to Micro Focus when HP split its enterprise software business in 2017, and then to OpenText when it acquired Micro Focus in 2023. Feature development has continued through each transition.
FAST Testing
Functional Application Security Testing runs security checks alongside functional tests. Unlike standalone IAST, FAST continues crawling during functional test execution, which catches vulnerabilities outside the test path.
Kubernetes Scaling
Horizontal scaling via Kubernetes containers enables parallel JavaScript processing. For large scan workloads, the work is split across multiple containers to cut scan duration.
Compliance Policies
Ships with pre-configured policies for PCI DSS, DISA STIG, NIST 800-53, ISO 27K, OWASP Top 10, and HIPAA. Reports map each finding to specific control requirements for auditor review.
Enterprise Deployment
Available on-premises, as SaaS, or as a managed service. On-prem is important for organizations in regulated industries where scan data can’t leave the network.

FAST testing

Functional Application Security Testing is WebInspect’s approach to combining functional tests with security scanning. Most IAST tools depend on functional test coverage to find vulnerabilities — if the test doesn’t hit a code path, the IAST misses bugs there.

FAST works differently. It hooks into functional test execution but also continues crawling the application independently. This means it tests code paths that functional tests don’t cover, which increases vulnerability coverage without requiring more test cases.

SPA and JavaScript handling

WebInspect’s JavaScript engine processes client-side code to discover application states and routes. For React, Angular, and Vue apps, this means it can follow client-side navigation, handle dynamic form rendering, and test AJAX-driven interactions.

Kubernetes containerization splits the JavaScript processing across multiple workers. For large SPAs with hundreds of routes, this parallel processing measurably reduces scan time compared to single-threaded approaches.

Developer remediation
WebInspect provides line-of-code details and return stack trace information for each finding. Developers get specific pointers to the vulnerable code path rather than just a generic vulnerability description.

How to use Fortify WebInspect

1. Choose deployment model — Select on-premises installation, SaaS (Fortify on Demand), or managed service based on your data residency and operational requirements.
2. Configure scan targets — Add web application URLs, set authentication credentials, and define scan scope boundaries.
3. Select compliance policies — Enable the relevant compliance templates (PCI DSS, NIST, HIPAA, etc.) to get mapped findings in scan reports.
4. Run and review — Execute scans manually or via CI/CD integration. Review findings with line-of-code details and stack traces for remediation.
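Step 2 mentions scope boundaries, which are what keep a crawler-driven scanner on the hosts and paths it is authorized to test. The Python below is an added illustration written for this page, not WebInspect's own configuration or code: it models an allow/deny scope (hosts, path prefixes, scheme) and filters links discovered during a crawl, resolving relative links the way a browser would. It also shows why a scope normally excludes paths such as /logout: requesting them mid-scan drops the authenticated session configured in step 2. All host names, paths and links are constructed examples.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urljoin, urlsplit


@dataclass
class ScanScope:
    """Allow/deny boundary for a DAST crawl (constructed model, not WebInspect's)."""
    # Hosts the scanner may contact. A leading "." also matches subdomains.
    hosts: List[str]
    # Path prefixes in scope; an empty list means the whole host is in scope.
    include_paths: List[str] = field(default_factory=list)
    # Path prefixes never to request, even inside an included prefix.
    exclude_paths: List[str] = field(default_factory=list)
    # Only these URL schemes are followed.
    schemes: Tuple[str, ...] = ("https",)

    def host_allowed(self, host: str) -> bool:
        host = host.lower()
        for rule in self.hosts:
            rule = rule.lower()
            if rule.startswith("."):
                # ".api.example.com" matches api.example.com and any subdomain of it,
                # but not a suffix lookalike such as notapi.example.com
                if host == rule[1:] or host.endswith(rule):
                    return True
            elif host == rule:
                return True
        return False

    def in_scope(self, url: str, base: Optional[str] = None) -> bool:
        """True when the crawler may request `url` (resolved against `base` if relative)."""
        if base is not None:
            url = urljoin(base, url)
        parts = urlsplit(url)
        if parts.scheme not in self.schemes:
            return False
        if not parts.hostname or not self.host_allowed(parts.hostname):
            return False
        path = parts.path or "/"
        # Exclusions win over inclusions, so a broad include cannot re-admit /logout.
        if any(path.startswith(p) for p in self.exclude_paths):
            return False
        if not self.include_paths:
            return True
        return any(path.startswith(p) for p in self.include_paths)


def filter_links(scope: ScanScope, base: str, links: List[str]) -> List[str]:
    """Resolve links found on page `base` and keep only the in-scope ones (absolute form)."""
    return [urljoin(base, link) for link in links if scope.in_scope(link, base=base)]


# Constructed scope: the staging app plus its API subdomains, never touching
# session-ending or destructive admin paths.
DEMO_SCOPE = ScanScope(
    hosts=["staging.example.com", ".api.example.com"],
    exclude_paths=["/logout", "/admin"],
)

# Constructed links as a crawler might find them on the staging home page.
DEMO_LINKS = [
    "/account/settings",                       # in scope
    "/logout?next=/",                          # excluded: would end the authenticated session
    "https://cdn.thirdparty.example/app.js",   # out-of-scope host
    "http://staging.example.com/login",        # plain-HTTP variant, wrong scheme
    "https://api.example.com/v1/users",        # matches the ".api.example.com" rule
    "https://notapi.example.com/",             # suffix lookalike, must NOT match
    "/admin/delete-all",                       # excluded prefix
]


def demo() -> List[str]:
    """Run the filter over the constructed links from the staging home page."""
    return filter_links(DEMO_SCOPE, "https://staging.example.com/", DEMO_LINKS)


if __name__ == "__main__":
    for url in demo():
        print("in scope:", url)
```

Ports are deliberately not part of the host rule here; a real scope usually pins the port as well, and a production scanner additionally applies rate limits and request budgets per host, neither of which this model attempts.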

CI/CD integration

# GitHub Actions
name: Fortify WebInspect DAST
# Runs on every push to every branch. DAST scans are slow, so restricting the
# trigger to the main branch or a schedule is common.
on: [push]

jobs:
  webinspect:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run WebInspect Scan
        uses: fortify/github-action@v1
        # Input names follow this page's example; confirm them against the
        # action's current documentation before relying on them.
        with:
          # SSC connection details come from repository secrets; never commit them
          ssc-url: ${{ secrets.SSC_URL }}
          ssc-token: ${{ secrets.SSC_TOKEN }}
          scan-type: 'dast'
          # Scan a staging copy you are authorized to test, not production
          target-url: 'https://staging.example.com'

WebInspect also integrates with Jenkins (via Fortify plugin), Azure DevOps, and Bamboo.
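Step 4 above and the workflow in this section run the scan in CI; what the page does not show is the gating step a pipeline usually adds after it. The following Python script is an added example, not WebInspect or Fortify code: it reads a findings export, applies a severity threshold with time-boxed risk acceptances, and returns a non-zero exit code so the job fails. The findings JSON layout, the policy and the sample findings are all constructed for this illustration; WebInspect's own export format is not described on this page.

```python
"""Build gate for DAST findings in CI (added example, not WebInspect or Fortify code)."""
import json
import sys
from collections import Counter
from datetime import date
from typing import Dict, List, Tuple

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Constructed policy: fail on high or worse, except findings with an
# unexpired risk acceptance (finding id -> ISO expiry date).
DEFAULT_POLICY = {
    "fail_on": "high",
    "accepted": {"F-2": "2026-12-31"},
}

# Constructed findings in the shape this script expects (not a WebInspect export).
SAMPLE_FINDINGS = [
    {"id": "F-1", "name": "SQL Injection", "severity": "critical",
     "url": "https://staging.example.com/search"},
    {"id": "F-2", "name": "Reflected Cross-Site Scripting", "severity": "high",
     "url": "https://staging.example.com/q"},
    {"id": "F-3", "name": "Missing HSTS header", "severity": "medium",
     "url": "https://staging.example.com/"},
    {"id": "F-4", "name": "Verbose server banner", "severity": "low",
     "url": "https://staging.example.com/"},
]


def is_accepted(finding_id: str, accepted: Dict[str, str], today: str) -> bool:
    """An acceptance only counts until its expiry date; expired ones block again."""
    expiry = accepted.get(finding_id)
    if expiry is None:
        return False
    return date.fromisoformat(today) <= date.fromisoformat(expiry)


def evaluate(findings: List[dict], policy: dict, today: str) -> Tuple[bool, List[dict], Dict[str, int]]:
    """Return (passed, blocking findings, counts per severity)."""
    threshold = SEVERITY_RANK[policy["fail_on"].lower()]
    counts: Counter = Counter()
    blocking = []
    for f in findings:
        sev = str(f.get("severity", "")).lower()
        if sev not in SEVERITY_RANK:
            # An unknown severity is a parsing problem; fail closed rather than ignore it.
            raise ValueError(f"unknown severity {sev!r} on finding {f.get('id')}")
        counts[sev] += 1
        if SEVERITY_RANK[sev] >= threshold and not is_accepted(f.get("id", ""), policy["accepted"], today):
            blocking.append(f)
    return (not blocking, blocking, dict(counts))


def main(argv: List[str]) -> int:
    """Usage: gate.py [findings.json]; without an argument the constructed sample is used."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            findings = json.load(fh)
    else:
        findings = SAMPLE_FINDINGS
    passed, blocking, counts = evaluate(findings, DEFAULT_POLICY, date.today().isoformat())
    print("findings by severity:", counts)
    for f in blocking:
        print(f"BLOCKING {f['severity'].upper()}: {f['name']} at {f['url']} ({f['id']})")
    print("gate:", "PASS" if passed else "FAIL")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Acceptances carry an expiry on purpose: a risk accepted in February should not still silence the finding a year later, and the counts per severity give the pipeline log a trend line even on runs that pass.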

Integrations

CI/CD & DevOps
  • GitHub Actions
  • Jenkins
  • Azure DevOps
  • Bamboo
  • Jira

When to use Fortify WebInspect

WebInspect fits enterprises that need DAST with compliance reporting and flexible deployment. The on-premises option is critical for regulated industries — finance, healthcare, government — where scan data must stay on-network.

Good fit when you need:

  • SPA scanning for React, Angular, or Vue applications
  • Pre-configured compliance policies (PCI DSS, NIST, HIPAA, ISO 27K)
  • On-premises deployment for regulated environments
  • Kubernetes scaling for large scan workloads
  • Integration with existing Fortify SAST and SCA tools

The ownership changes (HP → Micro Focus → OpenText) are worth tracking. So far, OpenText has continued investing in the product. Organizations already in the Fortify ecosystem get the most value from WebInspect since it shares the same management console and reporting as Fortify Static Code Analyzer.

Cloud-native teams without compliance requirements may find lighter DAST tools like StackHawk or Bright Security easier to get started with.

Note: Now under OpenText. Ownership: HP → Micro Focus → OpenText.

Frequently Asked Questions

What is Fortify WebInspect?
Fortify WebInspect is an enterprise DAST tool now owned by OpenText. It scans running web applications and APIs for vulnerabilities, with support for modern SPAs built in React, Angular, and Vue, plus Kubernetes-based scaling for large scan workloads.
Is Fortify WebInspect free or commercial?
WebInspect is a commercial enterprise product available through OpenText with on-premises, SaaS, and managed service deployment options. It was previously sold by HP and Micro Focus.
What is FAST testing in WebInspect?
Functional Application Security Testing (FAST) combines functional test coverage with dynamic security scanning. Unlike standalone IAST, FAST continues crawling the application during functional testing to catch vulnerabilities outside the functional test path.
What compliance standards does WebInspect support?
WebInspect ships with pre-configured compliance policies for PCI DSS, DISA STIG, NIST 800-53, ISO 27K, OWASP Top 10, and HIPAA. Reports map findings directly to specific control requirements.
How does WebInspect handle modern SPAs?
WebInspect detects and crawls SPAs built with React, Angular, AngularJS, Vue, GWT, Dojo, and Backbone. Kubernetes containerization enables parallel JavaScript processing to speed up SPA scanning.

Complement with IAST

Pair dynamic testing with runtime instrumentation for broader coverage.
