A Brief History
When Checkmarx launched DAST in early 2023, we assumed most teams primarily needed it for compliance requirements.
However, as we engaged with our customers, we consistently heard how teams viewed DAST as a critical pillar of their AppSec programs – not just a compliance checkbox. They wanted broad deployment and meaningful security coverage across their entire application portfolio, and DAST filled that role. This insight shaped our strategy and ultimately led to the ZAP team joining Checkmarx in late 2024.
ZAP’s expertise combined with Checkmarx’s enterprise platform enabled us to rapidly elevate our DAST into the robust, enterprise-grade solution our customers needed – and positioned us to innovate even faster going forward.
Where DAST Is Headed
With the AI disruption well underway and AI development already considered the new norm, where exactly does DAST fit into the new SDLC? Is DAST even needed?
The short answer is yes – and the longer answer is hell yeah! At its core, DAST dynamically tests your running application for security vulnerabilities. With source code becoming more secure out of the gate due to the improvements of the various models, dynamic testing will play a new, more strategic role in modern AppSec programs.
To understand this shift, we first need to recognize that core activities in the SDLC, especially within AppSec, are evolving. Agentic AI alone is revolutionizing how tasks are performed and redefining what effective security testing looks like in an AI-first future.
Think about code reviews. Agentic AI has the potential to significantly improve one of the biggest bottlenecks in development. If AI can reduce review time by 30-40% by handling basic tasks automatically, developer velocity will skyrocket and TTM will accelerate. This frees developers and team leaders to focus on the code logic of the apps instead of managing other tasks. Soon every aspect of a code review – functional, non-functional, testing – will be automated. We’re not there yet, but we’ll get there faster than you think.
Another core activity that’s about to change is pen testing. With adversarial agents constantly and continuously testing your running application at any stage, pen testing will need to shift from periodic manual assessments to continuous automatic testing. Your applications will be under constant scrutiny by AI agents, delivering more thorough and frequent security testing than traditional manual approaches ever could. If you are worried about compliance and regulations – those will eventually catch up.
DAST In an AI World
In an AI-first world, DAST becomes even more critical to test your AI-powered apps.
Since developers are less familiar with AI-generated code, thorough dynamic testing is essential. AI-powered applications also introduce entirely new attack vectors that DAST solutions are needed to address. This includes testing for prompt injections (the AI equivalent of SQL injections), data poisoning attacks (like Erez Yalon’s demonstration at RSA 2025, where the poisoned LLM added rat poison to a shopping list), and data manipulation risks. Most importantly, DAST ensures that your AI-powered apps don’t overshare any sensitive or confidential information with your users.
The biggest change that DAST introduces in the AI era is the move from a scanning tool to a security agent. This will impact everyone involved in the development process, from the single developer working on a feature branch to the CISO.
Think of Luke the developer looking to work on a new functionality – the DAST agent can identify, at any given point, a running application and autonomously and continuously dynamically test it for any vulnerabilities – both new and traditional ones. After finding the issues, it can also interact with the local code-generator to fix the issues. All of that without the developer knowing the issues even happened in the first place.
DAST Is a Gamechanger
This is a gamechanger in dynamic testing. Why? Because while previously viewed as a burdensome task completed at the end of a cycle, DAST now enables everything you develop – from a feature branch, to staging, and all the way to production. Combined with the new correlation use case, it can be a powerful agent that accompanies the entire SDLC.
This also means that the way teams and programs approach DAST will have to adapt as well, and we will cover those aspects in our next set of blogs. Stay tuned!