
DAST (Dynamic Application Security Testing)

A black-box testing methodology that analyzes running applications by sending requests and examining responses for security vulnerabilities.

methodology, testing, tools

Dynamic Application Security Testing (DAST) analyzes web applications in their running state by interacting with them through the front end, much like an attacker would. DAST tools send crafted HTTP requests to the application and analyze the responses for signs of vulnerabilities such as SQL injection, XSS, and authentication flaws.

DAST is "black-box" testing — it requires no access to source code and tests the application as deployed, including its configuration, server environment, and runtime behavior. This makes it effective at finding vulnerabilities that only manifest at runtime, such as misconfigured security headers, authentication bypass issues, and server-side vulnerabilities.
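The response-analysis half of this process can be sketched as a passive check over a single HTTP response, flagging the misconfigured security headers and cookie attributes mentioned above. This is an added example, not code from APVISO or any DAST product; the sample response, the required-header list and the HSTS threshold are constructed assumptions.

```python
from email import message_from_string

# Constructed sample response (not captured from a real system).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "hello"
)

# Assumed baseline policy for this example; adjust to your own requirements.
REQUIRED = ("Content-Security-Policy", "X-Content-Type-Options",
            "Strict-Transport-Security")
MIN_HSTS_AGE = 15552000  # 180 days, an assumed threshold


def audit_response(raw: str) -> list[str]:
    """Return findings for one raw HTTP response, without touching source code."""
    head, _, _body = raw.partition("\r\n\r\n")
    _status_line, _, header_block = head.partition("\r\n")
    # The email parser gives case-insensitive lookup and repeated headers.
    headers = message_from_string(header_block.replace("\r\n", "\n"))
    findings = []
    for name in REQUIRED:
        if headers.get(name) is None:
            findings.append(f"missing header: {name}")
    # A present but short-lived HSTS policy is a misconfiguration, not a pass.
    for part in headers.get("Strict-Transport-Security", "").split(";"):
        key, _, value = part.strip().partition("=")
        if key.lower() == "max-age" and value.isdigit() and int(value) < MIN_HSTS_AGE:
            findings.append(f"weak HSTS max-age: {value}")
    # Each Set-Cookie header is checked on its own attributes.
    for cookie in headers.get_all("Set-Cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                findings.append(f"cookie {name}: missing {flag}")
    return findings


if __name__ == "__main__":
    for finding in audit_response(SAMPLE_RESPONSE):
        print(finding)
```

None of these findings are visible to static analysis of application code when the headers are set by a proxy or server configuration, which is why they fall to testing of the deployed application.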

DAST complements SAST (Static Application Security Testing) by catching issues that code analysis misses, particularly configuration problems and runtime-specific vulnerabilities. However, traditional DAST tools struggle with modern JavaScript-heavy applications, API endpoints, and complex authentication flows.

How APVISO tests for this: APVISO represents the next generation of DAST, using AI agents instead of scripted crawlers and scanners. Unlike traditional DAST tools that follow pre-programmed rules, APVISO's agents reason about application behavior, handle modern SPAs, and discover vulnerabilities through intelligent exploration.


Test your applications for DAST (Dynamic Application Security Testing) vulnerabilities

APVISO's AI agents automatically test for this and many more vulnerability categories.
