How is Checkmarx DAST different from StackHawk, Bright, or OWASP ZAP?

OWASP ZAP is open-source and free but requires the team to operate it. StackHawk and Bright are managed cloud DAST products focused on developer-led adoption. Checkmarx DAST differentiates on cross-product correlation with SAST and SCA inside Checkmarx One, on enterprise-grade authenticated scanning across SAML, OAuth, OIDC, and custom session protocols, and on Triage and Remediation clustering across DAST, SAST, and SCA. Pick the one that fits the program shape.

What does authenticated scanning actually require?

DAST has to maintain session through whatever authentication the application uses (SSO, multi-step login, MFA, token refresh, custom session cookies). Programs that run DAST without configuring this end up testing the public landing page. Merito treats authenticated-scanning configuration as the central work of the first month. Checkmarx DAST supports SAML, OAuth 2.0, OIDC, multi-factor, and custom session protocols.

Can Checkmarx DAST scan APIs and mobile apps, not just web?

Yes. Same engine. API DAST ingests OpenAPI, GraphQL schema, or Postman collections and exercises every endpoint with realistic auth and payload. Mobile DAST covers native iOS and Android applications plus the backend services they call. Programs stop stitching together specialist DAST tools per surface.

How is Checkmarx DAST licensed?

Checkmarx DAST is part of the Checkmarx One Advanced and Enterprise bundles. Pricing is by application count, scan volume, and surface coverage (web, API, mobile). Pricing flows through Merito; implementation, authentication wiring, policy tuning, and CI/CD integration scope under a separate program engagement.

How long does a Checkmarx DAST implementation take?

First authenticated scan against staging in one to two weeks. Tuned policy and CI/CD integration in three to six weeks. Enterprise rollout across the portfolio typically runs three to six months. Merito treats authenticated-scanning configuration as non-negotiable in the first month.

What services does Merito provide for Checkmarx DAST?

Tenant setup, authentication wiring, policy tuning per application, scan-window scheduling, findings-routing design, CI/CD integration, MAPS Assessment for AppSec program scoping, Premium Support, Managed Services for ongoing run, training for AppSec architects and developers, and staff augmentation. The license is sold and scoped as a separate engagement from the rollout.

Checkmarx • Application security

Checkmarx DAST

Checkmarx DAST exercises running web, API, and mobile applications from the outside in with authenticated session handling, OWASP Top 10 coverage, and runtime business-logic testing, then routes findings into the same Checkmarx One backlog as SAST and SCA so AppSec works one queue instead of three.

A Merito Checkmarx DAST engagement points the scanner at staging or pre-prod, builds out authenticated session handling for the customer's actual SSO and OAuth flows, and feeds runtime findings into the same Checkmarx One backlog the SAST and SCA programs already work.

Get Checkmarx DAST pricing Talk to a Merito Checkmarx DAST specialist

Best for: AppSec leaders running DAST programs across web, API, and mobile, AppSec architects configuring authenticated scanning for SSO and OAuth flows, Engineering leaders integrating DAST into staging and pre-prod gates
Hosting: SaaS
Time to value: First authenticated scan against staging in one to two weeks. Tuned policy and CI/CD integration in three to six weeks. Enterprise rollout across portfolio typically runs three to six months.
Security posture: GDPR, HIPAA-aligned design, SAML SSO
Last reviewed: 2026-04-26

What it is

Checkmarx DAST in the enterprise stack

Checkmarx DAST is the dynamic analysis engine inside Checkmarx One. It runs against the deployed application, not the source code, exercising web apps through the UI, REST and GraphQL APIs through the network surface, and mobile apps through the runtime. The output catches what static analysis cannot see: runtime configuration flaws, broken authentication flows, server misconfiguration, business-logic vulnerabilities that only manifest when real requests cross the network boundary.

Authenticated scanning is the load-bearing capability. Most applications worth testing sit behind authentication, and DAST that cannot maintain session through SSO, multi-step login, or token refresh ends up scanning the public landing page and missing the application. Checkmarx DAST handles SAML, OAuth, OIDC, multi-factor flows, and custom session protocols so the scan reaches what the user reaches. Programs running unauthenticated DAST are not running DAST.

Cross-product correlation is the platform advantage. DAST findings cross-reference back to Checkmarx SAST findings on the same code path so AppSec sees both the source-level vulnerability and the runtime confirmation in one ticket. SCA reachability data informs which OSS dependencies the runtime actually exercises. Triage and Remediation clusters DAST findings together with related SAST and SCA findings on root cause. Programs running DAST as a standalone tool against a different vendor's SAST get fragmented findings; programs running Checkmarx DAST inside Checkmarx One get unified backlog math.

