Dynamic application security testing (DAST) is conducted when the application is:

Prepare for the Western Governors University ITCL3202 D320 Managing Cloud Security Exam. Study with flashcards and multiple-choice questions; each question has hints and explanations. Get ready for your exam!

Dynamic application security testing (DAST) is a security testing methodology that focuses on testing the application while it is running, typically in a production-like environment. The key aspect of DAST is that it evaluates the application's behavior in real-time scenarios, which includes interacting with its user interface and assessing how it processes input and handles data.

When the application is in execution with real data, DAST can identify security vulnerabilities that emerge only during the operational phase of the application's lifecycle. This means it can detect issues like cross-site scripting, SQL injection, and server misconfigurations when the application is actively processing requests and responding to user input. This real-world testing is crucial as it simulates how an attacker might interact with the application to exploit potential weaknesses.

Since DAST operates while the application is live, it does not require access to the source code, which differentiates it from static application security testing (SAST) that analyzes the source code prior to execution. This live testing approach enables a more accurate assessment of an application's security posture as it relies on how the application performs under normal usage conditions, thus providing vital insights into its vulnerabilities when exposed to actual threats.
