Veracode

Crashtest Security (Veracode DAST Essentials) test

Dynamic Application Security Testing · Category 9. DAST · Tier 2
CL Listed — Visible
Methodology v3.5 · OLIR Schema
April 2026
Evaluation Tier: Visible (Listed) · Other tiers: Verified (CAE), Enterprise (EEE) · Layer 1-2 only · Documentary assessment · All capabilities vendor-claimed
Executive Summary (30 seconds)

What it is

Lightweight cloud-based Dynamic Application Security Testing (DAST) solution designed for automated vulnerability scanning of web applications and APIs. Originally an independent German startup, now integrated into the Veracode platform as DAST Essentials, targeting SMBs and mid-market teams seeking quick OWASP Top 10 coverage.

Best for

OWASP Top 10 compliance (automated detection of injection, XSS, misconfigurations), PCI DSS Req. 6.2 (web application vulnerability scanning), CI/CD pipeline gating for agile teams. Ideal for small-to-medium development teams needing fast, self-service DAST without heavy infrastructure.

What it does NOT do

No static analysis (SAST), no source code review, no SCA (Software Composition Analysis), no runtime protection (RASP), no WAF, no API discovery, no mobile application testing. Not a full AppSec platform — focuses exclusively on dynamic web and API vulnerability scanning.

CL Recommendation

Crashtest Security is a pragmatic entry-level DAST for teams that need automated web scanning without enterprise complexity. Strong on OWASP Top 10 detection and CI/CD integration. Best suited for PCI DSS 6.x web scanning requirements and OWASP compliance. Combine with SAST (Cat. 9), WAF (Cat. 6), and SIEM (Cat. 12) for full application security coverage. Consider upgrading to full Veracode platform for enterprise-scale needs.

Regulatory Fit (per regulation verdict)

| Regulation | Coverage | Verdict |
|---|---|---|
| PCI DSS v4.0 | ~14% of requirements | ● Moderate — Req. 6.2 (web app scanning), Req. 6.4 (public-facing app protection) |
| DORA | ~8% of obligations | △ Supporting only — Art. 8(5) ICT testing methodologies |
| NIS2 | ~6% of Art. 21 | △ Supporting only — Art. 21(2)(e) vulnerability identification |
| GDPR | ~3% of articles | △ Minimal — Art. 32 (security of processing via secure apps) |
| HIPAA | ~4% of provisions | △ Minimal — §164.312(e) transmission security via app hardening |
| OWASP Top 10 | ~8 of 10 categories | ✔ Strong — A01-A10 automated detection (injection, XSS, misconfig, SSRF) |
Detailed regulatory mapping (OLIR format)

PCI DSS v4.0 (PROPRIETARY)

| Focal | Obligation | OLIR Rel. | Hub Ref | Rationale |
|---|---|---|---|---|
| Req. 6.2.4 | Web application vulnerability scanning | Direct | RA-5 / ID.RA-01 | Functional |
| Req. 6.4.1 | Protect public-facing web apps | Contributing | SA-11 / PR.PS-06 | Semantic |
| Req. 11.3.1 | External vulnerability scans | Contributing | RA-5 / ID.RA-01 | Semantic |

DORA (OPEN_GOV)

| Focal | Obligation | OLIR Rel. | Hub Ref | Rationale |
|---|---|---|---|---|
| Art. 8(5) | ICT testing methodologies | Contributing | SA-11 / PR.PS-06 | Semantic |
| Art. 24(1) | Threat-led penetration testing | Contributing | CA-8 / RS.AN-02 | Semantic |

NIS2 (OPEN_GOV)

| Focal | Obligation | OLIR Rel. | Hub Ref | Rationale |
|---|---|---|---|---|
| Art. 21(2)(e) | Security in system acquisition/dev | Contributing | SA-11 / PR.PS-06 | Semantic |
| Art. 21(2)(d) | Supply chain security | Contributing | SR-3 / GV.SC-05 | Semantic |

Articles without contribution omitted. Full OLIR mapping available in Audit Pack export.