What breaks DAST adoption is environment access. DAST needs a runnable application with realistic data, working authentication, and network reachability from the scanner. Programs that run DAST against an empty staging environment with a generic test account scan a hollow shell. Merito's engagement starts with environment readiness (test data, authentication wiring, scan-window scheduling) before pointing the scanner at anything real, and tunes the policy to the specific application surface rather than running default rules across web, API, and mobile as if they were the same.

Ideal use cases

Authenticated DAST against web applications behind SSO or multi-step login
API DAST against REST and GraphQL endpoints with token-based authentication
Mobile DAST for native iOS and Android applications and their backends
DAST integrated with Checkmarx SAST and SCA for cross-source-and-runtime findings
Regulated DAST evidence for PCI DSS, HIPAA, and SOC 2 audits

What it is best at

Where Checkmarx DAST earns its seat

Real authenticated scanning, not landing-page scanning

SAML, OAuth, OIDC, multi-factor, and custom session handling. The scanner reaches the application the user reaches. Tools that lose session after the first redirect end up testing nothing useful.

Web, API, and mobile in one engine

Same scanner covers web apps, REST and GraphQL APIs, and mobile-app backends. Programs stop stitching together specialist DAST tools per surface.

Cross-product correlation with SAST and SCA

DAST findings cross-link to the SAST flow path that introduced them and the SCA dependency at the runtime layer. AppSec triages once, not three times.

Business-logic testing, not just OWASP Top 10

Runtime exploration of multi-step flows surfaces business-logic flaws (broken authorization, IDOR, race conditions) that pure rule-based scanners miss.

Built for staging and pre-prod, not just CI

Scans run against persistent staging environments with realistic data and authentication. The findings reflect what attackers will see, not what a synthetic dev environment exposes.

Core capabilities

Checkmarx DAST capabilities, grouped by outcome

Scan engine and authentication

What separates DAST that finds real issues from DAST that scans the public landing page.

Authenticated session handling
SAML, OAuth 2.0, OIDC, multi-factor, and custom session protocols. The scanner stays logged in across multi-step flows.
OWASP Top 10 and beyond
Coverage of injection, broken auth, misconfiguration, sensitive data exposure, and the rest of the OWASP catalog. Plus business-logic flaws caught through guided exploration.
API scanning (REST, GraphQL, SOAP)
Imports OpenAPI, GraphQL schema, or Postman collections and tests every endpoint with realistic auth and payload.
Mobile DAST
Native iOS and Android app scanning plus the backend services they call. Cross-references mobile findings with the API surface they consume.

Coverage and tuning

Adapting the scanner to the customer's actual application surface rather than running defaults.

Application-specific tuning
Scan policies tunable per application, with web, API, and mobile policies separated rather than blended into one default.
Crawling depth and scope
Configurable crawl depth, allow-and-deny lists, and parameter handling so the scan covers what matters and skips what does not.
Scan windows and rate limiting
Configurable scan windows, request rate, and concurrency so DAST does not knock production-shaped staging environments offline.

Findings and integration

DAST output flowing into the AppSec backlog with the rest of Checkmarx One.

Cross-product correlation
DAST findings cross-link to SAST flow paths and SCA dependencies. One ticket, not three.
Triage and Remediation clustering
Related DAST, SAST, and SCA findings cluster on root cause for single-fix remediation.
Build-gate and ticketing integration
DAST results gate the staging-to-prod promotion and flow into Jira, Azure Boards, and ServiceNow as work items.
Compliance reporting
Audit-ready evidence for PCI DSS, HIPAA, SOC 2, and ISO 27001 attestations.

Where it fits in the stack

How Checkmarx DAST connects to the rest of your landscape

Checkmarx One platform (native)

Native

Checkmarx SASTDAST findings cross-link to the SAST flow path that introduced them so AppSec sees source and runtime in one ticket.
Checkmarx SCADAST runtime exercise informs which OSS dependencies are actually reached, sharpening SCA reachability scoring.
Checkmarx API SecurityDAST API scanning crosses with shadow-API discovery to flag undocumented endpoints exposed at runtime.
Checkmarx Triage and RemediationDAST findings cluster with related SAST and SCA findings on root cause for single-fix remediation.

