DAST — Dynamic Application Security Testing

DAST scans your running infrastructure and applications from the outside, simulating what an attacker would see.

  • Works by probing live targets: domains, IP addresses, web apps
  • Finds vulnerabilities in deployed software, network services, and configurations
  • Does not require access to source code
  • Results appear in Issues

DAST is managed through Targets and Scans.

SAST — Static Application Security Testing

SAST scans your source code before or after deployment, looking for vulnerabilities in the code itself.

  • Works by analyzing code in your Git repositories
  • Finds insecure coding patterns, exposed secrets, and vulnerable dependencies
  • Does not require a running application
  • Results appear in Feed

SAST is managed through Repositories and Integrations.

Why use both

DAST and SAST find different classes of problems:

LayerWhat DAST findsWhat SAST finds
NetworkOpen ports, exposed services
ApplicationCVEs in deployed software, HTTP misconfigsInsecure code patterns, SQL injection in code
CodeHard-coded secrets, vulnerable dependencies

A vulnerability might be detectable only by one method. Combining both gives you the most complete coverage across your attack surface.

What's next