Dynamic application security testing evaluates a running application from the outside to identify security weaknesses in behavior and exposed functionality.
In plain language, DAST (the common abbreviation for dynamic application security testing) interacts with the application as a user or external tester would and observes how the live system behaves.
DAST matters because some application issues become clearer when the software is actually running. Configuration, request handling, session behavior, and runtime responses can expose problems that are not obvious from code review alone.
It also matters because security teams need a view of the real deployed surface, not only the intended code structure. External behavior is what attackers and defenders both ultimately encounter.
DAST appears in QA security testing, pre-release validation, web-application review, and ongoing application assessment. Teams use it to probe the application’s exposed behavior, identify weaknesses, and verify whether protections around requests, sessions, and responses are working as expected.
Security teams often use DAST alongside SAST, because the two approaches complement each other rather than replacing each other.
A staging environment for a web portal is tested with DAST before release. The testing process discovers that an account-setting endpoint accepts a state-changing request without the expected protections, giving the team a chance to fix the issue before production.
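The staging scenario above, as an added example that is not part of the original page: a black-box check that replays a state-changing request with and without its protection and flags endpoints that still succeed. The anti-CSRF header `X-CSRF-Token`, the `/settings/...` paths, and the in-process stand-in for the staging portal are assumptions constructed for illustration.

```python
import threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN = "constructed-session-token"  # constructed sample value
# Ignore any proxy settings so the probes go straight to the local stand-in.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

class StagingApp(BaseHTTPRequestHandler):
    """Constructed stand-in: /settings/password enforces the token, /settings/email does not."""
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        enforced = self.path == "/settings/password"
        rejected = enforced and self.headers.get("X-CSRF-Token") != TOKEN
        self.send_response(403 if rejected else 200)
        self.end_headers()

    def log_message(self, *args):  # keep output quiet
        pass

def probe(base, path, token=None):
    """Send one state-changing POST and return the HTTP status observed from outside."""
    req = urllib.request.Request(base + path, data=b"value=x", method="POST")
    if token:
        req.add_header("X-CSRF-Token", token)
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def check_endpoints(base, paths, token):
    """Flag paths that accept the request both with and without the token."""
    findings = []
    for path in paths:
        baseline = probe(base, path, token)  # legitimate request, should succeed
        stripped = probe(base, path)         # same request with the protection removed
        if baseline == 200 and stripped == 200:
            findings.append(path)
    return findings

def run_demo():
    server = HTTPServer(("127.0.0.1", 0), StagingApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    try:
        return check_endpoints(base, ["/settings/email", "/settings/password"], TOKEN)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(run_demo())
```

The baseline probe matters: without it, an endpoint that rejects every request would look protected when it is simply broken or unreachable in the test flow.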
DAST is not the same as SAST. DAST does not inspect source code directly. It evaluates the running application’s exposed behavior.
It is also not a guarantee of complete coverage. If a feature is hidden, hard to reach, or poorly represented in the test flow, DAST may miss issues that secure coding review or code analysis would catch.