AIMultiple Research
Security Tools
Updated on Sep 9, 2025

Top 10 DAST Tools: Benchmarking Results & Comparison

As a CISO, I have worked extensively with DAST tools. In my evaluation of the top solutions, I reviewed capabilities such as accuracy, detection performance by severity, and more. See below for a detailed breakdown of my key takeaways:

DAST benchmark results:

1. True & false positive rates

Benchmark environments:

1. Holdout: Two private websites built by the AIMultiple team and explained as part of the methodology. Aims to measure how tools perform in detecting vulnerabilities in custom-built, non-public applications.

2. Holdout (w/o information items): A variant of the private holdout environment where vulnerabilities that represent information disclosure issues (e.g., verbose error messages, stack traces, or header leaks) are removed from the evaluation set. Aims to provide a clearer picture of how tools handle exploitable vulnerabilities only, without the noise of low-severity informational findings.

3. DVWA (Damn Vulnerable Web Application): An open-source vulnerable web application built on PHP/MySQL.[1] Aims to benchmark tools against known vulnerabilities and validate detection consistency.

4. Broken Crystals: An open-source web app built with React.[2] Aims to evaluate tool effectiveness on vulnerabilities common in frontend-heavy applications.

Key metrics for evaluating DAST tools:

1. Vulnerability coverage: How many real vulnerabilities the tool correctly finds. (Higher coverage means fewer blind spots in your security.)

It is equal to true positives (i.e. correctly identified security vulnerabilities) / total number of vulnerabilities.

2. Inverted False Positive Rate: The share of findings that are not false alarms. It ensures security teams don’t waste time chasing issues that aren’t real. (We invert the rate so higher is always better.)

Its formula is 1 − (False Positives ÷ Total Findings).

Expert recommendations

Based on our benchmarking experience, we recommend that enterprises:

Make DAST part of every release cycle: Treat DAST as a safety net for your code. Running scans after each release helps you identify recurring vulnerabilities early, before they reach production and become bigger issues.

Don’t rely on DAST alone: While DAST is effective, it can’t cover every angle of application security. To build a stronger defense, complement it with:

  • SAST to analyze code directly,
  • IAST to monitor vulnerabilities at runtime, and
  • Manual testing to catch complex logic flaws.
    Together, these approaches close the gaps and give you more reliable protection.

Balance speed with accuracy: The most valuable tools aren’t the ones that produce the longest list of issues. They’re the ones that surface the right vulnerabilities quickly, and give clear guidance on how to fix them. That way, security and development teams can spend less time filtering noise and more time on real remediation.

2. Important vulnerability detection performance

In the analysis below, we excluded vulnerabilities classified as informational (e.g., verbose messages, metadata leaks) to focus only on important vulnerabilities that could materially impact security.

Updated at 11-24-2024
Product              Vulnerability coverage   Prioritization accuracy   False positive rate
HCL AppScan          66%                      60%                       2%
Invicti Netsparker   64%                      58%                       23%
Zap                  29%                      22%                       15%
Acunetix             27%                      26%                       0%
Tenable Nessus       23%                      17%                       10%
Qualys Express       14%                      5%                        21%

3. Reporting & other features

Updated at 11-24-2024
DAST software        Scan time (minutes)   Remediation suggestions   Report quality
HCL AppScan          TBD                   Not yet evaluated         Medium
Invicti Netsparker   118                   Not yet evaluated         High
Zap                  9                     Not yet evaluated         Low
Acunetix             94                    Not yet evaluated         Medium
Tenable Nessus       5                     Not yet evaluated         Low
Qualys Express       104                   Not yet evaluated         High

  • Scan Time: Speed is especially critical when DAST scans are integrated into CI/CD pipelines. A slow scan delays development cycles and discourages frequent use.
  • Remediation Suggestions: Actionable, high-quality remediation guidance helps developers resolve issues quickly. Features such as attack replay further improve efficiency by allowing teams to verify fixes without rerunning an entire scan. (Note: we have not yet formally evaluated the quality of remediation suggestions.)
  • Report Quality: Well-structured, easy-to-read reports help security and development teams prioritize, understand, and act on findings more effectively.

4. Vulnerability detection by severity

The performance differences between DAST tools become more visible when detection is broken down by vulnerability severity (e.g., high, medium, low).

This view highlights not just whether tools detect vulnerabilities, but whether they capture the most critical ones:

Updated at 11-24-2024
Severity        HCL AppScan   Invicti Netsparker   Zap   Acunetix   Tenable Nessus   Qualys Express
Critical        75%           50%                  0%    50%        0%               50%
High            50%           0%                   0%    25%        0%               25%
Medium          21%           57%                  14%   36%        14%              29%
Low             66%           50%                  53%   6%         16%              13%
Best Practice   96%           100%                 13%   48%        48%              0%
Informational   26%           56%                  11%   11%        7%               15%

5. Prioritization accuracy

While prioritization is less important than detection, a wrongly prioritized vulnerability can be as dangerous as an undetected one, since a low priority assigned to a critical vulnerability may lead to it being deprioritized.

Below, you can see the share of correctly prioritized issues among all detected issues categorized according to severity levels:

Updated at 11-24-2024
Severity        HCL AppScan   Invicti Netsparker   Zap            Acunetix   Tenable Nessus   Qualys Express
Critical        33%           50%                  No detection   100%       No detection     50%
High            100%          No detection         No detection   0%         No detection     0%
Medium          33%           75%                  50%            100%       0%               0%
Low             95%           94%                  76%            100%       0%               25%
Best Practice   100%          100%                 0%             100%       27%              No detection
Informational   100%          100%                 67%            100%       100%             0%

Note: A score of 100% does not mean that all vulnerabilities were detected. It indicates that, among the subset of vulnerabilities that were detected, all were correctly prioritized.
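As an added example (not the article's or any vendor's code), the scoring logic behind sections 1, 4 and 5: it matches a scanner's findings against the planted issues of a holdout site and derives vulnerability coverage, inverted false positive rate, detection by severity and prioritization accuracy, with the "w/o information items" variant as a switch. The Issue fields, the sample ground truth and the scanner findings are constructed assumptions, not benchmark data.

```python
"""Scoring helper for a DAST benchmark run (added example, not AIMultiple's tooling).
Matches a tool's findings against a holdout site's planted vulnerabilities and
computes coverage, inverted FPR, detection by severity and prioritization accuracy."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Issue:
    path: str       # endpoint where the issue lives, e.g. "/login"
    category: str   # vulnerability class, e.g. "SQL Injection"
    severity: str   # Critical, High, Medium, Low, Best Practice or Informational


def _key(issue):
    return (issue.path, issue.category)  # identity for matching; severity compared separately


def score(ground_truth, findings, exclude_informational=False):
    """Return the benchmark metrics for one tool as a dict of ratios."""
    if exclude_informational:  # the "holdout w/o information items" variant
        ground_truth = [g for g in ground_truth if g.severity != "Informational"]
        findings = [f for f in findings if f.severity != "Informational"]
    truth = {_key(g): g for g in ground_truth}
    # Scanners often report the same issue several times; count each once.
    seen = {_key(f): f for f in findings}
    tp = [f for k, f in seen.items() if k in truth]
    fp = [f for k, f in seen.items() if k not in truth]
    coverage = len(tp) / len(truth) if truth else 0.0
    inverted_fpr = 1 - len(fp) / len(seen) if seen else 1.0
    # Detection by severity: share of planted issues of each severity that were found.
    det = defaultdict(lambda: [0, 0])  # severity -> [detected, planted]
    for k, g in truth.items():
        det[g.severity][1] += 1
        det[g.severity][0] += k in seen
    # Prioritization accuracy: among detected issues of each planted severity, the
    # share the tool ranked with exactly that severity (absent key = "No detection").
    prio = defaultdict(lambda: [0, 0])  # severity -> [correctly ranked, detected]
    for f in tp:
        g = truth[_key(f)]
        prio[g.severity][1] += 1
        prio[g.severity][0] += f.severity == g.severity
    return {
        "coverage": coverage,
        "inverted_fpr": inverted_fpr,
        "detection_by_severity": {s: d / n for s, (d, n) in det.items()},
        "prioritization_accuracy": {s: c / n for s, (c, n) in prio.items()},
    }


# Constructed ground truth for a holdout site: planted issues and their true severity.
GROUND_TRUTH = [
    Issue("/login", "SQL Injection", "Critical"),
    Issue("/search", "Reflected XSS", "High"),
    Issue("/profile", "IDOR", "High"),
    Issue("/api/items", "Missing Rate Limiting", "Medium"),
    Issue("/", "Missing Security Headers", "Low"),
    Issue("/error", "Verbose Error Message", "Informational"),
]

# Constructed scanner output: two misses, one under-ranked issue, one false alarm
# and one duplicate report.
FINDINGS = [
    Issue("/login", "SQL Injection", "Critical"),
    Issue("/login", "SQL Injection", "Critical"),   # duplicate of the line above
    Issue("/search", "Reflected XSS", "Medium"),    # detected but ranked too low
    Issue("/", "Missing Security Headers", "Low"),
    Issue("/error", "Verbose Error Message", "Informational"),
    Issue("/about", "Reflected XSS", "High"),       # not planted: false positive
]


def example_scores():
    """Score the constructed run with and without informational items."""
    return score(GROUND_TRUTH, FINDINGS), score(GROUND_TRUTH, FINDINGS, True)


if __name__ == "__main__":
    for name, r in zip(("holdout", "holdout w/o info"), example_scores()):
        print(f"{name}: coverage {r['coverage']:.0%}, inverted FPR {r['inverted_fpr']:.0%}")
```

On the constructed run the under-ranked XSS finding still counts toward coverage for High severity but scores 0% prioritization accuracy there, which is exactly the distinction the note above draws.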

Benchmark methodology

Holdout set: We set up 2 websites:

  • One with all of the OWASP Top 10 vulnerabilities (such as SQL injection) deliberately included.
  • The other included no important vulnerabilities.

The websites are not public. We keep them as a holdout set to ensure that vendors don’t use them to improve their DAST tools, which would defeat the purpose of the benchmark: measuring the performance of these tools on real-world applications.

Participating DAST solutions: To produce benchmark results, we:

  • Got access to 6 top DAST solutions.
  • Used each tool as a web DAST scanner to run benchmark tests with the configuration to detect OWASP Top 10.

The DAST solutions used on the holdout set are listed below:

  • Acunetix by Invicti’s latest version as of June/2024
  • HCL AppScan Standard 10.5.0
  • Qualys WAS’ latest version as of October/2024
  • Netsparker by Invicti’s latest version as of June/2024
  • Tenable Nessus 10.7.4
  • ZAP 2.15.0

DVWA and Broken Crystals:

Results were taken from Pentest-Tools.com’s benchmark.[3]

Next steps

Add more open source benchmark results to complement the results from the holdout set. Potential candidates include the OWASP Benchmark Project, a Java test suite for evaluating the accuracy, coverage, and speed of automated software vulnerability detection tools.

We are open to including other web vulnerability scanners in the benchmark results. Please leave a note or reach out to us via LinkedIn or email if you represent a DAST solution. We are especially looking to incorporate these in the benchmark:

  • Checkmarx DAST
  • Contrast Assess
  • Indusface WAS
  • PortSwigger Burp Suite

Why are we running DAST benchmarks?

Businesses rely on DAST to keep their data and applications secure as part of their cybersecurity strategy. However, the most important metrics about a DAST tool, such as its false positive rate, are not available.

Businesses should run a Proof of Concept (PoC) before adopting DAST tools; however, PoCs are not perfect:

  • Applications tested during the PoC may not have certain vulnerabilities and as a result, businesses may not understand the full capabilities of the tools in their PoC.

  • PoCs are costly, so businesses may not cover every DAST tool in their PoC and may miss out on the best-fit solution for their business.

Reviewing benchmark results and selecting their shortlist of vendors for the PoC can help businesses identify the optimal solution for their applications.

Standardized criteria for evaluating web vulnerability scanners

See below some of the criteria that we used and the rationale for selecting them:

  • True positive rate: Automated vulnerability detection is a DAST tool’s main job. It is critical that automated web application security scanners identify vulnerabilities in applications.

  • False positive rate: False positives reduce trust in DAST solutions and slow down security teams. In the graph, we wanted to place higher performing solutions on the top right corner, therefore we inverted the false positive rate.

  • Prioritization accuracy: Correctly assigned severities are critical for prioritization. Without this, security teams can get lost in a large list of vulnerabilities.

How should businesses run DAST PoCs?

We recommend:

  • Using a wide variety of applications to see how different tools perform in different scenarios.

  • Including benchmarking targets that resemble the end-target applications of the organization as closely as possible.

Top 10 DAST tools compared

Software and what it is best for:

1. Invicti Netsparker: Web Application Scanning
2. PortSwigger Burp Suite: Pentesting
3. InsightVM Rapid7: Identifying & Tracking Vulnerabilities
4. Tenable Nessus Professional: Network Scanning and Security
5. HCL AppScan: Enterprise-grade application vulnerability assessments
6. NowSecure: Mobile app scanning
7. Checkmarx DAST: DAST in fast-paced CI/CD environments
8. Indusface WAS: Real-time risk mitigation
9. Contrast Assess: Analyzing vulnerabilities directly within running applications
10. OWASP ZAP: Free / open source DAST

Updated at 10-02-2024
Vendors                        Reviews**                  Free Trial***   Employees   Price
Invicti                        4.6 based on 203 reviews                   300         Not shared publicly
PortSwigger Burp Suite         4.7 based on 124 reviews                   190         From $449 to $49,000 per year (Professional edition, per person, vs Enterprise edition). Also has a free “community” version.
InsightVM Rapid7               4.4 based on 94 reviews    ✅ (30-day)      2,700       Pricing is asset-based (at least 512 assets).[4]
Tenable Nessus Professional    4.6 based on 88 reviews    ✅ (7-day)       2,100       Tenable Nessus has 3 pricing editions, from $3,590 to $5,290 annually.
HCL AppScan                    4.0 based on 82 reviews    ✅ (30-day)      10,000      Not shared publicly
Contrast Assess                4.5 based on 49 reviews                    300         Not shared publicly
Indusface WAS                  4.5 based on 58 reviews    ✅ (14-day)      150         Has a free “basic” plan. Advanced plan priced at $59 per month; premium plan at $199 per month.
Checkmarx DAST                 4.2 based on 34 reviews                    130         Not shared publicly
NowSecure                      4.6 based on 26 reviews                    118         Not shared publicly
OWASP ZAP (Zed Attack Proxy)   4.7 based on 11 reviews    Open Source     N/A****     Open Source

** Reviews are based on Capterra and G2.

*** Free trial period is included if it is publicly shared.

**** Community-driven, non-profit foundation

These solutions include both paid and free DAST solutions. If you’re only interested in free solutions, check out free DAST tools.

Integration capabilities of DAST tools

Updated at 07-25-2024
Vendor                        Integration with SIEM tools                    Ticketing tool integrations
Invicti                       Splunk                                         Built-in, Jira, ServiceNow
PortSwigger Burp Suite                                                       Built-in, Jira
InsightVM Rapid7              Splunk, McAfee ESM, Sumo Logic                 Built-in, Jira, ServiceNow
Tenable Nessus Professional   Splunk, IBM QRadar, McAfee ESM                 Built-in, Jira, ServiceNow
HCL AppScan                   IBM Security QRadar                            Jira, ServiceNow
NowSecure                                                                    Jira
Checkmarx DAST                Splunk                                         Jira, ServiceNow
Indusface WAS                 Sumo Logic, RSA, Splunk, McAfee ESM
Contrast Assess               Azure Sentinel, Datadog, Splunk, Sumo Logic    Jira
OWASP ZAP

Features of DAST tools

Updated at 07-25-2024
Vendor                        Deployment options       Detect XSS   Detect SQL injection   OAuth 2.0
Invicti                       On-Prem, Cloud, Hybrid
PortSwigger Burp Suite        On-Prem, Cloud, Hybrid
InsightVM Rapid7              On-Prem, Cloud, Hybrid
Tenable Nessus Professional   On-Prem, Cloud, Hybrid
HCL AppScan                   On-Prem, Cloud, Hybrid
NowSecure                     On-Prem, Cloud
Checkmarx DAST                On-Prem, Cloud, Hybrid
Indusface WAS                 Cloud
Contrast Assess               On-Prem, Cloud, Hybrid
OWASP ZAP                     On-Prem

To understand why these differentiating features are important, check the definitions and significance of each feature.

Invicti

Best for: Web application scanning

Invicti’s Dynamic Application Security Testing (DAST) tool leverages a dynamic and interactive scanning approach (DAST + IAST). Highlights of Invicti’s DAST solution:

  • Deployment can be on-prem, public or private cloud and hybrid.
  • Features include Web Application Firewall and OAuth 2.0 integration.
  • Best known for web application security scanning, which can scan internal or external websites.

Pros

  • Most promising features of Invicti are:
    • its ability to confirm access vulnerabilities and SQL injection vulnerabilities,
    • its connectors to other security tools.
  • Users argue that Invicti’s baseline scanning and incremental scan are valuable features.
  • Invicti’s proof-based scanning helps reduce vulnerability validation time so users can focus on finding more complex vulnerabilities.

Cons

  • False positive analysis and vulnerability analysis libraries could be improved.
  • Specificity of the reports generated by the tool could be improved.
  • Licensing model could be more cost-effective.

PortSwigger Burp Suite

Best for: Pentesting

PortSwigger’s Burp Suite focuses on both automated and manual Dynamic Application Security Testing (DAST). Burp Suite incorporates methods like out-of-band testing (OAST). Burp Suite is available in different editions, including the Professional, Enterprise, and Community editions.

Professionals who seek to enhance their penetration testing use PortSwigger. The UI may be complex for users who lack technical expertise.

The community edition can scan or crawl web apps internally or externally, while the paid version provides additional capabilities for enterprises that seek a more complex tool.

Pros

  • Straightforward setup process, as mentioned by multiple reviewers.
  • Accuracy in comparison to other solutions, reporting fewer false positives.
  • The automated scan feature is particularly useful for customers needing basic security assurance.

Cons

  • Stability issues, particularly in terms of high memory usage while scanning.
  • Integrations: It could offer better integration with tools like Jenkins for automating dynamic application security testing (DAST).
  • Reporting: There are concerns about the quality of reporting, with some finding it not very informative.

InsightVM Rapid7

Best for: Identifying and tracking vulnerabilities

InsightVM from Rapid7 is not a DAST tool but a vulnerability management solution to detect threats in IT environments. It utilizes Rapid7’s vulnerability research, insights into global attacker activities, and internet scanning data.

It also includes integration with Rapid7’s Metasploit to confirm exploits. The platform provides capabilities like real-time monitoring and evaluations of cloud, virtual, and container assets, which makes it adaptable for varied and evolving IT settings.

This integration also makes it a suitable option for penetration testing. InsightVM has strong SIEM integration, vulnerability tracking, and live monitoring with endpoint agents.

Pros

  • Agent-based platform of the tool allows users to concentrate on making enhancements while managing underlying dependencies with ease.
  • It clearly highlights vulnerabilities and prioritizes remediation efforts, making it useful for managing vulnerabilities and patches.
  • Its use of real risk scores, along with features like agent and engine support, SCCM-assisted patching, hardening checks, remediation projects, and SLAs, is effective.

Cons

  • Memory consumption can be high.
  • Immature and inconsistent graphical user interface (GUI); the query builder is limited.
  • Bugs in complex vulnerability checks sometimes take a long time to resolve. Setting up concise reports can be challenging.

Tenable Nessus Professional

Best for: Network scanning and security

Tenable Nessus Professional conducts vulnerability assessments through evaluative and agentless scans. Multi-year subscriptions are available for Nessus Professional, which encompass enhanced support services such as telephone, community forums, and live chat assistance.

Tenable Nessus has a more expensive version, Tenable Nessus Expert, which adds features such as web application scanning and external attack surface scanning.

We discussed the pricing of DAST tools and more in the “DAST Pricing: Comparison of Vendor’s Fees” article.

Pros

  • User-friendly graphical interface and superior detection capabilities.
  • Satisfactory customer support
  • Dual implementation approach, which includes both agent-based and credentials-based solutions.
  • Frequent updates to incorporate the most recent vulnerabilities, along with recommendations for remediation.

Cons

  • Some users have mentioned experiencing variability in both the duration of scans and the consistency of results with the tool.
  • Retrieving reports over an extended timeframe can be time-consuming, indicating that both the scanning and reporting processes require a significant amount of time.

If you are already using Tenable Nessus and looking for alternatives, you can read our article “Tenable Nessus Alternatives”.

HCL AppScan

The AppScan suite includes several products (AppScan on Cloud, AppScan 360, AppScan Standard, AppScan Source, and AppScan Enterprise).

HCL AppScan includes integration capabilities with various development and deployment environments, regulatory compliance reporting, and customization through the AppScan Extension Framework.

Pros

  • Among the top 2 performers in our DAST benchmark with a
    • high true positive rate
    • low false positive rate
    • high accuracy rate in assigning severity to issues
  • Quick responses to feature requests.
  • Clear remediation suggestions facilitate ease of use for developers.

Cons

  • In our view, dashboard and overview section in reports lag behind other commercial DAST tools.
  • Has limited integration with some container technologies.
  • CI/CD integration and scalability can be challenging due to
    • Licensing restrictions
    • Slow scan duration. It had the slowest scan time in our benchmark.

NowSecure

Best for: Mobile app scanning

NowSecure DAST is focused only on mobile application testing; it does not provide web application testing.

Since the mobile app scanning market is limited, few tools are focused solely on mobile app scanning. NowSecure could be a suitable option for businesses that

  • Test only mobile applications.
  • Can afford a dedicated tool for mobile app scanning.

Pros

  • Users cite that the platform is easy to integrate and has an intuitive interface.
  • Reporting capabilities of the tool are advanced.

Cons

  • Testing can be complex and require manual intervention.
  • Cost of the service can be a challenge for smaller companies.
  • Customization options are not widely available.

Checkmarx DAST

Checkmarx DAST can be deployed on-prem, hybrid, or cloud. It offers SQL injection detection and XSS detection.

Checkmarx DAST is part of the Checkmarx One platform, which consolidates various application security tools (such as SAST, API Security, Container Security, etc.) into a single platform.

Pros

  • Checkmarx finds noticeably more vulnerabilities than free tools.
  • Centralized reporting functionality can be helpful with tracking issues.

Cons

  • Some users have reported that integrating Checkmarx with the CI/CD pipeline is slightly difficult.
  • Some users have reported that the interactive application security testing (IAST) part needs improvement.

Indusface WAS

The Indusface DAST provides cloud-based Web Application Firewall (WAF) features. Indusface WAS cannot be deployed on-prem, which could be seen as a negative if users wish to avoid using cloud services.

Pros

  • The tool is capable of running complex workloads.
  • Support: Users state that the tools have quick support and timely responsiveness, also stating that the team is knowledgeable and efficient.

Cons

  • The portal’s time-out after inactivity could be longer.
  • User interface can be made more intuitive and informative for the user. The design looks dated.

Contrast Assess

Contrast Security’s tool, Contrast Assess, primarily uses an Interactive Application Security Testing (IAST) approach.

Pros

  • Users state that Contrast Assess is a stable solution.
  • Users state that the solution is accurate in identifying vulnerabilities. Multiple users also noted that the real-time code evaluation feature is helpful.

Cons

  • Users have argued that the solution should provide more details in the section showing that third-party libraries have CVEs or other vulnerabilities.
  • Some users cite their concern about the scalability of the solution.

OWASP ZAP

OWASP ZAP (Zed Attack Proxy) is an open-source DAST tool. It acts as a man-in-the-middle proxy, which allows it to intercept and inspect messages sent between a browser and a web server to find security holes in real-time.

Based on our experience with the tool, we identified the following:

Pros

  • Low false positive rate
  • Easy to use, especially for an open-source tool.
  • Integrations to DevSecOps tools like DefectDojo.[5]

Cons

  • Limited vulnerability detection rate.
  • It takes considerable time to analyze big applications, but it can be fast for small applications.
  • In terms of integrations, ZAP lags behind commercial web scanning applications, which can also lead to more manual work.

FAQ

What is a DAST Tool?

DAST tools are application security solutions that detect vulnerabilities in web applications while running in a live environment. They simulate attacks from a malicious user’s perspective to identify potential security issues. They can also be considered a part of vulnerability scanning tools.

How Do DAST Tools Work?

DAST tools typically interact with an application through its front end, testing for vulnerabilities like SQL injection, cross-site scripting (XSS), and other standard security threats. They do not require access to the source code.

Who Should Use DAST Tools?

DAST tools are essential for security teams, developers, and IT professionals involved in maintaining the security of web applications. They are particularly useful for organizations with dynamic, frequently updated web applications.

What are the Benefits of Using DAST Tools?

The main benefits include the ability to identify real-world attack vectors, ease of use without needing access to source code, and the capacity to test applications in their final running state.

Can DAST Tools Replace Other Security Testing Methods?

No, DAST complements other testing methods like static application security testing (SAST) and interactive application security testing (IAST). A comprehensive security strategy requires a mix of different testing approaches.

Are There Limitations to DAST Tools?

Yes, DAST tools can miss vulnerabilities that are not exposed through the web interface, and they might generate false positives. They also can’t typically assess the source code for underlying issues.

How Often Should DAST Tools be Used?

It’s recommended to use DAST tools regularly, especially after significant changes to the application or its environment. Continuous integration environments may benefit from more frequent testing.

Can DAST Tools Test Mobile Applications?

Some DAST tools are capable of testing mobile applications, but their effectiveness can vary depending on the tool and the specific application architecture.

Are DAST Tools Suitable for All Web Applications?

DAST tools are versatile, but their effectiveness can vary depending on the complexity and technology of the web application. They are generally more effective for traditional web applications than for single-page applications or services using extensive client-side scripting.

Adil is a security expert with over 16 years of experience in defense, retail, finance, exchange, food ordering and government.
