
Minimize the threat of costly data breaches or malicious hacks with dynamic analysis. Our DAST technology enables you to scan running applications and APIs for potential vulnerabilities during the development lifecycle, before they reach a production environment.

By incorporating automated DAST at any stage of development, you can address the most complex applications, assess risks, and help manage and resolve vulnerabilities... all before your applications are deployed to the web.


DAST for Developers



From pre-configured workflows for basic scans, to test optimization, and incremental scanning, HCL AppScan DAST is ideal for developers who want to integrate this powerful scanning engine directly into their IDEs, CI/CD pipelines, and DTS environments. Plugins for familiar tools like Jenkins, Azure DevOps, and GitHub are just the start. HCL AppScan DAST provides developers with the ability to look at specific activity traffic as well as ratify and correlate security findings. Developers can integrate security into Unit Tests and use DAST to reproduce and validate security fixes. All of these functions allow users to quickly and confidently promote their own code base to the main branch.

Web API Scanning



Quickly broaden your vulnerability coverage with automatic scanning of all Web APIs. This can be done using Postman collection files, OpenAPI descriptions, recorded traffic, or by harnessing HCL AppScan's seamless integration with leading API testing tools.

Incremental Scanning and Test Optimization



Save time and resources by leveraging our unique incremental scanning capability, which can limit testing to new portions of the source code or portions with issues found in earlier scans.

Fine-tune the time testing takes at distinct phases of the SDLC (software development life cycle) with our Test Optimization Slider, which offers four optimization levels to control the trade-off between issue coverage and scan speed. Choose to go 10x faster with 70% accuracy, or only 2x faster with 97% accuracy. Your choice!

Action-based Scanning and Login Management



Use an embedded browser to explore/crawl the application as a user would – providing a user-view of the application, rather than a traditional traffic-view.

Like crawling, user login requires replaying actions performed by the user. These are recorded using the embedded recorder or the Activity Recorder browser extension. Replaying them exercises the application more accurately, so that application logic is handled correctly. More advanced features support one-time passwords and third-party authentication.

Vulnerable Third-Party Component Detection



Hackers target well-known vulnerabilities in popular libraries that you may have incorporated into your application. DAST together with vulnerable third-party component detection provides you with much more comprehensive vulnerability coverage, allowing you to identify (fingerprint) third-party libraries with known vulnerabilities and see those findings alongside all your DAST results.

OWASP Top 10 & OWASP API Security Top 10



The OWASP Foundation spearheads community-led, open-source projects to study and provide guidance in application security. HCL AppScan DAST technology contributes to our ability to offer 100% coverage for the most common vulnerabilities and security risks on both important benchmarks.

User Defined Tests

Create your own custom user rules to identify application-specific issues or errors. You can examine traffic for unwanted content or behavior, create payloads and search for reflected behavior that indicates a problem, and even validate with external servers for known blind attacks.

Multi-Step Operations

Recorded multi-step and action-based multi-step operations enable testing of complex logical sequences in the application. Whenever a complex series of steps must be completed before testing a particular page in a particular state, the sequence can be replayed to put the application in the correct state.

Privilege Escalation

Test application role-based access and permissions using HCL AppScan’s Privilege Escalation component. Using scans from two or more different roles, HCL AppScan generates a report of all access control errors from lower permission users to restricted locations of the application.

Third-Party and Infrastructure Tests

Your code relies on third-party libraries and components. Test those with the thousands of available CVE (Common Vulnerabilities and Exposures) tests, as well as with infrastructure tests that check your server configuration, SSL/TLS channels, and more.
