What is DAST (Dynamic Application Security Testing)?

Security testing that runs against a deployed application, sending requests and observing responses.

Full explanation

DAST tests the application from the outside, the same way an attacker would approach it. Classic DAST scans URLs, sends malicious payloads, and looks for evidence of vulnerability (errors, changed responses, injected HTML). DAST excels at finding bugs that SAST misses (business-logic flaws and configuration issues), but has longer cycle times.
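The response-analysis step described above, sketched as an added example (not code from any of the tools named on this page). It compares a baseline response with the response to a probe and reports the three kinds of evidence listed: errors, changed responses, and injected HTML. The marker string, the error signatures, and the sample responses are constructed assumptions.

```python
import re

# Constructed, inert marker. It contains markup characters so that
# output encoding (or the lack of it) is visible in the response.
MARKER = "<dast-probe-7f3a>"

# Assumed, non-exhaustive server error signatures.
ERROR_SIGNATURES = [
    re.compile(r"Traceback \(most recent call last\)"),
    re.compile(r"SQL syntax.*MySQL", re.I),
    re.compile(r"ORA-\d{5}"),
]

def analyze(baseline, probe):
    """Return sorted evidence labels for one probe response.

    Each response is a dict with 'status' (int) and 'body' (str).
    """
    evidence = set()
    body = probe["body"]
    # Errors: a signature that appears only after the probe was sent.
    for sig in ERROR_SIGNATURES:
        if sig.search(body) and not sig.search(baseline["body"]):
            evidence.add("error-signature")
    # Changed responses: the status class moved (for example 2xx to 5xx).
    if probe["status"] // 100 != baseline["status"] // 100:
        evidence.add("status-changed")
    # Injected HTML: the marker came back with its angle brackets intact.
    # An HTML-encoded reflection (&lt;...&gt;) does not match and is not flagged.
    if MARKER in body:
        evidence.add("unescaped-reflection")
    return sorted(evidence)

# Constructed sample responses; no network access is needed.
BASELINE = {"status": 200, "body": "<p>Results for: shoes</p>"}
SAMPLES = {
    "encoded": {"status": 200, "body": "<p>Results for: &lt;dast-probe-7f3a&gt;</p>"},
    "reflected": {"status": 200, "body": "<p>Results for: <dast-probe-7f3a></p>"},
    "crashed": {"status": 500, "body": "Traceback (most recent call last):\n  File app.py"},
}

def run_samples():
    return {name: analyze(BASELINE, resp) for name, resp in SAMPLES.items()}

if __name__ == "__main__":
    for name, found in run_samples().items():
        print(name, found or "no evidence")
```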

Example

OWASP ZAP, Burp Suite, and Nessus are classic DAST tools. Securie's verification sandbox is a modern DAST layer that runs inside CI.

FAQ

Does DAST require a staging environment?

Typically yes — you point DAST at a running URL. Securie avoids this by spinning up an ephemeral sandboxed copy per finding.