Smarter, not flashier: How AI enhances DAST on the Invicti Platform

The AI gold rush has every existing software company adding AI-powered features for fear of missing out, and every startup promising an AI-powered revolution. At Invicti, we’ve launched a new AppSec platform with AI-powered DAST at its heart—but it’s very different from the AI snake oil and commercial LLM wrappers flooding the market.

The short story is that we only use AI within the Invicti Platform where it adds genuine value, and you can switch it off at any time and still have the world’s best DAST powering your AppSec program. The full story, though, is much more interesting.

Fueled by decades of experience, not hype

At the core of the Invicti Platform is a new DAST scan engine, built from the ground up to be nothing less than the fastest and most accurate vulnerability scanning engine ever. It incorporates two decades of accumulated experience with Acunetix, Netsparker, and Invicti product features, security checks, and customer feedback. This was all distilled into a brand new design powered not by AI magic but by years upon years of expertise in finding vulnerabilities and building automated scanners to do it.

The crucial distinction compared to the AI-powered crowd is that at Invicti, we use AI and machine learning (ML) to process and enhance scan inputs and outputs, but the actual vulnerability testing is always performed and verified by our proprietary deterministic DAST engine. In security, nothing is more important than reliable and repeatable results, which is not something that AI alone can provide.

It’s all about using the right tool for the job. To safely run a DAST scan that involves sending real requests to a real application and then exploiting and reporting real vulnerabilities, you need to be confident that you know precisely what every part of the scanner is doing. This is not a job for AI, so we use our proprietary scan engine for the testing part. However, finding realistic URLs, parameters, and values to test based on context data you might not know in advance is a perfect job for AI, so that’s one of the ways we use it.

Complete control and data privacy

The use of mainstream AI (which usually means generative AI) raises some serious questions regarding data privacy and control that make for a legal and ethical minefield when it comes to security testing. When building the Invicti Platform, it was therefore clear from day one that whatever AI enhancements are added must process data about test targets and results with the same strict level of privacy as the non-AI features.

No identifiable data about customer applications, configurations, or vulnerabilities on the Invicti Platform is ever exposed to external AI models or shared with third parties, and we never use any customer data to train our own models.

From talking to our customers, we also knew very well that the AI free-for-all in the tech industry has caused many organizations in regulated industries to restrict or ban all AI usage by default until they know what exactly a specific solution is doing. For that reason, AI features on the Invicti Platform are off by default, and you can control what you’d like to enable.

Unlike some less mature products that rely solely on unspecified AI magic to identify vulnerabilities, the Invicti Platform provides the world’s fastest and most accurate DAST even without the AI enhancements and features enabled. But enabling them takes the platform to a whole new level.

Risk insights before scanning, deeper probing during scans

To give you just two examples of the many ways that AI is used to enhance the core DAST capabilities, the Invicti Platform features Predictive Risk Scoring in the discovery phase and AI-aided form filling when scanning. Each feature uses a different type of AI model that is optimized for the task at hand.

Predictive Risk Scoring uses a proprietary machine learning model (a type of decision tree) to quickly estimate if a discovered website is likely to have serious vulnerabilities and should be given priority for scanning. This is done by evaluating over 200 model parameters that correspond to various technical signals commonly found in vulnerable websites. You can think of it as the ML version of an experienced pentester who takes one look at a website and immediately sees telltale signs of an old and likely vulnerable installation.
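The "experienced pentester's glance" described above can be made concrete with a toy example. The Python below is an added illustration written for this page, not Invicti's model or code: it runs a hand-written decision tree over a handful of passive discovery signals (banner age, missing hardening headers, directory listing, presence of a login form) and ranks constructed host fingerprints by scan priority, recording the reason for each branch taken. The version thresholds, weights, bucket cut-offs and sample hosts are all assumptions made up for the example; a real model would learn its branches from data over far more signals than the four or five used here.

```python
"""Toy decision-tree prioritisation of discovered hosts (added example, not Invicti's model).

Every threshold, weight and sample fingerprint below is constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class HostFingerprint:
    """Passive signals a discovery pass could record without sending attack traffic."""
    host: str
    server: str = ""                 # Server response header, e.g. "Apache/2.2.15 (CentOS)"
    powered_by: str = ""             # X-Powered-By response header, e.g. "PHP/5.3.3"
    headers_present: frozenset = field(default_factory=frozenset)  # lower-cased header names
    has_login_form: bool = False
    directory_listing: bool = False


# Hypothetical "older than this branch is suspicious" thresholds (constructed, not a CVE list).
OLD_BRANCHES = {"apache": (2, 4), "nginx": (1, 20), "php": (7, 4), "iis": (10, 0)}
HARDENING_HEADERS = frozenset({"content-security-policy", "strict-transport-security", "x-frame-options"})


def parse_banner(banner: str) -> tuple[str, tuple[int, int]] | None:
    """Extract product name and (major, minor) from a banner like 'Apache/2.2.15 (CentOS)'."""
    m = re.match(r"\s*([A-Za-z][\w-]*)/(\d+)\.(\d+)", banner)
    if not m:
        return None
    return m.group(1).lower(), (int(m.group(2)), int(m.group(3)))


def is_outdated(banner: str) -> bool:
    """True when the banner names a known product at a branch older than the threshold."""
    parsed = parse_banner(banner)
    if parsed is None:
        return False  # no version disclosed: no evidence either way
    product, version = parsed
    threshold = OLD_BRANCHES.get(product)
    return threshold is not None and version < threshold


def score_host(fp: HostFingerprint) -> tuple[int, list[str]]:
    """Hand-built decision tree: each branch adds weight and records why it fired."""
    score, reasons = 0, []
    if is_outdated(fp.server):
        score += 40
        reasons.append(f"outdated server banner: {fp.server}")
    if is_outdated(fp.powered_by):
        score += 30
        reasons.append(f"outdated runtime banner: {fp.powered_by}")
    missing = HARDENING_HEADERS - fp.headers_present
    if missing == HARDENING_HEADERS:
        score += 15
        reasons.append("no hardening headers at all")
    elif missing:
        score += 5
        reasons.append("missing headers: " + ", ".join(sorted(missing)))
    if fp.directory_listing:
        score += 10
        reasons.append("directory listing enabled")
    if fp.has_login_form and score >= 30:
        # Authentication on an already-suspicious stack raises the impact of any finding.
        score += 10
        reasons.append("login form on suspicious stack")
    return score, reasons


def priority_bucket(score: int) -> str:
    """Map a score to a scan-priority bucket (cut-offs are arbitrary for the example)."""
    if score >= 60:
        return "high"
    if score >= 20:
        return "medium"
    return "low"


def rank_for_scanning(fps: list[HostFingerprint]) -> list[HostFingerprint]:
    """Highest score first, so the scan queue starts with the most suspicious hosts."""
    return sorted(fps, key=lambda fp: score_host(fp)[0], reverse=True)


# Constructed sample fingerprints standing in for the output of a discovery crawl.
SAMPLE_HOSTS = [
    HostFingerprint("static.example.test", server="cloudflare",
                    headers_present=HARDENING_HEADERS),
    HostFingerprint("legacy.example.test", server="Apache/2.2.15 (CentOS)", powered_by="PHP/5.3.3",
                    has_login_form=True, directory_listing=True),
    HostFingerprint("shop.example.test", server="nginx/1.24.0",
                    headers_present=frozenset({"strict-transport-security", "x-frame-options"}),
                    has_login_form=True),
]

if __name__ == "__main__":
    for fp in rank_for_scanning(SAMPLE_HOSTS):
        score, reasons = score_host(fp)
        print(f"{fp.host:22} {priority_bucket(score):6} {score:4}  {'; '.join(reasons) or 'no signals'}")
```

The point of the reason list is auditability: when a host is pushed to the front of the scan queue, an analyst can see which signals drove that decision, which is exactly the property a black-box "AI risk score" lacks.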

Other AI-aided DAST features on the Invicti Platform use customized LLMs to improve various aspects of crawling and testing. One of the most impactful is the AI form filler, which takes advantage of the strengths of LLMs to help the scanner get through web form validation and scan the form’s backend for vulnerabilities. This solves a very real problem faced by DAST scanners that encounter complex forms, essentially using the LLM to replace a human user and correctly fill out a form depending on the business context. When it knows what values to use for a valid form submission, the scanner can test endpoints and systems that were previously inaccessible without manual intervention.

While there are plenty of other AI enhancements (with more in development), just these two features combined give the scanner two abilities previously reserved for manual penetration testing and vulnerability assessments: Predictive Risk Scoring acts like a security expert deciding what looks immediately suspicious before starting an assignment, while the AI form filler does the job of a tester completing a complex form to probe the backend.

No magic, only the world’s best DAST made even better

The Invicti Platform puts DAST front and center to coordinate and fact-check a wide array of integrated application security testing technologies, from native API security, IAST, and dynamic SCA to partner-supplied SAST, static SCA, and container security. This DAST-first approach to risk posture management is unique in the industry and lets you prioritize work on vulnerabilities that are exploitable at runtime and carry real risk.

Being DAST-first is only possible because we first built the world’s best DAST without AI—and then thoughtfully used AI to solve real problems and bring real value.

Zbigniew Banach

About the Author

Zbigniew Banach - Technical Content Lead & Managing Editor

Cybersecurity writer and blog managing editor at Invicti Security. Drawing on years of experience with security, software development, content creation, journalism, and technical translation, he does his best to bring web application security and cybersecurity in general to a wider audience.