Safeguard
AppSec

Checkmarx DAST: What It Does and How It Fits an AppSec Program

Checkmarx DAST is the dynamic testing component of the Checkmarx One platform, scanning running web apps and APIs for vulnerabilities. Here is how it works and where it fits.

Aisha Rahman
Security Analyst
6 min read

Checkmarx DAST is the dynamic application security testing component of the Checkmarx One platform: it scans running web applications and APIs by simulating real-world attacks against a live target rather than reading source code. Where static analysis inspects code at rest, DAST probes the deployed application from the outside, exactly as an attacker would, and reports the vulnerabilities that only appear when the system is actually running. This guide explains what Checkmarx DAST does, how you can perform DAST testing using Checkmarx, and how it fits alongside the static and dependency-scanning tools in a complete application security program.

What DAST is, in one paragraph

Dynamic application security testing runs against a deployed application. The scanner crawls the app to discover its pages, parameters, forms, and API endpoints, then injects test payloads into each input and watches the responses for evidence of a vulnerability. Because it exercises the running system, DAST finds issues that source analysis cannot see: server misconfigurations, authentication and session-handling flaws, and injection points that only manifest at runtime. It is language-agnostic by nature, since it does not care what the application is written in, only how it responds.

What Checkmarx DAST does

Checkmarx DAST is language-agnostic and designed to identify vulnerabilities in web applications and APIs by simulating attacks. A few capabilities stand out in how Checkmarx positions it.

It integrates into the software development lifecycle, connecting to CI/CD pipelines so scans can run automatically on every build across development and pre-production environments rather than as a manual, once-a-release event. It ships with pre-built scan templates so a team member can stand up a new scan target quickly, and built-in tunnelling to reach environments that are not publicly exposed.

Authentication handling is a common DAST pain point, and Checkmarx addresses it with browser-recorded login flows for complex authentication sequences and built-in support for two-factor authentication. Getting the scanner authenticated matters more than it sounds, because an unauthenticated scan only tests the login page and misses the entire application behind it.

How to do DAST testing using Checkmarx

You can test using Checkmarx DAST by pointing it at a running instance of your application, typically a staging or pre-production environment rather than production, since dynamic scanning sends real (if benign) attack traffic. The workflow is: configure the target URL, set up authentication so the scanner can reach protected areas, choose or customize a scan template, and run the scan either on demand or wired into a pipeline stage.

Because Checkmarx DAST is part of Checkmarx One, findings land in the same platform as results from the other scanners, so a vulnerability discovered dynamically shows up next to related static and dependency findings for the same application. Running DAST against staging on a schedule, and gating a release on the absence of new high-severity dynamic findings, is the pattern that turns it from a periodic audit into continuous coverage.

Where it sits in Checkmarx One

Checkmarx sells DAST as part of a broader platform rather than as a standalone scanner. Checkmarx One brings several categories together: Code (SAST, API security, infrastructure-as-code scanning, secrets detection), Software Supply Chain (SCA, malicious package protection, container security, repository health), and Runtime, where DAST lives. DAST is offered as an add-on within Checkmarx One Professional or higher and is not sold as a separate product, so adopting it generally means buying into the platform.

The upside of the platform model is correlation: the same application's static findings, dependency vulnerabilities, and dynamic findings can be viewed together, which helps prioritize. The tradeoff is that if you only want dynamic scanning and nothing else, a bundled add-on may be more than you need.

DAST, SAST, and SCA are not interchangeable

It is worth being precise about what DAST does and does not cover, because teams sometimes buy one scanner and assume they are done. DAST tests the running application and excels at runtime and configuration issues, but it cannot see code paths that its crawler never reaches, and it gives you a symptom (an injectable parameter) rather than the exact vulnerable line. SAST reads the source and points at the specific code, but it cannot confirm exploitability. SCA finds known-vulnerable open-source dependencies, which neither of the others reliably catches. A mature program runs all three, because each covers a class of risk the others miss. Our DAST product overview walks through how dynamic scanning slots into a pipeline, and the Safeguard Academy covers building a layered program.

Choosing whether Checkmarx DAST is right for you

Checkmarx DAST is a strong fit if you are already invested in, or considering, the Checkmarx One platform and want your dynamic results correlated with static and supply-chain findings in one place. If you want a lightweight, standalone dynamic scanner, or you are on a small team without the budget for a full platform, an open-source scanner like OWASP ZAP or a focused dynamic product may serve you better. The decision usually comes down to whether platform consolidation is a goal for your organization, not to the DAST engine in isolation.

FAQ

Is Checkmarx DAST sold as a standalone product?

No. Checkmarx DAST is an add-on within Checkmarx One Professional or higher and is not sold separately. Adopting it means using the broader Checkmarx One platform, where its dynamic findings correlate with SAST, SCA, and other results.

Can you do DAST testing using Checkmarx against APIs?

Yes. Checkmarx DAST is designed to test both web applications and APIs, simulating attacks against the running endpoints. Proper authentication configuration is important so the scanner can reach protected API routes rather than only the public surface.

How is DAST different from SAST?

DAST tests a running application from the outside, finding runtime and configuration flaws and confirming that inputs are reachable. SAST reads source code at rest and points at the exact vulnerable line but cannot confirm exploitability. They are complementary, and effective programs run both.

Should I run Checkmarx DAST against production?

Generally no. Dynamic scanning sends real attack-style traffic that can create noise or side effects, so run it against a staging or pre-production environment that mirrors production, ideally on a schedule and wired into your release gate.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.