About dynamic analysis (DAST)
An ASoC dynamic (DAST) scan consists of two stages: Explore and Test. Even though most of the scan process is seamless to the user, and no input is required until the scan is complete, understanding how dynamic scanning works can help you to better understand the role of scanning in your development process.
Stage 1: Explore
The Explore stage can be run automatically as part of an automatic scan, or manually by the user, or a combination of both.
During the first stage, and starting from the URL you configure, AppScan on Cloud crawls your application by simulating a web user clicking on links and completing form fields, building an understanding of the application's structure.
ASoC analyzes the responses to each Explore request, looking for any indication of a potential vulnerability. When ASoC receives a response that may indicate a security vulnerability, it creates one or more tests based on the response, as well as noting the validation rules needed to determine which results constitute vulnerability, and the level of security risk involved.
Before sending the site-specific tests that were created, ASoC sends several malformed requests to the application to determine the manner in which it generates error responses. This information is then used to increase the precision of ASoC's automatic test validation process.
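The error-response baselining described above can be modelled in a few lines. The following is an added illustration, not AppScan on Cloud code: the scanner is a toy, the responses are constructed inline, and the fingerprinting rule (status code plus a body with numbers and whitespace normalised) is an assumption chosen for the example rather than ASoC's actual validation logic. It shows why the malformed probes matter: once the application's generic error page has been fingerprinted, a later test response that is just that same page is not mistaken for a vulnerability, while a response that differs from the baseline (here, a verbose exception dump) is kept for review.

```python
import re

# --- constructed data -------------------------------------------------------
# Responses a toy application returned to three deliberately malformed
# requests (the probes sent before the site-specific tests). They differ
# only in a volatile request id and in whitespace.
MALFORMED_PROBE_RESPONSES = [
    (500, "<html><body>Error 500: request 8812 could not be processed</body></html>"),
    (500, "<html><body>Error 500: request 9031 could not be processed</body></html>"),
    (500, "<html><body>Error 500: request 9102   could not be processed</body></html>"),
]

# Responses to three later site-specific tests (names are hypothetical).
TEST_RESPONSES = {
    "test-A": (500, "<html><body>Error 500: request 1234 could not be processed</body></html>"),
    "test-B": (500, "java.lang.NullPointerException at com.example.Search.run(Search.java:42)"),
    "test-C": (200, "<html><body>No results</body></html>"),
}

# --- toy validation logic ---------------------------------------------------
def fingerprint(status, body):
    """Normalise a response so that responses differing only in volatile
    details (request ids, timestamps, whitespace) fingerprint identically."""
    normalised = re.sub(r"\d+", "#", body)          # mask every number
    normalised = re.sub(r"\s+", " ", normalised).strip()
    return (status, normalised)


def learn_error_baseline(probe_responses):
    """Fingerprint how the application reports errors, from the responses it
    gave to malformed requests. Returns the set of baseline fingerprints."""
    return {fingerprint(status, body) for status, body in probe_responses}


# Assumed marker for a verbose, internals-revealing error body.
EXCEPTION_MARKER = re.compile(r"\b[A-Za-z_.]+Exception\b|Traceback \(most recent call last\)")


def classify(status, body, baseline):
    """Decide what a test response means, given the learned baseline:
    'generic-error'  -> the application's ordinary error page; not a finding
    'finding'        -> an error that does NOT match the baseline; keep for review
    'normal'         -> an ordinary non-error response"""
    if fingerprint(status, body) in baseline:
        return "generic-error"
    if status >= 500 or EXCEPTION_MARKER.search(body):
        return "finding"
    return "normal"


def run_demo():
    """Learn the baseline from the probes, then classify every test response."""
    baseline = learn_error_baseline(MALFORMED_PROBE_RESPONSES)
    return {name: classify(s, b, baseline) for name, (s, b) in TEST_RESPONSES.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

Without the baseline step, test-A would look exactly like test-B (both are HTTP 500s) and the scanner would report a false positive for every input that merely trips the application's standard error handler.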
In a typical scan, the Explore stage to discover the application runs automatically. However, you can configure ASoC to explore specific parts of the site, or to send requests in a specific order, using the Recorded explore feature. See Recorded explore.
Stage 2: Test
During the second stage, ASoC sends the thousands of custom test requests it created during the Explore stage. It records and analyzes the application's response to each test using the custom validation rules. These rules both identify security problems within the application and also rank their level of security risk.
Scan phases
In practice, the Test stage often reveals new links within an application, and more potential security risks. Therefore, after completing the first phase of Explore and Test, ASoC automatically begins a second phase to deal with the new information. If new links are discovered during the second phase, a third phase is run, and so on.
The discovery of new links in the Test stage triggers a change in the number of expected tests shown during runtime. After completing the configured number of scan phases, scanning stops and the completed results are available to the user.
The default number of phases is four. This cannot be changed in ASoC, but if a different number is configured in an uploaded configuration file (DAST.CONFIG), that number of phases will be run.
Scan flow

Scan duration
- Scan time limits:
  - The maximum total duration for the combined explore and test phases is 25 hours (1500 minutes).
  - The explore phase can run for a maximum of 30 minutes.
  - In specific scenarios that involve intervention and scan enablement, the total duration can exceed 25 hours.
- What happens when limits are reached: If a scan exceeds these time limits, it is automatically terminated. The scan may appear complete, but it might contain only partial results, such as fewer tested elements than the total number identified. To verify whether a scan stopped because of a time limit, check the scan execution logs for the TestTimeLimitReached status.
- How to maximize coverage: For large applications, or when scans are incomplete because of time limits, optimize your scans by:
  - Using the Exclude Path option to focus on critical areas
  - Updating your scan configuration
  - Using the Test Only capability with existing scan files
  - Resuming the scan that stopped because of time limits
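The phased Explore/Test loop from the Scan phases section and the time limits from the Scan duration section interact in ways that are easier to see in a small model. The following is an added example and not AppScan on Cloud code: the site graph, the number of tests per URL, the per-request costs and the short limits used in the demonstration are constructed values, and only the defaults (four phases, a 30-minute explore limit, a 1500-minute total) and the TestTimeLimitReached status come from the page. The model shows three things the text describes: test responses revealing links that trigger another phase, the expected test count growing as new links are found, and a scan that hits the total limit returning with partial results and the TestTimeLimitReached status in its log.

```python
from dataclasses import dataclass, field

# --- constructed site -------------------------------------------------------
# Links visible in each URL's Explore response.
EXPLORE_LINKS = {
    "/": ["/login", "/products"],
    "/login": [],
    "/products": ["/products/1"],
    "/products/1": [],
    "/admin": ["/admin/users"],
    "/admin/users": [],
    "/debug": [],
}
# Links that only show up in responses to a URL's *test* requests
# (this is what forces a further phase).
TEST_REVEALS = {"/login": ["/admin"], "/admin/users": ["/debug"]}
TESTS_PER_URL = 3  # assumed constant; a real scanner derives this per response


@dataclass
class ScanResult:
    phases_run: int = 0
    explored: list = field(default_factory=list)
    tests_expected: int = 0      # grows when tests reveal new links
    tests_sent: int = 0
    status: str = "Complete"
    log: list = field(default_factory=list)


def run_scan(start="/", max_phases=4, explore_limit=30.0, total_limit=1500.0,
             explore_cost=1.0, test_cost=1.0):
    """Run Explore/Test phases until nothing new is found or max_phases is hit.
    Limits and costs are in minutes; costs per request are constructed."""
    r = ScanResult()
    clock = 0.0
    frontier = [start]
    while frontier and r.phases_run < max_phases:
        r.phases_run += 1
        # --- Explore: crawl from the frontier within this phase's explore budget
        explore_start = clock
        queue, found = list(frontier), []
        while queue and clock - explore_start < explore_limit and clock < total_limit:
            url = queue.pop(0)
            if url in r.explored or url in found:
                continue
            clock += explore_cost
            found.append(url)
            queue.extend(l for l in EXPLORE_LINKS.get(url, [])
                         if l not in r.explored and l not in found)
        r.explored.extend(found)
        frontier = queue  # whatever the explore limit cut off waits for the next phase
        # --- Test: send the tests created for this phase's newly explored URLs
        r.tests_expected += TESTS_PER_URL * len(found)
        for url in found:
            for _ in range(TESTS_PER_URL):
                if clock >= total_limit:
                    # Terminated by the total limit: partial results, status logged.
                    r.status = "TestTimeLimitReached"
                    r.log.append(f"[{clock:.0f} min] TestTimeLimitReached: "
                                 f"{r.tests_sent}/{r.tests_expected} tests sent")
                    return r
                clock += test_cost
                r.tests_sent += 1
            for link in TEST_REVEALS.get(url, []):
                if link not in r.explored and link not in frontier:
                    frontier.append(link)
        r.log.append(f"[{clock:.0f} min] phase {r.phases_run}: explored {len(found)}, "
                     f"tests {r.tests_sent}/{r.tests_expected}, new links {len(frontier)}")
    return r


if __name__ == "__main__":
    for kwargs in ({}, {"total_limit": 10}, {"explore_limit": 2, "max_phases": 3}):
        result = run_scan(**kwargs)
        print(kwargs or "defaults", "->", result.status)
        print("\n".join(result.log))
```

With the defaults the toy site needs three phases (the third finds nothing new, so a fourth is never started). With `total_limit=10` the scan stops in the first phase after 6 of 12 expected tests, which is the "appears complete but only partially tested" situation the text warns about; checking the log for TestTimeLimitReached is how you tell the two apart. With a very small explore limit the crawl is cut short each phase and leftover URLs roll into the next one, so the phase cap itself becomes the reason a URL goes untested.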