Threat Research Center engineer engagement
TRC engineers are the asset that distinguishes Continuous Dynamic from purely automated DAST scanners. Customers in active assessment talk to engineers directly rather than a ticket queue.
Black Duck • Application security
Black Duck Continuous Dynamic
Continuous Dynamic is service-led DAST. Black Duck Threat Research Center engineers configure production-safe scans on the customer's running web applications, AI verification reduces false positives, and three service editions cover everything from baseline unconfigured scans through expert-led business-logic testing.
Merito sells Continuous Dynamic and operates the application onboarding, authentication configuration, TRC engagement model, and finding triage that turn the service into reliable runtime AppSec coverage.
- Best for
- AppSec leaders running ongoing security testing on production web applications, Programs that lack in-house DAST expertise and want managed assessment, Security architects testing complex authenticated applications with multi-step logins or MFA
- Hosting
- SaaS
- Time to value
- First Baseline Edition scan running in one to two weeks. Standard Edition configured scans for authenticated applications live in three to six weeks. Premium Edition business-logic testing rolls out in eight to twelve weeks per application.
- Security posture
- GDPR, HIPAA-aligned design, SAML SSO
- Last reviewed
- 2026-04-27
What it is
Black Duck Continuous Dynamic in the enterprise stack
Continuous Dynamic is Black Duck's production-safe Dynamic Application Security Testing platform. The product combines automated scanning, AI verification of vulnerabilities, and manual assessment by Threat Research Center engineers. The service-led model handles the production-safety and authentication-configuration problems that often block self-serve DAST adoption.
Three service editions cover different program shapes. Baseline Edition runs unconfigured scans on web applications without complex forms or authentication, with vulnerability verification and TRC support included. Standard Edition adds configured scans for permanent web applications using forms or authenticated sessions. Premium Edition adds business-logic testing by TRC engineers for high-priority and mission-critical applications. Unlimited retesting is included on every edition.
Continuous Dynamic configures custom site authentication including multi-step logins, multi-factor authentication, and Privileged Access Management integration. Production-safe form testing is pre-trained inside the scanner so business workflows do not get triggered during scans. The TRC engagement model is the practical reason customers stick with Continuous Dynamic. Customers in active assessment talk to engineers rather than working a ticket queue.
Ideal use cases
- Production web application DAST without disrupting users
- Authenticated application testing with MFA and PAM integration
- Business-logic testing on mission-critical applications through TRC engineers
- Compliance evidence for ongoing DAST coverage (PCI, HIPAA, SOC 2)
- DAST without staffing an in-house DAST team
What it is best at
Where Black Duck Continuous Dynamic earns its seat
Production-safe form and authentication handling
Scanner pre-trained for production-safe form testing. Custom site authentication including multi-step logins, MFA, and PAM integration. Programs avoid the operational risk of self-serve DAST triggering business workflows.
AI verification reduces false positives
AI verification of vulnerabilities runs alongside continuous scanning and TRC manual assessment. The combination keeps the false-positive rate low without requiring customer-side triage at the scanner.
Three service editions match different programs
Baseline Edition for simple applications, Standard Edition for forms and authenticated apps, Premium Edition for business-logic testing. Programs scope to the edition that fits the application surface rather than over-buying.
Core capabilities
Black Duck Continuous Dynamic capabilities, grouped by outcome
Service-led DAST
How Continuous Dynamic actually delivers DAST coverage.
TRC engineer engagement
Threat Research Center engineers configure scans, validate findings, and engage on incidents. Customers in active assessment talk to engineers directly.
Continuous scanning
Ongoing scans against production applications without manual schedule management. Coverage stays current as applications evolve.
AI verification
AI verification of vulnerabilities reduces false positives before findings reach the customer's security team.
Authentication and form handling
The capabilities that make scanning complex applications safe.
Multi-step login support
Authenticated session handling for applications with multi-step login flows.
Multi-factor authentication
MFA configuration including SMS, TOTP, and FIDO2 flows so authenticated portions of the application get scanned.
