A useful DAST tools list is not just names — it is knowing which dynamic application security testing scanner fits your stack, because DAST tools test a running application from the outside, the same way an attacker would, and they differ sharply in coverage, authentication handling, and CI/CD fit. This roundup covers the open source and commercial options worth knowing, what each is genuinely good at, and how to actually run them.
Dynamic application security testing (DAST) complements static analysis. Where SAST reads source code, DAST sends real HTTP traffic to a deployed app and watches how it responds, which is why it catches runtime and configuration issues that source scanning cannot see.
Open source DAST tools
If you are starting out or working with a limited budget, the open source options are genuinely capable.
OWASP ZAP (Zed Attack Proxy) is the most widely used open source DAST scanner and the natural first stop. It runs as an intercepting proxy for manual testing and as an automated scanner for CI. Its baseline scan is designed to run quickly in a pipeline against a target URL, and its API and Docker image make automation straightforward. ZAP is maintained by an active community and is the default recommendation for teams that want free but serious coverage.
Nuclei takes a different approach: it runs a large, community-maintained library of templates that check for specific known vulnerabilities and misconfigurations. It is fast, template-driven, and excellent for scanning many hosts for known issues, though it is less of a deep crawler than ZAP.
Nikto is an older but still useful web server scanner. It checks for dangerous files, outdated server software, and common misconfigurations. It is noisy and not a full application scanner, but it is quick to point at a server for a first pass.
Wapiti and w3af round out the open source field as lighter-weight crawlers, useful for smaller targets, though both see less active development than ZAP.
Commercial DAST tools
Commercial scanners typically add better crawling of complex single-page applications, stronger authentication handling, lower false-positive rates, and reporting built for compliance.
Burp Suite Professional by PortSwigger is the tool most professional penetration testers reach for. Its scanner is strong, but its real strength is the manual-testing toolkit — Repeater, Intruder, and the extension ecosystem — that lets a tester dig into findings the automated scan surfaces. Burp is more a testing platform than a hands-off CI scanner, though its enterprise edition adds scheduled scanning.
Invicti (formerly Netsparker) and Acunetix (part of the same group) focus on automated scanning with proof-based verification, which aims to confirm a vulnerability is real before reporting it, cutting the triage burden. Both are aimed at teams that need to scan many applications with minimal manual review.
Rapid7 InsightAppSec and Checkmarx DAST appeal to organizations already invested in those vendors' broader platforms, offering DAST alongside SAST and vulnerability management in one console.
StackHawk deserves a mention for the developer-first, CI-native angle: it is built to be configured as code and run on every pull request rather than as a periodic security-team exercise.
What separates a good DAST tool from a mediocre one
The names matter less than a few capabilities that decide whether a scanner is useful on your app:
- Authenticated scanning. Most of your attack surface is behind a login. A tool that cannot maintain a session, handle token refresh, or script a login flow will only ever scan your public pages.
- Modern app crawling. Single-page apps built on React or Vue render content with JavaScript. A scanner that only parses server-rendered HTML misses most of the app. Look for a headless-browser crawler.
- API testing. Much of today's traffic is REST and GraphQL. Good DAST tools ingest an OpenAPI/Swagger spec to test endpoints directly rather than trying to discover them by crawling.
- False-positive rate. A scanner that floods you with unconfirmed findings gets ignored. Verification features that confirm exploitability are worth a lot.
- CI/CD integration. For continuous testing, the tool needs a headless mode, a clean exit code, and machine-readable output.
Fitting DAST into the pipeline
The mistake teams make is treating DAST as a once-a-quarter event. The higher-value pattern is a fast baseline scan on every deploy to a staging environment, plus a deeper authenticated scan on a schedule. A ZAP baseline scan in CI looks like this:
docker run -t ghcr.io/zaproxy/zaproxy zap-baseline.py \
-t https://staging.example.com \
-r zap-report.html
Wire the exit code into your pipeline so new high-severity findings fail the build, and publish the report where developers will see it. Our overview of dynamic application security testing goes deeper on running authenticated scans against real apps, and if you are weighing DAST against a code-scanning-first vendor, our comparison with Snyk covers where dynamic testing fills gaps that dependency and source scanning leave open.
FAQ
What is the best free DAST tool?
OWASP ZAP is the most capable free option. It handles both manual proxy testing and automated CI scanning, has an active community, and ships a Docker image built for pipelines.
What is the difference between DAST and SAST?
SAST analyzes source code without running it and finds issues like injection patterns in the code. DAST tests a running application from the outside and finds runtime and configuration issues. They catch different classes of bugs, so mature teams use both.
Can DAST tools scan APIs and single-page apps?
The better ones can. For APIs, look for a scanner that ingests an OpenAPI or GraphQL spec. For single-page apps, you need a scanner with a headless-browser crawler that executes JavaScript, since HTML-only parsers miss most of the app.
How often should I run DAST scans?
Run a fast baseline scan on every deploy to staging, and a deeper authenticated scan on a regular schedule (weekly or per release). Continuous, automated scanning beats an occasional manual audit.