What it is
These tools exercise a deployed application over its real protocols, typically HTTP and HTTPS, without needing source code. They crawl endpoints, mutate parameters, inject payloads, and watch for responses that indicate a vulnerability. Because the scan runs against a live target, it naturally captures environmental configuration — TLS, headers, cookies, CDN rules — that static analysis cannot see.
Why it matters
Most exploitable defects only surface when code, data, and configuration interact at runtime. It is the closest analogue to an external attacker's viewpoint: it observes what the service actually emits, not what a static analyser infers it should emit. For API-heavy services, a modern scanner that speaks OpenAPI and GraphQL introspection gives meaningful coverage per scan hour.
Mitigation direction
Pair scans with authenticated sessions and a realistic seed corpus so crawlers reach deep routes, not just the login page. Treat the findings as hypotheses that must be promoted to proof before triage, and automate re-runs against staging so regressions surface inside CI rather than production.
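The following is an added example, not code from the original page or from any scanner the page describes. It shows the crawl-mutate-observe loop from "What it is" and the authenticated-session and hypothesis points from "Mitigation direction" in one harness. The target is a constructed in-process WSGI app (`target_app`), and `fetch`, `LinkParser` and `scan` are hypothetical names; the app is driven directly so the whole thing runs offline. The mutation payload is a unique inert marker rather than an attack string: the scanner only asks whether a parameter comes back unescaped and records that as a hypothesis for a human to confirm.

```python
"""Added example (not from the original page): a minimal black-box scan harness
run against a constructed in-process WSGI application, so it works offline.
Hypothetical names: target_app, fetch, LinkParser, scan."""
import html
import uuid
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode, urljoin, urlsplit, urlunsplit


def target_app(environ, start_response):
    """Constructed stand-in for a deployed service. /account needs a session
    cookie and reflects ?name= without escaping; /search escapes ?q= correctly."""
    path = environ.get("PATH_INFO", "/")
    query = dict(parse_qsl(environ.get("QUERY_STRING", "")))
    authed = "session=ok" in environ.get("HTTP_COOKIE", "")
    headers = [("Content-Type", "text/html")]
    if path == "/":
        body = ('<a href="/login">Login</a> <a href="/search?q=test">Search</a> '
                '<a href="/account?name=me">Account</a>')
    elif path == "/login":
        body = '<form method="post"><input name="user"><input name="pw"></form>'
    elif path == "/search":
        body = "Results for " + html.escape(query.get("q", ""))  # escaped: safe
    elif path == "/account":
        if not authed:  # deep route: invisible to an unauthenticated crawl
            start_response("302 Found", [("Location", "/login")])
            return [b""]
        body = "Welcome " + query.get("name", "")  # unescaped reflection
    else:
        start_response("404 Not Found", headers)
        return [b"not found"]
    start_response("200 OK", headers)
    return [body.encode()]


def fetch(app, url, cookie=""):
    """Drive the WSGI app directly (no sockets); returns (status code, body)."""
    parts = urlsplit(url)
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": parts.path,
               "QUERY_STRING": parts.query, "HTTP_COOKIE": cookie}
    status = []

    def start_response(line, _headers):
        status.append(int(line.split()[0]))

    body = b"".join(app(environ, start_response)).decode()
    return status[0], body


class LinkParser(HTMLParser):
    """Collect href targets of <a> tags for the crawl frontier."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]


def scan(app, seeds, cookie=""):
    """Crawl from the seed URLs, mutate every query parameter with a unique
    benign marker, and record unescaped reflections as hypotheses to confirm.
    Returns (sorted visited URLs, findings)."""
    queue, seen, findings = list(seeds), set(), []
    while queue:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        status, body = fetch(app, url, cookie)
        if status != 200:
            continue
        parser = LinkParser()
        parser.feed(body)
        for link in parser.links:
            if not urlsplit(link).netloc:  # stay in scope: same origin only
                queue.append(urljoin(url, link))
        parts = urlsplit(url)
        params = dict(parse_qsl(parts.query))
        for name in params:
            marker = "<zz" + uuid.uuid4().hex[:8] + ">"  # unique, inert token
            mutated = urlunsplit(parts._replace(query=urlencode({**params, name: marker})))
            _, reply = fetch(app, mutated, cookie)
            if marker in reply:  # came back verbatim, i.e. not HTML-escaped
                findings.append({"path": parts.path, "param": name,
                                 "status": "hypothesis",
                                 "evidence": "marker reflected without HTML escaping"})
    return sorted(seen), findings


if __name__ == "__main__":
    for label, cookie in (("unauthenticated", ""), ("authenticated", "session=ok")):
        visited, findings = scan(target_app, ["/"], cookie)
        print(label, "visited:", visited, "findings:", findings)
```

Run without a cookie and the crawl reaches `/account` but is redirected, so the unescaped `name` parameter is never exercised; seed the session cookie and the same crawl reports it. In a CI step the natural gate is to fail the job when `findings` is non-empty (or differs from an accepted baseline), with each entry still labelled `hypothesis` until someone reproduces it against the real response.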