
Top 10 DAST Tools in 2024: Analysis of 500+ Reviews

Updated on Apr 27
Written by Cem Dilmegani

Cem has been the principal analyst at AIMultiple since 2017. AIMultiple informs hundreds of thousands of businesses (as per similarWeb) including 55% of Fortune 500 every month. Cem's work has been cited by leading global publications including Business Insider, Forbes, Washington Post, global firms like Deloitte, HPE and NGOs like World Economic Forum and supranational organizations like European Commission. You can see more reputable companies and resources that referenced AIMultiple. Throughout his career, Cem served as a tech consultant, tech buyer and tech entrepreneur. He advised enterprises on their technology decisions at McKinsey & Company and Altman Solon for more than a decade. He also published a McKinsey report on digitalization. He led technology strategy and procurement of a telco while reporting to the CEO. He has also led commercial growth of deep tech company Hypatos that reached a 7 digit annual recurring revenue and a 9 digit valuation from 0 within 2 years. Cem's work in Hypatos was covered by leading technology publications like TechCrunch and Business Insider. Cem regularly speaks at international technology conferences. He graduated from Bogazici University as a computer engineer and holds an MBA from Columbia Business School.

Drafted by Altay Ataman

Altay is an industry analyst at AIMultiple. He has a background in international political economy, multilateral organizations, development cooperation, global politics, and data analysis. He has experience working at private and government institutions. Altay discovered his interest in emerging tech after seeing its wide area of use in several sectors and acknowledging its importance for the future. He received his bachelor's degree in Political Science and Public Administration from Bilkent University and his master's degree in International Politics from KU Leuven.

Technically reviewed by Adil Hafa

Dynamic Application Security Testing (DAST) tools safeguard web applications by identifying and mitigating security vulnerabilities in applications during their operational phase. As cyber threats continually evolve, the selection of an appropriate DAST tool is critical for organizations keen on maintaining a robust security posture.

With 20+ DAST tools available in the market, choosing the right tool can be a complex undertaking. This article aims to shed light on contemporary DAST solutions, focusing on their capabilities, efficiency, popularity, and integration within existing security frameworks.

The solutions below include paid and free DAST solutions that can serve businesses. If you are only looking for free solutions, check out free DAST tools.

Top 10 DAST tools compared

Vendors | Best For* | Reviews** | Free Trial*** | Employees | Price
Invicti | Web application scanning | 4.6 based on 72 reviews | | 300 | Not shared publicly
PortSwigger Burp Suite | Pentesting | 4.8 based on 136 reviews | | 190 | From $449 to $49,000 per year (Professional edition, per person, vs. Enterprise edition). Also has a free “community” version.
OWASP ZAP (Zed Attack Proxy) | | 4.7 based on 14 reviews | Open Source | N/A**** | Open Source
Tenable Nessus Professional | Network scanning and security | 4.6 based on 357 reviews | ✅ (7-day) | 2,100 | 3 pricing editions, from $3,590 to $5,290 annually
NowSecure | Mobile app scanning | 4.6 based on 27 reviews | | 900 | Not shared publicly
Indusface WAS | | 4.5 based on 50 reviews | ✅ (14-day) | 150 | Free “basic” plan; Advanced plan at $59 per month; Premium plan at $199 per month
Contrast Assess | | 4.5 based on 49 reviews | | 300 | Not shared publicly
InsightVM Rapid7 | | 4.4 based on 94 reviews | ✅ (30-day) | 2,700 | Asset-based pricing (at least 512 assets)
Checkmarx DAST | | 4.2 based on 33 reviews | | 130 | Not shared publicly
HCL AppScan | | 4.1 based on 49 reviews | ✅ (30-day) | 10,000 | Not shared publicly

* Based on technical reviewer Adil Hafa’s (CISO of Ödeal) experience.

** Reviews are based on Capterra and G2.

*** Free trial period is included if it is publicly shared.

**** Community-driven, non-profit foundation

Sorting: AIMultiple’s sponsors are listed at the top and have links to their websites. Other vendors are ranked according to their average rating.

How to choose the top DAST tools?

In our evaluation of the top DAST tools, we emphasized two key publicly accessible criteria:

  • Employee Count: Recognizing the link between a company’s revenue and its workforce size, our attention was on firms with a workforce exceeding 100.
  • Reviews on B2B Platforms: We favored solutions that had feedback from at least 10 users on B2B review platforms like G2 and Capterra, as this reflects market presence based on actual user experiences.

Differentiating features of selected tools

Vendor | Integration with SIEM Tools | Built-in Ticketing Tool | Deployment options | XSS Detection | SQL injection detection | OAuth 2.0 Integration
Invicti | Splunk | | On-Prem, Cloud, Hybrid | | |
PortSwigger Burp Suite | | | On-Prem, Cloud, Hybrid | | |
OWASP ZAP | | | On-Prem | | |
Tenable Nessus Professional | Splunk, IBM QRadar, McAfee ESM | | On-Prem, Cloud, Hybrid | | |
NowSecure | | | On-Prem, Cloud | | |
Indusface WAS | Sumo Logic, RSA, Splunk, McAfee | | Cloud | | |
Contrast Assess | Azure Sentinel, Datadog, Splunk, Sumo Logic | | On-Prem, Cloud, Hybrid | | |
InsightVM Rapid7 | Splunk | | On-Prem, Cloud, Hybrid | | |
Checkmarx DAST | Splunk | ❌ (Integrations available) | On-Prem, Cloud, Hybrid | | |
HCL AppScan | IBM Security QRadar | | On-Prem, Cloud, Hybrid | | |

To understand why these differentiating features are important, check the definitions and significance of each feature.

Top DAST tools analyzed

Invicti

Invicti’s Dynamic Application Security Testing (DAST) tool is designed for enterprise-level web application security. It focuses on automating security tasks within the Software Development Life Cycle (SDLC), offering capabilities like identifying critical vulnerabilities and integrating them for remediation. 

The tool aims to provide a comprehensive view of application security, leveraging a dynamic and interactive scanning approach (DAST + IAST) to find vulnerabilities other tools might miss. Invicti emphasizes scalability, allowing teams to manage risks effectively, even in complex infrastructures, and integrates into existing systems and workflows to enhance productivity and security.

Invicti’s DAST solution can be deployed on-prem, in a public or private cloud, or in a hybrid setup. Additionally, Invicti provides Web Application Firewall and OAuth 2.0 integration. It is best known for web application security scanning.

Reviews

  • Capterra: 4.7 based on 18 reviews [1]
  • G2: 4.5 based on 54 reviews [2]

Pros

  • Users argue that some of the most promising features of Invicti are its ability to confirm access vulnerabilities and SQL injection vulnerabilities, and its connectors to other security tools. [3]
  • Users argue that Invicti’s baseline scanning and incremental scan are valuable features. [4]
  • Users state that Invicti’s proof-based scanning is impressive and helps them reduce their time and focus on finding vulnerabilities. [5]

Cons

  • Some users have cited that the solution’s false positive analysis and vulnerability analysis libraries could be improved. [6]
  • Some users expressed recommendations about raising the specificity of the reports generated by the tool. [7]
  • Some users argue that the licensing model could be improved to be more cost-effective. [8]

PortSwigger Burp Suite

PortSwigger’s Burp Suite is a tool designed for web security testing, with a focus on both automated and manual Dynamic Application Security Testing (DAST). Burp Suite offers a blend of automated and manual testing methods. Additionally, Burp Suite incorporates other methods like OAST to enhance its DAST capabilities. Burp Suite is available in different editions, including the Professional, Enterprise, and Community editions, each tailored to specific needs and scales of operation.

PortSwigger is known for its suitability for professionals who seek to enhance their penetration testing. The UI may be complex for users who lack technical expertise. Burp Suite Professional is best known for its pen-testing.

Reviews

  • Capterra: 4.8 based on 24 reviews [9]
  • G2: 4.8 based on 112 reviews [10]

Pros

  • The solution is noted for its straightforward and simple setup process, as mentioned by multiple reviewers. [11]
  • The tool is noted for its accuracy in comparison to other solutions, reporting fewer false positives. [12]
  • The automated scan feature is particularly useful for customers needing basic security assurance. [13]

Cons

  • Some users noted stability issues, particularly in terms of high memory usage during scanning. [14]
  • Some users feel that it could offer better integration with tools like Jenkins for automating dynamic application security testing (DAST). [15]
  • There are concerns about the quality of reporting, with some finding it not very informative. [16]

OWASP ZAP

OWASP ZAP (Zed Attack Proxy) is an open-source DAST tool designed to identify security vulnerabilities in web applications. It acts as a man-in-the-middle proxy, which allows it to intercept and inspect messages sent between a browser and a web server to find security holes in real time, making it a popular choice for developers and testers to secure their web applications.

Reviews

  • Capterra: 5.0 based on 3 reviews [17]
  • G2: 4.7 based on 11 reviews [18]

Pros

  • Users argue that the tool is easy to use, especially for an open-source tool. [19]
  • Users argue that OWASP ZAP is highly customizable, and integrations are easy. [20]

Cons

  • Some users argue that it takes a considerable amount of time when analyzing big applications. [21]
  • Users argue that OWASP ZAP lacks certain features and that its automation capabilities are not always up to par with other web scanning applications. [22]

Tenable Nessus Professional

Tenable Nessus Professional is a security tool tailored for scanning vulnerabilities, detecting misconfigurations, and identifying possible security threats across network systems. It conducts thorough vulnerability assessments through both evaluative and agentless scans. For Nessus Professional, multi-year subscriptions are available, encompassing enhanced support services such as telephone, community forums, and live chat assistance. It is best known for its network scanning and security.

Reviews

  • Capterra: 4.7 based on 84 reviews [23]
  • G2: 4.5 based on 273 reviews [24]

Pros

  • Users report that the tool features a user-friendly graphical interface and boasts superior detection capabilities. [25]
  • Users acknowledge that Nessus provides satisfactory customer support and highlight its dual implementation approach, which includes both agent-based and credentials-based solutions. [26]
  • Users note that the tool’s plugins receive frequent updates to incorporate the most recent vulnerabilities, along with recommendations for remediation. [27]

Cons

  • Some users have mentioned experiencing variability in both the duration of scans and the consistency of results with the tool. [28]
  • Some users have reported that retrieving reports over an extended timeframe can be time-consuming, indicating that both the scanning and reporting processes require a significant amount of time. [29]

NowSecure

NowSecure DAST is a tool designed for the testing of mobile applications. It integrates various testing methods, including static, dynamic, and interactive analyses, to provide a view of the security posture of mobile applications. NowSecure does not provide web application testing; it is a tool focused only on mobile application testing.

Reviews

  • Capterra: N/A
  • G2: 4.6 based on 27 reviews [30]

Pros

  • Users cite that the platform is easy to integrate and has an intuitive interface. [31]
  • Some users argue that the reporting capabilities of the tool are impressive. [32]

Cons

  • Some users cite that testing can be complex and require manual intervention. Additionally, the cost of the service can be a challenge for smaller companies. [33]
  • Some users argue that customization options are not widely available. [34]

Indusface WAS

The Indusface DAST tool is part of the Indusface Web Application Scanning (WAS) suite, designed to identify web application security vulnerabilities during runtime by simulating external attacks. This suite is an all-in-one solution for application security testing and vulnerability scanning, including cloud-based Web Application Firewall (WAF) features. Indusface WAS cannot be deployed on-prem, which could be seen as a negative if users wish to avoid using cloud services.

Reviews

  • Capterra: N/A
  • G2: 4.5 based on 50 reviews [35]

Pros

  • Users cite that the tool is capable of running complex workloads. [36]
  • Users state that the tool has quick support and timely responsiveness, also stating that the team is knowledgeable and efficient. [37]

Cons

  • Some users argue that the session time-out after inactivity in the portal could be longer. [38]
  • Some users argue that the portal’s user interface could be made more intuitive and informative for the user, citing concerns that the design looks dated. [39]

Contrast Assess

Contrast Security’s tool, known as Contrast Assess, is an application security testing tool primarily using the Interactive Application Security Testing (IAST) approach. Contrast Assess employs an agent that instruments applications with sensors. These sensors analyze data flow in real-time and assess the application from within, providing insights into vulnerabilities in libraries, frameworks, custom code, configuration information, runtime control, data flow, HTTP requests and responses, and back-end connections.

Reviews

  • Capterra: N/A
  • G2: 4.5 based on 49 reviews [40]

Pros

  • Users state that Contrast Assess is a stable solution. [41]
  • Users state that the solution is accurate in identifying vulnerabilities. Multiple users also noted that the real-time code evaluation feature is helpful. [42]

Cons

  • Users have argued that the solution should provide more details in the section showing that third-party libraries have CVEs or other vulnerabilities. [43]
  • Some users cite their concern about the scalability of the solution. [44]

InsightVM Rapid7

InsightVM from Rapid7 is designed as a vulnerability management solution to detect potential threats in IT environments. Utilizing Rapid7’s extensive vulnerability research, insights into global attacker activities, and comprehensive internet scanning data, it also includes integration with Rapid7’s Metasploit for confirming exploits. This platform provides capabilities like real-time monitoring and evaluations of cloud, virtual, and container assets, which makes it adaptable for varied and evolving IT settings.

Reviews

  • Capterra: 4.4 based on 17 reviews [45]
  • G2: 4.4 based on 77 reviews [46]

Pros

  • Users find the agent-based platform of the tool beneficial as it allows them to concentrate on making enhancements while managing underlying dependencies with ease. [47]
  • Users argue that the tool clearly highlights vulnerabilities and prioritizes remediation efforts, making it extremely useful for managing vulnerabilities and patches. [48]
  • Users suggest that the tool’s approach, which uses real risk scores, along with features like agent and engine support, SCCM-assisted patching, hardening checks, remediation projects, and SLAs, is highly effective. [49]

Cons

  • Some users mention that the tool occasionally consumes a lot of memory. [50]
  • Some users criticize the tool for having an immature and inconsistent graphical user interface (GUI), and they also find the query builder to be limited. [51]
  • Users point out that bugs in complex vulnerability checks sometimes take a long time to resolve. They also mention that setting up reports to be concise can be challenging. [52]

Checkmarx DAST

Checkmarx DAST is a tool designed for identifying vulnerabilities and security flaws in web applications and APIs. It simulates real-world attacks to find vulnerabilities during runtime, integrating with CI/CD processes for continuous testing.

Checkmarx DAST detects server and database misconfigurations as well as authentication and encryption issues. It offers real-time analysis, accuracy in identifying legitimate vulnerabilities, comprehensive coverage across web applications and API frameworks, easy integration with existing workflows, and detailed reporting and analytics.

Reviews

  • Capterra: N/A
  • G2: 4.2 based on 33 reviews [53]

Pros

  • Users argue that Checkmarx finds noticeably more vulnerabilities than free tools. [54]
  • Some users argue that the centralized reporting functionality is a great feature and aids them in tracking issues. [55]

Cons

  • Some users have reported that Checkmarx is slightly difficult to integrate with the CI/CD pipeline. [56]
  • Some users have reported that the interactive application security testing (IAST) part needs improvement. [57]

HCL AppScan

HCL AppScan offers a range of security testing tools designed to protect businesses and their customers from cyber-attacks. The AppScan suite includes several products (AppScan on Cloud, AppScan 360, AppScan Standard, AppScan Source, and AppScan Enterprise).

Key features of HCL AppScan include its dynamic analysis (DAST), static analysis (SAST), and interactive application security testing (IAST). Other notable features include integration capabilities with various development and deployment environments, regulatory compliance reporting, and customization through the AppScan Extension Framework.

Reviews

  • Capterra: N/A
  • G2: 4.1 based on 59 reviews [58]

Pros

  • Users argued that HCL AppScan has a quick feature request response, ease of use for developers, and effective vulnerability detection with severity grading. [59]

Cons

  • Users argued that HCL AppScan’s dashboard needs improvement, that it has limited integration with certain container technologies, and that it presents challenges in CI/CD integration and scalability issues due to licensing restrictions. [60]

Why are the differentiating features important?

Integration with SIEM Tools

SIEM (Security Information and Event Management) systems analyze real-time security alerts from network devices and applications. Integrations with them are valuable for DAST tools as they provide a centralized view for monitoring and responding to security threats detected during dynamic scans.

Ticketing Tool

In the context of DAST tools, a ticketing tool is an integrated or connected system that helps manage and track issues found during security tests. For example, when a DAST tool identifies a vulnerability, such as SQL injection or cross-site scripting (XSS), it can automatically create tickets for these issues within the ticketing tool. This helps organizations track the status of each vulnerability from discovery to resolution.

Deployment

On-Prem Deployment

On-prem DAST tools are installed and managed within an organization’s own infrastructure. This model provides the highest level of control over the security and maintenance of the tools and the data they process. It’s particularly beneficial for industries with stringent compliance requirements, such as financial services, healthcare, and government sectors. These organizations often require full oversight of their security tools due to the sensitive nature of their data.

While this deployment model can lead to higher upfront costs due to the necessary investment in hardware and personnel, it offers reduced latency and potentially higher performance, essential for organizations with large, complex applications.

Cloud-Based Deployment

Cloud-based DAST solutions are hosted on the provider’s servers and accessed over the internet. This model offers scalability, allowing organizations to easily increase or decrease their testing capacity based on current needs without the need for physical infrastructure changes.

It is cost-effective as it typically operates on a subscription basis, eliminating large upfront investments and ongoing hardware maintenance costs. Cloud deployment also enhances accessibility, enabling security teams to conduct tests from anywhere, which is an advantage for companies with remote teams or multiple locations. However, it involves trusting a third-party provider with sensitive data, which may not be suitable for all types of businesses.

Hybrid Deployment

Hybrid deployment models combine on-prem and cloud-based components. Hybrid models provide flexibility in data handling and tool deployment, enabling sensitive data to be processed on-premises while less critical operations can be managed in the cloud. This approach helps balance the need for control and customization with the benefits of scalability and cost reduction.

XSS Detection

Cross-site scripting (XSS) detection is a crucial feature for DAST tools due to the prevalence and impact of XSS vulnerabilities in web applications. XSS vulnerabilities exploit how browsers parse HTML and JavaScript, enabling attackers to inject malicious scripts into web pages viewed by other users. This can lead to various security breaches, including data theft, session hijacking, and malicious redirection, thereby compromising user trust and data integrity.

The complexity and variability of XSS attacks necessitate sophisticated detection mechanisms. DAST tools address this need by actively testing web applications from an outside perspective, mimicking the actions of a potential attacker. By simulating attempts to exploit XSS and other vulnerabilities, DAST tools help organizations identify and mitigate security risks promptly, maintaining the security and integrity of their web applications. This capability is integral to ensuring the comprehensive security coverage needed in today’s cybersecurity landscape.

SQL injection detection

SQL Injection detection is a critical capability for Dynamic Application Security Testing (DAST) tools due to the severe impact SQL Injection attacks can have on an organization. These attacks allow an attacker to interfere with the queries that an application makes to its database, potentially enabling unauthorized viewing of user lists, deletion of entire tables, and, in some cases, gaining administrative rights to a database system.

Given the ubiquity of SQL databases in web applications and the potential for significant data breaches or loss, the ability to detect SQL Injection vulnerabilities early in the software development lifecycle is imperative. By simulating attack patterns used in SQL Injection, DAST tools can identify vulnerable spots in applications where unsanitized user input might be incorrectly executed as SQL commands, thereby helping to prevent potential exploits.

OAuth 2.0 integration

OAuth 2.0 integration in DAST tools is pivotal for assessing the security of modern web applications that utilize this standard for delegated authorization. By simulating authenticated sessions and testing the application’s OAuth 2.0 implementation, DAST tools can uncover vulnerabilities in authorization flows, token handling, and other critical areas that could lead to unauthorized data access or breaches.

This integration ensures that DAST tools can effectively evaluate the security of applications in real-world scenarios, where OAuth 2.0 plays a fundamental role in user authentication and access control, thereby maintaining the integrity and confidentiality of sensitive information in an increasingly interconnected digital landscape.

Core features of DAST tools

Vulnerability Scanning

DAST tools automatically scan web applications for a wide range of known vulnerabilities such as SQL Injection, Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF). They use automated techniques to send various inputs to the application and observe the responses to detect potential vulnerabilities.
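To make the black-box idea concrete, here is an added illustration (not code from the article or from any vendor above): two constructed toy endpoints, one that echoes a request parameter unencoded and one that output-encodes it, probed by a scanner that sees only the response bodies. The naive check also fires on the hardened endpoint, which is the kind of false positive the FAQ at the end of this article warns about; the context-aware check only reports when HTML metacharacters come back unencoded.

```python
import html
import secrets
from typing import Callable
from urllib.parse import parse_qs, urlencode

# The scanner's only interface to the target: a query string in, an HTML body out.
# In a real DAST tool this would be an HTTP request/response pair over the network.
SendFn = Callable[[str], str]


def vulnerable_search(query_string: str) -> str:
    """Constructed stand-in app: echoes the 'q' parameter straight into HTML."""
    q = parse_qs(query_string).get("q", [""])[0]
    return f"<html><body><p>Results for: {q}</p></body></html>"


def hardened_search(query_string: str) -> str:
    """Constructed stand-in app: same page, but output-encodes 'q' first."""
    q = parse_qs(query_string).get("q", [""])[0]
    return f"<html><body><p>Results for: {html.escape(q)}</p></body></html>"


def make_canary() -> str:
    """Unique marker wrapped in angle brackets. It is not a script; it only
    reveals whether HTML metacharacters survive the round trip unencoded."""
    return f"<dastprobe-{secrets.token_hex(4)}>"


def naive_reflection_check(send: SendFn, param: str, canary: str) -> bool:
    """Flags any response that mentions the probe text at all.
    Over-reports: an escaped echo still 'contains' the bare token."""
    body = send(urlencode({param: canary}))
    return canary.strip("<>") in body


def context_aware_check(send: SendFn, param: str, canary: str) -> bool:
    """Flags only when the angle brackets come back unencoded, i.e. the
    input reached an HTML context without output encoding."""
    body = send(urlencode({param: canary}))
    return canary in body and html.escape(canary) not in body


def scan(send: SendFn, param: str = "q") -> dict:
    """Probe one black-box endpoint with both checks and report the verdicts."""
    canary = make_canary()
    return {
        "naive_flagged": naive_reflection_check(send, param, canary),
        "confirmed_reflection": context_aware_check(send, param, canary),
    }


if __name__ == "__main__":
    for name, app in (("vulnerable", vulnerable_search), ("hardened", hardened_search)):
        print(name, scan(app))
```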

Dynamic Crawling

DAST tools can dynamically crawl through the application, automatically discovering content and functionality. This includes navigating through forms, links, and other interactive elements to map out the application’s structure and identify potential attack surfaces.

API Coverage

API coverage in DAST tools is vital because APIs are often the backbone of modern web applications, serving as gateways to functionalities and data. As such, they are a prime target for security breaches. Comprehensive API coverage in DAST ensures that potential vulnerabilities are identified and remediated before they can be exploited, enhancing the application’s overall security posture.

Security Reporting

After scanning, DAST tools generate detailed reports highlighting the vulnerabilities discovered, including their severity and potential impact, and often provide guidance on how to remediate the issues. This is crucial for developers and security teams to prioritize and address security weaknesses.

Authentication Handling

Many DAST tools can handle authenticated sessions, allowing them to effectively test parts of the application that are only accessible after logging in. This feature is critical for thoroughly testing applications with user-specific functionality or restricted areas.

What is a DAST Tool?

DAST tools are application security solutions that detect vulnerabilities in web applications while the applications are running in a live environment. They simulate attacks from a malicious user’s perspective to identify potential security issues. They can also be considered a subset of vulnerability scanning tools.

How Do DAST Tools Work?

DAST tools typically interact with an application through its front end, testing for vulnerabilities like SQL injection, cross-site scripting (XSS), and other standard security threats. They do not require access to the source code.

Who Should Use DAST Tools?

DAST tools are essential for security teams, developers, and IT professionals involved in maintaining the security of web applications. They are particularly useful for organizations with dynamic, frequently updated web applications.

What are the Benefits of Using DAST Tools?

The main benefits include the ability to identify real-world attack vectors, ease of use without needing access to source code, and the capacity to test applications in their final running state.

Can DAST Tools Replace Other Security Testing Methods?

No, DAST complements other testing methods like static application security testing (SAST) and interactive application security testing (IAST). A comprehensive security strategy often includes a mix of different testing approaches.

Are There Limitations to DAST Tools?

Yes, DAST tools can miss vulnerabilities that are not exposed through the web interface, and they might generate false positives. They also can’t typically assess the source code for underlying issues.

How Often Should DAST Tools be Used?

It’s recommended to use DAST tools regularly, especially after significant changes to the application or its environment. Continuous integration environments may benefit from more frequent testing.

Can DAST Tools Test Mobile Applications?

Some DAST tools are capable of testing mobile applications, but their effectiveness can vary depending on the tool and the specific application architecture.

Are DAST Tools Suitable for All Web Applications?

DAST tools are versatile, but their effectiveness can vary depending on the complexity and technology of the web application. They are generally more effective for traditional web applications than for single-page applications or services using extensive client-side scripting.