🎯 Buyer Guidance (Decision support)

✔ Consider When

  • + Need lightweight automated DAST for OWASP Top 10 compliance
  • + SMB or mid-market team without dedicated AppSec engineers
  • + PCI DSS Req. 6.2/6.4 web application scanning requirement
  • + CI/CD pipeline integration for continuous security testing
  • + Quick setup required — no on-prem infrastructure available
  • + Budget-conscious team needing affordable DAST entry point

❌ Avoid When

  • Enterprise-scale application security program needed
  • Need SAST, SCA, or IAST in addition to DAST
  • Complex authenticated scanning with multi-step workflows
  • Mobile application testing required
  • Need advanced API discovery and fuzzing capabilities
  • Require on-prem deployment for air-gapped environments
Capabilities (19 claimed · 4 groups · DR-2 Quality Tiers + Config Modifiers)

Automated Scanning (4✓ 1● 0✗)

| Capability | Description | Quality Tier | Config Modifier |
|---|---|---|---|
| OWASP Top 10 scanning | Automated detection of A01-A10 vulnerabilities | Specific Obl. | Out-of-Box |
| Scheduled recurring scans | Cron-based automated scan scheduling | Control Family | Out-of-Box |
| Multi-target scanning | Scan multiple domains/subdomains in parallel | Control Family | Config Change |
| Crawl-based discovery | Automatic sitemap and endpoint enumeration | Generic Control | Out-of-Box |
| Authenticated scanning | Login-based scanning with session management | Control Family | Config Change |

Vulnerability Detection (4✓ 1● 0✗)

| Capability | Description | Quality Tier | Config Modifier |
|---|---|---|---|
| SQL injection detection | Error-based, blind, time-based SQLi | Specific Obl. | Out-of-Box |
| XSS detection | Reflected, stored, DOM-based XSS | Specific Obl. | Out-of-Box |
| Security misconfiguration | Headers, CORS, SSL/TLS, directory listing | Specific Obl. | Out-of-Box |
| SSRF detection | Server-Side Request Forgery identification | Control Family | Out-of-Box |
| API vulnerability testing | REST API endpoint security testing | Control Family | Config Change |

CI/CD Integration (4✓ 0● 0✗)

| Capability | Description | Quality Tier | Config Modifier |
|---|---|---|---|
| Jenkins plugin | Native Jenkins pipeline integration | Control Family | Out-of-Box |
| GitLab CI integration | YAML template for GitLab pipelines | Control Family | Config Change |
| GitHub Actions support | Marketplace action for GitHub workflows | Control Family | Config Change |
| REST API | Programmatic scan triggering and results retrieval | Control Family | Out-of-Box |

Reporting (4✓ 1● 0✗)

| Capability | Description | Quality Tier | Config Modifier |
|---|---|---|---|
| OWASP Top 10 report | Pre-built compliance template with severity mapping | Specific Obl. | Out-of-Box |
| PDF/HTML export | Downloadable scan results for auditors | Generic Control | Out-of-Box |
| Trend dashboard | Historical vulnerability trend tracking | Generic Control | Out-of-Box |
| Remediation guidance | Fix recommendations per vulnerability | Data Surfaced | Out-of-Box |
| Jira/ticketing integration | Auto-create tickets for findings | Control Family | Config Change |
🛡 MITRE ATT&CK Mapping (Layer 4 — Derived via SP 800-53)

| Mitigation | Name | Coverage |
|---|---|---|
| M1016 | Vulnerability Scanning | Full (claimed) |
| M1050 | Exploit Protection | Partial (claimed) |
| M1013 | Application Developer Guidance | Partial (claimed) |

Score: 2.8 / 5.0 (56%) — All vendor-claimed. Techniques addressed: T1190, T1059, T1203 (exploitation & injection family).

ATT&CK techniques detail

| Technique | Name | How Addressed | Provenance |
|---|---|---|---|
| T1190 | Exploit Public-Facing Application | DAST scanning identifies exploitable web app vulnerabilities before attackers | DERIVED via M1016 |
| T1059 | Command and Scripting Interpreter | Detects injection flaws (SQL, OS command injection) in running applications | DERIVED via M1016 |
| T1203 | Exploitation for Client Execution | Identifies XSS and client-side injection vulnerabilities | DERIVED via M1050 |
📄 Evidence Pack (DR-2 §5.1 — Proof of value)

  • DAST scan reports (PDF/HTML): Detailed vulnerability findings with OWASP mapping. Exportable.
  • OWASP Top 10 compliance report: Pre-built compliance template with pass/fail per category.
  • CI/CD pipeline logs: Scan execution logs with pass/fail gate decisions.
  • Remediation recommendations: Fix guidance per vulnerability with code examples.
  • Third-party validation: No independent third-party testing publicly available.
  • SOC 2 Type II report: Available via Veracode parent company.

Evidence level: Documentary review only (CL Listed). For verified evidence, upgrade to CAE (Examine + Interview) or EEE (+ Test).

