As a CISO, I have worked extensively with DAST tools. In my evaluation of the top solutions, I reviewed capabilities such as accuracy, detection performance by severity, and more. See below for a detailed breakdown of my key takeaways:
DAST benchmark results:
1. True & false positive rates
Benchmark environments:
1. Holdout: Two private websites built by the AIMultiple team and explained as part of the methodology. Aims to measure how tools perform in detecting vulnerabilities in custom-built, non-public applications.
2. Holdout (w/o information items): A variant of the private holdout environment where vulnerabilities that represent information disclosure issues (e.g., verbose error messages, stack traces, or header leaks) are removed from the evaluation set. Aims to provide a clearer picture of how tools handle exploitable vulnerabilities only, without the noise of low-severity informational findings.
3. DVWA (Damn Vulnerable Web Application): An open-source vulnerable web application built on PHP/MySQL.1 Aims to benchmark tools against known vulnerabilities and validate detection consistency.
4. Broken Crystals: An open-source web app built with React.2 Aims to evaluate tool effectiveness on vulnerabilities common in frontend-heavy applications.
Key metrics for evaluating DAST tools:
1. Vulnerability coverage: How many real vulnerabilities the tool correctly finds. (Higher coverage means fewer blind spots in your security.)
It is equal to true positives (i.e. correctly identified security vulnerabilities) / total number of vulnerabilities.
2. Inverted False Positive Rate: The share of findings that are not false alarms. It ensures security teams don’t waste time chasing issues that aren’t real. (We invert the rate so higher is always better.)
It’s formula is 1 − (False Positives ÷ Total Findings).
Expert recommendations
Based on our benchmarks experience, we recommend enterprises to:
Make DAST part of every release cycle: Treat DAST as a safety net for your code. Running scans after each release helps you identify recurring vulnerabilities early, before they reach production and become bigger issues.
Don’t rely on DAST alone: While DAST is effective, it can’t cover every angle of application security. To build a stronger defense, complement it with:
- SAST to analyze code directly,
- IAST to monitor vulnerabilities at runtime, and
- Manual testing to catch complex logic flaws.
Together, these approaches close the gaps and give you more reliable protection.
Balance speed with accuracy: The most valuable tools aren’t the ones that produce the longest list of issues. They’re the ones that surface the right vulnerabilities quickly, and give clear guidance on how to fix them. That way, security and development teams can spend less time filtering noise and more time on real remediation.
2. Important vulnerability detection performance
In the analysis below, we excluded vulnerabilities classified as informational (e.g., verbose messages, metadata leaks) to focus only on important vulnerabilities that could materially impact security.
| Product | Vulnerability coverage | Prioritization accuracy | False positive rate |
|---|---|---|---|
| HCL AppScan | 66% | 60% | 2% |
| Invicti Netsparker | 64% | 58% | 23% |
| Zap | 29% | 22% | 15% |
| Acunetix | 27% | 26% | 0% |
| Tenable Nessus | 23% | 17% | 10% |
| Qualys Express | 14% | 5% | 21% |
3. Reporting & other features
| DAST software | Scan time (minutes) | Remediation suggestions | Report quality |
|---|---|---|---|
| HCL AppScan | TBD | ✅ | Medium |
| Invicti Netsparker | 118 | ✅ | High |
| Zap | 9 | ✅ | Low |
| Acunetix | 94 | ✅ | Medium |
| Tenable Nessus | 5 | ❌ | Low |
| Qualys Express | 104 | ✅ | High |
- Scan Time: Speed is especially critical when DAST scans are integrated into CI/CD pipelines. A slow scan delays development cycles and discourages frequent use.
- Remediation Suggestions: Actionable, high-quality remediation guidance helps developers resolve issues quickly. Features such as attack replay further improve efficiency by allowing teams to verify fixes without rerunning an entire scan. (Note: we have not yet formally evaluated the quality of remediation suggestions.)
