Top 10 Dynamic Application Security Testing (DAST) Tools for 2024

OWASP ZAP is a free and open-source tool actively maintained by a dedicated international team of volunteers. It provides features like active scanning, alerts, anti-CSRF tokens, authentication methods, breakpoints, and passive scanning.

• Passively scan traffic and actively probe for vulnerabilities automatically
• Detect an extensive array of vulnerabilities, including SQL injection, XSS, and insecure direct object references
• Tailor scans to specific needs using ZAP's scripting engine and pre-built add-ons
• Generate comprehensive reports on identified vulnerabilities such as risk levels, exploit information, and remediation recommendations
• Record and replay web application sessions for testing purposes

"Owasp zap proxy is the best recon and penetration testing tool, which contains all things from manual testing to automation testing. For me especially, automatic testing is the best with Ajax Spider, and active scanning performs all the vulnerability tests, which is really good." 

—Jay P.

While not specifically a DAST tool, Jit is a DevSecOps platform that orchestrates DAST tools such as OWASP ZAP and other security testing tools such as SAST and SCA across your CI/CD pipeline. It enables DevOps-oriented teams to establish and automate a security plan, making it easier to implement and manage security controls across the entire SSDLC. Jit users also get real-time remediation suggestions and enriched findings based on reports from other tools in a single dashboard. 

• Fast and automated scanning within GitHub
• Only scans newly introduced code so developers can focus on vulnerabilities relevant to their change
• Measure security performance metrics like MTTR and vulnerabilities in production
• Easily plug any tool into Jit’s extensible orchestration framework
• Jit’s Context Engine determines whether a vulnerability is actually exploitable in production, preventing alert fatigue

“I love the notion of Jit providing as-code security plans, which are minimal and viable. The fact that Jit also automates the selection of relevant security tools and unifies the experience around them is super valuable.”

—Director of Engineering & CISO @ SaaS platform

Veracode is a comprehensive cloud-native platform that reduces risk across all modern software components, from proprietary code to APIs and infrastructure as code (IaC). It can scan hundreds of web apps and APIs simultaneously, providing accurate alerts in its dashboard that developers can delve into.

• Launch dynamic scans with a few clicks to rapidly find and fix runtime vulnerabilities
• Scan running applications to identify vulnerabilities at runtime, including web apps, APIs, and mobile apps
• Provides comprehensive reports with vulnerability details, risk scoring, and actionable remediation guidance
• Automate security tasks and workflows throughout the SDLC

"Easy to set scans to monitor risks on applications. Informative dashboards to help monitor remediations."

—Verified User in Consumer Goods

Checkmarx’s significant features include real-time analysis, which evaluates running apps, and timely alerts that might arise due to recent changes in the code base. It can also be integrated into existing development and security workflows.

• Reduce risk across all components of modern software, such as proprietary code, open source code, APIs, and infrastructure as code
• Enhances vulnerability detection accuracy and prioritization with additional testing options
• Helps you focus on the most important issues by correlating findings from different security assessments
• Easy integration with your preferred development tools and platforms
• Access to training resources designed to help developers build more secure code

“The most valuable features are the easy-to-understand interface and it's very user-friendly. Reduce the code using cxsast plugin. It will scan code line by line and find most of the vulnerabilities. Very easy to use. Vulnerability report is awesome.”

—Pankaj W., Associate Security Consultant

Although not specifically a DAST tool, as part of Cloud Guard, Spectral offers DAST testing. Driven by AI, this can strengthen your security posture and mitigate risks by making it easy for developers to uncover blind spots and detect issues as early as the pre-commit stage.

• Automate the processes of secret protection at build time
• Monitor and detect API keys, tokens, credentials, security misconfiguration, and other threats in real-time
• Continuously uncover and monitor public blind spots, supply chain gaps, and proprietary code assets across multiple data sources
• Seamlessly integrate your own playbooks, build your own detectors, and implement mitigation policies throughout your software development lifecycle
• Advanced AI-backed technology with over 2000 detectors to uncover data breaches before they happen
• Get real-time slack alerts and workflow with JIRA tickets

“It helps us with fixing open code and key security issues in public and private repos. I like the daily scan of all our repositories; it helps us to fix important security issues in the code. Also the support team is very good.”

