# Dynamic Analysis (DAST)

One-sentence definition: Black-box testing of running applications via HTTP/S to find exploitable issues.

## Key Facts

- Good at input/output flaws (XSS, injection, misconfig); limited for logic.
- Requires stable test environment, test users, and seed URLs.
- Handle auth flows; avoid production data; whitelist scanners.
- Combine with IAST for context and coverage.
- **Verify:** check official (ISC)² CBK and current exam outline.

## Exam Relevance

- Choose DAST to validate exploitable web flaws.

**Mnemonic:** “**Drive** the app.”

## Mini Scenario

Q: Scanner misses deep pages—why?

A: Broken auth/crawl; supply authenticated session and API docs.

## Revision Checklist

- Strength vs weakness.
- Setup needs.
- Pairing with IAST.

## Related

[[Interactive Application Security Testing (IAST)]] · [[Web Application Testing (OWASP Top 10)]] · [[API Security Testing (OWASP API Top 10)]] · [[Testing in CI CD (Shift Left and Right)]] · [[Remediation Verification and Regression Testing]] · [[Domain 6 - Index]]