Veracode Dynamic Analysis

Category: DAST
License: Commercial

Veracode Dynamic Analysis is an enterprise DAST platform that scales to hundreds of web applications. It runs alongside Veracode’s SAST and SCA products on a single platform with unified flaw tracking, policy management, and compliance reporting.

[Figure: Veracode Dynamic Analysis workflow showing scan creation through results]

Named a Leader in the 2025 Gartner Magic Quadrant for Application Security Testing, Veracode has built its DAST offering around portfolio-scale management. The SaaS architecture means you can run parallel scans across your entire application inventory without managing scanning infrastructure.

The 2022 Crashtest Security acquisition added better JavaScript SPA support and developer-focused CI/CD integration.

What is Veracode Dynamic Analysis?

Veracode DAST performs black-box testing of running web applications and APIs. You configure scan targets through the Veracode platform or API, and the scanner crawls and attacks each application to find vulnerabilities.

Results feed into the same dashboard as Veracode Static Analysis and SCA findings. This means security teams see a single view of each application’s risk — what static analysis flagged in the code, what open-source vulnerabilities exist in dependencies, and what dynamic testing found exploitable at runtime.

For applications not accessible from the internet, Veracode offers Internal Scanning Management (ISM), a Docker-based agent that sits inside your network and connects outbound to the Veracode cloud. No inbound firewall rules needed.

Feature                Details
Gartner position       Leader, 2025 Magic Quadrant for AST
Scale                  Hundreds of applications in parallel
Delivery               SaaS (cloud-based)
Internal scanning      ISM Docker agent, outbound-only connection
API testing            REST, SOAP, GraphQL, OpenAPI import
SPA support            JavaScript rendering via Crashtest Security
Custom crawling        Selenium-based crawl scripts
Platform integration   Unified SAST + SCA + DAST findings
IDE plugins            VS Code, IntelliJ, Eclipse
Ticketing              Jira, ServiceNow

Key Features

Portfolio-Scale Scanning

Run parallel scans across hundreds of applications simultaneously. Schedule recurring assessments, apply consistent security policies, and track trends across your entire application portfolio from one dashboard.

Internal Scanning Management

Deploy a Docker container inside your network to scan firewalled applications. The ISM connects outbound to Veracode’s cloud: no inbound firewall rules, no VPN configuration, no complex network setup.

Unified Platform

DAST findings appear alongside Veracode SAST and SCA results. Unified flaw tracking, consistent severity scoring, and combined compliance reporting across all testing types.

JavaScript SPA Testing

The Crashtest Security acquisition in 2022 brought better support for modern JavaScript frameworks:

  • Full browser rendering for React, Angular, and Vue applications
  • JavaScript event handling and AJAX request discovery
  • Client-side form validation bypass
  • DOM-based XSS detection

These capabilities matter for organizations with modern frontends that older DAST engines struggle to crawl properly.

API Security Testing

Veracode tests REST and SOAP APIs, with OpenAPI/Swagger spec import:

# API scan configuration example
scan:
  type: api
  specification:
    type: openapi
    url: https://api.example.com/openapi.json
  authentication:
    type: bearer_token
    token: ${API_TOKEN}
  endpoints:
    include:
      - /api/v1/*
    exclude:
      - /api/v1/health

GraphQL introspection and testing is also supported.

Custom Crawling with Selenium

For applications with complex navigation flows, Veracode supports Selenium-based crawl scripts. Record login sequences, multi-step workflows, and application-specific interactions that the automated crawler can’t figure out on its own.

ISM Deployment

The Internal Scanning Management agent runs as a Docker container. It connects outbound to Veracode’s cloud on port 443, so no inbound firewall rules are needed. This makes it practical for scanning staging environments, CI/CD ephemeral environments, and applications behind corporate firewalls.

Policy Management

Define security policies at the organization level and enforce them across all applications:

  • Require no high-severity DAST findings before production deployment
  • Set different thresholds for different application risk levels
  • Automate policy checks in CI/CD pipelines
  • Generate compliance evidence for auditors
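The automated policy check in the list above is straightforward to script against the findings the platform exposes. The following Python is an added example, not code from this page or from Veracode: a CI gate that fails the build when open dynamic findings at or above a per-tier severity threshold remain, while ignoring closed findings and findings whose mitigation has been approved. The findings document is constructed here to mirror the shape of a Findings API response (`_embedded.findings[]`, `finding_details.severity` on Veracode's 0-5 scale, `finding_status`); treat those field names as assumptions and check them against the real payload.

```python
"""CI policy gate over Veracode Dynamic Analysis findings.

Added example, not code from the page or from Veracode. It fails a build when
open dynamic findings at or above a per-tier severity threshold remain. The
findings document below is constructed to mirror the shape of a Findings API
response; the field names are assumptions to check against the real payload.
"""
import json
import sys

# Veracode's 0-5 severity scale.
SEVERITY_NAMES = {5: "Very High", 4: "High", 3: "Medium", 2: "Low", 1: "Very Low", 0: "Informational"}

# Per-tier threshold: an open finding with severity >= threshold blocks the deployment.
# A customer-facing app blocks on Medium and up; an internal tool only on Very High.
TIER_THRESHOLDS = {"critical": 3, "high": 4, "standard": 5}

# Constructed sample response (not real scan output).
SAMPLE_FINDINGS_JSON = """
{
  "_embedded": {
    "findings": [
      {"issue_id": 1, "violates_policy": true,
       "finding_status": {"status": "OPEN", "resolution_status": "NONE"},
       "finding_details": {"severity": 4, "cwe": {"id": 79, "name": "Cross-Site Scripting"},
                           "url": "https://staging.example.com/search"}},
      {"issue_id": 2, "violates_policy": false,
       "finding_status": {"status": "CLOSED", "resolution_status": "NONE"},
       "finding_details": {"severity": 5, "cwe": {"id": 89, "name": "SQL Injection"},
                           "url": "https://staging.example.com/api/v1/orders"}},
      {"issue_id": 3, "violates_policy": false,
       "finding_status": {"status": "OPEN", "resolution_status": "NONE"},
       "finding_details": {"severity": 3, "cwe": {"id": 16, "name": "Configuration"},
                           "url": "https://staging.example.com/"}},
      {"issue_id": 4, "violates_policy": false,
       "finding_status": {"status": "OPEN", "resolution_status": "APPROVED"},
       "finding_details": {"severity": 4, "cwe": {"id": 352, "name": "CSRF"},
                           "url": "https://staging.example.com/account"}}
    ]
  }
}
"""


def load_findings(text):
    """Parse a findings document (JSON text) into a dict."""
    return json.loads(text)


def open_findings(doc):
    """Findings that are still open and carry no approved mitigation.
    Closed findings were fixed or not reproduced by the latest scan; an approved
    mitigation is an accepted risk and must not fail the pipeline."""
    kept = []
    for f in doc.get("_embedded", {}).get("findings", []):
        status = f.get("finding_status", {})
        if status.get("status") != "OPEN":
            continue
        if status.get("resolution_status") == "APPROVED":   # assumed field name
            continue
        kept.append(f)
    return kept


def evaluate_policy(doc, tier):
    """Apply the tier's threshold; return the verdict and the findings that block it."""
    threshold = TIER_THRESHOLDS[tier]
    blocking = []
    for f in open_findings(doc):
        details = f["finding_details"]
        sev = int(details["severity"])
        if sev >= threshold:
            blocking.append({
                "issue_id": f["issue_id"],
                "severity": sev,
                "severity_name": SEVERITY_NAMES.get(sev, str(sev)),
                "cwe": details.get("cwe", {}).get("id"),
                "url": details.get("url"),
            })
    blocking.sort(key=lambda b: (-b["severity"], b["issue_id"]))
    return {"tier": tier, "threshold": threshold, "passed": not blocking, "blocking": blocking}


def main(argv):
    """Usage: gate.py [tier] [findings.json]; exit code 1 blocks the deployment."""
    tier = argv[1] if len(argv) > 1 else "high"
    text = open(argv[2], encoding="utf-8").read() if len(argv) > 2 else SAMPLE_FINDINGS_JSON
    verdict = evaluate_policy(load_findings(text), tier)
    print(f"tier={tier} threshold={SEVERITY_NAMES[verdict['threshold']]}+ "
          f"result={'PASS' if verdict['passed'] else 'FAIL'}")
    for b in verdict["blocking"]:
        print(f"  blocking: issue {b['issue_id']} {b['severity_name']} CWE-{b['cwe']} {b['url']}")
    return 0 if verdict["passed"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With the constructed sample, the "standard" tier passes (the only Very High finding is closed), the "high" tier fails on issue 1, and the "critical" tier fails on issues 1 and 3; issue 4 never blocks because its mitigation is approved. Wire the non-zero exit code into the pipeline step that promotes to production.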

Integrations

Veracode Platform

  • Veracode SAST
  • Veracode SCA
  • Veracode Fix

CI/CD & DevOps

  • GitHub Actions
  • GitLab CI
  • Jenkins
  • Azure DevOps

Ticketing & IDE

  • Jira
  • ServiceNow
  • VS Code
  • IntelliJ

Getting Started

1. Log in to the Veracode Platform. Navigate to Scans > Dynamic Analysis and create a new scan configuration with your target URLs and authentication details.
2. Configure authentication. Set up form-based login, OAuth, API tokens, or import Selenium crawl scripts for complex authentication flows.
3. Deploy ISM (if needed). For internal applications, deploy the ISM Docker container in your network:
   docker run -d -e VERACODE_API_ID=$ID -e VERACODE_API_KEY=$KEY veracode/internal-scan-agent:latest
   Passing the key with -e leaves it in shell history and in docker inspect output; prefer --env-file or your CI system's secret store.
4. Set policies. Define which severity levels block deployments. Apply policies to individual applications or across your entire portfolio.
5. Schedule or launch. Run scans on demand or set up recurring schedules. Results flow into the unified Veracode dashboard alongside SAST and SCA findings.

Tip: start with ISM. If your applications are in staging or behind a firewall, deploy the ISM Docker agent first. It only needs outbound HTTPS access: no inbound rules, no VPN tunnels. Most teams have it running in under 30 minutes.

CI/CD Integration

GitHub Actions

name: Veracode Dynamic Scan
on:
  push:
    branches: [main]

jobs:
  veracode-dast:
    runs-on: ubuntu-latest
    steps:
      - name: Deploy to staging
        run: ./deploy-staging.sh

      - name: Start Veracode Dynamic Scan
        env:
          VERACODE_API_ID: ${{ secrets.VERACODE_API_ID }}
          VERACODE_API_KEY: ${{ secrets.VERACODE_API_KEY }}
        run: |
          # The Authorization value is a per-request HMAC-SHA-256 signature derived
          # from VERACODE_API_ID and VERACODE_API_KEY over this host, path and
          # method (signing step elided here); Veracode's REST APIs do not accept
          # a static token. --fail turns an HTTP error into a failed step instead
          # of a silent one, and this call only creates the analysis: the scan
          # itself runs asynchronously in the Veracode cloud.
          curl -sS --fail -X POST "https://api.veracode.com/was/configservice/v1/analyses" \
            -H "Authorization: VERACODE-HMAC-SHA-256 ..." \
            -H "Content-Type: application/json" \
            -d '{
              "name": "CI Build ${{ github.run_number }}",
              "scans": [{
                "scan_config_request": {
                  "target_url": {
                    "url": "https://staging.example.com"
                  }
                }
              }]
            }'
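The Authorization header in the workflow above is left elided. Veracode's REST APIs authenticate each request with an HMAC-SHA-256 signature over the API ID, host, path and HTTP method, bound to a timestamp and a random nonce, so the secret key never leaves the client. The Python below is an added example, not code from this page or from Veracode: it implements that published signing scheme and assembles the same create-analysis request without sending it, so it runs offline. The API ID and key in it are constructed placeholders (real keys are hex strings issued by the platform); the host and endpoint are the ones the workflow uses.

```python
"""Veracode REST API request signing (VERACODE-HMAC-SHA-256).

Added example, not code from the page or from Veracode. It implements
Veracode's published HMAC signing scheme and assembles the same
create-analysis request the CI workflow sends, without transmitting it.
"""
import hashlib
import hmac
import json
import os
import time
from urllib.parse import urlparse

REQUEST_VERSION = b"vcode_request_version_1"   # fixed string from the signing scheme
AUTH_SCHEME = "VERACODE-HMAC-SHA-256"

# Constructed placeholder credentials; real keys come from the platform as hex strings.
SAMPLE_API_ID = "0123456789abcdef0123456789abcdef"
SAMPLE_API_KEY = "ab" * 64


def build_signing_data(api_id: str, host: str, url: str, method: str) -> str:
    """The canonical string that gets signed. id and host are lower-cased and
    method upper-cased so client and server agree regardless of input casing."""
    return f"id={api_id.lower()}&host={host.lower()}&url={url}&method={method.upper()}"


def create_signature(api_key_hex: str, signing_data: str, timestamp_ms: int, nonce_hex: str) -> str:
    """Derive the per-request signature with a chain of four HMAC-SHA-256 steps.
    The secret is only ever used as the first HMAC key; what travels on the
    wire is the final digest plus the public timestamp and nonce."""
    k_nonce = hmac.new(bytes.fromhex(api_key_hex), bytes.fromhex(nonce_hex), hashlib.sha256).digest()
    k_date = hmac.new(k_nonce, str(timestamp_ms).encode(), hashlib.sha256).digest()
    k_sig = hmac.new(k_date, REQUEST_VERSION, hashlib.sha256).digest()
    return hmac.new(k_sig, signing_data.encode(), hashlib.sha256).hexdigest()


def hmac_header(api_id, api_key_hex, full_url, method, timestamp_ms=None, nonce_hex=None):
    """Build the Authorization header value for one request. A fresh millisecond
    timestamp and 16-byte nonce are generated unless supplied (supplying them
    only serves reproducible tests; real calls must use fresh values)."""
    parsed = urlparse(full_url)
    path = parsed.path + (f"?{parsed.query}" if parsed.query else "")
    if timestamp_ms is None:
        timestamp_ms = int(time.time() * 1000)
    if nonce_hex is None:
        nonce_hex = os.urandom(16).hex()
    data = build_signing_data(api_id, parsed.hostname or "", path, method)
    sig = create_signature(api_key_hex, data, timestamp_ms, nonce_hex)
    return f"{AUTH_SCHEME} id={api_id},ts={timestamp_ms},nonce={nonce_hex},sig={sig}"


def build_create_analysis_request(api_id, api_key_hex, name, target_url):
    """Return (url, headers, body) for POST /was/configservice/v1/analyses.
    Nothing is sent; hand the tuple to urllib or requests in a real pipeline."""
    url = "https://api.veracode.com/was/configservice/v1/analyses"
    body = json.dumps({
        "name": name,
        "scans": [{"scan_config_request": {"target_url": {"url": target_url}}}],
    })
    headers = {
        "Authorization": hmac_header(api_id, api_key_hex, url, "POST"),
        "Content-Type": "application/json",
    }
    return url, headers, body


if __name__ == "__main__":
    u, h, b = build_create_analysis_request(SAMPLE_API_ID, SAMPLE_API_KEY,
                                            "CI Build 42", "https://staging.example.com")
    print("POST", u)
    for k, v in h.items():
        print(f"{k}: {v}")
    print(b)
```

Because the signature covers the host, path, query string and method, a header minted for one request cannot be replayed against another endpoint, and the timestamp and nonce make each signature single-use; generate both fresh for every call rather than caching a header in the pipeline.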

When to Use Veracode Dynamic Analysis

Veracode DAST is built for organizations managing large application portfolios. If you already use (or plan to use) Veracode SAST or SCA, adding DAST gives you a single dashboard for all three testing types with unified policy enforcement.

Good fit for:

  • Large enterprises with hundreds of web applications to scan
  • Teams already using other Veracode products (SAST, SCA)
  • Organizations needing to scan internal/firewalled applications (via ISM)
  • Compliance-driven programs wanting unified reporting across test types
  • Teams scanning JavaScript SPAs built with React, Angular, or Vue

Not the best fit if:

  • Budget favors open-source — ZAP and Nuclei are free
  • You want a standalone DAST tool without a platform
  • You have a handful of applications and don’t need portfolio management
  • You prefer developer-first DAST tools over enterprise platforms

Frequently Asked Questions

What is Veracode Dynamic Analysis?
Veracode Dynamic Analysis is an enterprise DAST solution that scales to hundreds of applications. It integrates with Veracode’s SAST, SCA, and other products on a single platform with unified flaw tracking and compliance reporting.
Is Veracode DAST free or commercial?
Veracode DAST is a commercial enterprise product. Veracode was named a Leader in the 2025 Gartner Magic Quadrant for Application Security Testing. Delivery is SaaS-based with the Internal Scanning Management option for internal networks.
What is Veracode's Internal Scanning Management?
Internal Scanning Management (ISM) is a Docker-based agent you deploy inside your network. It connects outbound to Veracode’s cloud — no inbound firewall rules needed — and lets you scan applications behind firewalls, in staging environments, or in CI/CD pipelines.
How does Veracode DAST compare to alternatives?
Veracode differentiates through enterprise-scale portfolio management for hundreds of apps, unified SAST/SCA/DAST findings in one dashboard, ISM for scanning internal environments, and Gartner Leader recognition.
What did the Crashtest Security acquisition add?
Veracode acquired Crashtest Security in 2022 to improve JavaScript SPA testing and developer-oriented CI/CD integration. This added better handling of React, Angular, and Vue applications.

Complement with IAST

Pair dynamic testing with runtime instrumentation for broader coverage.
