Application and API attacks have surged recently. According to the API Security Impact Study 2024, 84% of enterprises have experienced API security incidents in 2024. So, you must find and fix vulnerabilities in your App or API to prevent hackers from exploiting them.

Akamai API security impact report

Of course, using a DAST scanner is a proven way to detect security issues in your running App or API. However, finding the right DAST scanner can be tricky, especially when you’re new to scanning tools. These tools tend to have different features for various use cases, which can be confusing if you’re a beginner.

To make it easier, I have prepared a list of the best DAST tools based on my thorough research, participation in trials and demos, and reading of product documents. I’ve also verified vendors’ claims using multiple data sources, including independent B2B review sites like G2, TrustRadius, and Capterra.

Check out the list below! 👇🏼


Top DAST Scanners Comparison

For a brief overview, I’ve created a comparison table below for the DAST scanners on this list based on key features, availability of a free trial, and pricing.

| DAST Scanner | Key Features | Free Trial | Pricing |
|---|---|---|---|
| Probely | Noise-free scanning, low false positives, compliance support, customizable scanning, API scanning, integration with CI/CD pipelines | 14-day | On request |
| Invicti | DAST + IAST approach, open-source component detection, broad vulnerability coverage | Demo | On request |
| Indusface WAS | Malware scanning, penetration testing, zero false positives, public asset inventory, defacement detection, VAPT | 14-day | $59/app/month |
| Rapid7 InsightAppSec | Protection from 95+ attack types, attack replay, scan scheduling, misconfiguration scanning | 30-day | $175/app/month |
| StackHawk | API testing for REST, SOAP, GraphQL, custom test scripts, prioritized scan results, CI/CD integration | 14-day | $42 per code contributor/month |
| SOOS DAST | Open-source ZAP scanner, unlimited domain scanning, CI/CD integrations, OSS vulnerability scanning, security misconfiguration detection | Yes | $90/month |
| Veracode Dynamic Analysis | Cloud-native scanning, firewall-protected scanning, scan parameter customization, API security scanning, remediation guidance | 14-day | On request |
| Acunetix | Scans script-heavy sites, 12,000+ vulnerabilities, combines DAST + IAST, open-source component analysis, CI/CD integration | Demo | On request |
| Detectify | SPA and JavaScript-heavy site scanning, tailored security tests, authenticated scanning, frequent security test updates | 14-day | On request |
| Intruder | Emerging threat scans, flexible scheduling, remediation scans, API scanning, integration with compliance tools | 14-day | $99/month |
| Burp Suite | Unlimited automated DAST scanning, API scanning, browser-powered scanning, custom configurations, OAST integration | Yes | On request |
| Checkmarx DAST | SAST + DAST correlation, live API scanning, security risk assessment, SDLC integration, unified AppSec platform | Demo | On request |

In the sections below, I’ve discussed 12 of the shortlisted DAST scanners in detail, including their features, my testing experience, and pricing.

1. Probely

Probely is a trusted DAST scanner that automates and scales web application and API security testing. Its vulnerability scanner helps you identify around 30,000 vulnerabilities and provides a detailed report to fix them.

Its headless Chrome-based spider navigates through a web application like a human. It crawls every corner of your app, clicking links and filling out forms with the correct context to offer the industry’s leading coverage.

You can use it to fulfill web security compliance requirements by generating detailed compliance reports and showing those reports as evidence of compliance. You can easily integrate Probely with CI/CD tools, issue trackers, and messaging apps.

Probely Features

  • Noise-free app and API scanning with a false-positive rate of 0.1%
  • Multiple scanning options, including customizable scanning, scheduled scanning, and scanning behind the firewall
  • Authenticated scanning of applications that rely on SSO and OpenID Connect
  • Easy integration with your application using its add-on or full-featured API
  • Compliance reporting support for regulators like GDPR, HIPAA, and PCI-DSS

I accessed the Probely free trial to explore its features and liked how it informs you about vulnerabilities. It categorizes vulnerabilities into three categories of severity—Low, Medium, and High, with CVSS (Common Vulnerability Scoring System) score. As a result, you can quickly prioritize vulnerability management.

Probely also provides tips and tricks on fixing the vulnerabilities it detects in your app or API, as shown in the screenshot below.

Probely Scanner Free Trial Dashboard

I also found the dashboard informative and easy to navigate.

Probely Pricing

It offers a forever-free plan with 5 free scan hours/month. The Enterprise plan follows custom pricing. Probely provides a free 14-day, fully-featured trial. You can also request a demo to have a guided product tour.


2. Invicti

Invicti, with its unique DAST plus Interactive Application Security Testing (IAST) approach, detects vulnerabilities and security weaknesses that other DAST tools may miss. It combines signature and behavior-based testing to ensure no vulnerability or security weakness goes unnoticed.

The platform identifies all of your open-source components and detects which components are vulnerable. It helps you track the security posture of each application over time.

You get broad coverage for vulnerabilities, including SQL injection, server-side request forgery, XSS, out-of-band vulnerabilities, and more.

Invicti can be integrated with 50+ tools, including CI/CD, issue trackers, collaboration tools, and more.

Invicti Features

  • Ability to run vulnerability scans on websites, web applications, and APIs
  • A complete and updated inventory of all of your websites, web applications, and APIs
  • Advanced scanning technology, enabling you to scan script-heavy websites and password- and MFA-protected areas
  • Deployment in multiple environments, including cloud, on-prem, and everything in between

During my research and use of the demo, I noted that Invicti helps fix vulnerabilities faster by automatically locating them. The IAST sensor connects to the application runtime while the DAST engine scans for vulnerabilities.

When DAST finds an issue, IAST provides detailed insights, like file names and line numbers. It is a good feature for fast vulnerability remediation. Also, its proof-based scanning minimizes false positives.

Invicti Pricing

Invicti pricing is available on request. A free demo is available to explore its features.


3. Indusface WAS

Indusface WAS offers you functions of DAST, malware scanning, and penetration testing. You get a broad range of vulnerability coverage, including SANS25, OWASP Top 10, WASC-classified, and zero-day threats.

Its automated vulnerability scanner checks all the areas, including single-page applications (SPAs), script-heavy websites, password-protected areas, complex paths & multi-level forms, and unlinked pages.

As automated scanners cannot detect all vulnerabilities, Indusface WAS also comes with manual pentesting support, allowing security experts to identify business logic vulnerabilities.

Indusface WAS Features

  • Bundled protection for mobile, web, and APIs
  • Zero false-positive guarantee
  • Ability to create an inventory of public-facing web assets (domains, subdomains, IPs, mobile apps, data centers, and site types)
  • Detection of web defacement and malware infection
  • Vulnerability Assessment and Penetration Testing (VAPT) on the identified assets with a single click

During testing, I was impressed with its malware scanning feature, which monitors external JavaScript and hidden iframes installed on the application to detect signs of malware. And its AcuRisQ feature lets you prioritize security issues that pose the highest risks.

Indusface WAS Free Trial Dashboard

Indusface WAS Pricing

Indusface WAS pricing starts at $59/app/month. It offers a 14-day free trial.


4. Rapid7 InsightAppSec

InsightAppSec by Rapid7 automatically assesses your web application with fewer false positives and missed security weaknesses. Small or big, you can manage the security assessment of your application portfolio effortlessly with InsightAppSec.

The universal translator in InsightAppSec increases your application coverage area. Also, it offers custom checks to address issues and risks your app environment faces.

I liked that InsightAppSec enables you to collaborate at speed. Its rich reporting and integrations make informing compliance and development stakeholders seamless. You can easily tailor reports to several compliance regulations, such as HIPAA, PCI-DSS, and more.

InsightAppSec’s scan engines support both on-prem and cloud-based deployment. You can easily integrate InsightAppSec into your dev workflows.

Rapid7 InsightAppSec Features

  • Protection from 95+ attack types
  • Attack replay feature to make remediation easier
  • Ability to export actionable reports in an HTML format
  • Option to schedule scans and set scan blackout periods
  • Ability to scan vulnerabilities due to misconfiguration
  • Option to run multiple scans simultaneously at no additional cost

To explore InsightAppSec thoroughly, I subscribed to its free trial and scanned a website I control. It delivered the report in 29 minutes. It tested my site for 95+ attack types, including OWASP Top 10, misconfiguration, and more. I found its dashboard intuitive and liked its ability to schedule and blackout scans.

InsightAppSec Dashboard Showing Scan Results

InsightAppSec Pricing

InsightAppSec pricing starts at $175/month per app. The company offers a generous 30-day free trial. You can also watch an online demo to understand the product better.


5. StackHawk

If you’re looking for a flexible yet powerful DAST tool for API scanning, StackHawk is the right choice. It is language agnostic and runs on any platform.

StackHawk is designed to focus on runtime and pre-production application security testing. It allows your team to actively test your application as part of their CI/CD workflows.

The platform offers detailed App Request & Response data, developer-friendly explanations, and resources to investigate issues quickly and efficiently. It offers 4 packages for users: Free, Pro, Enterprise, and Custom.

You also get to run technology-specific API Scan Configs.

StackHawk Features

  • Ability to test all APIs, including REST, SOAP, GraphQL, and gRPC APIs
  • Custom test scripts to cover specific scenarios for your web application
  • Prioritized scan results to help identify critical issues easily
  • Recreation and validation of findings with StackHawk’s cURL generator

During my research, I noted that StackHawk is customizable. You can create custom test scripts to scan your app for any specific coverage. It covers a wide range of vulnerabilities, including SQL injection, cross-site scripting, and various others.

StackHawk Free Trial Dashboard

StackHawk Pricing

StackHawk pricing starts at $42 per code contributor per month (5 contributors minimum). It offers a 14-day free trial.


6. SOOS DAST

SOOS DAST is a multi-award-winning dynamic application and API security testing tool for finding vulnerabilities and security weaknesses. The containerized solution runs in your environment with Docker. It allows you to manage security issues via a unified web dashboard shared with SOOS SCA.

The platform leverages the industry-standard open-source ZAP scanner with added features to offer your application broad security coverage. It can also push issues to GitHub's Security panel.

With the solution, you can scan your app and API for security issues, such as SQLi, security misconfigs, XSS, missing security headers, and more.

SOOS DAST Features

  • Scan web apps and APIs defined by OpenAPI, SOAP, or GraphQL
  • Unlimited DAST domain scanning
  • CI/CD integrations like Azure DevOps, AWS CodeBuild, GitHub Actions, and CircleCI
  • SOOS SCA for OSS vulnerability scanning and license management
  • Broad scan coverage, including SQL injection, missing security headers, security misconfigurations, cross-site scripting, and much more

I liked SOOS DAST for its ability to manage security issues via a unified dashboard. This dashboard incorporates results from Static Application Security Testing (SAST), Software Composition Analysis (SCA), Containers, and Software Bill of Materials (SBOMs).

SOOS DAST Dashboard

SOOS DAST Pricing

SOOS DAST pricing starts at $90 per month. A free trial is available.


7. Veracode Dynamic Analysis

Veracode Dynamic Analysis is a single platform that allows security and development teams to find and fix runtime vulnerabilities in web apps and APIs. You can rapidly integrate Veracode DAST into your automated CI/CD pipelines (in 10 minutes, according to the company’s claims). Veracode DAST has a <5% false positive rate.

Veracode DAST Features

  • A cloud-native engine that constantly improves audit and scan capabilities
  • Customizable scan (with easy-to-configure parameters) to save time and reduce errors
  • Application and APIs scanning behind a firewall
  • Detailed reports that can be integrated with popular ticketing systems

I chose Veracode Dynamic Analysis because it provides instant, accurate results that can help you quickly identify security issues. Plus, the remediation guidance is informative. As a result, you can fix vulnerabilities efficiently, while on-demand expertise offers support when needed.

Veracode DAST Free Trial Dashboard

Veracode DAST Pricing

Veracode DAST pricing is available on request. The company offers a 14-day trial and product demo.


8. Acunetix

Acunetix comes with a powerful application security solution that identifies security vulnerabilities in your websites, applications, and APIs. It can automate scanning in hard-to-reach, password-protected areas.

The platform offers an accurate view of your attack surface and assigns a score to vulnerabilities it detects. This helps you prioritize vulnerability management. Also, it allows you to scan multiple environments simultaneously.

Acunetix comes with SCA to scan open-source components of your web application. It reduces false positives with proof of exploit and lets you know the exact location of vulnerabilities to save time on vulnerability fixing. Easy scan scheduling allows you to automate scanning.

You can integrate it with your CI/CD, issue tracker, WAF, and other tools.

Acunetix Features

  • Scans script-heavy websites, single-page applications (SPAs), and applications built with HTML5 and JavaScript
  • Identifies over 12,000 web vulnerabilities, including SQL injection and XSS
  • Merges results from Dynamic (DAST) and Interactive (IAST) security testing for deeper insights
  • Analyzes open-source components for security risks, licensing issues, and outdated dependencies
  • Checks hard-to-find unlinked files and API endpoints that other scanners can easily miss

I like that you can integrate Acunetix easily with your web application firewall to stay secure while you fix security issues.

Acunetix also lets you know if your application security is improving over time with visual trends, helping you tweak your application security strategy to improve it.

Acunetix Pricing

Acunetix pricing is available on request. The company offers a free demo.


9. Detectify

Detectify automatically scans custom-built applications, finds business-critical security vulnerabilities, and strengthens your web app security with Application Scanning.

The solution offers you a complete overview of vulnerabilities. You will have expert remediation tips to address detected security issues. You can filter and tag findings to initiate the remediation process faster.

The Detectify application scanner easily integrates with OpsGenie, Splunk, Jira, Slack, PagerDuty, and more for better collaboration.

You can export results in PDF, XML, JSON, and more, and share scan profiles with your team members.

Detectify Features

  • Scans complex web apps, including SPAs and JavaScript-heavy sites, for deep insights
  • Finds diverse vulnerabilities with an evolving fuzzing engine
  • Tailors security testing by mapping your tech stack and applying the most relevant tests
  • Scans authenticated areas like admin panels and user settings for hidden risks

My favorite feature of Detectify is that it updates the scanner with new security tests every week. So you will have an up-to-date scanner to scan your application.

Detectify Pricing

Detectify’s application scanning pricing is quote-based. It offers a 14-day free trial and a free demo to explore the product.


10. Intruder

Intruder's web application vulnerability scanner helps you detect and fix vulnerabilities in your web application and its underlying infrastructure.

Its DAST scanner is powered by ZAP and performs 75+ checks on your application, covering security misconfiguration, injection flaws, and more.

The platform allows you to schedule recurring scans at flexible intervals. It automatically detects new vulnerabilities with proactive emerging threat scans.

The system prioritizes security risks intelligently and provides remediation advice, helping you focus on the most critical issues. This ensures continuous scanning for vulnerability detection and remediation for your web applications with minimal manual effort.

Additionally, Intruder lets you run remediation scans, so you don’t have to run full scans to verify if your remediation efforts were fruitful.

It can also scan your API for security vulnerabilities. For compliance support, you can easily integrate Intruder with Drata.

Intruder Features

  • Quick setup in under 10 minutes
  • API to integrate with your CI/CD pipeline
  • Add-on penetration testing
  • Easy integration with Jira, GitLab, GitHub, and more

I chose Intruder for its Emerging Threat Scans, which automatically detect and scan for new critical vulnerabilities as they arise. I’ve also verified from Intruder’s product documents that it supports unlimited users and unlimited ad-hoc scans.

Intruder Pricing

Intruder application scanner pricing starts at $99/month. A free 14-day trial is available to explore its features.


11. Burp Suite

Burp Suite’s Enterprise plan offers unlimited automated DAST scanning. It provides you with complete visibility into the attack surface of your application or API.

A major advantage is that it integrates with CI/CD pipelines, vulnerability management platforms, and issue-tracking tools like Jira and Trello. It also supports custom Burp extensions, GraphQL API, and SSO for easy access.

Burp Suite Enterprise scans your web portfolio for vulnerabilities aligned with PCI DSS standards, OWASP Top 10, and more to help you meet various compliance requirements.

You can also track security changes over time by visually comparing deltas and updates. This helps you understand how your attack surface evolves. Another great feature is that it supports Role Based Access Control (RBAC).

Burp Suite Enterprise Features

  • Out-of-box configurations for preset scan modes
  • API scanning to detect vulnerabilities in API endpoints
  • Authenticated scanning for restricted areas
  • Browser-powered scanning to analyze and navigate complex SPAs
  • Custom and scalable configurations to control scan depth, vulnerability reports, and speed

I liked that Burp Suite Enterprise allows you to add Out-of-band Application Security Testing (OAST) to DAST, improving scanning accuracy and efficiency.

Burp Scanner provides clear remediation advice for every detected issue. PortSwigger Research and the Web Security Academy offer expert guidance, helping you fix vulnerabilities effectively.

Burp Pricing

You can deploy Burp Suite Enterprise in two ways: self-hosted or through PortSwigger’s secure cloud. The pricing is available on request. A free trial is available to explore features.


12. Checkmarx DAST

Checkmarx DAST is a powerful web security scanner available in the Checkmarx One application security platform. It provides you with comprehensive security testing and an insightful view of the overall risks of your applications through a single dashboard.

A single platform enables you to run SAST and DAST scans, offering a seamless AppSec experience. Additionally, it supports various languages and integrations.

As Dynamic Application Security Testing (DAST) is an add-on to Checkmarx One, you can use other Application Security (AppSec) programs available with it.

These include Static Application Security Testing (SAST), Software Composition Analysis (SCA), Supply Chain Security (SCS), API Security, Container Security, and Infrastructure as Code (IaC) Security.

Checkmarx DAST Features

  • Correlation of SAST and DAST findings in a single platform for better vulnerability remediation
  • Seamless integration with the software development lifecycle
  • Live API scanning to detect vulnerabilities in real time
  • A single view of API vulnerabilities discovered by both SAST and DAST

Checkmarx DAST Pricing

Checkmarx DAST is available as an add-on with Checkmarx One and follows custom pricing. You need to contact the company to get pricing details. A free demo is available.


If you like using open-source tools for flexible security configurations, you can explore these open-source web security scanners.

What Is DAST and How Does It Work?

Dynamic Application Security Testing (DAST) is an application security testing methodology in which a running application is tested to identify vulnerabilities.

DAST doesn’t have access to the source code of an application. So, it detects security vulnerabilities by carrying out simulated attacks.

The DAST approach evaluates a running application from outside by attacking the application as the hackers would do, thereby simulating real-world attacks. The application’s responses to these simulated attacks are analyzed to determine if the running application is susceptible to various actual web application attacks.

In a sense, DAST tools perform automated penetration testing of your web application to identify security weaknesses in the application.

In other words, a DAST tool works like a security guard you have hired to protect your home. This is no ordinary security guard: the guard assesses your home's security by trying to break into your house the way burglars would.

After doing the assessment, the guard lets you know how they were able to enter your home so that you can strengthen your house’s security to avoid further such incidents.

This is how a DAST scanner typically works:

Scanning the Application

A DAST tool interacts with a running application to map its attack surface before testing begins. This includes discovering input fields, forms, API endpoints, and other entry points within the application.

Carrying Out Simulated Attacks

The tool then performs simulated attacks to test application security for common web application threats such as SQL injection, cross-site scripting (XSS), and various other web application injection attacks.

Identifying Vulnerabilities

After carrying out simulated attacks, the DAST tool analyzes the application’s responses to determine if any weakness or vulnerability has been exposed during the attacks. Based on the responses, the tool will then create a detailed report about its assessment of the security vulnerabilities.

Sending Report

The DAST tool generates a detailed report on its findings, including identified vulnerabilities and recommendations for remediation. Security professionals can use this report to address security concerns and improve application security.
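To make the four stages above concrete, here is an added illustration (not code from any vendor on this list): the "running application" is simulated by two constructed in-process request handlers, one that reflects input unencoded and one hardened with output encoding, and a tiny scanner that discovers the form field, sends a harmless canary, inspects the response, and builds a report.

```python
"""Four DAST stages in miniature: discover inputs, send a simulated attack,
analyze the response, and report. Everything here is a constructed example;
the two handlers stand in for a real web application behind HTTP."""
import html
import json
from html.parser import HTMLParser
from typing import Callable, Dict, List, Optional

# A unique, harmless probe. If it comes back byte-for-byte, the app writes
# user input into HTML without encoding, the root cause of reflected XSS.
CANARY = '<dast-canary-7f3a>"'

Handler = Callable[[Dict[str, str]], str]


def vulnerable_search(params: Dict[str, str]) -> str:
    """Constructed target: echoes the query straight into the page."""
    q = params.get("q", "")
    return ('<html><body><form action="/search"><input name="q"></form>'
            f'Results for: {q}</body></html>')


def hardened_search(params: Dict[str, str]) -> str:
    """Same page with output encoding, the fix a scanner report would recommend."""
    q = html.escape(params.get("q", ""), quote=True)
    return ('<html><body><form action="/search"><input name="q"></form>'
            f'Results for: {q}</body></html>')


class FormFinder(HTMLParser):
    """Stage 1: discover named input fields the way a spider does."""

    def __init__(self) -> None:
        super().__init__()
        self.fields: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            name = dict(attrs).get("name")
            if name:
                self.fields.append(name)


def discover_fields(handler: Handler) -> List[str]:
    finder = FormFinder()
    finder.feed(handler({}))  # fetch the page with no parameters
    return finder.fields


def probe_field(handler: Handler, field: str) -> Optional[Dict[str, str]]:
    """Stages 2 and 3: send the canary through one field, inspect the response."""
    body = handler({field: CANARY})
    if CANARY in body:  # unencoded reflection is the evidence
        return {
            "field": field,
            "issue": "User input reflected into HTML without encoding (reflected XSS indicator)",
            "severity": "High",
            "evidence": CANARY,
            "remediation": "Encode output with html.escape() or a templating engine that auto-escapes",
        }
    return None


def scan(handler: Handler) -> Dict[str, object]:
    """Stage 4: probe every discovered field and assemble the report."""
    fields = discover_fields(handler)
    findings = [f for f in (probe_field(handler, n) for n in fields) if f]
    return {"fields_tested": fields, "findings": findings}


if __name__ == "__main__":
    print(json.dumps(scan(vulnerable_search), indent=2))  # one High finding
    print(json.dumps(scan(hardened_search), indent=2))    # no findings
```

Against a real target the handlers would be replaced by HTTP requests, and a production scanner adds many more probes and response checks than this single canary.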

A good DAST tool leverages both automatic pentesting and manual testing techniques to conduct a thorough web application security assessment to identify potential vulnerabilities.

5 Key Features Your DAST Tool Should Have

Here are key features you should look for when shopping for a DAST scanner.

1. Vulnerability Coverage

Vulnerability coverage is the most critical feature of a DAST scanner. So, you should make sure that the DAST scanner you pick covers a wide range of vulnerabilities, such as:

  • Injection attacks
  • Authentication & authorization flaws
  • Security misconfiguration
  • Sensitive data exposure
  • Cross-site request forgery
  • API security issues

I recommend booking a demo with multiple dynamic application security testing tools to see which tool covers a wide range of vulnerabilities.

2. Automated Scan

A good DAST tool offers automated scanning, which reduces the hassle of manually initiating security scans. So, make sure the DAST scanner you are considering allows you to schedule scans.

3. Integrations

The tool must support standard integrations like CI/CD pipelines, issue trackers, and security platforms. Broad and seamless integration support helps you enforce a secure app development culture.

4. Real-time Insights

Detailed reports and real-time alerts help your security teams respond quickly. The DAST tool should also provide actionable insights through continuous and automated security checks for faster remediation.

5. Compliance Support

Meeting security standards like OWASP, GDPR, and PCI DSS is important to avoid legal liabilities. These standards will also depend on the nature and location of your business.

So, pick a DAST tool that helps you meet the compliance requirements applicable to your business.

5 Benefits of DAST Scanners

Below, I’ve listed 5 key benefits of using a DAST solution to improve the security of your web application:

  1. It will identify various runtime vulnerabilities, which can be detrimental to your web application and company if exploited.
  2. A DAST tool acts as an actual hacker. So it can discover vulnerabilities or security weaknesses often missed by other security testing methods.
  3. It can help your security experts and development team find vulnerabilities outside your application’s source code and in third-party interfaces.
  4. DAST is the only security testing method that is not programming language-specific. So you can test any web application, irrespective of its programming language.
  5. It can run compliance-related scans to help you comply with leading data security regulations.

A DAST scanner discovers a broad range of vulnerabilities and security weaknesses, including input/output validation issues, misconfigurations, authentication errors, and many other runtime issues.

It is easy to combine DAST with other web application security testing methods, such as SAST.

How DAST Is Different from SAST

Static Application Security Testing (SAST) is a white-box app security testing methodology in which security professionals test a web application from the inside for known vulnerabilities.

Deployed in the early stages of the software development lifecycle (SDLC), SAST evaluates a range of static inputs, including the application’s source code and documentation (requirements, design, specifications, etc.).

As a SAST tool has full access to an application's source code, it can identify exactly where a vulnerability exists. It can also discover vulnerabilities in code fragments that you have written but not yet deployed or linked with the main application.

On the other hand, DAST tools perform security tests on a running application from outside to identify vulnerabilities or security weaknesses in the web application. For DAST, you don’t require access to the source code of an application.

Here are the key differences between DAST and SAST:

  • DAST tests a running application from outside by carrying out simulated attacks. SAST tests a web application early in the software development lifecycle by evaluating its source code, configuration files, and other static artifacts.
  • DAST focuses on the application’s front end, such as its interaction with users, API endpoints, and other systems, to find exploitable vulnerabilities, such as runtime issues or misconfiguration. However, SAST analyzes the application’s source code and finds vulnerabilities within the codebase.
  • As DAST identifies vulnerabilities and security issues at a later stage of the software development lifecycle, fixing them is often expensive. SAST finds its vulnerabilities earlier, so they are inexpensive to remediate.
  • DAST tends to give fewer false positives than SAST does.

So, in SAST vs. DAST, what’s better for application security testing? The answer is both.

By combining these two app security testing methodologies, you can comprehensively assess your web application security.

Conclusion

Web application attacks are skyrocketing. Hackers target web apps and APIs to steal sensitive data or deliver malware. So, it becomes crucial to choose one of the best DAST scanners to assess your web application, API, or cloud infrastructure to detect and fix security vulnerabilities.

Additionally, you should learn more about web application security to enhance your app security and protect your application from threat actors.