DAST (Dynamic Application Security Testing)
What is DAST (Dynamic Application Security Testing)?
DAST (Dynamic Application Security Testing): Black-box security testing that probes a running application over the network to find vulnerabilities visible only at runtime, such as injection, auth flaws and misconfigurations.
DAST tools interact with a deployed application — usually via HTTP — without needing source code. They crawl endpoints, send crafted requests, and observe responses to detect issues such as SQL injection, XSS, SSRF, broken authentication, misconfigured CORS or insecure cookies. Because they see what an attacker would see, DAST complements SAST by catching runtime-only problems, including those arising from configuration, infrastructure or third-party services. DAST is typically run in staging or QA environments and integrated into CI/CD as a release gate. Common tools include OWASP ZAP, Burp Suite, Invicti, Acunetix and StackHawk.
● Examples
- 01: Running an OWASP ZAP automated scan against a staging API as a CI job.
- 02: Performing a Burp Suite scan with an authenticated session against a SPA.
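Two of the runtime-only checks the definition mentions (insecure cookie attributes and a CORS policy that echoes an untrusted Origin with credentials), written as passive checks over captured responses. This is an added example, not code from the page or from any tool it names; the URLs, probe origin and response headers are constructed sample data standing in for what a scanner captures from a staging deployment.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    check: str   # short rule id
    detail: str  # evidence a reviewer can act on

COOKIE_ATTRS = {"secure": "Secure", "httponly": "HttpOnly", "samesite": "SameSite"}

def check_cookies(headers):
    """Flag every Set-Cookie header missing Secure, HttpOnly or SameSite."""
    findings = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie = parts[0].split("=", 1)[0]
        present = {p.split("=", 1)[0].lower() for p in parts[1:]}
        for attr, label in COOKIE_ATTRS.items():
            if attr not in present:
                findings.append(Finding("insecure-cookie", f"{cookie} lacks {label}"))
    return findings

def check_cors(probe_origin, headers):
    """Flag a CORS policy that echoes the probe Origin while allowing credentials."""
    h = {name.lower(): value for name, value in headers}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    if acao == probe_origin and creds:
        return [Finding("cors-reflected-origin", f"{probe_origin} echoed with credentials")]
    return []

# Constructed sample responses, standing in for what a scanner captures after
# sending requests to a staging deployment with an untrusted Origin header.
PROBE_ORIGIN = "https://untrusted-origin.example"
SAMPLE_RESPONSES = [
    {"url": "https://staging.example/api/login", "probe_origin": PROBE_ORIGIN, "headers": [
        ("Content-Type", "application/json"),
        ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
        ("Access-Control-Allow-Origin", PROBE_ORIGIN),
        ("Access-Control-Allow-Credentials", "true")]},
    {"url": "https://staging.example/api/health", "probe_origin": PROBE_ORIGIN, "headers": [
        ("Content-Type", "application/json"),
        ("Set-Cookie", "csrf=xyz; Path=/; Secure; HttpOnly; SameSite=Strict"),
        ("Access-Control-Allow-Origin", "https://app.example")]},
]

def scan(responses):
    """Run both passive checks over every captured response, keyed by URL."""
    return {r["url"]: check_cookies(r["headers"]) + check_cors(r["probe_origin"], r["headers"])
            for r in responses}
```

In a real pipeline the header lists would be filled from live responses to the staging target, and a non-empty result from `scan` would fail the release gate.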
● Frequently asked questions
What is DAST (Dynamic Application Security Testing)?
Black-box security testing that probes a running application over the network to find vulnerabilities visible only at runtime, such as injection, auth flaws and misconfigurations. It belongs to the Application Security category of cybersecurity.
What does DAST (Dynamic Application Security Testing) mean?
Black-box security testing that probes a running application over the network to find vulnerabilities visible only at runtime, such as injection, auth flaws and misconfigurations.
How do you defend against DAST (Dynamic Application Security Testing)?
Defences for DAST (Dynamic Application Security Testing) typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for DAST (Dynamic Application Security Testing)?
Common alternative names include: Dynamic analysis, Black-box security testing.