- Report Quality: Well-structured, easy-to-read reports help security and development teams prioritize, understand, and act on findings more effectively.
4. Vulnerability detection by severity
The performance differences between DAST tools become more visible when detection is broken down by vulnerability severity (e.g., high, medium, low).
This view highlights not just whether tools detect vulnerabilities, but whether they capture the most critical ones:
| HCL AppScan | Invicti Netsparker | Zap | Acunetix | Tenable Nessus | Qualys Express | |
|---|---|---|---|---|---|---|
| Critical | 75% | 50% | 0% | 50% | 0% | 50% |
| High | 50% | 0% | 0% | 25% | 0% | 25% |
| Medium | 21% | 57% | 14% | 36% | 14% | 29% |
| Low | 66% | 50% | 53% | 6% | 16% | 13% |
| Best Practice | 96% | 100% | 13% | 48% | 48% | 0% |
| Informational | 26% | 56% | 11% | 11% | 7% | 15% |
5. Prioritization accuracy
While prioritization is less important than detection, a wrongly prioritized vulnerability can be as dangerous as a not detected priority since a low priority assigned to a critical vulnerability may lead it to be deprioritized.
Below, you can see the share of correctly prioritized issues among all detected issues categorized according to severity levels:
| HCL AppScan | Invicti Netsparker | Zap | Acunetix | Tenable Nessus | Qualys Express | |
|---|---|---|---|---|---|---|
| Critical | 33% | 50% | No detection | 100% | No detection | 50% |
| High | 100% | No detection | No detection | 0% | No detection | 0% |
| Medium | 33% | 75% | 50% | 100% | 0% | 0% |
| Low | 95% | 94% | 76% | 100% | 0% | 25% |
| Best Practice | 100% | 100% | 0% | 100% | 27% | No detection |
| Informational | 100% | 100% | 67% | 100% | 100% | 0% |
Note: A score of 100% does not mean that all vulnerabilities were detected. It indicates that, among the subset of vulnerabilities that were detected, all were correctly prioritized.
Benchmark methodology
Holdout set: We set up 2 websites:
- One with all of the OWASP top 10 vulnerabilities deliberately included such as SQL Injection.
- The other included no important vulnerabilities.
The websites are not public. We keep them as a holdout set to ensure that vendors don’t use them in improving their DAST tools which would defeat the purpose of the benchmark: measuring the performance of these tools in real world applications.
Participating DAST solutions: To produce benchmark results, we:
- Got access to 6 top DAST solutions.
- Used each tool as a web DAST scanner to run benchmark tests with the configuration to detect OWASP Top 10.
DAST solutions used in holdout set are listed below:
- Acunetix by Invicti’s latest version as of June/2024
- HCL AppScan Standard 10.5.0
- Qualys WAS’ latest version as of October/2024
- Netsparker by Invicti’s latest version as of June/2024
- Tenable Nessus 10.7.4
- ZAP 2.15.0
DVWA and Broken Crystals:
Results were taken from Pentest-Tools.com’s benchmark.3
Next steps
Add more open source benchmark results to complement the results from the holdout set. Potential candidates include OWASP Benchmark Project: A Java test suite for evaluating the accuracy, coverage, and speed of automated software vulnerability detection tools.
We are open to including other web vulnerability scanners in the benchmark results. Please leave a note or reach out to us via LinkedIn or email if you represent a DAST solution. We are especially looking to incorporate these in the benchmark:
- Checkmarx DAST
- Contrast Assess
- Indusface WAS
- PortSwigger Burp Suite
Why are we running DAST benchmarks?
Businesses rely on DAST to keep their data and applications secure as part of their cybersecurity strategy. However, the most important metrics about a DAST tool such as false positive rate are not available.
Businesses should run a Proof of Concept (PoC) before adopting DAST tools however PoCs are not perfect:
Applications tested during the PoC may not have certain vulnerabilities and as a result, businesses may not understand the full capabilities of the tools in their PoC.
