Combines SAST, DAST, IAST, and SCA in a single platform with automatic vulnerability verification via safe exploit generation to reduce false positives.
Supports 15 languages including Java, C#, PHP, Python, Go, Kotlin, Swift, Scala, and Solidity, with custom analysis rules via JSA DSL (v5.2).
Not available to US entities — Positive Technologies was sanctioned by OFAC in April 2021 and added to the Commerce Department Entity List in November 2021.
Integrates with PT Application Firewall for automatic virtual patching when code fixes aren't immediately possible.
PT Application Inspector is an application security testing platform from Positive Technologies that combines SAST, DAST, IAST, and SCA in a single tool. It supports 15 programming languages and automatically generates safe exploit payloads to verify whether detected vulnerabilities are actually exploitable.
Combined SAST+DAST+IAST+SCA
Runs static analysis, dynamic testing, interactive testing, and software composition analysis from one platform. Results are correlated and deduplicated in a single dashboard.
Auto Vulnerability Verification
Generates safe exploit payloads to confirm whether detected vulnerabilities are real. Verified issues get marked as confirmed; unexploitable findings get downgraded.
Data Flow Diagrams
Produces interactive data flow diagrams for each vulnerability, showing how tainted input travels through the application to reach a dangerous sink.
What is PT Application Inspector?
PT Application Inspector (PT AI) takes a different approach from most SAST tools by integrating four testing methodologies into one platform. Instead of managing separate static, dynamic, and composition analysis tools, PT AI runs them together and correlates the results.
The differentiator is automatic exploit generation. When static analysis finds a potential SQL injection or XSS vulnerability, PT AI constructs a safe test payload and executes it against the application. If the exploit succeeds, the vulnerability is marked as verified. If defenses block it, the finding is downgraded. Positive Technologies claims this reduces false positives without requiring manual triage.
PT AI uses abstract interpretation technology for its SAST engine, which distinguishes it from pattern-matching-only tools. Version 5.2 (October 2025) introduced custom analysis rules via a JSA (Just Static Analyzer) DSL for describing code semantics.
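To illustrate the distinction drawn above, the following added example (not Positive Technologies' code and not the JSA DSL) runs a toy taint analysis by abstract interpretation next to a naive pattern match and returns the source-to-sink path for each finding. The statement tuples, variable names, and the `db.execute` sink label are hypothetical.

```python
# Added example: toy taint analysis by abstract interpretation (not PT AI's engine).
# Abstract state maps a variable to its taint path when it MAY hold untrusted
# data on some execution path; a variable absent from the state is clean.

def analyze(block, state=None, findings=None):
    state = dict(state or {})
    findings = [] if findings is None else findings
    for stmt in block:
        op = stmt[0]
        if op == "source":        # ("source", var, label)
            state[stmt[1]] = [f"source {stmt[2]} -> {stmt[1]}"]
        elif op == "assign":      # ("assign", dst, src)
            if stmt[2] in state:
                state[stmt[1]] = state[stmt[2]] + [f"{stmt[2]} -> {stmt[1]}"]
            else:
                state.pop(stmt[1], None)
        elif op == "sanitize":    # ("sanitize", var)
            state.pop(stmt[1], None)
        elif op == "sink":        # ("sink", name, var)
            if stmt[2] in state:
                findings.append(state[stmt[2]] + [f"{stmt[2]} -> sink {stmt[1]}"])
        elif op == "if":          # ("if", then_block, else_block)
            then_state, _ = analyze(stmt[1], state, findings)
            else_state, _ = analyze(stmt[2], state, findings)
            state = {**else_state, **then_state}  # join: tainted on either branch
    return state, findings

def pattern_match(block):
    """Naive baseline: flag any program containing both a source and a sink."""
    ops = set()
    def walk(b):
        for s in b:
            ops.add(s[0])
            if s[0] == "if":
                walk(s[1])
                walk(s[2])
    walk(block)
    return {"source", "sink"} <= ops

# Constructed sample programs.
ALWAYS_SANITIZED = [("source", "q", "http_param"), ("sanitize", "q"),
                    ("assign", "sql", "q"), ("sink", "db.execute", "sql")]
SANITIZED_ON_ONE_BRANCH = [("source", "q", "http_param"),
                           ("if", [("sanitize", "q")], []),
                           ("assign", "sql", "q"), ("sink", "db.execute", "sql")]

if __name__ == "__main__":
    for name, prog in [("always", ALWAYS_SANITIZED), ("one branch", SANITIZED_ON_ONE_BRANCH)]:
        print(name, pattern_match(prog), analyze(prog)[1])
```

The pattern match flags both programs, while the abstract interpreter reports only the one where an unsanitized path survives the branch join.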
The tool was positioned as a Niche Player in the 2018 Gartner Magic Quadrant for Application Security Testing.
Key features
Language support
PT AI supports 15 programming languages. Language coverage has expanded across recent releases:
Version | Languages Added
v4.0 (2022) | TypeScript
v4.7 (2024) | C#, C, C++, Objective-C, Ruby
v5.2 (2025) | Scala
The full list: Java, C#, PHP, JavaScript, TypeScript, Python, Go, C/C++, Objective-C, Kotlin, Swift, Ruby, Scala, Solidity, and SQL.
Note: C/C++ and Objective-C scanning is not supported on macOS.
WAF integration
PT AI integrates with PT Application Firewall (PT AF) for virtual patching. When a vulnerability is detected but can’t be immediately fixed in code, PT AI automatically exports findings to the WAF, which generates rules to block exploit attempts in production.
Docker container scanning
Version 4.0 (April 2022) introduced Docker container support and a web-based interface. The SSDL Edition runs as a server application accessible through a browser.
IDE plugins
PT AI provides plugins for Visual Studio Code (v2.8.0, 3,400+ installs) and IntelliJ IDEA. The VS Code plugin performs static analysis, detects configuration errors, and scans third-party components for vulnerabilities directly in the editor.
Geographic availability
Positive Technologies was sanctioned by the US Treasury Department in April 2021 and added to the Commerce Department Entity List in November 2021. This restricts the product from being sold to US entities. The company operates primarily in Russia, CIS countries, India, and parts of Europe and Asia.
Getting started
1. Request a trial — Contact Positive Technologies for a free trial. PT AI is commercial software with quote-based pricing. Two editions: Desktop (individual use) and SSDL (team/enterprise).
2. Deploy the server — The SSDL Edition runs on Linux or Windows as a web application. The Desktop Edition installs locally for individual security specialists.
3. Configure your project — Set up a project through the web interface. PT AI auto-detects languages and applies the appropriate analysis rules. Enable SAST, DAST, IAST, and SCA as needed.
4. Review verified findings — Each finding shows whether it was verified via automatic exploit generation. Data flow diagrams show the taint path from source to sink for each vulnerability.
When to use PT Application Inspector
PT AI fits organizations that want SAST, DAST, IAST, and SCA from a single vendor with automatic vulnerability verification. The integrated approach reduces tool sprawl and the exploit verification reduces manual triage effort.
Due to US sanctions on Positive Technologies, the tool is not available to US entities. Organizations outside the US that want consolidated security testing with verified findings should evaluate PT AI alongside alternatives like Checkmarx or Fortify.
Best for
Non-US organizations that want unified SAST, DAST, IAST, and SCA with automatic vulnerability verification to reduce false positives, in a single platform.
Frequently Asked Questions
What is PT Application Inspector?
PT Application Inspector (PT AI) is an application security testing platform from Positive Technologies that combines SAST, DAST, IAST, and SCA in a single tool. It supports 15 languages and automatically generates safe exploit payloads to verify vulnerabilities before reporting them. The latest version is 5.2, released October 2025.
Is PT Application Inspector free?
No. PT Application Inspector is commercial software with quote-based pricing. Two editions exist: Desktop Edition for individual security specialists, and SSDL Edition for large development teams. A free trial is available.
What is automatic vulnerability verification?
When PT AI detects a potential vulnerability through static analysis, it automatically generates a safe test payload (exploit) and executes it against the application to confirm whether the issue is exploitable. Verified vulnerabilities get marked as confirmed, while unexploitable findings are downgraded. This reduces false positives without manual triage.
Is PT Application Inspector available in the US?
No. Positive Technologies was sanctioned by the US Treasury Department (OFAC) in April 2021 and added to the Commerce Department’s Entity List in November 2021. This effectively restricts the product from being sold to or used by US entities. The company operates primarily in Russia, CIS, India, and parts of Europe and Asia.