DAST (dynamic application security testing)
DAST, or dynamic application security testing, is a method that probes a running web application from the outside, the way an attacker would, without reading its source code. A DAST tool sends real requests to a live URL and inspects the responses for weaknesses such as misconfiguration, weak transport security, and exposed endpoints.
Testing the app while it runs.
DAST treats the application as a black box. It interacts with the deployed site over HTTP and HTTPS, then judges security from what comes back, so it needs no access to the code or the build. That is the opposite of SAST, which reads source code at rest before anything is deployed.
Black-box view
A DAST tool only sees what is reachable on the network. It finds problems an outsider could hit, including issues introduced after the code was written, like a server misconfiguration or an expired certificate. The flip side is that it cannot see a code path no request reaches, so coverage depends on how well the crawl, the wordlist, and the login flow map the app.
Runtime evidence
Because the app is live, a DAST result reflects the stack actually deployed, whether that is staging or production. You see the TLS settings actually served, the headers actually sent, and the endpoints actually exposed, not what the code intended.
Authenticated scans
Much of an app sits behind a login. A useful DAST run can supply credentials and test the pages a signed-in user reaches, not just the public marketing surface. Two practical checks: confirm the session stays valid for the whole run (a silent logout turns every later page into a clean-looking redirect to the login form), and point authenticated scans at staging rather than production, since a logged-in scanner may submit forms and follow links that change data.
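As an added example (not AuditWard's code, nor any of the tools it lists), the probe below puts the three points above into running Python: it starts a constructed, deliberately weak toy app on localhost, sends it real HTTP requests, and grades each response from the wire alone: missing security headers, a session cookie set without HttpOnly or Secure, a version string in the Server header, and a sensitive path that answers 200. The wordlist, the header list, and the toy app are all constructed for the example. The second scan passes a session cookie and therefore reaches /admin, which the unauthenticated scan only ever sees as a redirect.

```python
"""Minimal DAST-style probe (added example, not AuditWard's own code).
It serves a constructed, deliberately weak toy app on localhost, sends it real
HTTP requests, and judges the responses alone. No source code is read."""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Headers a dynamic scan expects on every HTML response (a short subset).
REQUIRED_HEADERS = ("Strict-Transport-Security", "Content-Security-Policy",
                    "X-Content-Type-Options", "X-Frame-Options")
# Gobuster-style wordlist (constructed): what an outsider would try first.
WORDLIST = ("/", "/login", "/admin", "/.git/HEAD", "/backup.zip")
SENSITIVE = ("/.git/HEAD", "/backup.zip")   # a 200 here is a finding by itself


class _ToyApp(BaseHTTPRequestHandler):
    """Constructed fixture: home and login are public, /admin needs a session
    cookie, and a backup archive was left in the web root. Plain HTTP so the
    example runs offline; a real DAST pass would hit the HTTPS origin."""
    protocol_version = "HTTP/1.0"

    def version_string(self):            # leaks a version, as real servers do
        return "Apache/2.4.1"

    def log_message(self, *args):        # keep the scan output clean
        pass

    def do_GET(self):
        logged_in = "session=ok" in self.headers.get("Cookie", "")
        if self.path == "/admin" and not logged_in:
            self._reply(302, "text/html", extra={"Location": "/login"})
        elif self.path == "/login":
            # Session cookie without HttpOnly or Secure: a runtime-only defect.
            self._reply(200, "text/html", extra={"Set-Cookie": "session=ok; Path=/"})
        elif self.path in ("/", "/admin"):
            self._reply(200, "text/html")
        elif self.path == "/backup.zip":
            self._reply(200, "application/zip")
        else:
            self._reply(404, "text/html")

    def _reply(self, status, content_type, extra=None):
        self.send_response(status)       # also emits the Server header above
        self.send_header("Content-Type", content_type)
        self.send_header("Strict-Transport-Security", "max-age=63072000")
        self.send_header("X-Content-Type-Options", "nosniff")
        for name, value in (extra or {}).items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(b"ok")


def start_toy_app():
    """Serve the fixture on an ephemeral localhost port; returns (server, url)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), _ToyApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: the 302 itself is the evidence we want."""
    def redirect_request(self, *args, **kwargs):
        return None


def fetch(url, cookie=None):
    """One real request; returns (status, headers) even for 3xx/4xx replies."""
    req = urllib.request.Request(url, headers={"Cookie": cookie} if cookie else {})
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status, resp.headers
    except urllib.error.HTTPError as err:   # non-2xx replies still carry headers
        return err.code, err.headers


def check_response(path, status, headers):
    """Judge one response purely from what came back over the wire."""
    findings = []
    is_html = headers.get("Content-Type", "").startswith("text/html")
    if status == 200 and is_html:
        for name in REQUIRED_HEADERS:
            if headers.get(name) is None:
                findings.append((path, "missing-header", name))
    if status == 200 and path in SENSITIVE:
        findings.append((path, "exposed-endpoint", f"HTTP {status}"))
    server = headers.get("Server", "")
    if any(ch.isdigit() for ch in server):          # version string disclosed
        findings.append(("*", "version-disclosure", server))
    for cookie in headers.get_all("Set-Cookie") or []:
        name = cookie.split(";")[0]
        for flag in ("httponly", "secure"):
            if flag not in cookie.lower():
                findings.append((path, "cookie-missing-flag", f"{flag} missing on {name}"))
    return findings


def scan(base_url, cookie=None):
    """Probe every wordlist path; pass cookie= to cover signed-in pages too."""
    findings = []
    for path in WORDLIST:
        status, headers = fetch(base_url + path, cookie)
        findings.extend(check_response(path, status, headers))
    return list(dict.fromkeys(findings))             # dedupe, keep order


if __name__ == "__main__":
    server, url = start_toy_app()
    for label, jar in (("unauthenticated", None), ("authenticated", "session=ok")):
        print(label)
        for finding in scan(url, jar):
            print("  ", *finding)
    server.shutdown()
```

Two design points carry over to real scans. Redirects are not followed, because a 302 from /admin to /login is itself the signal that the page is gated (and, once a session expires mid-run, the signal that later results are hollow). Site-wide findings such as the version string are keyed to `*` and deduplicated, which is the same triage step a real scanner performs before the output is readable.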
Two angles on the same app.
DAST and SAST answer different questions. SAST (static analysis) reads the code before it ships and points at risky lines. DAST runs against the deployed app and shows what an attacker can reach right now. Most teams use both, since each catches issues the other misses.
| Aspect | DAST (dynamic) | SAST (static) |
|---|---|---|
| What it tests | A running app over the network | Source code at rest |
| Needs source access | No | Yes |
| Catches config and TLS issues | Yes, on the live stack | Rarely; deploy settings are not in the code |
| When it runs | After deploy, against staging or production | During development, before deploy |
Where AuditWard sits.
AuditWard's security pass is a dynamic test in this sense. It runs real pentest tooling against your live URL (curl, testssl.sh, Nuclei, Nmap, Gobuster, nslookup, and WhatWeb), then an Analyst agent triages the output into confidence-scored findings tagged to frameworks like PCI DSS 4.0, OWASP Top 10, and GDPR. For apps behind a login, a credential loop pauses with structured questions so signed-in pages get scanned too. AuditWard pairs that scan with browser-based QA testing in the same run. It is not a certified pentest or an ASV scan, and it does not replace a manual penetration test. It complements one by giving you fast, repeatable runtime evidence.
DAST questions.
What is DAST in simple terms?
DAST, or dynamic application security testing, is checking a running website for security weaknesses by sending it real requests and reading the responses. It works from the outside without source code, so it sees the app the way an attacker on the internet would.
How is DAST different from SAST?
SAST reads source code at rest and flags risky patterns before deploy. DAST tests the deployed, running app over the network and catches issues that only appear in production, such as a weak TLS setting or a missing security header. Teams commonly run both.
Is AuditWard a DAST tool?
AuditWard runs a dynamic security pass against your live URL with real pentest tooling and triages the output into compliance-tagged findings, so its security scan is dynamic in nature. It pairs that with browser-based QA testing, and it does not replace a manual penetration test.
Related terms: vulnerability scanning and penetration test vs vulnerability scan.