ModelsAgree
← All leaderboards
🕷️

Best DAST tool for dynamic app testing

3 models · updated 2026-07-09

The verdict

Burp Suite leads — All 3 models rank Burp Suite the top pick.

Combined ranking

  1. 1
    Burp Suiteincumbent15 pts
    GPT #1Claude #1Gemini #1

    Best scanner pedigree, strong real-world vulnerability coverage, excellent authenticated and CI/CD scanning, and the Burp ecosystem makes validation and triage unusually strong

    To stay #1 Add more polished enterprise risk management and asset governance so large teams need fewer external tools

  2. 2
    Invictiincumbent11 pts
    GPT #2Claude #3Gemini #2

    Excellent automated web and API scanning, proof-based vulnerability validation reduces false positives, strong scheduling, discovery, reporting, and scale for security teams

    To rank higher Match Burp’s depth for expert manual testing workflows and extensibility

  3. 3
    StackHawk6 pts
    GPT Claude #2Gemini #4

    Built DAST for developers from the ground up — CI/CD-native, configuration-as-code (YAML), excellent API testing (REST, GraphQL, gRPC, SOAP) with OpenAPI-driven scans, fast scans that fit in a pipeline, and findings routed to devs as tickets not PDFs

    To rank higher Broaden coverage beyond its dev-pipeline sweet spot with stronger authenticated scanning of complex legacy/monolith UIs to displace enterprise incumbents

  4. 4
    OWASP ZAPincumbent5 pts
    GPT Claude #4Gemini #3

    The leading open-source DAST solution that is completely free, highly customizable, and easy to run in automated CI/CD environments via a powerful API and Docker wrappers.

    To rank higher Modernizing its desktop user interface and improving out-of-the-box handling of complex single-page applications without manual scripting.

  5. 5
    HCL AppScanincumbentnew3 pts
    GPT #3Claude Gemini

    Very mature enterprise DAST with broad compliance reporting, on-prem and cloud options, strong policy controls, and good fit for regulated organizations

    To rank higher Modernize the user experience and developer workflow speed to feel less heavy

  6. 6
    Rapid7 InsightAppSecincumbent2 pts
    GPT #5Claude Gemini #5

    Practical enterprise DAST with strong remediation guidance, attack replay, reporting, and integration into Rapid7’s broader vulnerability management ecosystem

    To rank higher Accelerate coverage for modern API-heavy and JavaScript-heavy applications

  7. 7
    Checkmarx DASTincumbent2 pts
    GPT #4Claude Gemini

    Strong choice inside a broader AppSec program, with good CI/CD integration, centralized governance, and useful correlation alongside SAST, SCA, IaC, and API security

    To rank higher Improve standalone DAST depth and scanner accuracy enough to rival the specialist leaders

  8. 8
    Qualys WASnew1 pts
    GPT Claude #5Gemini

    Cloud-scale scanning across thousands of apps, tight integration with the broader Qualys VMDR platform for unified vuln management, strong API scanning and scheduling, good fit where Qualys is already the enterprise standard

    To rank higher Improve crawl coverage and JavaScript-heavy SPA handling to match dedicated appsec-first vendors

Rank history

1234567806-2906-3007-0807-09Burp SuiteInvictiStackHawkOWASP ZAPHCL AppScanRapid7 InsightAppSecCheckmarx DASTQualys WAS
Burp Suite#1Invicti#2StackHawk#3OWASP ZAP#5HCL AppScan#4Rapid7 InsightAppSec#8Checkmarx DAST#6Qualys WAS#7

By model

ChatGPT

  1. 1.Burp Suite
  2. 2.Invicti
  3. 3.HCL AppScan
  4. 4.Checkmarx DAST
  5. 5.Rapid7 InsightAppSec

Claude

  1. 1.Burp Suite
  2. 2.StackHawk
  3. 3.Invicti
  4. 4.OWASP ZAP
  5. 5.Qualys WAS

Gemini

  1. 1.Burp Suite
  2. 2.Invicti
  3. 3.OWASP ZAP
  4. 4.StackHawk
  5. 5.Rapid7 InsightAppSec

Tracked by ModelsAgree · rank 1 = 5 pts … rank 5 = 1 pt · re-polled continuously