Veracode Dynamic Analysis is an enterprise DAST platform that scales to hundreds of web applications.
It runs alongside Veracode’s SAST and SCA products on a single platform with unified flaw tracking, policy management, and compliance reporting.

Veracode has built its DAST offering around portfolio-scale management. The SaaS architecture means you can run parallel scans across your entire application inventory without managing scanning infrastructure.
The 2022 Crashtest Security acquisition added better JavaScript SPA support and developer-focused CI/CD integration.
What is Veracode Dynamic Analysis?
Veracode DAST performs black-box testing of running web applications and APIs.
You configure scan targets through the Veracode platform or API, and the scanner crawls and attacks each application to find vulnerabilities.
Results feed into the same dashboard as Veracode Static Analysis and SCA findings.
This means security teams see a single view of each application’s risk — what static analysis flagged in the code, what open-source vulnerabilities exist in dependencies, and what dynamic testing found exploitable at runtime.
According to NIST SP 800-53, combining multiple testing techniques provides more comprehensive security coverage than any single approach.
For applications not accessible from the internet, Veracode offers Internal Scanning Management (ISM), a lightweight Java-based agent (JAR file) that sits inside your network and connects outbound to the Veracode cloud.
No inbound firewall rules needed.
| Feature | Details |
|---|---|
| Scale | Hundreds of applications in parallel |
| Delivery | SaaS (cloud-based) |
| Internal scanning | ISM agent (Java JAR), outbound-only connection |
| API testing | REST, SOAP, GraphQL, OpenAPI import |
| SPA support | JavaScript rendering via Crashtest Security |
| Custom crawling | Selenium-based crawl scripts |
| Platform integration | Unified SAST + SCA + DAST findings |
| IDE plugins | VS Code, IntelliJ, Eclipse |
| Ticketing | Jira, ServiceNow |
Key Features
JavaScript SPA Testing
The Crashtest Security acquisition in 2022 brought better support for modern JavaScript frameworks:
- Full browser rendering for React, Angular, and Vue applications
- JavaScript event handling and AJAX request discovery
- Client-side form validation bypass
- DOM-based XSS detection
These capabilities matter for organizations with modern frontends that older DAST engines struggle to crawl properly. For a detailed comparison of testing approaches, see IAST vs DAST.
API Security Testing
Veracode tests REST and SOAP APIs, with OpenAPI/Swagger spec import:
Veracode DAST scans are configured through the Veracode platform UI or REST API. Configuration includes target URL, authentication settings, and scan scope.
```bash
# Configure and launch a DAST scan via the Veracode API
curl -X POST "https://api.veracode.com/was/configservice/v1/analyses" \
  -H "Authorization: VERACODE-HMAC-SHA-256 ..." \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Production DAST Scan",
    "scans": [{
      "scan_config_request": {
        "target_url": {"url": "https://app.example.com"}
      }
    }]
  }'
```
GraphQL introspection and testing is also supported.

Custom Crawling with Selenium
For applications with complex navigation flows, Veracode supports Selenium-based crawl scripts.
Record login sequences, multi-step workflows, and application-specific interactions that the automated crawler can’t figure out on its own.
The Internal Scanning Management agent runs as a Java application (JAR file). It connects outbound to Veracode’s cloud on port 443 — no inbound firewall rules needed.
This makes it practical for scanning staging environments, CI/CD ephemeral environments, and applications behind corporate firewalls.
Policy Management
Define security policies at the organization level and enforce them across all applications:
- Require no high-severity DAST findings before production deployment
- Set different thresholds for different application risk levels
- Automate policy checks in CI/CD pipelines
- Generate compliance evidence for auditors
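A minimal sketch of the CI policy check described in the list above, added here as an example and not Veracode's own code or API. The findings format, severity names, and thresholds are assumptions, and the sample data is constructed.

```python
import json
import sys
from collections import Counter

KNOWN_SEVERITIES = {"low", "medium", "high", "critical"}  # assumed scale

# Hypothetical policy: max open findings per severity, keyed by app risk level.
POLICY = {
    "high":   {"critical": 0, "high": 0, "medium": 0},
    "medium": {"critical": 0, "high": 0, "medium": 5},
    "low":    {"critical": 0, "high": 0, "medium": 20},
}

# Constructed sample export; not the schema of any Veracode API.
SAMPLE = json.loads("""[
  {"id": 1, "severity": "High",   "status": "closed"},
  {"id": 2, "severity": "Medium", "status": "open"},
  {"id": 3, "severity": "Medium", "status": "open"},
  {"id": 4, "severity": "Low",    "status": "open"}
]""")


def evaluate(findings, risk_level, policy=POLICY):
    """Return (passed, violations); unknown inputs fail the gate."""
    limits = policy.get(risk_level)
    if limits is None:
        return False, [f"unknown risk level {risk_level!r}"]
    counts, violations = Counter(), []
    for f in findings:
        if f.get("status") == "closed":  # only explicitly closed findings are ignored
            continue
        sev = str(f.get("severity", "")).lower()
        if sev not in KNOWN_SEVERITIES:
            violations.append(f"finding {f.get('id')}: unrecognised severity {sev!r}")
        else:
            counts[sev] += 1
    for sev, limit in limits.items():
        if counts[sev] > limit:
            violations.append(f"{counts[sev]} open {sev} finding(s), limit {limit}")
    return not violations, violations


if __name__ == "__main__":
    # Usage: gate.py <risk_level> [findings.json]; falls back to SAMPLE.
    level = sys.argv[1] if len(sys.argv) > 1 else "high"
    data = json.load(open(sys.argv[2])) if len(sys.argv) > 2 else SAMPLE
    ok, problems = evaluate(data, level)
    print("\n".join(problems) or "policy passed")
    sys.exit(0 if ok else 1)
```

The gate fails closed: an unknown risk level, an unrecognised severity, or a finding with no status all block the deployment rather than pass it.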
Integrations
Getting Started
```bash
java -jar Veracode_ISM_Endpoint.jar
```
CI/CD Integration
GitHub Actions
```yaml
name: Veracode Dynamic Scan
on:
  push:
    branches: [main]
jobs:
  veracode-dast:
    runs-on: ubuntu-latest
    steps:
      # Check out the repository so ./deploy-staging.sh is present in the workspace
      - uses: actions/checkout@v4
      - name: Deploy to staging
        run: ./deploy-staging.sh
      - name: Start Veracode Dynamic Scan
        env:
          VERACODE_API_ID: ${{ secrets.VERACODE_API_ID }}
          VERACODE_API_KEY: ${{ secrets.VERACODE_API_KEY }}
        run: |
          # --fail makes the step fail on an HTTP error instead of passing silently
          curl -s --fail -X POST "https://api.veracode.com/was/configservice/v1/analyses" \
            -H "Authorization: VERACODE-HMAC-SHA-256 ..." \
            -H "Content-Type: application/json" \
            -d '{
              "name": "CI Build ${{ github.run_number }}",
              "scans": [{
                "scan_config_request": {
                  "target_url": {
                    "url": "https://staging.example.com"
                  }
                }
              }]
            }'
```
Veracode DAST pricing
Veracode does not publish list prices for Dynamic Analysis on veracode.com. Buyers contact sales for a quote, and the licensing model is platform-level — most contracts bundle SAST, SCA, and DAST under a single Veracode Platform agreement scoped by application count and scan frequency.
Internal Scanning Management (ISM) is included in DAST plans rather than priced separately. There is no permanent free tier and no public per-application list.
For procurement benchmarking, request quotes from Veracode alongside Checkmarx, Invicti, and HCL AppScan — these are the closest enterprise platform peers and most do not publish public list prices either. See the Veracode alternatives breakdown for a deeper buyer comparison.
When to Use Veracode Dynamic Analysis
Veracode DAST is built for organizations managing large application portfolios.
If you already use (or plan to use) Veracode SAST or SCA, adding DAST gives you a single dashboard for all three testing types with unified policy enforcement.
Good fit for:
- Large enterprises with hundreds of web applications to scan
- Teams already using other Veracode products (SAST, SCA)
- Organizations needing to scan internal/firewalled applications (via ISM)
- Compliance-driven programs wanting unified reporting across test types
- Teams scanning JavaScript SPAs built with React, Angular, or Vue
Not the best fit if:
- Budget favors open-source — ZAP and Nuclei are free
- You want a standalone DAST tool without a platform — Invicti or Acunetix offer focused DAST
- You have a handful of applications and don’t need portfolio management
- You prefer developer-first DAST tools over enterprise platforms
Veracode DAST alternatives
Veracode Dynamic Analysis competes with a small set of enterprise DAST platforms. Each peer pulls a slightly different procurement profile.
Invicti is the closest commercial peer. Both target large application portfolios, both offer policy-driven compliance reporting, both support internal scanning. Invicti’s edge is proof-based scanning, which lowers triage time on noisy findings. Veracode’s edge is the unified Platform with SAST + SCA findings in one dashboard.
Checkmarx DAST is the natural alternative when AppSec procurement runs through Checkmarx for SAST. Checkmarx One bundles DAST into the same multi-engine platform Veracode pioneered, with similar enterprise scaling and IDE plugins.
HCL AppScan is the federal-leaning alternative. Long-deployed in financial services and regulated industries, AppScan offers strong CI/CD plugins and a pedigree comparable to Veracode for compliance-heavy buyers.
Burp Suite Professional covers the manual-tester gap. Veracode is built for automation at scale; Burp Pro is built for human-driven pentest workflows. Many enterprise teams license both.
For a deeper buyer-side comparison, see Veracode alternatives or browse the full DAST tools hub.