PAM integration
Privileged Access Management integration for credential vaulting and rotation during scans.
Production-safe form testing
Scanner pre-trained for production-safe form interaction. Business workflows do not trigger during scans.
Service editions
How the three editions differ.
Baseline Edition (BE)
Basic unconfigured scan for web applications without complex forms or authentication. Includes vulnerability identification, AI verification, TRC support, and unlimited retesting.
Standard Edition (SE)
All BE features plus configured scans for permanent web applications using forms or authenticated sessions.
Premium Edition (PE)
All BE and SE features plus business-logic testing by TRC engineers for complex, high-priority, or mission-critical applications.
Reporting and integration
Where Continuous Dynamic findings flow into the customer's broader program.
SIEM and ticketing
Findings forwarded into Splunk, QRadar, Sentinel, ServiceNow, Jira, and Azure Boards for cross-tool detection and case management.
Software Risk Manager correlation
Findings flow into Software Risk Manager (ASPM) for cross-tool correlation across SAST, SCA, IAST, and pentest.
Polaris platform consumption
Continuous Dynamic capabilities pair with the Polaris platform's fAST Dynamic engine for service-led configurations on Polaris-managed applications.
Where it fits in the stack
How Black Duck Continuous Dynamic connects to the rest of your landscape
Black Duck platform (native)
Native- Polaris (fAST Dynamic)Continuous Dynamic capabilities pair with the Polaris fAST Dynamic engine for service-led configurations on Polaris-managed applications.
- Software Risk ManagerDAST findings flow into Software Risk Manager (ASPM) for cross-tool correlation.
- Black Duck SignalReachability and EPSS prioritization layered across Continuous Dynamic findings for additional triage automation.
Authentication and PAM (certified)
Certified- CyberArk, BeyondTrust, Delinea, OktaPAM integration for credential vaulting and rotation during authenticated scans.
- Okta, Azure AD, PingIdentity-provider integration for federated authentication during scans.
SIEM and ticketing (certified)
Certified- Splunk, QRadar, Microsoft Sentinel, ChronicleFindings forwarded for cross-tool detection engineering.
- Jira, ServiceNow, Azure BoardsFindings flow into ticketing as trackable work items with bi-directional status sync.
Custom integrations
Custom- Internal AppSec workflowsCustom finding routing into customer-built AppSec triage and remediation systems.
- Custom compliance reportingCustomer-specific evidence packages for PCI, HIPAA, FedRAMP, and SOC 2 audits.
Deployment and implementation
How it rolls out
- Hosting
- SaaS (Global)
- Implementation complexity
- Moderate
- Typical time to value
- First Baseline Edition scan running in one to two weeks. Standard Edition configured scans for authenticated applications live in three to six weeks. Premium Edition business-logic testing rolls out in eight to twelve weeks per application.
- Prerequisites
- Production application list with authentication posture documented
- Service edition decision (Baseline, Standard, Premium)
- Authentication credentials and PAM access agreed
- Finding routing and case-management workflow defined
- What Merito usually handles
- Continuous Dynamic runs as a managed service. TRC engineers handle scanner configuration, authentication setup, and finding verification. Merito coordinates application onboarding, scope definition with the TRC, finding triage routing, and the operating model that consumes Continuous Dynamic findings inside the customer's broader AppSec program.
Licensing and packaging
How it is bought
- Model
- Subscription
- What to expect
- Continuous Dynamic is licensed per application and service edition. Pricing varies with application count, edition (BE, SE, PE), and TRC engagement intensity. Unlimited retesting is included on every edition. Merito sells the license and scopes application onboarding, scope definition with the TRC, and finding triage operating model as separately priced services.
- Editions and modules
Baseline Edition (BE)
Unconfigured scans for web applications without complex forms or authentication.
Best for: Marketing sites, content portals, and public-facing applications without authenticated workflows.
Standard Edition (SE)
Configured scans for permanent web applications using forms or authenticated sessions.
Best for: Customer portals, partner applications, and authenticated SaaS surfaces.
Premium Edition (PE)
Adds business-logic testing by TRC engineers for high-priority and mission-critical applications.
