Three approaches to finding vulnerabilities at runtime — each with different tradeoffs.
| | DAST | IAST | RASP |
|---|---|---|---|
| When it runs | Outside the app, against live endpoints | Inside the app during testing | Inside the app in production |
| Visibility | Black-box — sees HTTP only | Gray-box — sees code paths + HTTP | Full runtime context |
| Deployment | Point at a URL, no code changes | Requires agent in test environment | Agent deployed to production |
| False positives | Higher — no code context | Lower — correlates request + code | Lowest — real traffic only |
| Coverage | Only what it can reach via HTTP | Only exercised code paths | Only production traffic paths |
| CI/CD fit | Integration tests, staging | QA and integration testing | Production monitoring |
| Languages | Language-agnostic | Language-specific agents | Language-specific agents |
DAST tools like OWASP ZAP and Burp Suite scan running applications from the outside. They send malicious requests and analyze responses. The advantage is zero code changes and language independence. The downside is limited coverage — they can only test what they can reach through the UI or API, and they produce more false positives without code-level context.
IAST instruments the application during testing. An agent inside the runtime watches data flow from HTTP input through to dangerous sinks (SQL queries, file operations, etc.). This gives much better accuracy than DAST because it can see exactly which code path a payload takes. The tradeoff is language-specific agents and the requirement to run during active testing.
RASP is IAST's production cousin. It sits inside the running application and can both detect and block attacks in real time. Unlike a WAF, RASP sees the full application context — it knows whether a SQL string actually reached a query. The cost is production overhead and the need for language-specific agents.
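To make the source-to-sink tracking behind the IAST and RASP paragraphs above concrete, here is an added toy model; it is not code from this page or from any IAST/RASP product, and the names `TaintedStr`, `SqlSinkHook`, `request_param` and the two handlers are assumed for illustration. Request parameters are marked tainted at the source, and a wrapped query call (the sink) reports in IAST mode or blocks in RASP mode when tainted text reaches the SQL itself.

```python
# Added illustration of the taint tracking behind IAST/RASP agents (no product's code).
# Source hook: request parameters are marked tainted. Sink hook: the wrapped query call
# checks whether taint reached the SQL text. Only `+` propagation is modelled here.

class TaintedStr(str):
    """A str that remembers which request parameter it came from."""
    def __new__(cls, value, source):
        obj = super().__new__(cls, value)
        obj.source = source
        return obj
    def __add__(self, other):   # tainted + x stays tainted
        return TaintedStr(str.__add__(self, other), self.source)
    def __radd__(self, other):  # x + tainted stays tainted
        return TaintedStr(str.__add__(other, self), self.source)

class SqlSinkHook:
    """Stand-in for a DB driver's execute(), wrapped the way an agent would.
    mode="iast": record a finding, let the query run (test-time reporting).
    mode="rasp": record it and block the call (production enforcement)."""
    def __init__(self, mode):
        self.mode = mode
        self.findings = []   # (sink, source, query) tuples
    def execute(self, sql, params=()):
        if isinstance(sql, TaintedStr):   # untrusted data is part of the query text
            self.findings.append(("sql.execute", sql.source, str(sql)))
            if self.mode == "rasp":
                raise PermissionError(f"blocked: {sql.source} reached sql.execute")
        return f"executed: {sql} params={params}"   # a real driver would run it here

def request_param(params, name):
    """Source hook: every value read from the request is tainted at birth."""
    return TaintedStr(params[name], f"param:{name}")

def vulnerable_handler(db, params):   # builds the query by concatenation
    name = request_param(params, "name")
    return db.execute("SELECT * FROM users WHERE name = '" + name + "'")

def safe_handler(db, params):         # same tainted value, bound as a parameter
    name = request_param(params, "name")
    return db.execute("SELECT * FROM users WHERE name = ?", (name,))

def check(handler, mode, params):
    """Run handler under an agent in `mode`; return (taint sources seen, blocked?)."""
    db = SqlSinkHook(mode)
    try:
        handler(db, params)
        blocked = False
    except PermissionError:
        blocked = True
    return [f[1] for f in db.findings], blocked
```

Note that the constructed input is a perfectly benign name: the finding comes from observing the data flow into the sink, not from matching a payload, which is exactly why these agents report fewer false positives than an outside-in scanner.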
Most teams start with DAST in CI/CD because it's the easiest to deploy. Add IAST during QA for better accuracy. Consider RASP for production defense-in-depth, especially for apps that can't be patched quickly. None of these replace SAST — they complement it by finding runtime-only issues.