—Ofer L., DevOps Tech Lead

Acunetix provides dynamic application security testing against various web application attacks to identify vulnerabilities and assess their behavior. It features a fully automated crawler that can crawl complex custom HTML5 websites and web applications, including client-side single-page applications (SPAs), making it easier to implement zero-trust security.

• Lightning-fast scans that reveal your vulnerabilities the instant they’re found
• Scan multiple environments at the same time
• See the exact lines of code that need to be fixed so you don’t have to search for them
• Standard and premium support available
• Add unlimited users at no extra cost

"It assists in identifying and repairing website flaws, reducing the likelihood of attacks and data theft. The scanning tool is extremely intelligent and can identify even the most complex security issues."

—Ken C., Chief Media Officer and Managing Partner

AppCheck offers in-depth automated testing for ad-hoc, scheduled, and continuous security testing. It provides full OWASP vulnerability coverage, including injection, XSS, RCE, zero days, plus 100,000+ known security flaws.

• Scan APIs, SPAs, infrastructure & modern web apps
• Powerful browser-based crawler
• Dynamic fuzzing technology allows visibility of the true and deeper attack surface
• Unlimited scans and unlimited users
• Powerful DAST testing coupled with hourly updates
• Detect hidden issues which can only be identified through advanced out-of-band detection techniques

"We used to have a manual pen test, used the free trial to compare, and AppCheck blew it out of the water. Then it occurred to me that manual testers just use automated tools anyway, so why not save time and cost.”

—Verified User in Photography

Intruder’s web app vulnerability scanner crawls through a site or app, looking for vulnerabilities and security flaws. This solution lets you assess your risk level and helps you prioritize remediation efforts based on the severity of detected vulnerabilities.

• Keeps track of your attack surface, showing where and how your company may be vulnerable
• Set up Intruder and begin scanning within minutes
• Continuous network scanning
• Great customer support team
• Integrate easily into your CI/CD pipeline to streamline DevOps

"This platform enables my team not to waste time testing against known vulnerabilities and focus on hardening our services and solutions. Intruder also provides a huge benefit in proactive Change detection, where it will advise when new instances or hosts are detected and any vulnerabilities it may have, allowing for more agile change management.”

—Ben C., Mid-Market

SOOS SCA + DAST combines SCA and DAST in one platform. You can simultaneously use the features of SCA, such as finding and fixing open-source vulnerabilities, and DAST, which scans your web apps and APIs based on OpenAPI, SOAP, or GraphQL standards. The combined dashboard makes continuous monitoring, license issues, and policy violations accessible in a single interface.

• Patented deep tree scanning happens in seconds so that you can find, research, and fix open source vulnerabilities on every build
• Manage, suppress, and provide attestations for issues across all of your projects and branches
• Automate the tracking of your open source license exposure
• Manage your SBOMs in Software Package Data Exchange (SPDX) or CycloneDX formats
• Integrated dashboard to manage your projects’ security issues (SCA, DAST, Containers, SAST, IaC, & SBOMs)
• Simple CI/CD and Issue Manager Integration

"With the integration we have in our pipelines, the ability to provide continuous assessment of software security as changes are made to the application and new dependencies are added has been very useful. Additionally, SOOS has been of great importance for our certification processes (Hitrust, SOC2).”

—Brallan G., SRE & DevOps Engineer

Detectify is a cloud-based EASM platform specializing in surface monitoring and application scanning. The automated discovery and continuous monitoring features help DevSecOps teams discover and remedy vulnerabilities easily integrated into Slack, Jira, and Splunk workflow tools.

• 99.7% accurate vulnerability assessments
• Continuously discover and monitor all internet-facing assets that you host
• Cover your entire public DNS footprint, including ports
• Render and crawl a custom-built application for in-depth findings
• Dedicated customer success manager

"From the discoveries of new subjects, and for the ease of use, I also really like the integration of notifications and detailing the vulnerabilities and how to perform their corrections."

—Matheus W., Mid-Market Security Analyst