Best for: Payment, financial, healthcare, and other applications where business-logic abuse is the dominant risk.
- Common expansion areas
- Add Black Duck Signal for reachability and EPSS prioritization across Continuous Dynamic findings
- Add Software Risk Manager for cross-tool ASPM correlation
- Promote applications from Baseline to Standard or Premium Edition as program maturity grows
- Add Coverity Static or Black Duck SCA for paired SAST and supply-chain coverage
Merito services
How Merito helps you win with Black Duck Continuous Dynamic
Merito sells licenses and the delivery work around them. Pick the service that matches where you are in the lifecycle.
01
Continuous Dynamic Implementation
Application onboarding, edition selection, scope definition with TRC, authentication configuration, and finding routing setup.
Explore service02MAPS Assessment
AppSec program scoping for DAST adoption alongside Akamai API Security, Checkmarx DAST, OpenText DAST, and other DAST options.
Explore service03Premium Support
Named engineer, priority SLAs, and release-window coverage for Continuous Dynamic in production.
Explore service04Managed Services
Long-term run support including ongoing application onboarding, edition optimization, and finding triage operating model evolution.
Explore service05Training and Enablement
Role-based training for AppSec engineers, compliance leaders, and SOC analysts using Continuous Dynamic findings.
Explore serviceContinuous Dynamic licensing
Buy Continuous Dynamic from the partner that coordinates the TRC engagement.
Service-led DAST is application onboarding, edition selection, authentication setup, and finding routing. Buy Continuous Dynamic through Merito and get the coordination plus the TRC engagement together.
Merito point of view
Continuous Dynamic is a service. Customers buying it as a self-serve scanner are buying the wrong product.
TRC engineer engagement is the practical reason customers stick with Continuous Dynamic. The product is configured and operated by Black Duck engineers rather than the customer. Programs that scope Continuous Dynamic expecting a self-serve DAST scanner with limited setup misread the product. Merito's positioning is that Continuous Dynamic is managed DAST with engineers in the loop, not a tool to install and run.
AI verification matters but is not the differentiator. The TRC manual assessment is what catches business-logic vulnerabilities that AI verification cannot reason about. Premium Edition is the right scope for mission-critical applications because the TRC business-logic testing is the only path to that coverage.
Continuous Dynamic pairs with Polaris when the customer wants unified findings across SAST, SCA, and DAST. The fAST Dynamic engine inside Polaris and the service-led Continuous Dynamic delivery overlap. Programs typically run both for different application surfaces (Polaris fAST Dynamic for self-serve, Continuous Dynamic for managed assessment). Merito makes the call during MAPS Assessment.
What buyers usually underestimate
- Scoping Continuous Dynamic as a self-serve scanner rather than a managed service
- Choosing Baseline Edition for authenticated applications that need Standard or Premium configuration
- Skipping Premium Edition on mission-critical applications where business-logic abuse is the dominant risk
- Not setting up the finding routing operating model so TRC findings accumulate without analyst follow-up
- Treating AI verification as a replacement for TRC manual assessment on complex applications
Related from Merito
Continue exploring Black Duck Continuous Dynamic on Merito
Related solutions
Related services
Related products
Frequently Asked Questions
Black Duck Continuous Dynamic FAQs
Consultation request
Talk to Merito about Continuous Dynamic
Share your application inventory, current DAST posture, and the runtime risks you are most worried about. A Merito Continuous Dynamic specialist follows up within one business day.
Service-led DAST
TRC engineers in the loop
Black Duck Threat Research Center engineers configure scans, validate findings, and engage on incidents. Customers talk to engineers, not a ticket queue.
Three editions
Match the edition to the application risk
Baseline for simple applications. Standard for forms and authenticated apps. Premium for business-logic testing on mission-critical surfaces.
Next step
Pick the edition that fits the application risk. Merito coordinates the TRC.
A Continuous Dynamic engagement with Merito starts with the application inventory and the edition decision. Mission-critical applications need Premium Edition for business-logic testing.