PoCs are costly, businesses may not cover every DAST tool in their PoC and miss out on the best fit solution for their business.
Reviewing benchmark results and selecting their shortlist of vendors for the PoC can help businesses identify the optimal solution for their applications.
Standardized criteria for evaluating web vulnerability scanners
See below some of the criteria that we used and the rationale for selecting them:
True positive rate: Automated vulnerability detection is a DAST tool’s main job. It is critical that automated web application security scanners identify vulnerabilities in applications.
False positive rate: False positives reduce trust in DAST solutions and slow down security teams. In the graph, we wanted to place higher performing solutions on the top right corner, therefore we inverted the false positive rate.
Prioritization accuracy is critical for prioritization. Without this, security teams can get lost in a large list of vulnerabilities.
How should businesses run DAST PoCs?
We recommend,
Using a wide variety of applications to see how different tools perform in different scenarios.
Including benchmarking targets that resemble the end-target applications of the organization as closely as possible.
Top 10 DAST tools compared
| Software | For | |
|---|---|---|
1. | Web Application Scanning | |
2. | Pentesting | |
3. | Identifying & Tracking Vulnerabilities | |
4. | Network Scanning and Security | |
5. | Enterprise-grade application vulnerability assessments | |
6. | Mobile app scanning | |
7. | DAST in fast-paced CI/CD environments | |
8. | Real-time risk mitigation | |
9. | Analyzing vulnerabilities directly within running applications | |
10. | Free / open source DAST | |
| Vendors | Reviews** | Free Trial*** | Employees | Price |
|---|---|---|---|---|
| Invicti | 4.6 based on 203 reviews | ✅ | 300 | Not shared publicly |
| PortSwigger Burp Suite | 4.7 based on 124 reviews | ✅ | 190 | From $449 to $49,000 per year (Professional edition, per person vs Enterprise edition.) Also has a free “community” version. |
| InsightVM Rapid7 | 4.4 based on 94 reviews | ✅ (30-day) | 2,700 | Pricing is asset-based (at least 512 assets).4 |
| Tenable Nessus Professional | 4.6 based on 88 reviews | ✅ (7-day) | 2,100 | Tenable Nessus has 3 pricing edition(s), from $3,590 to $5,290 annually. |
| HCL AppScan | 4.0 based on 82 reviews | ✅ (30-day) | 10,000 | Not shared publicly |
| Contrast Assess | 4.5 based on 49 reviews | ❌ | 300 | Not shared publicly |
| Indusface WAS | 4.5 based on 58 reviews | ✅ (14-day) | 150 | Has a free “basic” plan. Advanced plan, priced at $59 per month. A premium plan at $199 per month. |
| Checkmarx DAST | 4.2 based on 34 reviews | ❌ | 130 | Not shared publicly |
| NowSecure | 4.6 based on 26 reviews | ✅ | 118 | Not shared publicly |
| OWASP ZAP (Zed Attack Proxy) | 4.7 based on 11 reviews | Open Source | N/A**** | Open Source |
** Reviews are based on Capterra and G2.
*** Free trial period is included if it is publicly shared.
**** Community-driven, non-profit foundation
These solutions include both paid and free DAST solutions. If you’re only interested in free solutions, check out free DAST tools.
