
Fortify WebInspect Agent (IAST)

Category: IAST
License: Commercial
Suphi Cankurt
AppSec Enthusiast
Updated February 9, 2026
Key Takeaways
  • Transforms Fortify WebInspect from a pure DAST scanner into a hybrid DAST+IAST solution, adding source file names, line numbers, and full stack traces to each finding.
  • Included free with Fortify WebInspect and WebInspect Enterprise licenses — no additional cost. Also available through Fortify on Demand SaaS.
  • Supports Java (JVM agent) and .NET (IIS module) applications; no source code changes required for deployment.
  • Validates that attack payloads actually reach vulnerable code paths, eliminating false positives caused by WAFs or input validation blocking attacks before they hit vulnerable code.

Fortify WebInspect Agent adds IAST capabilities to the Fortify WebInspect DAST scanner. It instruments Java and .NET applications during dynamic scans to provide file names, line numbers, and stack traces for each vulnerability.

The agent is included free with WebInspect and WebInspect Enterprise licenses. It is also available through Fortify on Demand SaaS.

What is Fortify WebInspect Agent?

Figure: OpenText Fortify WebInspect dynamic scan configuration interface, showing target URL and authentication settings.

The WebInspect Agent transforms Fortify WebInspect from a pure DAST scanner into a hybrid DAST+IAST solution. While WebInspect attacks the application externally, the agent monitors code execution internally. This combination means developers get specific file-and-line references rather than generic HTTP-level descriptions.

  • Code-Level Reporting: Captures source file names, line numbers, full stack traces, and variable values at the point of exploitation. Turns vague DAST findings into precise remediation targets.
  • Attack Validation: Confirms that WebInspect’s attack payloads actually reach vulnerable code. If a WAF or input validation blocks the attack, the agent drops the false positive.
  • CAPTCHA Bypass: Intercepts CAPTCHA validation at the application level during scanning. WebInspect scans proceed automatically without manual intervention.

Key Features

| Feature | Details |
| --- | --- |
| Supported Languages | Java, .NET |
| Licensing | Included with WebInspect and WebInspect Enterprise |
| SaaS Option | Available through Fortify on Demand |
| Java Deployment | JVM agent argument |
| .NET Deployment | IIS module or Windows installer |
| Attack Validation | Confirms payloads reach vulnerable code paths |
| CAPTCHA Handling | Bypasses CAPTCHA at application level |
| Cross-Tool Correlation | Integrates with Fortify SCA static findings |

Code-Level Vulnerability Reporting

When the agent detects a vulnerability during a scan, it captures the complete execution context: source file name and path, line number where the vulnerability occurs, full stack trace showing the call chain, and variable values at the point of exploitation.

This detail eliminates the guesswork that typically follows DAST-only scans.

Attack Validation

The agent validates that attacks launched by WebInspect actually reach vulnerable code paths. If a potential vulnerability is blocked by a web application firewall, input validation, or other defensive layer before it reaches vulnerable code, the agent confirms the finding is a false positive.

Fortify SCA Correlation
Organizations using Fortify SCA for SAST can correlate static findings with runtime observations from the WebInspect Agent. This cross-referencing confirms which statically-detected vulnerabilities are actually reachable during execution.

Figure: OpenText Fortify DAST architecture diagram showing the target application scanning workflow.

Integration with Fortify Ecosystem

Fortify is now part of OpenText, following OpenText's acquisition of Micro Focus in 2023. The agent works within the broader OpenText Fortify ecosystem:

  • Fortify WebInspect — DAST scanning with IAST enhancement
  • Fortify SCA — static analysis correlation
  • Fortify Software Security Center — centralized reporting
  • Fortify on Demand — SaaS delivery option

Getting Started

1. Get the agent — Download the WebInspect Agent from your Fortify portal. It ships with WebInspect installations at no additional cost.
2. Deploy to your application — For Java, add the agent as a -javaagent JVM argument. For .NET, install the IIS module via the provided Windows installer. No source code changes needed.
3. Enable in WebInspect — In your WebInspect scan configuration, navigate to the Agent settings and enable “Use WebInspect Agent.” Configure the agent server URL.
4. Run your DAST scan — Start a WebInspect scan against the instrumented application. Results include both external DAST findings and internal IAST code-level details.

When to Use Fortify WebInspect Agent

The WebInspect Agent makes sense whenever you already run Fortify WebInspect scans and want more actionable results. There is no extra licensing cost.

Best For
Teams already using Fortify WebInspect who want code-level vulnerability details, false positive reduction, and CAPTCHA bypass at zero additional cost.

The agent is particularly valuable for Java and .NET enterprise applications where WebInspect is already part of the security testing strategy. If you need IAST for languages beyond Java and .NET, consider Contrast Assess or Seeker IAST.

Frequently Asked Questions

What is Fortify WebInspect Agent?
Fortify WebInspect Agent is an IAST component that adds code-level vulnerability details including file names, line numbers, and stack traces to Fortify WebInspect DAST scans.

Is Fortify WebInspect Agent free or commercial?
The WebInspect Agent is included free with Fortify WebInspect and WebInspect Enterprise licenses. It is also available through Fortify on Demand SaaS.

What languages does Fortify WebInspect Agent support?
The agent supports Java and .NET applications. Java applications use a JVM agent argument, and .NET applications use an IIS module.

How does the WebInspect Agent reduce false positives?
The agent validates that attacks launched by WebInspect actually reach vulnerable code paths. If a WAF or input validation blocks the attack before it hits vulnerable code, the agent eliminates the false positive.

Can the WebInspect Agent bypass CAPTCHAs?
Yes. When deployed, the agent intercepts CAPTCHA validation at the application level, allowing WebInspect scans to proceed without manual intervention.