Checkmarx DAST for the AI Coding Era: Runtime Security at Machine Speed
AI-accelerated software development makes it hard for traditional dynamic application security testing (DAST) to keep pace. Checkmarx's new generation of DAST tooling delivers efficient security testing in modern CI/CD pipelines through rapid deployment, integration with static analysis (SAST), and reduced configuration requirements. 2026-3-24 15:9:32 Author: checkmarx.com

DAST is suddenly on everyone’s mind – and for good reason.  

Most DAST tools were designed for a world where release cycles were measured in months and penetration testing happened once a year. That model made sense when development moved slowly enough for episodic security reviews to provide meaningful coverage.  

Then AI accelerated everything, with AI coding assistants compressing weeks of work into hours. 

The gap between how fast applications are being built and how quickly they can be validated is exactly where risk lives. Runtime validation has moved from a nice-to-have to a foundational part of any serious application security program.  

The question is no longer whether to implement DAST. It is whether your DAST can keep pace with how fast your teams are building. 

Checkmarx has been investing and adapting in runtime security since 2023, well before AI-driven development made it a market-wide priority. So, when AI fundamentally changed the pace of software development, we didn’t need to retrofit our approach – because we were already building for this moment. 

The result is the next generation of Checkmarx DAST: runtime security designed to move at AI speed. 

Why Traditional DAST Can’t Keep Pace 

Legacy DAST often depends on heavy infrastructure setup. Scanning internal applications can require firewall changes, VPN access, security exceptions, or container deployments. These dependencies introduce approval cycles and coordination overhead that simply don’t align with applications being built in days or hours. That model may work for annual testing, but it breaks down completely when security needs to run continuously in your CI/CD pipeline. 

Configuration adds another layer of friction. Authentication scripting, scan tuning, and policy setup frequently require specialized expertise. When onboarding takes longer than development itself, coverage gaps become inevitable. 

Even when scanning runs successfully, context is often fragmented. If SAST and DAST operate in separate systems, teams must manually reconcile findings, deduplicate issues, and correlate risk. That overhead slows remediation and reduces the practical value of runtime testing. 

In short, traditional DAST wasn’t built for continuous, developer-driven workflows. It was built for episodic pen testing. And in the AI era, that mismatch creates exposure. 

Runtime Validation Is Now Foundational 

Runtime testing has become a core component of modern application security programs. 

In fact, according to the Future of AppSec report, DAST adoption increased 24% year over year, with 47% of organizations now deploying DAST – up from 38% the previous year. The reason is clear: static analysis alone isn’t enough to secure dynamic, API-driven, AI-assisted applications. 

Many vulnerabilities, such as business logic flaws, authentication weaknesses, and configuration errors, only emerge when applications are running. So, validating behavior in live environments is no longer optional; it’s essential. 

The conversation has shifted from whether to implement DAST to how to implement it effectively without slowing development. 

Why Runtime Validation Matters in the AI Era 

AI-generated code increases productivity, but it also introduces new risks. Large language models (LLMs) generate functional code, yet they lack full business context and architectural awareness. At higher velocity, human review becomes more constrained. 

SAST remains critical for identifying vulnerabilities in source code before deployment. But it does not verify how an application behaves once it is running, especially in environments with complex authentication, APIs, client-side logic, and layered infrastructure. 

DAST provides that validation. 

By simulating real-world attacker behavior against live applications, it identifies issues that only appear under real operating conditions. 

Static analysis shows you what the code is. Runtime validation and DAST show you how it behaves. Modern application security requires both. 

How Does Checkmarx DAST Solve This? 

Complete AppSec in One Platform

Checkmarx DAST is built natively within Checkmarx One, delivering unified SAST and DAST findings in a single platform. DAST vulnerabilities are incorporated into unified risk scoring, enabling faster triage and eliminating duplicate effort. 

It is true platform integration with shared context from code to runtime.  

Live API scanning further strengthens coverage. REST, SOAP, and gRPC endpoints are tested dynamically, and APIs discovered by both SAST and DAST are consolidated into one unified inventory. 

Production-Ready in Minutes

Traditional DAST adoption has been slowed by infrastructure and configuration barriers.  

Checkmarx DAST removes them. 

Teams can begin scanning immediately without complex network reconfiguration or custom authentication scripting through: 

  • Pre-configured tunneling for secure internal application scanning
  • Advanced authentication support with guided setup and MFA validation
  • Pre-built templates that simplify configuration 
  • Direct CI/CD integration for continuous testing

What once required weeks to set up can now be done in minutes. 

Designed for Developer Workflows 

With legacy tools, teams file networking tickets, wait for authentication scripts, and manually reconcile findings before deployment. 

With Checkmarx DAST, scanning is configured quickly, authentication is validated through guided workflows, and SAST and DAST findings appear together with correlated risk scoring. Developers receive actionable feedback directly within their pipeline and deploy confidently without introducing bottlenecks. 

Security moves with development, not against it. 

Runtime Validation You Can Trust 

Checkmarx DAST validates live applications and uncovers vulnerabilities that only emerge at runtime. Because it operates within a unified platform, findings are correlated with SAST results to reduce false positives and improve prioritization. 

The result is accurate, actionable runtime security without added friction. 

Here’s What Makes Checkmarx DAST Different

Checkmarx DAST stands apart because it is: 

  • Integrated seamlessly within Checkmarx One, not acquired technology stitched together  
  • Infrastructure-light, eliminating complex agent and network requirements
  • Comprehensive in scope, covering full web applications and APIs
  • Enterprise-grade, while remaining accessible to development teams

It is built on the proven ZAP foundation with commercial-grade enhancements. The Checkmarx-ZAP collaboration enables open-source innovation alongside enterprise reliability and scalability.  

In fact, ZAP project leaders Simon Bennetts, Rick Mitchell, and Ricardo Pereira joined Checkmarx to help build the next generation of our enterprise-grade DAST offering, while continuing to invest in the open-source ZAP project and grow its global community. 

Getting Started 

Existing Checkmarx customers: Professional and Enterprise plans include DAST. Essentials customers can add DAST to their existing subscription.  

New customers: See the unified Checkmarx One platform in action and discover how DAST integrates seamlessly with SAST for complete code-to-runtime security. 

You can also tune into our DAST webinar to see it in action. 

What’s Next 

The shift is already underway. According to the Future of AppSec report, DAST adoption grew 24% year over year – not because security teams suddenly discovered runtime testing, but because the old model of annual pen tests and periodic scans no longer provides meaningful coverage. Teams building with AI-generated code need security that moves on the same timeline. 

Checkmarx DAST is built for that reality: unified with SAST on a single platform, deployable in minutes, and designed to work within developer workflows rather than around them. 

If you are an existing Checkmarx customer, DAST is already included in Professional and Enterprise plans. Essentials customers can add it to their current subscription, and new customers can see it in action at our upcoming webinar. 

Tags: Agentic AI, AppSec, dast


Source: https://checkmarx.com/blog/checkmarx-dast-for-the-ai-coding-era/