KEV-TICKERcves_ytd=28,720kev_total=1,289added_7d=+7[CISA KEV ↗]
// facet: web

Web application vulnerability scanners: DAST directory

DAST scanners filtered out of the main directory. Per-application list pricing where published.

author: Oliver Wakefield-Smith · verified 2026-06-26
// direct-answer

What is a web application vulnerability scanner?

A web application vulnerability scanner (DAST) crawls a running web application and probes for OWASP Top 10 issues, authentication bypasses, injection flaws, and misconfigurations. Invicti, Acunetix, Burp Suite Enterprise lead the commercial tier; OWASP ZAP and Nuclei are the open-source workhorses.
// filter ::
asset
deployment
scan-type
compliance
price-band
license
Tenable Nessus Professional

Single-scanner on-prem workhorse. Per-scanner not per-asset.

verified 2026-06-25 · vendor page
networkwebcloud
self-hostedagent
AMBER
$4,790 / year (1 scanner, 1-year)
pci-asvsoc2hipaaiso27001free tier
Tenable Vulnerability Management (Tenable.io)

Per-asset SaaS replacement for Nessus at scale, plus WAS/EASM/CTEM modules.

verified 2026-06-25 · vendor page
networkwebcloudcontainer
saasagentagentlesshybrid
AMBER
$3,500 / year for 100 assets (~$35/asset/yr)
pci-asvfedrampsoc2hipaaiso27001free tier
Qualys VMDR

Cloud-native VMDR with TruRisk scoring; quote-only at enterprise scale.

verified 2026-06-25 · vendor page
networkwebcloudcontainer
saasagentagentless
QUOTE
Quote only; partner-reported ~$199 per asset per year
pci-asvfedrampsoc2hipaaiso27001free tier
Invicti

Enterprise DAST with Proof-Based Scanning to cut triage. Sibling brand to Acunetix.

verified 2026-06-25 · vendor page
web
saasself-hosted
QUOTE
Quote only; partner-reported ~$5,000 per app per year
pci-asvsoc2hipaaiso27001free tier
Acunetix

Mid-market DAST sibling to Invicti. Per-target pricing, AcuSensor IAST optional.

verified 2026-06-25 · vendor page
web
saasself-hosted
QUOTE
Quote only; partner-reported $4,500-$7,000 Standard for 5 targets
pci-asvsoc2hipaafree tier
Burp Suite Enterprise

PortSwigger's enterprise DAST. Out-of-band Collaborator detection. Published list pricing.

verified 2026-06-25 · vendor page
web
self-hostedsaas
SIGNAL
$8,395 / year (Starter, 1 concurrent scan, 5 apps)
pci-asvsoc2free tier
HostedScan

Managed wrapper around OpenVAS / ZAP / Nuclei. Cheap entry point for solo founders.

verified 2026-06-25 · vendor page
networkweb
saas
PHOSPHOR
Free 5 targets; Pro $30/mo (10 targets); Business $250/mo
soc2free tier
Pentest-Tools.com

Pen-tester-flavoured scanner platform with report generator. Per-target monthly.

verified 2026-06-25 · vendor page
networkweb
saas
PHOSPHOR
Basic $95/mo (15 targets); Advanced $200/mo; Teams $475/mo
pci-asvsoc2free tier
[ 8 of 15 scanners shown ] · row prices verified against vendor pages on the date stamped above.

SPA and authenticated coverage

All three commercial DAST tools above (Invicti, Acunetix, Burp Enterprise) crawl SPAs reliably in 2026. The differentiator is authenticated-flow handling: Burp's session-replay approach is most flexible; Invicti's Proof-Based Scanning cuts triage hours; Acunetix's AcuSensor IAST agent gives source-line evidence.

// faq

FAQ

  • What does PCI DSS 6.6 require?
    PCI DSS 6.6 requires either a web application firewall in front of public-facing web apps OR an annual code review / web app scan. DAST tools above satisfy the scan path.
  • Can ZAP replace a commercial DAST?
    For CI/CD gating and pre-prod scans, yes. For periodic deep auth-flow scanning of complex SPAs, commercial DAST still leads on UX and reporting.
  • Is Burp Enterprise overkill for 5 apps?
    Starter is $8,395/year for 5 applications. If you want out-of-band detection (blind XSS, SSRF), it's the cheapest published price point.
  • Does Snyk Code cover DAST?
    No. Snyk Code is SAST. For DAST coverage pair with Burp, Invicti, Acunetix, or ZAP.
  • How often should DAST scans run?
    Pre-prod on every release, weekly authenticated scans in production, plus an annual deep scan as the audit-grade artifact.
Related: Invicti Burp Suite Enterprise DAST vs SAST