Integration capabilities of DAST tools
| Vendor | Integration with SIEM tools | Ticketing tool integrations |
|---|---|---|
| Invicti | Splunk | Built-in, Jira, ServiceNow |
| PortSwigger Burp Suite | Built-in, Jira | |
| InsightVM Rapid 7 | Splunk, McAfee ESM,Sumo Logic | Built-in, Jira, ServiceNow |
| Tenable Nessus Professional | Splunk, IBM QRadar, McAfee ESM | Built-in, Jira, ServiceNow |
| HCL AppScan | IBM Security QRadar | Jira, ServiceNow |
| NowSecure | Jira | |
| Checkmarx DAST | Splunk | Jira, ServiceNow |
| Indusface WAS | Sumo Logic, RSA, Splunk, McAfee ESM | |
| Contrast Assess | Azure Sentinel, Datadog, Splunk, Sumo Logic | Jira |
| OWASP ZAP |
Features of DAST tools
| Vendor | Deployment options | Detect XSS | Detect SQL injection | OAuth 2.0 |
|---|---|---|---|---|
| Invicti | On-Prem, Cloud, Hybrid | ✅ | ✅ | ✅ |
| PortSwigger Burp Suite | On-Prem, Cloud, Hybrid | ✅ | ✅ | ❌ |
| InsightVM Rapid 7 | On-Prem, Cloud, Hybrid | ❌ | ❌ | ❌ |
| Tenable Nessus Professional | On-Prem, Cloud, Hybrid | ✅ | ✅ | ❌ |
| HCL AppScan | On-Prem, Cloud, Hybrid | ✅ | ✅ | ✅ |
| NowSecure | On-Prem, Cloud | ❌ | ❌ | ❌ |
| Checkmarx DAST | On-Prem, Cloud, Hybrid | ✅ | ✅ | ❌ |
| Indusface WAS | Cloud | ✅ | ✅ | ❌ |
| Contrast Assess | On-Prem, Cloud, Hybrid | ✅ | ✅ | ❌ |
| OWASP ZAP | On-Prem | ✅ | ✅ | ✅ |
To understand why these differentiating features are important, check the definitions and significance of each feature.
Invicti
Best for: Web application scanning
Invicti’s Dynamic Application Security Testing (DAST) tool leverages a dynamic and interactive scanning approach (DAST + IAST). Invicti’s DAST solution’s
- Deployment can be on-prem, public or private cloud and hybrid.
- Features include Web Application Firewall and Oauth 2.0 integration.
- Best known for web application security scanning, which can scan internal or external websites.
Pros
- Most promising features of Invicti are:
- its ability to confirm access vulnerabilities and SSL injection vulnerabilities,
- its connectors to other security tools.
- Users argue that Invicti’s baseline scanning and incremental scan are valuable features.
- Invicti’s proof-based scanning helps reduce vulnerability validation time so users can focus on finding more complex vulnerabilities.
Cons
- False positive analysis and vulnerability analysis libraries could be improved.
- Specificity of the reports generated by the tool could be improved
- Licensing model could be more cost-effective.
PortSwigger Burp Suite
Best for: Pentesting
PortSwigger’s Burp Suite focuses on both automated and manual Dynamic Application Security Testing (DAST). Burp Suite incorporates methods like out-of-band testing (OAST). Burp Suite is available in different editions, including the Professional, Enterprise, and Community editions.
Professionals who seek to enhance their penetration testing use PortSwigger. The UI may be complex for users who lack technical expertise.
The community edition can scan or crawl web apps internally or externally, while the paid version provides additional capabilities for enterprises that seek a more complex tool.
Pros
- Straightforward setup process, as mentioned by multiple reviewers.
- Accuracy in comparison to other solutions, reporting fewer false positives.
- The automated scan feature is particularly useful for customers needing basic security assurance.
Cons
- Stability issues, particularly in terms of high memory usage while scanning.
- Integrations: It could offer better integration with tools like Jenkins for automating dynamic application security testing (DAST).
- Reporting: There are concerns about the quality of reporting, with some finding it not very informative.
InsightVM Rapid7
Best for: Identifying and tracking vulnerabilities
InsightVM from Rapid7 is not a DAST tool but a vulnerability management solution to detect threats in IT environments. It utilizes Rapid7’s vulnerability research, insights into global attacker activities, and internet scanning data.
It also includes integration with Rapid7’s Metasploit to confirm exploits. The platform provides capabilities like real-time monitoring and evaluations of cloud, virtual, and container assets, which makes it adaptable for varied and evolving IT settings.
