Dastardly

Category: DAST
License: Free
Suphi Cankurt, AppSec Enthusiast
Updated February 21, 2026
Key Takeaways
  • Dastardly is completely free with no usage limits — PortSwigger positions it as an on-ramp to commercial Burp Suite DAST.
  • Runs the Burp Suite scanning engine inside a Docker container, completing scans in under 10 minutes with JUnit XML output.
  • Focuses on high-confidence issues: reflected XSS, CORS misconfigurations, vulnerable JavaScript dependencies, and content-type mismatches.
  • Zero configuration required — provide a target URL and it runs, with native GitHub Actions support via the official action.

Dastardly is a free DAST scanner from PortSwigger that runs the Burp Suite scanning engine in a Docker container. Give it a URL, get JUnit XML results in under 10 minutes. No API keys, no configuration files, no account required.

PortSwigger built Dastardly for one purpose: fast, high-confidence security checks in CI/CD pipelines. It does not try to be a full DAST scanner. It finds a focused set of vulnerabilities with minimal false positives.

Key Features

Feature        | Details
---------------|------------------------------
Price          | Free, no limits
Scan engine    | Burp Suite scanner core
Scan time      | Under 10 minutes (hard cap)
Output         | JUnit XML
Deployment     | Docker container
Configuration  | Zero — just provide a target URL
Auth scanning  | Not supported
API keys       | Not required

Burp Scanner Engine
Same detection logic that powers Burp Suite Professional, refined through PortSwigger’s decades of web security research and the Web Security Academy program.
10-Minute Cap
Every scan finishes within 10 minutes regardless of site size. This hard limit keeps Dastardly from becoming a bottleneck in your build pipeline.
Zero Configuration
No config files, API keys, or account setup. Run the Docker container with a target URL and get results. That is the entire workflow.

Vulnerability Coverage

Dastardly checks for a focused set of high-confidence vulnerability types. Reflected XSS appears in the OWASP Top 10 under injection flaws, and the Verizon DBIR consistently identifies web application attacks as one of the top breach vectors — making even this narrow coverage valuable as a CI/CD safety net.

  • Reflected cross-site scripting (XSS)
  • CORS misconfigurations
  • Vulnerable JavaScript dependencies
  • Content-type mismatches
  • Multiple content types specified
  • HTML does not specify charset
  • Duplicate cookies set

The limited scope is intentional. Every reported issue is a real problem worth fixing. Dastardly will not flood your pipeline with noise.

Focused by Design
Dastardly does not attempt full DAST coverage. It finds the most common, highest-confidence web vulnerabilities in under 10 minutes. For deeper scanning with authenticated testing, see Burp Suite DAST edition.

CI/CD Integration

GitHub Actions

name: Security Scan
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  dast:
    runs-on: ubuntu-latest
    steps:
      - name: Run Dastardly
        uses: PortSwigger/dastardly-github-action@main
        with:
          target-url: 'https://staging.example.com'

      - name: Upload Report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: dastardly-report
          path: dastardly-report.xml

Docker (any CI system)

docker run --user $(id -u) --rm \
  -v $(pwd):/dastardly \
  -e BURP_START_URL=https://your-app.example.com \
  -e BURP_REPORT_FILE_PATH=/dastardly/dastardly-report.xml \
  public.ecr.aws/portswigger/dastardly:latest

GitLab CI

dast:
  stage: test
  image: public.ecr.aws/portswigger/dastardly:latest
  variables:
    BURP_START_URL: "$STAGING_URL"
    # Write the report into the project directory so the relative
    # artifacts path below resolves to the same file
    BURP_REPORT_FILE_PATH: "$CI_PROJECT_DIR/gl-dast-report.xml"
  artifacts:
    reports:
      junit: gl-dast-report.xml

The JUnit XML output works natively with Jenkins, GitHub Actions, GitLab CI, CircleCI, Azure DevOps, and virtually every other build system.

Getting Started

1. Pull the Docker image
   docker pull public.ecr.aws/portswigger/dastardly:latest
2. Run a scan — Pass your target URL and an output file path. That is the only configuration.
3. Read the results — Open the JUnit XML file or let your CI system parse it. Each finding includes the vulnerability type, affected URL, and confidence level.

Best For
Teams that want a free, zero-friction security gate in CI/CD. Run it on every pull request. If Dastardly finds something, it is almost certainly real. Think of it as a smoke test for web security, not a full assessment. When you need deeper scanning, upgrade to Burp Suite DAST.

Limitations

Dastardly does not support authenticated scanning, custom scan profiles, or API specification imports. It cannot test pages behind login forms. The 10-minute cap means large applications get incomplete coverage. It checks a narrow set of vulnerability types compared to full DAST tools.

For authenticated scanning, API testing, or full OWASP Top 10 coverage, you need a commercial DAST tool like Acunetix or Invicti. Our free DAST tools guide covers other no-cost options, including ZAP, which offers broader coverage. Dastardly is the entry point, not the replacement.

Frequently Asked Questions

What is Dastardly?
Dastardly is a free, lightweight DAST scanner from PortSwigger. It runs the Burp Suite scanning engine inside a Docker container, completes in under 10 minutes, and outputs JUnit XML for CI/CD integration.
Is Dastardly free?
Yes, completely free with no usage limits, no API keys, and no hidden tiers. PortSwigger positions it as an on-ramp to their commercial Burp Suite DAST product.
What vulnerabilities does Dastardly detect?
Dastardly checks for a focused set of high-confidence issues: reflected XSS, CORS misconfigurations, vulnerable JavaScript dependencies, content-type mismatches, missing charset declarations, and duplicate cookies. It prioritizes accuracy over breadth.
Can Dastardly do authenticated scanning?
No. Dastardly does not support authenticated scanning, custom configurations, or login sequences. It is designed as a quick security gate for unauthenticated surfaces only.
How does Dastardly compare to full DAST tools?
Dastardly trades coverage for speed and accuracy. It checks fewer vulnerability types but finishes in under 10 minutes with very few false positives. For deeper scanning, PortSwigger recommends upgrading to Burp Suite DAST.