Operational Metrics & Anti-Hype (DR-2 §5.1 + §9.2)

| Metric | Essentials (Single Target) | Professional (Multi-Target) | Enterprise (Full Veracode) |
|---|---|---|---|
| Implementation | 1-2 days | 1-2 weeks | 4-8 weeks |
| FTE Required | 0.1 FTE | 0.25 FTE | 0.5 FTE |

Time to first value: Day 1 (first scan results within hours of signup)
Time to production: Week 1-4 (all targets onboarded, CI/CD gates active, scan schedules configured)

Anti-Hype: Marketing vs. Reality

| Marketing claim | Reality | Verdict |
|---|---|---|
| Full OWASP Top 10 coverage | Covers 8 of 10 categories effectively. A04 (Insecure Design) and A08 (Software Integrity) require manual review. | Partial |
| 5-minute setup | Basic scan can start in minutes. Authenticated scanning and CI/CD integration require additional configuration. | Partial |
| Enterprise-grade DAST | SMB-focused tool. Lacks advanced features like macro recording, complex auth flows, and IAST correlation. | Misleading |
| Seamless Veracode integration | Integration with Veracode platform is ongoing post-acquisition. Some features still operate independently. | Partial |
| Zero configuration needed | Works out-of-box for simple sites. SPAs, APIs, and authenticated areas require significant configuration. | Misleading |
Strengths & Cautions

✔ Strengths

  • + Extremely fast time-to-value — first scan in minutes
  • + SMB-friendly pricing and self-service model
  • + Strong OWASP Top 10 automated detection
  • + Native CI/CD integration (Jenkins, GitLab, GitHub Actions)
  • + Cloud-native SaaS — no infrastructure required
  • + Clean UI with actionable remediation guidance
  • + Part of Veracode ecosystem for future growth path

⚠ Cautions

  • ! Limited to DAST only — no SAST, SCA, or IAST
  • ! Authenticated scanning capabilities are basic compared to enterprise tools
  • ! Post-acquisition Veracode integration still maturing
  • ! No on-prem deployment option
  • ! Limited API testing depth — no GraphQL or gRPC support
  • ! No mobile application testing capability
  • ! All capabilities VENDOR-CLAIMED (no CL independent testing)
📈 Competitive Positioning (Category 9 — DAST)

Capabilities compared across Crashtest Security (Veracode DAST Essentials) test, Invicti, HCL AppScan and Acunetix (per-vendor ratings for these rows are not recoverable from this extract): OWASP Top 10 scanning, Authenticated scanning, API security testing, CI/CD integration, IAST capability, On-prem deployment.

| Capability | Crashtest Security (Veracode DAST Essentials) test | Invicti | HCL AppScan | Acunetix |
|---|---|---|---|---|
| Pricing entry | SMB-friendly | Enterprise | Enterprise | Mid-market |

Competitive data based on public information. CL has not evaluated these alternatives — for detailed assessment, see individual CL Listings.

📑 Framework Views (Hub: CSF 2.0 + 800-53r5 + ISO 27001)

NIST SP 800-53 Rev 5

| Control | Name | Contribution | Provenance |
|---|---|---|---|
| RA-5 | Vulnerability Monitoring & Scanning | direct | DERIVED via PCI DSS 6.2 |
| SA-11 | Developer Testing & Evaluation | contributing | DERIVED via PCI DSS 6.4 |
| SI-10 | Information Input Validation | direct | DERIVED via OWASP A03 |
| CA-8 | Penetration Testing | contributing | CL-ORIGINAL |

NIST CSF 2.0

| Function | Control | Contribution | Provenance |
|---|---|---|---|
| IDENTIFY | ID.RA-01 Vulnerability identification | direct | DERIVED via RA-5 |
| PROTECT | PR.PS-06 Secure software development | contributing | DERIVED via SA-11 |
| DETECT | DE.CM-09 Software monitoring | contributing | CL-ORIGINAL |
| RESPOND | RS.AN-02 Impact analysis | contributing | CL-ORIGINAL |

ISO 27001:2022 Annex A

| Control | Name | Contribution | Provenance |
|---|---|---|---|
| A.8.29 | Security testing in dev & acceptance | direct | DERIVED via NIS2-ISO |
| A.8.8 | Management of technical vulnerabilities | direct | DERIVED via OWASP-ISO |
| A.8.25 | Secure development life cycle | contributing | CL-ORIGINAL |
| A.8.9 | Configuration management | contributing | CL-ORIGINAL |

Vendor Security Practices (SSDF / CRA)

| SSDF ID | Practice | Status |
|---|---|---|
| PW.1 | Risk-based secure design | Claimed |
| RV.2 | Timely vulnerability remediation | Claimed |
| PO.5 | Secure development environment | Claimed |
| PS.3 | SBOM available | Not stated |
| RV.1 | Vulnerability disclosure program | Claimed |
| PS.2 | Code signing | Unknown |

Compliance Labs · Software Listing v3.5 · OLIR Schema Hub: CSF 2.0 ↔ 800-53r5 ↔ ISO 27001 · April 2026