CI/CD and developer tooling (certified)

Certified

Jenkins, GitHub Actions, GitLab CI, Azure DevOps, Bitbucket PipelinesScheduled DAST runs against staging and gate promotions to production.
Postman, OpenAPI, GraphQL schemaAPI spec ingestion drives endpoint coverage for API DAST.
Jira, Azure Boards, ServiceNowFindings flow into ticketing as work items with bi-directional status sync.
Slack, Microsoft TeamsChannel notifications for high-severity DAST findings and gate failures.

Custom integrations

Custom

Internal staging environments and test-data systemsScanner connectivity, test-account provisioning, and data-refresh integration with internal staging fabrics.
SIEM and risk dashboardsDAST findings export into internal SIEM, GRC, and risk-management platforms via the Checkmarx One API.
Custom compliance reportingCustomer-specific reports for PCI DSS, HIPAA, SOC 2, and FedRAMP audits.

Deployment and implementation

How it rolls out

Hosting: SaaS (North America, EMEA, APJ)
Implementation complexity: High
Typical time to value: First authenticated scan against staging in one to two weeks. Tuned policy and CI/CD integration in three to six weeks. Enterprise rollout across portfolio typically runs three to six months.
Prerequisites: Runnable staging or pre-prod environment with realistic data
Authentication credentials (SSO, OAuth, or test accounts) for scan sessions
Network reachability from Checkmarx scanners to the target environment
Named AppSec policy owner
Scan-window schedule agreed with environment owners
What Merito usually handles: Checkmarx DAST runs as Checkmarx One SaaS with optional internal scanning agents for environments behind a corporate firewall. Merito handles tenant setup, authentication wiring, policy tuning per application, scan-window scheduling, and findings-routing design.

Licensing and packaging

How it is bought

Model: Subscription
What to expect: Checkmarx DAST is part of the Checkmarx One platform and licensed by application count, scan volume, and bundle tier. Pricing depends on web, API, and mobile coverage in scope and bundle (Advanced or Enterprise). License acquisition flows through Merito; the AppSec program is scoped as a separate engagement.
Editions and modules: Checkmarx One Advanced
Adds DAST, API Security, IaC Security, Malicious Package Protection, and Repository Health to the Essentials baseline.
Best for: Programs adding DAST and API Security to an existing SAST or SCA footprint.
Checkmarx One Enterprise
Advanced plus AI agents (Developer Assist, Triage and Remediation), AI Supply Chain Security, Software Supply Chain Security, and premium SLAs.
Best for: Enterprise programs running DAST inside a fully consolidated AppSec platform.
Common expansion areas: Add Checkmarx API Security for shadow-API discovery and drift detection
Add Checkmarx Mobile DAST coverage as the program extends to native apps
Layer Triage and Remediation to cluster DAST findings with SAST and SCA
Add Checkmarx Container Security and IaC Security for cloud-native programs

Merito services

How Merito helps you win with Checkmarx DAST

Merito sells licenses and the delivery work around them. Pick the service that matches where you are in the lifecycle.

Checkmarx DAST Implementation

Tenant setup, authenticated-scanning wiring, policy tuning per application, and CI/CD integration.

Explore service 02

MAPS Assessment

AppSec program scoping for Checkmarx DAST adoption alongside StackHawk, Bright, OWASP ZAP, and OpenText DAST.

Explore service 03

DevOps Consulting

DAST scheduled and gated in Jenkins, GitHub Actions, GitLab CI, Azure DevOps, and Bitbucket pipelines.

Explore service 04

CRAFT Enablement

Developer enablement and AppSec champion programs around DAST findings.

Explore service 05

Premium Support

Named engineer, priority SLAs, and release-time coverage for Checkmarx DAST.

Explore service 06

Managed Services

Long-term run support including authenticated-scan maintenance, scan-window operation, and policy evolution.

Explore service 07

Training and Enablement

Role-based training for AppSec architects, security engineers, and developers consuming DAST output.

Explore service 08

Staff Augmentation

Merito-placed AppSec engineers and Checkmarx specialists embedded on long-running programs.

Explore service

Checkmarx DAST licensing

License the scanner. Configure authenticated session handling. Same engagement.

Checkmarx DAST pricing arrives with authenticated-session wiring, per-application policy tuning, scan-window scheduling, and CI/CD integration that turn the scanner into a working AppSec program.

Request Checkmarx DAST pricing

Merito point of view

DAST that loses session after the login form is theatrical, not protective.

Merito has audited DAST programs that ran nightly against production-shaped staging, generated thousands of findings, and missed every business-logic flaw because the scanner lost session at the SSO redirect. Authenticated scanning is the difference between testing the application and testing the public landing page. Checkmarx DAST handles real session protocols; programs that adopt DAST without configuring authentication correctly are doing compliance theater.

