Contact Us Today 01642 716680


Definition: DAST is a security practice that involves the testing and evaluation of applications in their running state, often from the outside in, to identify security vulnerabilities that may occur during execution.

DAST tools simulate attacks on an application, automating the discovery of security issues such as Runtime Application Self-Protection vulnerabilities, cross-site scripting (XSS), SQL injection, and other conditions that cannot be detected by examining static source code alone. The dynamic nature of DAST allows it to interact with an application, uncovering issues that only become apparent during operation, such as those involving user authentication, session management, and data validation.

These tools are commonly used in the later stages of the development lifecycle and can be particularly effective in finding configuration mistakes or errors that surface only when a user is interacting with the application. DAST is considered an essential part of a robust cyber security strategy, complementing static application security testing (SAST) by bringing an attacker’s perspective to the testing process.

Effective DAST practices involve regular scanning and testing cycles during and after software deployment, using automated DAST tools and techniques to provide continuous security assurance.

Key Characteristics:

  • Tests applications in their running state, as an attacker would see them
  • Identifies security vulnerabilities that emerge during program execution
  • Complements static analysis by revealing issues not visible in source code alone
  • Often used for web applications to find common vulnerabilities like XSS and SQL injection


  • Real-World Example: A web development team conducts DAST on their e-commerce platform before a major release to ensure no new changes affect the application’s ability to defend against common web attacks.
  • Hypothetical Scenario: During routine maintenance, a DAST tool is employed to test a company’s customer portal for security weaknesses, finding an unsecured API endpoint that could have allowed unauthorised access to user data.

Related Terms:

  • SAST (Static Application Security Testing): A process that examines source code for security vulnerabilities without running the program.
  • XSS (Cross-Site Scripting): A security vulnerability typically found in web applications, which DAST can help identify by simulating attack scenarios in a live environment.
  • SQL Injection: A code injection technique used to attack data-driven applications that DAST tools can detect by executing dynamic tests.
  • Runtime Application Self-Protection (RASP): Security technology that runs within an application’s runtime environment to detect and block cyberattacks in real time, which DAST will engage with during evaluation.

What is the OWASP Top 10: Download our flash cards to find out.

Inside you will find a description of the most common web vulnerabilities.

Contact us

Get a free, no obligation quote from one of our expert staff.