This integration is configured through the Invicti ASPM product.
IAST overview
What is IAST?
Interactive Application Security Testing (IAST) analyzes applications from the inside during runtime by instrumenting the application with a security agent. Unlike SAST (which reads source code) or DAST (which tests from the outside), IAST monitors the application's internal execution paths as it runs, providing highly accurate findings with very low false positive rates.
The IAST integrations on this page are for teams using Invicti ASPM who want to connect their own IAST tools. See AppSec Core scanners overview for details on the scanners built into Invicti AppSec Core.
How it works
IAST deploys a lightweight agent that is embedded within the application — typically in the application server or runtime. The agent then:
- Instruments code execution — monitors internal data flows, method calls, and execution paths during normal application use or automated test runs.
- Detects vulnerable code paths — identifies precisely where untrusted input reaches sensitive operations such as SQL queries, shell commands, or file operations.
- Correlates with test traffic — findings are tied directly to the request that triggered them, making them immediately actionable.
- Produces few false positives — because IAST observes actual execution, it only reports vulnerabilities that were genuinely reached and triggered. The flip side is coverage: code paths that the test traffic never exercises are not assessed, so findings are only as complete as the traffic driving the instrumented application.
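The mechanism described above, reduced to a toy agent, as an added illustration that is not Invicti, Contrast or Seeker code: request parameters are marked as untrusted sources, taint follows the values through string concatenation, and an instrumented sqlite3 connection acts as the SQL sink. A finding is raised only when tainted text reaches the sink as query text, and it records the request that triggered it. All names (Tainted, IastAgent, InstrumentedConnection, the lookup_* handlers) and the replayed traffic are assumptions constructed for the example.

```python
# Toy IAST-style agent: source -> propagation -> sink, with findings tied to
# the triggering request. Hypothetical illustration, not vendor code.
import sqlite3
import threading


class Tainted(str):
    """str subclass that remembers which request parameter it came from."""

    def __new__(cls, value, source):
        obj = super().__new__(cls, value)
        obj.source = source
        return obj

    # Propagate taint through concatenation, the usual way queries get built.
    def __add__(self, other):
        return Tainted(str.__add__(self, other), self.source)

    def __radd__(self, other):
        return Tainted(str.__add__(other, self), self.source)


class IastAgent:
    """Tracks the current request (thread-local) and the findings raised so far."""

    def __init__(self):
        self._ctx = threading.local()
        self.findings = []

    def begin_request(self, request_id, path, params):
        self._ctx.request = {"id": request_id, "path": path}
        # Source: every request parameter is untrusted.
        return {k: Tainted(v, source="param:" + k) for k, v in params.items()}

    def end_request(self):
        self._ctx.request = None

    def check_sql_sink(self, sql):
        """Sink check: tainted data spliced into the SQL text is an injection."""
        if isinstance(sql, Tainted):
            self.findings.append({
                "type": "SQL Injection",
                "request": dict(self._ctx.request),   # correlation with traffic
                "source": sql.source,
                "sink": "sqlite3.Connection.execute",
                "query": str(sql),
            })


AGENT = IastAgent()


class InstrumentedConnection(sqlite3.Connection):
    """Instrumented sink: every query text passes through the agent first."""

    def execute(self, sql, parameters=()):
        AGENT.check_sql_sink(sql)
        return super().execute(str(sql), parameters)


def setup_db():
    conn = sqlite3.connect(":memory:", factory=InstrumentedConnection)
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("bob", "admin")])
    return conn


def lookup_user_vulnerable(conn, params):
    # Untrusted input concatenated into the query: the tainted str reaches the sink.
    sql = "SELECT name, role FROM users WHERE name = '" + params["name"] + "'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, params):
    # Parameterised: the query text is a constant, the value is bound separately.
    return conn.execute("SELECT name, role FROM users WHERE name = ?",
                        (params["name"],)).fetchall()


def lookup_user_by_role(conn, params):
    if "role" in params:  # vulnerable branch, but never exercised by the traffic below
        sql = "SELECT name FROM users WHERE role = '" + params["role"] + "'"
        return conn.execute(sql).fetchall()
    return conn.execute("SELECT name FROM users").fetchall()


def run_traffic(conn, agent=AGENT):
    """Replay constructed requests through the instrumented app; return findings."""
    traffic = [  # constructed sample traffic
        ("req-1", "/user", lookup_user_vulnerable, {"name": "alice' OR '1'='1"}),
        ("req-2", "/user-safe", lookup_user_safe, {"name": "alice' OR '1'='1"}),
        ("req-3", "/by-role", lookup_user_by_role, {}),
    ]
    agent.findings.clear()
    for rid, path, handler, params in traffic:
        tainted_params = agent.begin_request(rid, path, params)
        handler(conn, tainted_params)
        agent.end_request()
    return list(agent.findings)


if __name__ == "__main__":
    for finding in run_traffic(setup_db()):
        print(finding)
```

Only req-1 produces a finding: req-2 uses bound parameters so the query text is never tainted, and req-3 never enters its vulnerable branch. The last case is the coverage caveat in practice, the unexercised path is not a false negative of the agent but a gap in the traffic, which is why IAST is usually run under a DAST scan or a broad functional test suite.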
IAST vs. SAST vs. DAST
| | SAST | DAST | IAST |
|---|---|---|---|
| Testing approach | Static code analysis | Black-box external testing | Runtime instrumentation |
| When | At code commit | Against a running application | During runtime / testing |
| Source code required | Yes | No | No |
| False positive rate | Higher | Lower | Lowest |
| Best for | Early code-level detection | Runtime behavior testing | High-confidence runtime findings |
IAST works well alongside SAST and DAST to provide layered coverage across the development lifecycle.
What it can discover
IAST detects vulnerabilities across the following categories:
| Category | Examples |
|---|---|
| Injection | SQL Injection, Command Injection, LDAP Injection, XPath Injection |
| Cross-Site Scripting (XSS) | Reflected XSS, Stored XSS, DOM-based XSS |
| Insecure data handling | Path traversal, insecure deserialization, sensitive data exposure |
| Authentication and session | Weak session management, insecure cookie handling |
| Security misconfigurations | Missing security headers, insecure transport configurations |
| Third-party library vulnerabilities | Known CVEs in libraries actively used during runtime |
Supported IAST tools
The following IAST integrations are available through Invicti ASPM:
| Tool | Type | Authentication |
|---|---|---|
| Contrast IAST | Connection | API token |
| Seeker (Synopsys) | Connection | API token |
Need help?
The Invicti Support team is ready to provide technical assistance. Go to Help Center