This integration also makes it a suitable option for penetration testing. InsightVM has strong SIEM, tracking of vulnerabilities, and live observation with endpoint agents.
Pros
- Agent-based platform of the tool allows users to concentrate on making enhancements while managing underlying dependencies with ease.
- It clearly highlights vulnerabilities and prioritizes remediation efforts, making it useful for managing vulnerabilities and patches.
- Its use of real risk scores, along with features like agent and engine support, SCCM-assisted patching, hardening checks, remediation projects, and SLAs, is effective.
Cons
- Memory consumption can be high
- Immature and inconsistent graphical user interface (GUI). and Query builder is limited.
- Bugs in complex vulnerability checks sometimes take a long time to resolve. Setting up reports to be concise can be challenging.
Tenable Nessus Professional
Best for: Network scanning and security
Tenable Nessus Professional conducts vulnerability assessments through evaluative and agentless scans. Multi-year subscriptions are available for Nessus Professional, which encompass enhanced support services such as telephone, community forums, and live chat assistance.
Tenable Nessus has a more expensive version, Tenable Nessus Expert, which adds features such as web application scanning and external attack surface scanning.
We discussed the pricing of dast tools and more in the “DAST Pricing: Comparison of Vendor’s Fees” article.
Pros
- User-friendly graphical interface and superior detection capabilities.
- Satisfactory customer support
- Dual implementation approach, which includes both agent-based and credentials-based solutions.
- Frequent updates to incorporate the most recent vulnerabilities, along with recommendations for remediation.
Cons
- Some users have mentioned experiencing variability in both the duration of scans and the consistency of results with the tool.
- Retrieving reports over an extended timeframe can be time-consuming, indicating that both the scanning and reporting processes require a significant amount of time.
If you are already using Tenable Nessus and looking for alternatives, you can read our article “Tenable Nessus Alternatives”.
HCL AppScan
The AppScan suite includes several products (AppScan on Cloud, AppScan 360, AppScan Standard, AppScan Source, and AppScan Enterprise).
HCL AppScan includes integration capabilities with various development and deployment environments, regulatory compliance reporting, and customization through the AppScan Extension Framework.
Pros
- Among the top 2 performers in our DAST benchmark with a
- high true positive rate
- low false positive rate
- high accuracy rate in assigning severity to issues
- Quick responses to feature requests.
- Clear remediation suggestions facilitate ease of use for developers
Cons
- In our view, dashboard and overview section in reports lag behind other commercial DAST tools.
- has limited integration with some of the container technologies
- CI/CD integration and scalability can be challenging due to
- Licensing restrictions
- Slow scan duration. It had the slowest scan time in our benchmark.
NowSecure
Best for: Mobile app scanning
NowSecure DAST is focused only on mobile application testing, it does not provide web application testing.
Since the mobile app scanning market is limited, few tools are focused solely on mobile app scanning. NowSecure could be a suitable option for businesses that
- Test only mobile applications.
- Can afford a dedicated tool for mobile app scanning.
Pros
- Users cite that the platform is easy to integrate and has an intuitive interface.
- Reporting capabilities of the tool are advanced
Cons
- Testing can be complex and require manual intervention.
- Cost of the service can be a challenge for smaller companies.
- Customization options are not widely available.
Checkmarx DAST
Checkmarx DAST can be deployed on-prem, hybrid, or cloud. It offers SQL injection detection and XSS detection.
Checkmarx DAST is part of the Checkmarx One platform, which consolidates various application security tools (such as SAST, API Security, Container Security, etc.) into a single platform.
Pros
- Checkmarx finds noticeably higher vulnerabilities than free tools.
- Centralized reporting functionality can be helpful with tracking issues.
Cons
- Some users have reported that Checkmarx has a slightly difficult compilation with the CI/CD pipeline.
- Some users have reported that the interactive application security testing (IAST) part needs improvement.
