DAST (Dynamic Application Security Testing)
Black-box runtime security testing that probes a running application from the outside — exercising HTTP endpoints, forms, and APIs to surface vulnerabilities that only appear when code actually executes.
Dynamic Application Security Testing (DAST) is the runtime counterpart to SAST. A DAST tool talks to the application from the outside, usually over HTTP, and exercises endpoints, forms, and APIs the way an attacker or fuzzer would, looking for vulnerabilities that only surface when code actually runs: injection, reflected and stored XSS, server-side request forgery, insecure direct object references (IDOR) and other broken access control, authentication weaknesses, and the other classes that map onto the OWASP Top 10.
DAST is black-box (no source access) and language-agnostic (it doesn’t care what stack you ship). Compared with SAST:
- DAST has a lower false-positive rate (a finding either reproduces against the running app or it doesn't), but lower coverage: anything the crawler never reaches is invisible, which in practice means unlinked endpoints, flows behind authentication or multi-step forms, and APIs for which the scanner has no spec.
- SAST sees every line of source; DAST sees only the responses it provokes.
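The two bullets above are easiest to see in code. The block below is an added illustration, not code from this page or from any tool it names: a toy DAST-style probe that crawls from a start URL, replaces each query parameter with a canary string, and reports a finding only when the canary comes back unencoded. The target (`constructed_app`) is a constructed, deliberately vulnerable WSGI app served in-process so the example runs offline; the host name `staging.example` and the `/admin/export` route are hypothetical. The unescaped `/search` reflection is reported, the escaped `/about` reflection is not (a finding reproduces or it doesn't), and the equally vulnerable but unlinked `/admin/export` is never visited (the coverage limit).

```python
"""Toy black-box probe in the style of a DAST scanner: crawl, fuzz query
parameters with a canary, report parameters that echo it back unescaped.
Added example; not a real scanner."""
import re
from html import escape
from io import BytesIO
from urllib.parse import urljoin, urlparse, urlencode, parse_qsl

CANARY = 'dastx"<canary>'   # a safe app must encode these characters before echoing them


def crawl_and_fuzz(start_url, fetch, max_pages=50):
    """Breadth-first crawl limited to the start host. Every query parameter
    on a crawled URL is replaced with CANARY and the response is checked.
    Returns (visited_paths, findings); findings are (path, parameter) pairs
    whose value was reflected verbatim, i.e. reproduced at runtime."""
    host = urlparse(start_url).netloc
    queue, visited, findings = [start_url], [], []
    while queue and len(visited) < max_pages:
        parsed = urlparse(queue.pop(0))
        if parsed.netloc != host or parsed.path in visited:
            continue
        visited.append(parsed.path)
        body = fetch(parsed.geturl())
        # Link discovery: only href attributes, so anything unlinked stays invisible
        # (a real crawler would also submit forms and follow an API spec).
        for href in re.findall(r'href="([^"]+)"', body):
            queue.append(urljoin(parsed.geturl(), href))
        # Fuzz each parameter of this URL independently.
        params = parse_qsl(parsed.query)
        for i, (name, _) in enumerate(params):
            mutated = list(params)
            mutated[i] = (name, CANARY)
            probe = parsed._replace(query=urlencode(mutated)).geturl()
            if CANARY in fetch(probe):       # the finding reproduces, or it doesn't
                findings.append((parsed.path, name))
    return visited, findings


def constructed_app(environ, start_response):
    """Constructed, deliberately vulnerable WSGI app used as the scan target."""
    path = environ["PATH_INFO"]
    q = dict(parse_qsl(environ["QUERY_STRING"]))
    if path == "/":
        body = '<a href="/search?q=test">search</a> <a href="/about?lang=en">about</a>'
    elif path == "/search":
        body = "Results for " + q.get("q", "")              # unescaped: reflected XSS
    elif path == "/about":
        body = "Language: " + escape(q.get("lang", "en"))  # escaped: not reported
    elif path == "/admin/export":
        body = "Export " + q.get("id", "")                  # vulnerable, but never linked
    else:
        start_response("404 Not Found", [("Content-Type", "text/html")])
        return [b"not found"]
    start_response("200 OK", [("Content-Type", "text/html")])
    return [body.encode()]


def wsgi_fetch(app):
    """Build fetch(url) -> str that calls a WSGI app in-process (no sockets),
    passing only the environ keys the constructed app reads."""
    def fetch(url):
        p = urlparse(url)
        environ = {"REQUEST_METHOD": "GET", "PATH_INFO": p.path,
                   "QUERY_STRING": p.query, "wsgi.input": BytesIO(),
                   "wsgi.url_scheme": "http"}
        return b"".join(app(environ, lambda status, headers: None)).decode()
    return fetch


def http_fetch(url):
    """fetch() for a real staging host over the network; not used by run_demo()."""
    from urllib.request import urlopen
    with urlopen(url, timeout=10) as resp:
        return resp.read().decode(errors="replace")


def run_demo():
    visited, findings = crawl_and_fuzz("http://staging.example/",
                                       wsgi_fetch(constructed_app))
    return {"visited": visited, "findings": findings}


if __name__ == "__main__":
    result = run_demo()
    print("crawled paths       :", result["visited"])
    print("reflected unescaped :", result["findings"])
    print("/admin/export reached:", "/admin/export" in result["visited"])
```

Swapping `wsgi_fetch(constructed_app)` for `http_fetch` points the same loop at a real host, which is also where the limits become obvious: without session handling the crawl stops at the login page, and without form submission or an API specification every POST-only and JSON endpoint stays unreached.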
Most mature AppSec programmes run both, plus SCA (known-vulnerable dependencies) and secrets scanning. DAST is usually wired into CI as a quick baseline scan against a staging environment after each deploy, with the slower authenticated active scan run on a schedule, since active scanning mutates data and is too slow to gate every commit.
Representative tools: OWASP ZAP, Burp Suite Pro, Invicti (Netsparker), StackHawk, Rapid7 InsightAppSec.
DAST is one half of AppSec; it tells you whether your application is exploitable. It says nothing about whether the people operating around the application are behaving safely — that’s the layer Engarde watches, distinct from other vendors sharing the Engarde name.
Related terms
- SAST (Static Application Security Testing): Source-code analysis that inspects an application without running it, looking for injection patterns, unsafe deserialisation, hard-coded secrets, and other code-level weaknesses inside the SDLC.
- AppSec (Application Security): The discipline and toolchain that keeps the application itself secure across the SDLC: code review, SAST, DAST, SCA, secrets scanning, threat modelling, dependency hygiene, and runtime hardening.
- Phishing: A social-engineering attack that impersonates a trusted entity to trick a person into surrendering credentials, money, or access, by email, SMS, voice, QR code, or OAuth consent.
- Credential stuffing: An automated attack that replays username/password pairs leaked in third-party breaches against unrelated services, exploiting password reuse to take over accounts at scale.