Application Attack Simulation
Also known as:
- Dynamic Application Security Testing (DAST)
What problem does it target?
DAST solutions address the need to identify security vulnerabilities in running applications by simulating attacks. They help find issues that may not be visible in source code, such as runtime misconfigurations and logic flaws. DAST can also help confirm which vulnerabilities are actually exploitable in a live environment (runtime reachability), reducing false positives compared to static analysis alone.
What does this solution do?
DAST platforms:
- Scan live web applications for vulnerabilities
- Detect issues like XSS, SQL injection, and authentication flaws
- Provide actionable reports and remediation guidance
- Integrate with CI/CD for automated testing
- Observe which components are actually executed during testing (runtime reachability analysis). Function-level runtime reachability records whether a vulnerable function is actually executed, which gives higher certainty of exploitability and enables application detection and response (ADR) capabilities. Runtime reachability can also be combined with code and container vulnerability scanning and can support defense and mitigation actions, but it requires deploying an agent and may lack pre-deployment scanning features.
Reachability and False Positives
Runtime reachability analysis in DAST adds certainty by observing which components are actually executed in a live environment, which reduces false positives further. Security teams can then focus remediation on vulnerabilities that are truly exploitable rather than on every detected issue. Function-level runtime reachability is the more precise basis for prioritizing vulnerabilities and reducing wasted developer effort, with the caveat that a function not observed during testing is only known to be unreached on the paths that were exercised.
Compliance and Prioritization
Compliance requirements have traditionally driven patching of all reported vulnerabilities, but there is a shift toward documenting why non-exploitable findings are not patched, using tools like VEX (Vulnerability Exploitability eXchange) statements attached to SBOMs.
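As an added example (not code from the page or from any product listed on it), the following Python script ties the two ideas above together: it partitions scanner findings by whether the named vulnerable function appeared in a runtime trace, then emits a minimal OpenVEX-style statement for each. The findings, function names and advisory ids are constructed placeholders; the status and justification values are OpenVEX's, but the surrounding VEX document fields are omitted.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str               # advisory id; constructed placeholder values below
    package: str
    vulnerable_function: str   # function the advisory names as vulnerable


# Constructed sample input: scanner findings plus a runtime trace of executed
# functions captured while the application under test was exercised.
SAMPLE_FINDINGS = [
    Finding("VULN-EXAMPLE-1", "yamlparser", "yamlparser.unsafe_load"),
    Finding("VULN-EXAMPLE-2", "imagelib", "imagelib.decode_tiff"),
    Finding("VULN-EXAMPLE-3", "httpclient", "httpclient.follow_redirect"),
]
SAMPLE_TRACE = ["app.handle_upload", "yamlparser.unsafe_load", "httpclient.get",
                "yamlparser.unsafe_load", "app.render"]


def partition_by_reachability(findings, executed_functions):
    """Split findings into (reachable, unreached) by whether the vulnerable
    function was observed executing in the runtime trace."""
    executed = set(executed_functions)
    reachable = [f for f in findings if f.vulnerable_function in executed]
    unreached = [f for f in findings if f.vulnerable_function not in executed]
    return reachable, unreached


def vex_statement(finding, reachable, trace_covers_all_paths):
    """Build a minimal OpenVEX-style statement for one finding."""
    stmt = {"vulnerability": finding.vuln_id, "products": [finding.package]}
    if reachable:
        stmt["status"] = "affected"
    elif trace_covers_all_paths:
        # Only claim not_affected when the trace is known to cover every path;
        # absence from a partial trace is not evidence of unreachability.
        stmt["status"] = "not_affected"
        stmt["justification"] = "vulnerable_code_not_in_execute_path"
    else:
        stmt["status"] = "under_investigation"
    return stmt


def prioritise(findings, trace, trace_covers_all_paths=False):
    """Return VEX-style statements with reachable (exploitable) findings first."""
    reachable, unreached = partition_by_reachability(findings, trace)
    return ([vex_statement(f, True, trace_covers_all_paths) for f in reachable]
            + [vex_statement(f, False, trace_covers_all_paths) for f in unreached])


if __name__ == "__main__":
    for statement in prioritise(SAMPLE_FINDINGS, SAMPLE_TRACE):
        print(statement)
```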
Who is this for?
- Security and QA teams
- Organizations deploying web applications
- Enterprises seeking to validate runtime security
Who might not benefit from this?
- Teams without web-facing applications
- Projects in early development stages
Pitfalls and remedies
| Pitfall | Remedy |
|---|---|
| Incomplete coverage of application logic | Combine with manual testing and SAST |
| False positives/negatives | Regularly update scan rules and validate findings; use runtime reachability analysis |
| Performance impact on production | Test in staging environments when possible |
Sample products
- Burp Suite
- OWASP ZAP
- Acunetix
- Rapid7 InsightAppSec
- AppSpider (Rapid7)