What is IAST (Interactive Application Security Testing)?

A hybrid testing approach that instruments a running application to observe security-relevant behavior during test execution.

Full explanation

IAST agents sit inside the running application (similar to APM agents) and observe data flows at runtime, reporting when tainted input reaches a sink. Because it watches real executions, IAST typically surfaces bugs faster than DAST and with lower false-positive rates than SAST, but it requires deploying an agent in your test environment.
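As an added illustration of the mechanism described above (not the page's own code, and not how any listed vendor implements it), here is a toy agent in Python that marks request input as tainted, propagates the mark through string concatenation, and records a finding when tainted data reaches an instrumented SQL sink while the test suite runs; `Agent`, `Tainted`, `run_query` and `lookup_user` are constructed names.

```python
# Toy IAST agent: constructed illustration, not any vendor's product code.
# Untrusted input is marked as tainted, the mark survives concatenation,
# and a finding is recorded when tainted data reaches an instrumented sink.
from dataclasses import dataclass, field

class Tainted(str):
    """str that remembers which untrusted source it came from."""
    def __new__(cls, value, source="unknown"):
        obj = super().__new__(cls, value)
        obj.source = source
        return obj
    def __add__(self, other):   # taint survives "tainted + literal"
        return Tainted(str.__add__(self, other), self.source)
    def __radd__(self, other):  # ... and "literal + tainted"
        return Tainted(str.__add__(str(other), self), self.source)

@dataclass
class Agent:
    findings: list = field(default_factory=list)
    def source(self, value, name):
        """Hook where untrusted data enters, e.g. a request parameter."""
        return Tainted(value, name)
    def sink(self, kind):
        """Decorator that instruments a security-sensitive function."""
        def decorate(fn):
            def wrapper(*args, **kwargs):
                for arg in (*args, *kwargs.values()):
                    if isinstance(arg, Tainted):
                        self.findings.append(
                            {"sink": kind, "source": arg.source, "value": str(arg)})
                return fn(*args, **kwargs)
            return wrapper
        return decorate

agent = Agent()

@agent.sink("sql")
def run_query(sql):      # stand-in for a DB driver's execute()
    return "executed: " + sql

def lookup_user(params):  # application code under test, unchanged by the agent
    name = agent.source(params.get("name", ""), "http.query.name")
    return run_query("SELECT * FROM users WHERE name = '" + name + "'")

def run_tests():
    """Drive the app the way a QA suite would; return what the agent observed."""
    agent.findings.clear()
    lookup_user({"name": "alice"})   # constructed request with a user-controlled param
    run_query("SELECT 1")            # constant query: no finding
    return agent.findings
```

A real agent hooks the language runtime or framework so that taint also survives formatting, slicing and encoding, and it watches many sink types at once; the point here is that the finding comes from observed execution, not from scanning source or probing from outside.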

Example

Contrast Security, Checkmarx IAST, Veracode IAST.

FAQ

Do I need IAST if I have SAST + DAST?

For most startup-stage apps, SAST + sandbox DAST (like Securie) is enough. IAST shines at larger scale with mature QA testing.