Merito recommends Checkmarx DAST specifically when the AppSec program already has Checkmarx One or is consolidating onto it, when the runtime surface includes APIs and mobile alongside web, and when cross-product correlation with SAST and SCA matters. For web-only programs with strong open-source toolchains, OWASP ZAP plus a CI integration is sometimes enough; for programs that want managed cloud DAST without the rest of Checkmarx, StackHawk or Bright might fit better. Merito surfaces those alternatives honestly.

API DAST is where the program math changes. The API surface is usually the actual application; the web frontend is the easy half. Programs running DAST without API scanning are scanning the visible part and missing the structural risk. Merito's engagements include OpenAPI or GraphQL schema ingestion as a default, not an upsell.

What buyers usually underestimate

Running DAST without authenticated session handling, so the scanner never reaches the application.
Scanning empty staging environments with no realistic data, generating low-signal findings.
Treating web, API, and mobile DAST as one default policy rather than tuning per surface.
Skipping cross-product correlation, so DAST findings never link to the SAST source they came from.
Running DAST without scan windows and rate limiting, knocking staging environments offline during business hours.

Related from Merito

Continue exploring Checkmarx DAST on Merito

Checkmarx DAST FAQs

Consultation request

Talk to Merito about Checkmarx DAST

Share your application surface (web, API, mobile), authentication shape, and current DAST tool if any. A Merito Checkmarx specialist follows up within one business day.

Real authenticated scanning

Reach what the user reaches

SAML, OAuth, OIDC, multi-factor, and custom session protocols. Tools that lose session after the first redirect end up testing nothing useful.

Cross-product correlation

One ticket, not three

DAST findings cross-link to SAST flow paths and SCA dependencies inside Checkmarx One. AppSec triages once.

Next step

Configure authenticated scanning before pointing the scanner at staging.

A Merito Checkmarx DAST engagement starts with authentication wiring and per-application policy tuning. Default-rule scans against landing pages are not DAST.

Book a Checkmarx DAST consultation

Checkmarx DAST

How it rolls out

Hosting

SaaS (North America, EMEA, APJ)

Implementation complexity

High

Typical time to value

First authenticated scan against staging in one to two weeks. Tuned policy and CI/CD integration in three to six weeks. Enterprise rollout across portfolio typically runs three to six months.

Prerequisites

Runnable staging or pre-prod environment with realistic data
Authentication credentials (SSO, OAuth, or test accounts) for scan sessions
Network reachability from Checkmarx scanners to the target environment
Named AppSec policy owner
Scan-window schedule agreed with environment owners

What Merito usually handles

Checkmarx DAST runs as Checkmarx One SaaS with optional internal scanning agents for environments behind a corporate firewall. Merito handles tenant setup, authentication wiring, policy tuning per application, scan-window scheduling, and findings-routing design.

How it is bought

Model

Subscription

What to expect

Checkmarx DAST is part of the Checkmarx One platform and licensed by application count, scan volume, and bundle tier. Pricing depends on web, API, and mobile coverage in scope and bundle (Advanced or Enterprise). License acquisition flows through Merito; the AppSec program is scoped as a separate engagement.

Editions and modules

Checkmarx One Advanced
Adds DAST, API Security, IaC Security, Malicious Package Protection, and Repository Health to the Essentials baseline.
Best for: Programs adding DAST and API Security to an existing SAST or SCA footprint.
Checkmarx One Enterprise
Advanced plus AI agents (Developer Assist, Triage and Remediation), AI Supply Chain Security, Software Supply Chain Security, and premium SLAs.
Best for: Enterprise programs running DAST inside a fully consolidated AppSec platform.

Common expansion areas

Add Checkmarx API Security for shadow-API discovery and drift detection
Add Checkmarx Mobile DAST coverage as the program extends to native apps
Layer Triage and Remediation to cluster DAST findings with SAST and SCA
Add Checkmarx Container Security and IaC Security for cloud-native programs

Talk to Merito about Checkmarx DAST

Share your application surface (web, API, mobile), authentication shape, and current DAST tool if any. A Merito Checkmarx specialist follows up within one business day.

Real authenticated scanning

Reach what the user reaches

SAML, OAuth, OIDC, multi-factor, and custom session protocols. Tools that lose session after the first redirect end up testing nothing useful.

Cross-product correlation

One ticket, not three

DAST findings cross-link to SAST flow paths and SCA dependencies inside Checkmarx One. AppSec triages once.