Fluid Attacks

Category: DAST
License: Commercial
Suphi Cankurt
AppSec Enthusiast
Updated February 21, 2026
4 min read
Key Takeaways
  • Fluid Attacks combines DAST, SAST, SCA, and PTaaS with human expert verification for near-zero false positive rates.
  • Designated CVE Numbering Authority and CASA tier 2 approved, supporting 13+ languages including Java, Python, Go, and Swift.
  • AI-powered scanning is validated by human security experts who verify findings before they reach development teams.
  • Continuous Hacking model provides ongoing penetration testing rather than point-in-time assessments.

Fluid Attacks combines DAST, SAST, SCA, and penetration testing in a single platform. Automated scanners find the bugs. Their team of ethical hackers confirms the critical ones are real.

This two-layer approach — machine scanning plus human verification — is the main selling point. False positive rates stay very low because a person has actually validated exploitability before the finding reaches your dashboard.

The company is based in Colombia, became a CVE Numbering Authority in 2021, and their CLI tool is CASA tier 2 approved for Google Play compliance.

Key features at a glance

Feature | Detail
--- | ---
Testing Methods | DAST, SAST, SCA, PTaaS, secure code review
SAST Languages | Java, Python, JS, TS, Go, Ruby, PHP, C#, C/C++, Kotlin, Swift, Scala
False Positive Approach | Deterministic detection + human expert verification
CVE Authority | CNA status since 2021 — can assign CVE identifiers
CASA Compliance | Tier 2 approved for Google Play requirements
AI Fix Suggestions | Language and framework-aware remediation guidance
API | GraphQL-based API for programmatic access
IDE Plugins | VS Code, IntelliJ, Cursor
Connectivity | Cloud (HTTPS/SSH), Egress (static IP), Connector (Cloudflare ZTNA)
Severity Scoring | CVSSF (proprietary metric beyond standard CVSS)

What is Fluid Attacks?

Most DAST tools are fully automated — you point them at a target, they scan, they report. Fluid Attacks takes a different approach by adding human verification on top of automated scanning.

The automated layer runs DAST against running applications, SAST against source code in 13 languages, and SCA against your dependency tree. Findings from all three scanners land in one dashboard with deduplication built in.

The human layer is where it gets interesting. Fluid Attacks’ team of certified ethical hackers reviews critical findings, confirms exploitability, and weeds out false positives. They also run continuous penetration testing alongside the automated scans.

CVE Numbering Authority
Fluid Attacks has been a CNA since 2021, meaning they can assign CVE identifiers to vulnerabilities they discover during research and testing. This is unusual for a testing vendor and reflects active involvement in vulnerability disclosure.
Automated + Human
Automated scanners (DAST, SAST, SCA) run continuously. Ethical hackers verify critical findings and perform manual testing that automated tools can’t replicate.
Low False Positives
Deterministic detection patterns trigger only on confirmed vulnerabilities. Human verification adds a second filter. When a finding hits your dashboard, it’s almost certainly real.
AI Fix Suggestions
For each finding, the platform generates fix recommendations specific to your programming language and framework. Not generic advice — actual code-level guidance.
CASA Tier 2
The free CLI tool is approved by the App Defense Alliance for Google Play CASA compliance validation. Useful for mobile teams needing to pass Play Store security requirements.

Multi-methodology testing

All scan types run through one platform. DAST probes running applications with targeted attack patterns. SAST reviews source code in 13 languages. SCA checks open-source dependencies for known vulnerabilities and license issues. The OWASP Testing Guide recommends combining multiple testing methodologies because each catches different vulnerability classes — DAST finds runtime issues, SAST catches code-level flaws, and SCA surfaces vulnerable dependencies.

Results from all three appear in a single dashboard. Duplicate findings across methodologies get merged automatically, so you don’t waste time triaging the same bug reported by two different scanners.

