
Top 7 DAST Tools in 2024: Analysis of 400+ Reviews

Dynamic Application Security Testing (DAST) tools safeguard web applications by identifying and mitigating security vulnerabilities in applications during their operational phase. As cyber threats continually evolve, the selection of an appropriate DAST tool is critical for organizations keen on maintaining a robust security posture.

With 20+ DAST tools available in the market, choosing the right tool can be a complex undertaking. This article aims to shed light on contemporary DAST solutions, focusing on their capabilities, efficiency, popularity, and integration within existing security frameworks. 

Top 7 DAST tools compared

Vendors                | Reviews*                 | Free Trial** | Employee Size*** | Price
-----------------------|--------------------------|--------------|------------------|------
Invicti                | 4.6 based on 72 reviews  |              | 300              | Not shared publicly
PortSwigger Burp Suite | 4.8 based on 136 reviews |              | 190              | From $449 to $49,000 per year (Professional edition, per person, vs Enterprise edition). Also has a free “community” version.
NowSecure              | 4.6 based on 27 reviews  |              | 900              | Not shared publicly
Indusface WAS          | 4.5 based on 50 reviews  | ✅ (14-day)   | 150              | Has a free “basic” plan; Advanced plan at $59 per month; Premium plan at $199 per month.
Contrast Assess        | 4.5 based on 49 reviews  |              | 300              | Not shared publicly
Checkmarx DAST         | 4.2 based on 33 reviews  |              | 130              | Not shared publicly
HCL AppScan            | 4.1 based on 49 reviews  | ✅ (30-day)   | 10k              | Not shared publicly

* Reviews are based on Capterra and G2. Vendors are ranked according to their reviews, except for vendors with links who are sponsors of AIMultiple, which is why they are ranked first.

** Free trial period is included if it is publicly shared.

*** Workforce size is taken from the companies’ LinkedIn pages.

How to choose the top DAST tools?

In our evaluation of the top 7 DAST tools, we emphasized two key publicly accessible criteria:

  • Employee Count: Because a company’s workforce size correlates with its revenue, we focused on firms with more than 100 employees.
  • Reviews on B2B Platforms: We favored solutions that had feedback from at least 20 users on B2B review platforms like G2 and Capterra, as this reflects market presence based on actual user experiences.

Top DAST tools analyzed

Invicti

Invicti’s Dynamic Application Security Testing (DAST) tool is designed for enterprise-level web application security. It focuses on automating security tasks within the Software Development Life Cycle (SDLC), offering capabilities like identifying critical vulnerabilities and feeding them into remediation workflows.

The tool aims to provide a comprehensive view of application security, combining dynamic and interactive scanning (DAST + IAST) to find vulnerabilities other tools might miss. Invicti emphasizes scalability, allowing teams to manage risks effectively even in complex infrastructures, and integrates into existing systems and workflows to enhance productivity and security. Invicti’s DAST solution can be deployed on-premises, in a public or private cloud, or in a hybrid configuration.

Reviews

  • Capterra: 4.7 based on 18 reviews [1]
  • G2: 4.5 based on 54 reviews [2]

Pros

  • Users argue that some of the most promising features of Invicti are its ability to confirm access vulnerabilities, SSL injection vulnerabilities, and its connectors to other security tools. [3]
  • Users argue that Invicti’s baseline scanning and incremental scan are valuable features. [4]
  • Users state that Invicti’s proof-based scanning is impressive: it saves them time and lets them focus on finding vulnerabilities. [5]

Cons

  • Some users have cited that the solution’s false positive analysis and vulnerability analysis libraries could be improved. [6]
  • Some users expressed recommendations about raising the specificity of the reports generated by the tool. [7]
  • Some users argue that the licensing model could be improved to be more cost-effective. [8]

PortSwigger Burp Suite

PortSwigger’s Burp Suite is a tool designed for web security testing, blending automated and manual Dynamic Application Security Testing (DAST). Additionally, Burp Suite incorporates other methods like out-of-band application security testing (OAST) to enhance its DAST capabilities. Burp Suite is available in different editions, including the Professional, Enterprise, and Community editions, each tailored to specific needs and scales of operation.

Reviews

  • Capterra: 4.8 based on 24 reviews [9]
  • G2: 4.8 based on 112 reviews [10]

Pros

  • The solution is noted for its straightforward and simple setup process, as mentioned by multiple reviewers. [11]
  • The tool is noted for its accuracy in comparison to other solutions, reporting fewer false positives. [12]
  • The automated scan feature is particularly useful for customers needing basic security assurance. [13]

Cons

  • Some users noted stability issues, particularly in terms of high memory usage during scanning. [14]
  • Some users feel that it could offer better integration with tools like Jenkins for automating dynamic application security testing (DAST). [15]
  • There are concerns about the quality of reporting, with some finding it not very informative. [16]

NowSecure

NowSecure DAST is a tool designed for the testing of mobile applications. It integrates various testing methods, including static, dynamic, and interactive analyses, to provide a holistic view of the security posture of mobile applications. The platform is engineered to meet the unique requirements of modern mobile SDLC, offering security and privacy testing solutions.

Reviews

  • Capterra: N/A
  • G2: 4.6 based on 27 reviews [17]

Pros

  • Users cite that the platform is easy to integrate and has an intuitive interface. [18]
  • Some users argue that the reporting capabilities of the tool are impressive. [19]

Cons

  • Some users cite that testing can be complex and require manual intervention. Additionally, the cost of the service can be a challenge for smaller companies. [20]
  • Some users argue that customization options are not widely available. [21]

Indusface WAS 

The Indusface DAST tool is part of the Indusface Web Application Scanning (WAS) suite, designed to identify web application security vulnerabilities during runtime by simulating external attacks. This suite is an all-in-one solution for application security testing and vulnerability scanning, including cloud-based Web Application Firewall (WAF) features.

The tool aims to discover public-facing web assets like domains, subdomains, IPs, mobile apps, data centers, and site types, providing a comprehensive view of the organization’s digital assets. Indusface WAS also includes the ability to immediately identify malware infections or application defacements.

Reviews

  • Capterra: N/A
  • G2: 4.5 based on 50 reviews [22]

Pros

  • Users cite that the tool is capable of running complex workloads. [23]
  • Users state that the tool has quick support and timely responsiveness, and that the team is knowledgeable and efficient. [24]

Cons

  • Some users argue that the portal’s inactivity time-out could be longer. [25]
  • Some users argue that the portal’s user interface could be made more intuitive and informative, citing concerns that the design looks dated. [26]

Contrast Assess

Contrast Security’s tool, known as Contrast Assess, is an application security testing tool primarily using the Interactive Application Security Testing (IAST) approach. Contrast Assess employs an agent that instruments applications with sensors. These sensors analyze data flow in real-time and assess the application from within, providing insights into vulnerabilities in libraries, frameworks, custom code, configuration information, runtime control, data flow, HTTP requests and responses, and back-end connections.

Reviews

  • Capterra: N/A
  • G2: 4.5 based on 49 reviews [27]

Pros

  • Users state that Contrast Assess is a stable solution. [28]
  • Users state that the solution is accurate in identifying vulnerabilities. Multiple users also noted that the real-time code evaluation feature is helpful. [29]

Cons

  • Users have argued that the solution should provide more detail in the section that lists third-party libraries with CVEs or other vulnerabilities. [30]
  • Some users cite their concern about the scalability of the solution. [31]

Checkmarx DAST

Checkmarx DAST is a tool designed for identifying vulnerabilities and security flaws in web applications and APIs. It simulates real-world attacks to find vulnerabilities during runtime, integrating with CI/CD processes for continuous testing. 

Checkmarx DAST effectively detects server/database misconfigurations, authentication, and encryption issues. It offers real-time analysis, accuracy in identifying legitimate vulnerabilities, comprehensive coverage across web applications and API frameworks, easy integration with existing workflows, and detailed reporting and analytics. 

Reviews

  • Capterra: N/A 
  • G2: 4.2 based on 33 reviews [32]

Pros

  • Users argue that Checkmarx finds noticeably more vulnerabilities than free tools. [33]
  • Some users argue that the centralized reporting functionality is a great feature and aids them with tracking issues. [34]

Cons

  • Some users have reported that Checkmarx can be slightly difficult to integrate into the CI/CD pipeline. [35]
  • Some users have reported that the interactive application security testing (IAST) part needs improvement. [36]

HCL AppScan

HCL AppScan offers a range of security testing tools designed to protect businesses and their customers from cyber-attacks. The AppScan suite includes several products (AppScan on Cloud, AppScan 360, AppScan Standard, AppScan Source, and AppScan Enterprise).  

Key features of HCL AppScan include its dynamic analysis (DAST), static analysis (SAST), and interactive application security testing (IAST). Other notable features include integration capabilities with various development and deployment environments, regulatory compliance reporting, and customization through the AppScan Extension Framework. 

Reviews

  • Capterra: N/A
  • G2: 4.1 based on 59 reviews [37]

Pros

  • Users argued that HCL AppScan has a quick feature request response, ease of use for developers, and effective vulnerability detection with severity grading. [38]

Cons

  • Users argued that HCL AppScan’s dashboard needs improvement, that it has limited integration with certain container technologies, and that it presents challenges in CI/CD integration and scalability issues due to licensing restrictions. [39]

What is a DAST Tool?

DAST tools are security solutions that detect vulnerabilities in web applications while running in a live environment. They simulate attacks from a malicious user’s perspective to identify potential security issues.

How Do DAST Tools Work?

DAST tools typically interact with an application through its front end, testing for vulnerabilities like SQL injection, cross-site scripting (XSS), and other standard security threats. They do not require access to the source code.
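To make the black-box principle concrete, here is a toy probe that works the way the description above says DAST tools do: it sends a request to an application's front end, inspects the response, and never reads the source. It also shows why a well-built scanner reports the escaped case as "no finding" rather than a false positive. This is an added example, not code from the article or from any vendor's product; the two handlers, the marker string and the function names are constructed for the demonstration.

```python
"""Toy black-box reflection probe in the spirit of a DAST scanner.

Added example, not from the article or any vendor. The two request handlers
stand in for a running web application; the probe only ever sees the
query string it sends and the HTML body that comes back.
"""
from html import escape
from urllib.parse import parse_qs, urlencode

# Constructed, inert marker: HTML metacharacters only, no script. If it comes
# back byte-for-byte, the page reflects user input without escaping it.
MARKER = "dastprobe<>\"'"


def vulnerable_handler(query_string: str) -> str:
    """Constructed app that reflects the 'q' parameter into HTML unescaped."""
    q = parse_qs(query_string).get("q", [""])[0]
    return f"<html><body>Results for: {q}</body></html>"


def hardened_handler(query_string: str) -> str:
    """The same app after the fix: output is HTML-escaped before reflection."""
    q = parse_qs(query_string).get("q", [""])[0]
    return f"<html><body>Results for: {escape(q, quote=True)}</body></html>"


def probe_reflection(handler, param: str = "q") -> dict:
    """Send the marker in `param` and classify the response.

    The probe does not know which handler it is talking to and has no access
    to its code; it reasons only from the observed response, as DAST does.
    """
    body = handler(urlencode({param: MARKER}))
    if MARKER in body:
        # Raw metacharacters came back: input is reflected unescaped.
        return {"param": param, "finding": "unescaped reflection", "evidence": MARKER}
    if escape(MARKER, quote=True) in body:
        # Reflected but neutralised by escaping: correctly reported as no finding.
        return {"param": param, "finding": None, "note": "reflected but escaped"}
    return {"param": param, "finding": None, "note": "not reflected"}


def scan(handlers: dict) -> dict:
    """Run the probe against each named handler and collect the results."""
    return {name: probe_reflection(h) for name, h in handlers.items()}


if __name__ == "__main__":
    results = scan({"vulnerable": vulnerable_handler, "hardened": hardened_handler})
    for name, result in results.items():
        print(name, result)
```

Running the script reports an "unescaped reflection" finding for the constructed vulnerable handler and no finding for the hardened one. Real scanners crawl the application to discover parameters, send many probe variants, and correlate responses, but the loop of request, observe, classify is the same, which is also why a DAST tool cannot see a defect that never surfaces in a response.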

Who Should Use DAST Tools?

DAST tools are essential for security teams, developers, and IT professionals involved in maintaining the security of web applications. They are particularly useful for organizations with dynamic, frequently updated web applications.

What are the Benefits of Using DAST Tools?

The main benefits include the ability to identify real-world attack vectors, ease of use without needing access to source code, and the capacity to test applications in their final running state.

Can DAST Tools Replace Other Security Testing Methods?

No, DAST complements other testing methods like static application security testing (SAST) and interactive application security testing (IAST). A comprehensive security strategy often includes a mix of different testing approaches.

Are There Limitations to DAST Tools?

Yes, DAST tools can miss vulnerabilities that are not exposed through the web interface, and they might generate false positives. They also can’t typically assess the source code for underlying issues.

How Often Should DAST Tools be Used?

It’s recommended to use DAST tools regularly, especially after significant changes to the application or its environment. Continuous integration environments may benefit from more frequent testing.

Can DAST Tools Test Mobile Applications?

Some DAST tools are capable of testing mobile applications, but their effectiveness can vary depending on the tool and the specific application architecture.

Are DAST Tools Suitable for All Web Applications?

DAST tools are versatile, but their effectiveness can vary depending on the complexity and technology of the web application. They are generally more effective for traditional web applications than for single-page applications or services using extensive client-side scripting.


Altay Ataman
Altay is an industry analyst at AIMultiple. He has a background in international political economy, multilateral organizations, development cooperation, global politics, and data analysis. He has experience working at private and government institutions. Altay discovered his interest in emerging tech after seeing its wide use across several sectors and acknowledging its importance for the future. He received his bachelor's degree in Political Science and Public Administration from Bilkent University and his master's degree in International Politics from KU Leuven.