Indusface WAS
The Indusface DAST provides cloud-based Web Application Firewall (WAF) features. Indusface WAS cannot be deployed on prem, which could be seen as a negative if users wish to avoid using cloud services.
Pros
- The tool is capable of running complex workloads.
- Support: Users state that the tools have quick support and timely responsiveness, also stating that the team is knowledgeable and efficient.
Cons
- Time-out time after inactivity in the portal can be longer.
- User interface can be made more intuitive and informative for the user. The design looks dated.
Contrast Assess
Contrast Security’s tool, Contrast Assess, primarily uses an Interactive Application Security Testing (IAST) approach.
Pros
- Users state that Contrast Asses is a stable solution.
- Users state that the solution is accurate in identifying vulnerabilities. Multiple users also noted that the real-time code evaluation feature is helpful.
Cons
- Users have argue that the solution should provide more details in the section showing that third-party libraries have CVEs or some vulnerabilities.
- Some users cite their concern about the scalability of the solution.
OWASP ZAP
OWASP ZAP (Zed Attack Proxy) is an open-source DAST tool. It acts as a man-in-the-middle proxy, which allows it to intercept and inspect messages sent between a browser and a web server to find security holes in real-time.
During our experience with the tool, we identified these:
Pros
- Low false positive rate
- Easy to use, especially for an open-source tool.
- Integrations to DevSecOps tools like DefectDojo.5
Cons
- Limited vulnerability detection rate.
- It takes considerable time to analyze big applications but it can be fast for small applications
- In terms of integrations ZAP lags behind commercial web scanning applications which can also lead to more manual work.
FAQ
What is a DAST Tool?
DAST tools are application security solutions that detect vulnerabilities in web applications while running in a live environment. They simulate attacks from a malicious user’s perspective to identify potential security issues. They can also be considered a part of vulnerability scanning tools.
How Do DAST Tools Work?
DAST tools typically interact with an application through its front end, testing for vulnerabilities like SQL injection, cross-site scripting (XSS), and other standard security threats. They do not require access to the source code.
Who Should Use DAST Tools?
DAST tools are essential for security teams, developers, and IT professionals involved in maintaining the security of web applications. They are particularly useful for organizations with dynamic, frequently updated web applications.
What are the Benefits of Using DAST Tools?
The main benefits include the ability to identify real-world attack vectors, ease of use without needing access to source code, and the capacity to test applications in their final running state.
Can DAST Tools Replace Other Security Testing Methods?
No, DAST complements other testing methods like static application security testing (SAST) and interactive application security testing (IAST). A comprehensive security strategy requires a mix of different testing approaches.
Are There Limitations to DAST Tools?
Yes, DAST tools can miss vulnerabilities that are not exposed through the web interface, and they might generate false positives. They also can’t typically assess the source code for underlying issues.
How Often Should DAST Tools be Used?
It’s recommended to use DAST tools regularly, especially after significant changes to the application or its environment. Continuous integration environments may benefit from more frequent testing.
Can DAST Tools Test Mobile Applications?
Some DAST tools are capable of testing mobile applications, but their effectiveness can vary depending on the tool and the specific application architecture.
Are DAST Tools Suitable for All Web Applications?
DAST tools are versatile, but their effectiveness can vary depending on the complexity and technology of the web application. They are generally more effective for traditional web applications than for single-page applications or services using extensive client-side scripting.
External Links
- 1. GitHub - digininja/DVWA: Damn Vulnerable Web Application (DVWA).
- 2. GitHub - NeuraLegion/brokencrystals: A Broken Application - Very Vulnerable!.
- 3. Benchmarking our Website Vulnerability Scanner and 5 others | Pentest-Tools.com Blog. Pentest-Tools.com
- 4. "Burp Suite Enterprise Edition plans". PortSwigger. Retrieved on June 9, 2024
- 5. ZAP – Third Party Products and Services.
Comments
Your email address will not be published. All fields are required.