As a CISO, I have worked extensively with DAST tools. In evaluating the top solutions, I reviewed capabilities such as accuracy, detection performance by severity, and more. See below for a detailed breakdown of my key takeaways:
DAST benchmark results
True and false positive rates
Benchmark environments:
1. Holdout: Two privately built websites are used in the methodology to assess how effectively the tools detect vulnerabilities in custom, non-public applications.
2. Holdout (w/o information items): A variant of the private holdout environment where vulnerabilities related to information disclosure (such as verbose error messages, stack traces, or header leaks) are excluded from the evaluation set. The goal is to provide a clearer understanding of how tools handle exploitable vulnerabilities.
3. DVWA (Damn Vulnerable Web Application): An open-source vulnerable web application built on PHP/MySQL [1]. It is used to benchmark tools against known vulnerabilities and to validate detection consistency.
4. Broken Crystals: An open-source vulnerable web app built with React [2]. It is used to evaluate tool effectiveness on vulnerabilities common in frontend-heavy applications.
Key metrics for evaluating DAST tools:
1. Vulnerability coverage: How many real vulnerabilities the tool correctly finds. (Higher coverage means fewer blind spots in your security.)
Formula = true positives (i.e. correctly identified security vulnerabilities) / total number of vulnerabilities.
2. Inverted False Positive rate: The share of findings that are not false alarms. It ensures security teams don’t waste time chasing issues that aren’t real. (We invert the rate so higher is always better.)
Formula = 1 − (False Positives ÷ Total Findings).
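The two formulas above are easy to get subtly wrong when a scanner reports the same planted vulnerability twice or flags something outside the planted set. The following is an added example (not part of the original benchmark tooling) that computes both metrics on a constructed ground truth and a constructed set of scanner findings; the vulnerability ids and finding titles are made up for illustration.

```python
from fractions import Fraction

# Constructed ground truth for one holdout site: ids of the vulnerabilities
# that were planted on purpose. (Illustrative, not the benchmark's real data.)
GROUND_TRUTH = {"sqli-login", "xss-search", "cmdi-export", "idor-invoice", "ssrf-webhook"}

# Constructed scanner output. Each finding either maps to a planted
# vulnerability id (a true positive) or to None (a false positive).
# Two findings may hit the same id; that is still one covered vulnerability.
FINDINGS = [
    {"title": "SQL injection in /login", "matches": "sqli-login"},
    {"title": "Reflected XSS in /search", "matches": "xss-search"},
    {"title": "Reflected XSS in /search (second parameter)", "matches": "xss-search"},
    {"title": "OS command injection in /export", "matches": "cmdi-export"},
    {"title": "Missing X-Frame-Options header", "matches": None},  # nothing planted: false positive
    {"title": "Possible SQL injection in /health", "matches": None},  # nothing planted: false positive
]


def vulnerability_coverage(ground_truth, findings):
    """True positives / total planted vulnerabilities.

    Each planted vulnerability counts at most once, so duplicate findings
    for the same issue do not inflate coverage.
    """
    if not ground_truth:
        raise ValueError("ground truth is empty; coverage is undefined")
    detected = {f["matches"] for f in findings if f["matches"] in ground_truth}
    return Fraction(len(detected), len(ground_truth))


def inverted_false_positive_rate(ground_truth, findings):
    """1 - (false positives / total findings), so higher is better.

    A duplicate finding that maps to a real vulnerability is not a false
    positive. A tool that reports nothing raised no false alarms, so the
    inverted rate is 1 (its coverage will be 0, which is where that shows up).
    """
    if not findings:
        return Fraction(1)
    false_positives = sum(1 for f in findings if f["matches"] not in ground_truth)
    return 1 - Fraction(false_positives, len(findings))


if __name__ == "__main__":
    cov = vulnerability_coverage(GROUND_TRUTH, FINDINGS)
    ifp = inverted_false_positive_rate(GROUND_TRUTH, FINDINGS)
    print(f"coverage = {cov} ({float(cov):.0%})")
    print(f"inverted false positive rate = {ifp} ({float(ifp):.0%})")
```

Exact fractions are used instead of floats so that two tools can be compared without rounding artefacts; convert with `float()` only for display.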
Our recommendations
Based on our benchmark, we recommend that enterprises:
Make DAST part of every release cycle: Treat DAST as a safety net for your code. Scanning each release build, before it is promoted to production, helps you catch recurring vulnerabilities early, while they are still cheap to fix.
Don’t rely on DAST alone: While DAST is effective, it can’t cover every angle of application security. To build a stronger defense, complement it with:
- SAST to analyze code directly,
- IAST to monitor vulnerabilities at runtime, and
- Manual testing to catch complex logic flaws.
Together, these approaches close the gaps and give you more reliable protection.
Balance speed with accuracy: The most valuable tools aren’t the ones that produce the longest list of issues. They’re the ones that surface the right vulnerabilities quickly, and give clear guidance on how to fix them. That way, security and development teams can spend less time filtering noise and more time on real remediation.
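Turning the recommendations above into a release gate means deciding which findings block a release and which are accepted noise, so that speed and accuracy are balanced rather than traded off. The following is an added example, not part of the original article or of any vendor's tooling. It reads a scanner report in the shape of ZAP's traditional JSON report (the `site[].alerts[].riskcode` and `confidence` fields are assumed to follow that format; the report contents, URLs and plugin ids in `SAMPLE_REPORT` are constructed for illustration) and fails the build on Medium-or-higher findings that have not been explicitly triaged.

```python
import json
import sys

# Constructed sample report in the shape of ZAP's traditional JSON output.
# riskcode: "0"=Informational, "1"=Low, "2"=Medium, "3"=High
# confidence: "0"=False Positive (user-marked), "1"=Low, "2"=Medium, "3"=High
# The alerts, URLs and plugin ids below are made up for this example.
SAMPLE_REPORT = json.dumps({
    "@programName": "ZAP",
    "site": [{
        "@name": "https://app.example.test",
        "alerts": [
            {"pluginid": "40018", "alert": "SQL Injection", "riskcode": "3",
             "confidence": "2", "count": "1",
             "instances": [{"uri": "https://app.example.test/search?q=1"}]},
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "confidence": "3", "count": "4", "instances": []},
            {"pluginid": "10096", "alert": "Timestamp Disclosure", "riskcode": "0",
             "confidence": "1", "count": "12", "instances": []},
            {"pluginid": "90022", "alert": "Application Error Disclosure", "riskcode": "1",
             "confidence": "0", "count": "1", "instances": []},
        ],
    }],
})

RISK_NAMES = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}


def load_alerts(report_text):
    """Flatten a report into (site name, alert dict) pairs."""
    report = json.loads(report_text)
    return [(site.get("@name", "?"), alert)
            for site in report.get("site", [])
            for alert in site.get("alerts", [])]


def gate(report_text, fail_on="2", ignore_plugins=frozenset(), min_confidence="1"):
    """Return (passed, blocking_alerts) for a release decision.

    fail_on:        lowest riskcode that blocks the release ("2" = Medium and above).
    ignore_plugins: plugin ids already triaged as accepted risk or known false
                    positives; keep this list in version control next to the app.
    min_confidence: drop alerts the scanner itself rates below this confidence,
                    which also drops alerts marked as false positives ("0").
    Informational findings never block, mirroring the benchmark's exclusion of
    information items when judging exploitable coverage.
    """
    blocking = []
    for site, alert in load_alerts(report_text):
        if alert["pluginid"] in ignore_plugins:
            continue
        if int(alert.get("confidence", "0")) < int(min_confidence):
            continue
        if alert["riskcode"] == "0":
            continue
        if int(alert["riskcode"]) >= int(fail_on):
            blocking.append((site, alert["pluginid"], alert["alert"],
                             RISK_NAMES[alert["riskcode"]]))
    return len(blocking) == 0, blocking


if __name__ == "__main__":
    # Usage: python gate.py report.json  (falls back to the constructed sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    passed, blocking = gate(text, ignore_plugins={"10038"})
    for site, plugin_id, name, risk in blocking:
        print(f"BLOCK {risk:<7} {plugin_id} {name} @ {site}")
    sys.exit(0 if passed else 1)
```

The ignore list is the important design choice: it records the triage decision ("CSP header is handled by the CDN") once, so the pipeline stays fast and quiet without lowering the severity threshold for everything else.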
Holdout benchmark deep dive
We analyzed the holdout results in detail, going beyond detection to prioritization and reporting:
Important vulnerability detection performance
Vulnerabilities classified as informational (e.g., verbose messages, metadata leaks) have been excluded from the analysis to focus solely on critical vulnerabilities that could impact security.
Reporting and other features
- Scan time: Speed is crucial when DAST scans are integrated into CI/CD pipelines. A slow scan can delay development cycles and discourage frequent use.
- Remediation suggestions: Tools with remediation suggestions can provide actionable, high-quality guidance to help developers quickly resolve security issues. (Note: we have not yet formally evaluated the quality of remediation suggestions.)
- Report quality: We rated the report quality as high, medium, or low based on our experience with the DAST tools tested. High-quality reports were well-structured, easy to read, and provided clear insights.
Vulnerability detection by severity
Tools with higher detection rates (e.g., HCL AppScan at 75%) are more effective.
- Critical vulnerabilities: Severe issues (e.g., remote code execution) that need immediate attention.
- High, medium, and low vulnerabilities: High-severity issues need urgent action, while medium and low are less critical.
- Best practice: Non-critical issues (e.g., insecure configurations) that improve security hygiene.
- Informational: Non-exploitable issues (e.g., verbose errors) that are low priority.
Prioritization accuracy
A score of 100% does not mean that all vulnerabilities were detected. It indicates that, among the subset of vulnerabilities the tool did detect, every one was assigned the correct severity. A tool that finds two critical issues and rates both correctly scores 100% here while scoring poorly on coverage.
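To make the caveat concrete, the following added example (illustrative code, not the benchmark's own scoring script) computes prioritization accuracy for two hypothetical scanners against a constructed ground truth. Scanner A detects little but ranks it correctly; scanner B detects everything but mislabels half of it. The ids, severities and scanner outputs are made up for the example.

```python
from fractions import Fraction

# Constructed ground truth: vulnerability id -> severity assigned by the benchmark authors.
TRUE_SEVERITY = {
    "sqli-login": "critical",
    "cmdi-export": "critical",
    "xss-search": "high",
    "idor-invoice": "high",
    "verbose-errors": "informational",
}

# Constructed output of two hypothetical scanners: vulnerability id -> reported severity.
# Ids absent from a dict were not detected by that scanner at all.
SCANNER_A = {"sqli-login": "critical", "cmdi-export": "critical"}
SCANNER_B = {"sqli-login": "critical", "cmdi-export": "high",
             "xss-search": "medium", "idor-invoice": "high",
             "verbose-errors": "informational"}


def in_scope(true_severity, exclude_informational=True):
    """Ids that count, with informational items excluded as in the holdout analysis."""
    return {vid for vid, sev in true_severity.items()
            if not (exclude_informational and sev == "informational")}


def prioritization_accuracy(true_severity, reported, exclude_informational=True):
    """Share of *detected* in-scope vulnerabilities whose reported severity matches.

    Only detected vulnerabilities enter the denominator, so 100% says nothing
    about how many vulnerabilities were found. Returns None if nothing in scope
    was detected, rather than a misleading 0% or 100%.
    """
    detected = in_scope(true_severity, exclude_informational) & reported.keys()
    if not detected:
        return None
    correct = sum(1 for vid in detected if reported[vid] == true_severity[vid])
    return Fraction(correct, len(detected))


def detected_share(true_severity, reported, exclude_informational=True):
    """Detected in-scope vulnerabilities / all in-scope vulnerabilities (the coverage side)."""
    scope = in_scope(true_severity, exclude_informational)
    return Fraction(len(scope & reported.keys()), len(scope))


if __name__ == "__main__":
    for name, reported in (("A", SCANNER_A), ("B", SCANNER_B)):
        acc = prioritization_accuracy(TRUE_SEVERITY, reported)
        cov = detected_share(TRUE_SEVERITY, reported)
        print(f"scanner {name}: prioritization accuracy {float(acc):.0%}, detected {float(cov):.0%}")
```

Read the two numbers together: a scanner that is strong on prioritization but weak on coverage is safe to trust for triage but not as the only source of findings.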
Benchmark methodology
Holdout set: We set up 2 websites:
- One deliberately includes vulnerabilities from every OWASP Top 10 category, such as SQL injection.
- The other includes no important vulnerabilities, so that false positives can be measured on a clean target.
The websites are not public. We keep them as a holdout set to ensure that vendors don’t use them in improving their DAST tools which would defeat the purpose of the benchmark: measuring the performance of these tools in real world applications.
Participating DAST solutions: To produce benchmark results, we:
- Got access to 6 top DAST solutions.
- Used each tool as a web DAST scanner to run benchmark tests with the configuration to detect OWASP Top 10.
DAST solutions used in holdout set are listed below:
- Acunetix by Invicti, latest version as of June 2024
- HCL AppScan Standard 10.5.0
- Qualys WAS, latest version as of October 2024
- Netsparker by Invicti, latest version as of June 2024
- Tenable Nessus 10.7.4
- ZAP 2.15.0
DVWA and Broken Crystals:
Results were taken from Pentest-Tools.com’s benchmark [3].
Next steps
Add more open source benchmark results to complement the results from the holdout set. Potential candidates include OWASP Benchmark Project: A Java test suite for evaluating the accuracy, coverage, and speed of automated software vulnerability detection tools.
We are open to including other web vulnerability scanners in the benchmark results. Please leave a note or reach out to us via LinkedIn or email if you represent a DAST solution. We are especially looking to incorporate these in the benchmark:
- Checkmarx DAST
- Contrast Assess
- Indusface WAS
- PortSwigger Burp Suite
Why are we running DAST benchmarks?
Businesses rely on DAST to keep their data and applications secure as part of their cybersecurity strategy. However, the metrics that matter most when choosing a DAST tool, such as its false positive rate, are not published by vendors.
Businesses should run a Proof of Concept (PoC) before adopting a DAST tool, but PoCs are not perfect:
- Applications tested during the PoC may not contain certain vulnerability classes, so the PoC never exercises those detection capabilities and businesses do not see the full picture.
- PoCs are costly, so businesses may not cover every DAST tool and may miss the best-fit solution.
Reviewing benchmark results and selecting their shortlist of vendors for the PoC can help businesses identify the optimal solution for their applications.
Standardized criteria for evaluating web vulnerability scanners
See below some of the criteria that we used and the rationale for selecting them:
True positive rate: Automated vulnerability detection is a DAST tool’s main job. It is critical that automated web application security scanners identify vulnerabilities in applications.
False positive rate: False positives reduce trust in DAST solutions and slow down security teams. In the graph, we wanted to place higher performing solutions on the top right corner, therefore we inverted the false positive rate.
Prioritization accuracy: Security teams triage by the severity the tool assigns. If that severity is wrong, teams either get lost in a long list of low-value findings or overlook a critical one buried among them.
How should businesses run DAST PoCs?
We recommend:
Using a wide variety of applications to see how different tools perform in different scenarios.
Including benchmarking targets that resemble the end-target applications of the organization as closely as possible.
Top 10 DAST tools compared
Review insights are drawn from sources [5] and [6].
Here we listed both paid and free DAST solutions. If you’re only interested in free solutions, check out free DAST tools.
Scan coverage
- Detect XSS: Identifies vulnerabilities where attackers inject malicious scripts that can steal data or hijack user sessions.
- Detect SQL injection: Detects flaws where attackers manipulate SQL queries to access or modify a database.
- OAuth 2.0: Assesses the security of OAuth 2.0 authorization flows (for example, redirect URI validation and token handling) to ensure proper access control.
- Detect command injection: Detects vulnerabilities where attackers inject and execute arbitrary commands on the server or system.
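The coverage items above describe what a scanner probes for. The following added example (illustrative code, not from the original page or any vendor) shows the two most common of them, SQL injection and reflected XSS, as a vulnerable handler beside its hardened form, with the kind of payload a DAST tool sends. The in-memory database, user rows and payloads are constructed for the example.

```python
import html
import sqlite3

# Constructed in-memory user table standing in for an application's database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


# Payloads of the kind a DAST scanner injects into a parameter (constructed).
SQLI_PAYLOAD = "' OR '1'='1"
XSS_PAYLOAD = "<script>alert(1)</script>"


def lookup_user_vulnerable(conn, username):
    """String interpolation: the payload becomes part of the SQL statement."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn, username):
    """Parameterized query: the payload is bound as a literal value and matches nothing."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def render_greeting_vulnerable(name):
    """Reflects user input into HTML verbatim: the script tag is rendered and executed."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name):
    """Escapes for the HTML body context, so the browser shows the text instead of running it."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable SQL ->", lookup_user_vulnerable(db, SQLI_PAYLOAD))  # every row leaks
    print("safe SQL       ->", lookup_user_safe(db, SQLI_PAYLOAD))        # no match
    print("vulnerable HTML->", render_greeting_vulnerable(XSS_PAYLOAD))
    print("safe HTML      ->", render_greeting_safe(XSS_PAYLOAD))
```

A scanner reports SQL injection when the injected payload changes the response (here, three rows instead of none) and reflected XSS when its marker comes back unescaped; the hardened versions remove both signals.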
Invicti
Best for: Web application scanning
Invicti is a dynamic application security testing (DAST) tool with an optional interactive application security testing (IAST) agent, designed to identify vulnerabilities in web applications and APIs.
Combining the two lets Invicti scan the running application from the outside while the agent observes it from the inside, which confirms findings with fewer false positives and gives deeper insight into where a vulnerability sits in the code.
It supports a wide range of security tests, including checks for:
- SQL injection
- XSS (cross-site scripting, a web vulnerability)
- API-related vulnerabilities
Strengths
- High detection accuracy: In our benchmark tests, Invicti identified 64% of critical vulnerabilities, including access control and SQL injection issues, with a false positive rate of 23%. Its coverage was comparable to HCL AppScan’s (66%), although AppScan’s 2% false positive rate was markedly lower.
- Baseline and incremental scanning: One of Invicti’s differentiating capabilities is baseline scanning for the initial vulnerability assessment followed by incremental scans that focus on what has changed. This keeps ongoing monitoring fast compared with tools that rely solely on repeated full scans.
- CI/CD integration: Integrates seamlessly with CI/CD pipelines, enabling automated security scanning during the development process.
Weaknesses
- False positive and vulnerability analysis: While Invicti performs well in vulnerability detection, there is room for improvement in its false positive analysis and its vulnerability analysis libraries. A false positive rate of 23% means security teams still need to spend time validating results.
- Limited depth for GraphQL APIs: Invicti can scan REST, SOAP, and GraphQL APIs without additional configuration, but its analysis of GraphQL APIs is shallower than that of specialized API security tools, particularly for complex business logic.
- Specificity of reports: The specificity of reports generated by Invicti could be improved by providing more detailed contextual information, clearer remediation guidance, and better prioritization clarity.
PortSwigger Burp Suite
Best for: Pentesting
Burp Suite supports both automated and manual dynamic application security testing (DAST). In our benchmark, its automated scanner achieved 29% coverage of critical vulnerabilities; its strength lies in pairing that scanner with manual testing.
It is available in Community, Professional, and Enterprise editions.
The Community edition provides the manual tooling (intercepting proxy, Repeater); automated crawling and scanning require the Professional edition, and Enterprise Edition adds scheduled, pipeline-driven scanning across many applications for organizations that need a more complex setup.
Strengths
- Accuracy: In our benchmark, Burp Suite showed a 15% false positive rate, which is lower compared to other tools like Invicti, which had a 23% false positive rate.
- Straightforward Setup: The setup process is simple and user-friendly.
Weaknesses
- High memory usage: During scans, particularly of larger applications, Burp Suite uses significant memory, which can degrade performance.
- Limited integrations: Burp Suite Professional lacks native integrations with CI tools such as Jenkins for automating DAST scans; pipeline automation is reserved for the Enterprise edition, which limits the usefulness of the Professional edition in continuous integration/continuous deployment (CI/CD) workflows.
- Reporting quality: Burp Suite rated low for report quality, and the remediation guidance it provided was often too general.
Rapid7 InsightVM
Best for: Identifying and tracking vulnerabilities
InsightVM from Rapid7 is not a DAST tool but a vulnerability management solution for IT environments. It draws on Rapid7’s vulnerability research, insight into global attacker activity, and internet scanning data.
It integrates with Rapid7’s Metasploit to confirm that a vulnerability is exploitable. The platform provides real-time monitoring and assessment of cloud, virtual, and container assets, which makes it adaptable to varied and evolving IT environments.
The Metasploit integration also makes it a useful starting point for penetration testing. InsightVM has strong SIEM integration, vulnerability tracking, and live monitoring through endpoint agents.
Strengths
- Vulnerability management and tracking: Provides real-time asset evaluations for cloud, virtual, and container environments, integrating with Metasploit for exploit confirmation.
- Risk assessment and prioritization: The platform uses real world risk scores to prioritize vulnerabilities and supports agent-based management for efficient patching.
Weaknesses
- High memory consumption: During scans, especially with large environments, InsightVM can consume high memory, which may impact system performance and lead to stability issues.
- Immature Graphical User Interface (GUI): The GUI is inconsistent and lacks maturity, which can make navigation and configuration more difficult for users, especially those without technical expertise.
- Limited query builder: The query builder is limited, restricting the ability to customize complex queries or reports, which can make data extraction and report setup more challenging.
- Delayed bug fixes: Bugs in complex vulnerability checks sometimes take a long time to resolve, which can delay vulnerability assessments and remediation efforts.
Tenable Nessus Professional
Best for: Network scanning
Tenable Nessus Professional is primarily focused on network vulnerability scanning rather than web application security testing.
It runs agentless network scans, with or without credentials, to assess vulnerabilities across network assets, making it suitable for organizations that need a comprehensive IT environment security assessment.
It does not specialize in web application security, but it receives frequent plugin updates to identify the latest vulnerabilities and includes remediation recommendations.
For those who require more enterprise-grade features, such as web application scanning and external attack surface scanning, Tenable offers Nessus Expert as a higher-tier option.
We discussed the pricing of DAST tools and more in the “DAST Pricing: Comparison of Vendor’s Fees” article.
Strengths
- Network scanning: Agentless, optionally credentialed scans for thorough assessments across a range of assets.
- Credentialed and uncredentialed scanning: Nessus supports both unauthenticated network scans and credentialed (authenticated) scans that can see installed software and patch levels, providing flexibility depending on the organization’s needs.
Weaknesses
- Inconsistent scan duration and results: Variability in scan duration and inconsistency in results, which can affect the tool’s reliability in large or complex environments.
If you are already using Tenable Nessus and looking for alternatives, you can read our article “Tenable Nessus Alternatives”.
HCL AppScan
Best for: Enterprise-grade application vulnerability management
The AppScan suite includes several products (AppScan on Cloud, AppScan 360, AppScan Standard, AppScan Source, and AppScan Enterprise).
HCL AppScan includes integration capabilities with various development and deployment environments, regulatory compliance reporting, and customization through the AppScan Extension Framework.
Strengths
- Accuracy: Among the top 2 performers in our DAST benchmark, HCL AppScan demonstrated:
- High true positive rate: 66% true positive rate for critical vulnerabilities.
- Low false positive rate: 2% false positive rate.
- High accuracy in assigning severity to issues: Demonstrated 60% accuracy in assigning the correct severity level to vulnerabilities.
Weaknesses
- Dashboard and reporting: The dashboard and overview section in reports lag behind other commercial DAST tools.
- Limited container integration: Not a good fit for containerized applications in certain environments.
- CI/CD integration: Not an effective tool for continuous CI/CD integration due to licensing restrictions.
- Slow scan duration: HCL AppScan had the slowest scan time in our benchmark.
NowSecure
Best for: Mobile app scanning
NowSecure DAST is focused only on mobile application testing, it does not provide web application testing.
Since the mobile app scanning market is limited, few tools are focused solely on mobile app scanning. NowSecure could be a suitable option for businesses that
- Test only mobile applications.
- Can afford a dedicated tool for mobile app scanning.
Strengths
- Mobile app scanning: Supports automated scanning for mobile applications.
Weaknesses
- Complex testing and manual intervention: Some testing scenarios require manual intervention, especially for custom login flows or complex mobile app configurations.
- Customization limitations: Customization options for reporting and specific testing configurations are limited.
- Scan duration: Scan durations can be long.
Checkmarx DAST
Best for: Application security in fast-paced CI/CD environments
Checkmarx DAST can be deployed on-prem, hybrid, or cloud. It offers SQL injection detection and XSS detection.
Checkmarx DAST is part of the Checkmarx One platform, which consolidates various application security tools (such as SAST, API Security, Container Security, etc.) into a single platform.
Strengths
- Detailed vulnerability tracking: The tool categorizes vulnerabilities by associated risk. It also supports delta scans, which re-scan only the parts of the application that have changed since the previous scan.
- Scanning capabilities: Offers a wide range of scanning capabilities, including SAST, and API scanning.
Weaknesses
- False Positives: High number of false positives, especially in large application code bases.
- Customization limitations: Customization options are limited, particularly in terms of custom reporting and creating new widgets for the dashboard.
- Complex Jenkins integration: While Checkmarx integrates with CI/CD pipelines, the Jenkins pipeline snippet is difficult to implement.
Indusface WAS
Best for: Web application security testing
Indusface WAS is a cloud-delivered scanner that is sold alongside Indusface’s cloud-based Web Application Firewall (WAF). It cannot be deployed on-prem, which could be seen as a negative for users who wish to avoid cloud services.
Strengths
- Scanning coverage: Combines web application security scanning with OS-level vulnerabilities and malware scanning.
- Automated and manual scanning: The platform supports both automated scans and manual VAPT (Vulnerability Assessment and Penetration Testing).
Weaknesses
- User Interface (UI) improvements needed: UI layout and navigation can be enhanced for easier access to security reports and scanning features.
- Limited customization: Lacks customization options for more tailored security tests.
- Scan duration: Scanning process is slower for large-scale applications.
Contrast Assess
Best for: Analyzing vulnerabilities directly within running applications
Contrast Security’s tool, Contrast Assess, primarily uses an Interactive Application Security Testing (IAST) approach.
Strengths
- IAST integration: Contrast instruments the running application, combining runtime visibility (the DAST side) with code-level context (the SAST side). This reduces false positives compared to traditional SAST scans and identifies vulnerabilities in both custom code and open-source libraries.
- Vulnerability insights: Provides clear explanations for each detected vulnerability, outlining the risk, cause, and how to fix the issue.
- Ease of integration: Seamless integration with CI/CD pipelines.
Weaknesses
- Limited language support: The language support for IAST testing is somewhat limited for legacy applications or older programming languages.
- False positives/negatives: Users report both false positives and false negatives, which require manual verification and tuning.
OWASP ZAP
Best for: Open-source web application security
A free and open-source tool, ZAP is highly customizable and supports web apps and APIs. It’s widely used in DevSecOps and CI/CD pipelines. While it doesn’t have the same level of business logic testing as others, it’s still a solid tool that can be enhanced with plugins and integrations.
It acts as a man-in-the-middle proxy, which allows it to intercept and inspect messages sent between a browser and a web server to find security holes in real-time.
Strengths
- Ease of use: Has a well-structured basic user interface.
- Integrations: Integrates easily with CI/CD tools like Jenkins, and with DevSecOps tools like DefectDojo [7].
- Pentesting efficiency: Effective for penetration testing, combining both manual and automated testing features to identify vulnerabilities.
Weaknesses
- False positives: Flags non-exploitable issues as vulnerabilities during automated tests.
- Poor documentation: Documentation is insufficient, especially for advanced automation.
- Limited scope: API scanning is not automatic; it requires importing an OpenAPI or GraphQL definition and additional configuration. ZAP also does not fully support containerized applications.