DevOps Glossary

DAST (Dynamic Application Security Testing)

Automated security testing that sends real requests to a running app to find exploitable weaknesses from the outside.

DAST (Dynamic Application Security Testing) is an automated security testing approach that evaluates a live, running application from the outside, interacting over HTTP like a real user or attacker would. It uncovers runtime issues that static code checks can miss, including injection flaws, broken authentication and authorization (who can sign in and what they can access), insecure session handling, and security misconfigurations in headers, routing, or middleware. At a high level, a DAST tool crawls the application to discover pages and endpoints, sends crafted requests with unexpected inputs, and inspects responses, error messages, redirects, and timing to infer exploitable behavior, all without needing source code. Because it only tests what it can reach, coverage depends on how thoroughly it crawls and on whether it has credentials for authenticated areas.
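To make the crawl-probe-inspect loop concrete, here is an added, self-contained example (not part of the original glossary entry or of any real scanner). It runs a minimal DAST-style scanner against a hypothetical, deliberately flawed in-process toy app so that it works offline: the toy app, its routes (`/`, `/search`, `/user`), the probe strings, the error-message regex and the required-header list are all constructed assumptions for illustration. The scanner crawls links, injects a marker to detect unescaped reflection, appends a quote to surface database error pages, and flags missing security headers.

```python
"""Minimal DAST-style scanner run against an in-process toy app (constructed example).

The toy app stands in for a deployed HTTP service: it takes (method, url) and
returns (status, headers, body), so the whole demo runs offline without sockets.
"""
import re
import sqlite3
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urljoin, urlsplit

# --- Constructed target: hypothetical app with deliberate weaknesses ----------
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE users (id INTEGER, name TEXT)")
_db.execute("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')")


def toy_app(method, url):
    """Three routes; only the response is visible to the scanner, never this code."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    headers = {"Content-Type": "text/html"}  # misconfiguration: no CSP, no nosniff
    if parts.path == "/":
        return 200, headers, ('<a href="/search?q=test">search</a> '
                              '<a href="/user?id=1">user</a> <a href="/">home</a>')
    if parts.path == "/search":
        # Reflects the parameter into HTML without escaping (reflected XSS).
        return 200, headers, f"<h1>Results for {q.get('q', '')}</h1>"
    if parts.path == "/user":
        try:
            # String-built SQL: the value is interpolated, not bound (SQL injection).
            row = _db.execute(f"SELECT name FROM users WHERE id = {q.get('id', '0')}").fetchone()
        except sqlite3.Error as e:
            # Verbose error page leaks the database engine's message.
            return 500, headers, f"<pre>{type(e).__module__}.{type(e).__name__}: {e}</pre>"
        return 200, headers, f"<p>User: {row[0] if row else 'not found'}</p>"
    return 404, headers, "<p>not found</p>"


# --- Scanner: crawl, probe, inspect responses --------------------------------
XSS_PROBE = '<dast"x>'  # marker that must be encoded if output handling is safe
SQL_ERROR_RE = re.compile(
    r"sqlite3\.\w*Error|SQL syntax|ORA-\d{5}|unclosed quotation mark|syntax error", re.I)
REQUIRED_HEADERS = ("Content-Security-Policy", "X-Content-Type-Options")


class LinkExtractor(HTMLParser):
    """Collects href values from <a> tags so the crawler can discover endpoints."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.extend(v for k, v in attrs if k == "href" and v)


def crawl(app, start, limit=50):
    """Breadth-first crawl of same-host links; returns {url: (status, headers, body)}."""
    seen, queue, pages = set(), [start], {}
    host = urlsplit(start).netloc
    while queue and len(seen) < limit:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        status, headers, body = app("GET", url)
        pages[url] = (status, headers, body)
        ex = LinkExtractor()
        ex.feed(body)
        queue.extend(u for u in (urljoin(url, h) for h in ex.links)
                     if urlsplit(u).netloc == host)
    return pages


def with_param(url, name, value):
    """Return url with one query parameter replaced by the probe value."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    q[name] = value
    return parts._replace(query=urlencode(q)).geturl()


def scan(app, start):
    """Active checks per discovered page; findings are (kind, url, detail) tuples."""
    findings = []
    for url, (status, headers, body) in crawl(app, start).items():
        for h in REQUIRED_HEADERS:  # passive check: response header misconfiguration
            if h not in headers:
                findings.append(("missing-header", url, h))
        for name, values in parse_qs(urlsplit(url).query).items():
            _, _, b = app("GET", with_param(url, name, XSS_PROBE))
            if XSS_PROBE in b:  # marker came back verbatim: unescaped reflection
                findings.append(("reflected-xss", url, name))
            s, _, b = app("GET", with_param(url, name, values[0] + "'"))
            if s >= 500 or SQL_ERROR_RE.search(b):  # error-based injection signal
                findings.append(("sql-error", url, name))
    return findings


if __name__ == "__main__":
    for f in scan(toy_app, "http://toy.local/"):
        print(*f)
```

The scanner never reads the app's code; every finding is inferred from status codes, headers and response bodies, which is exactly the black-box position a DAST tool occupies. Real tools add authenticated crawling, many more payload families, and timing-based checks for blind injection, but the loop is the same.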

With DAST, teams validate what is actually exposed in a deployed environment and catch exploitable weaknesses before release; without it, configuration-driven and request-handling flaws can slip into production and surface as incidents, data exposure, or operational disruption. This gap exists because many security behaviors depend on deployment settings and real request processing, not just on the code, so DAST complements rather than replaces static analysis.