Web application vulnerability scanners: DAST directory
DAST scanners filtered out of the main directory. Per-application list pricing where published.
What is a web application vulnerability scanner?
Single-scanner on-prem workhorse. Per-scanner not per-asset.
Per-asset SaaS replacement for Nessus at scale, plus WAS/EASM/CTEM modules.
Cloud-native VMDR with TruRisk scoring; quote-only at enterprise scale.
Enterprise DAST with Proof-Based Scanning to cut triage. Sibling brand to Acunetix.
Mid-market DAST sibling to Invicti. Per-target pricing, AcuSensor IAST optional.
PortSwigger's enterprise DAST. Out-of-band Collaborator detection. Published list pricing.
Managed wrapper around OpenVAS / ZAP / Nuclei. Cheap entry point for solo founders.
Pen-tester-flavoured scanner platform with report generator. Per-target monthly.
SPA and authenticated coverage
All three commercial DAST tools above (Invicti, Acunetix, Burp Enterprise) crawl SPAs reliably in 2026. The differentiator is authenticated-flow handling: Burp's session-replay approach is most flexible; Invicti's Proof-Based Scanning cuts triage hours; Acunetix's AcuSensor IAST agent gives source-line evidence.
FAQ
- What does PCI DSS 6.6 require?PCI DSS 6.6 requires either a web application firewall in front of public-facing web apps OR an annual code review / web app scan. DAST tools above satisfy the scan path.
- Can ZAP replace a commercial DAST?For CI/CD gating and pre-prod scans, yes. For periodic deep auth-flow scanning of complex SPAs, commercial DAST still leads on UX and reporting.
- Is Burp Enterprise overkill for 5 apps?Starter is $8,395/year for 5 applications. If you want out-of-band detection (blind XSS, SSRF), it's the cheapest published price point.
- Does Snyk Code cover DAST?No. Snyk Code is SAST. For DAST coverage pair with Burp, Invicti, Acunetix, or ZAP.
- How often should DAST scans run?Pre-prod on every release, weekly authenticated scans in production, plus an annual deep scan as the audit-grade artifact.