Connectivity options

Fluid Attacks supports three ways to reach your applications:

  • Cloud: HTTPS/SSH encrypted connections with OAuth, SSH, or HTTPS authentication
  • Egress: Cloudflare-based static IP whitelisting for firewall rules
  • Connector: Zero Trust Network Access via Cloudflare Tunnel for private network testing

The Connector option is worth noting — it lets Fluid Attacks scan internal applications without opening inbound firewall ports.

IDE integration
Fluid Attacks ships plugins for VS Code, IntelliJ, and Cursor that surface findings and AI-powered fix suggestions directly in your editor. Fixes come with code-level context for the specific language and framework you’re using.

How to use Fluid Attacks

1. Create a project: sign up and configure your first application in the Fluid Attacks platform. Choose your connectivity method (cloud, egress, or connector).
2. Connect your repos: link source code repositories for SAST and SCA. Configure Git access via SSH or HTTPS.
3. Set up DAST targets: add target URLs for dynamic scanning. Configure authentication if testing protected areas.
4. Review findings: check the unified dashboard for results across all scan types. Critical findings include human verification status and AI fix suggestions.

CI/CD integration

Fluid Attacks integrates with GitLab, Azure DevOps, and other CI/CD platforms. The pipeline can break builds when findings exceed your severity threshold.

# Using the Fluid Attacks Docker image
# Mount the current directory (quoted so paths with spaces work) as /code
# and point skims at the YAML config that defines the scan targets and rules
docker run --rm -v "$(pwd)":/code fluidattacks/cli:latest \
  skims scan /code/config.yaml

Fluid Attacks primarily works through their platform for continuous scanning and human verification. The CLI tool (skims) takes a YAML configuration file that defines scan targets and rules. For CI/CD integration, connect your repositories directly through the Fluid Attacks platform, which handles build-breaking policies and finding deduplication across scan types.

Integrations

Development
  • GitLab
  • Azure DevOps
  • Jira Cloud
  • VS Code
  • IntelliJ

When to use Fluid Attacks

Fluid Attacks makes sense when you want automated scanning verified by actual humans. The combination eliminates most false positives, but it costs more than pure-automation tools and the human review adds time to the triage cycle.

Good fit when you need:

  • Multi-methodology testing (DAST + SAST + SCA) in one place
  • Human expert verification of critical findings
  • Very low false positive rates
  • Continuous penetration testing alongside automated scanning
  • CASA tier 2 compliance for Google Play
  • CVE-level vulnerability research support

Teams that prioritize speed over accuracy, or those on a tight budget, may prefer fully automated DAST tools like StackHawk or ZAP. For a comparison of testing approaches, see our guide on SAST vs DAST vs IAST. Fluid Attacks is for organizations willing to pay more for higher confidence in findings. Teams focused purely on API security might also consider Escape, which specializes in business logic and BOLA detection.

Frequently Asked Questions

What is Fluid Attacks?
Fluid Attacks is a Colombian security company that combines DAST, SAST, SCA, and penetration testing in one platform. Automated findings are verified by their team of ethical hackers, which keeps false positive rates very low.
Is Fluid Attacks free or commercial?
The full platform with human verification requires a commercial subscription. Their open-source CLI tool is free and CASA tier 2 approved for Google Play compliance validation.
What languages does Fluid Attacks support?
SAST covers 13 languages including Java, Python, JavaScript, TypeScript, Go, Ruby, PHP, C#, C, C++, Kotlin, Swift, and Scala. DAST and SCA are language-agnostic since they test running applications and dependencies respectively.
How does Fluid Attacks compare to alternatives?
The main differentiator is combining automated scanning with human expert verification. Most platforms are fully automated. Fluid Attacks uses ethical hackers to confirm critical findings, which reduces false positives but adds cost.
What is CASA tier 2 approval?
Cloud Application Security Assessment (CASA) tier 2 is a Google requirement for certain Play Store apps. Fluid Attacks’ CLI tool is one of the approved scanners for validating CASA compliance.