In 2025, we engineered a truly new era of modern DAST.

We unlocked next-gen assessments with “infinite” payloads, eliminated the trade-off between broad attack surface visibility and deep application testing, and found the ultimate balance between human ingenuity and machine intelligence with our AI Researcher, Alfred. The result? A modern DAST product that delivers unmatched innovation and accuracy in the AppSec space.

Read on for our highlights of the year and a look at the top vulnerabilities we found

**Detectify: DAST + ASM **

The AppSec space is moving decisively past the idea that “knowing what you have” and “testing what you have” are separate problems. We’ve long argued that attack surface discovery & mapping is the first, non-negotiable phase of dynamic testing. If you fail here, the subsequent phases—crawling, fuzzing, and verification—are useless for the assets you missed.

In 2025, we saw the “traditional” DAST model—where you manually configure scan profiles for known assets—struggle to keep up with decentralized, multi-cloud environments. Vulnerabilities often arise at the interfaces between microservices and cloud components, areas that static lists of IPs often miss.

By combining DAST with Attack Surface Management (ASM), we reinvented DAST as a method applied to the entire attack surface, not just a tool for isolated apps. This approach allows us to feed context into the scanner, ensuring that we aren’t just finding assets, but understanding their technology stack to be able to recommend which ones you should be deep testing.

• Read more:Guide to Dynamic Application Security Testing
• **Resource: **DNS & Subdomain Takeover: The AppSec Blind Spot

Product updates roundup

We shipped a great number of features this year, focusing on depth, accuracy, and “breaking the illusion of coverage.”

Next-gen Assessment: API Scanning with Dynamic Payloads

APIs are the connective tissue of the modern web, and traditional scanners relying on finite wordlists simply can’t cover the complexity of custom endpoints. This year, we introduced Dynamic Payloads, a fuzzing engine capable of generating over 922 quintillion unique payloads for a single vulnerability type (like prompt injection).

How does it work? We introduced the concept of a “seed number”—a value that deterministically generates a specific subset of payloads from an “infinite” list. This allows us to run massive, randomized fuzzing campaigns while ensuring every scan is reproducible.

• Smart Fuzzing: The system uses Machine Learning to identify which “seeds” are most effective at finding bugs, prioritizing them for future scans.
• Response Comparison: The engine analyzes anomalies—like a 403 flipping to a 200 or unexpected content length changes—to detect logic flaws without needing prior knowledge of the API’s internal workings.

We’ve significantly enhanced our API Scanner since its launch, rolling out new updates to streamline the automation of security testing. This includes supporting a wider variety of APIs, particularly those utilizing modern OAuth flows, and dramatically improving our coverage for broken authentication issues, such as weak JSON Web Token (JWT) implementations.

• Learn more:API Scanning
• The tech:Infinite Payloads: The future of API testing with dynamic fuzzing

Intelligent Recommendations and Classifications

Our research found a startling stat: organizations are missing 9 out of 10 of their complex, content-rich web applications when selecting targets for deep scanning. To solve this, we launched Asset Classification.

This feature mimics hacker reconnaissance by analyzing response data to categorize assets. We look for specific indicators of “complex web apps”:

• Status Codes & Body Length: Filtering for 200 OK and bodies >100 characters.
• Interaction Points: Identifying login forms, input fields, and even cookie consent forms.
• Tech Stack: Analyzing headers (like CSP) and frameworks.

Based on this “complexity score,” Detectify now provides Intelligent Scan Recommendations, telling you exactly which assets warrant a full DAST assessment and which can be monitored lightly. This ensures you aren’t wasting time configuring scans while leaving your business-critical apps exposed.

• Blog:Redefining AppSec testing with intelligent scan recommendations
• E-book:The AppSec Guide to Asset Classification

Solving Scan Interference

A clean scan report should mean you are secure, not that your WAF successfully blocked the scanner. This year, we released Scan Interference Detection.

We now actively verify if our scanner is being throttled or blocked by sending specific “wafcheck” payloads (e.g., /x?wafcheck=…) and comparing the response to a clean request. If we detect interference, we flag it immediately so you can whitelist our improved scanner IPs. This transparency ensures your results reflect the true state of your application, not the configuration of your firewall.

Vulnerabilities and threats

Our scanning engine is powered by a unique combination of automated crawling and human ingenuity. This year, that combination got even smarter with Alfred, our fully autonomous AI security researcher. It has revolutionized how we build security tests for CVEs, delivering over 450 validated tests with a 70% “zero manual adjustment” rate during the first six months.

Since Q4, Alfred sources both vulnerabilities and active threat actor data. This allows it to prioritize **actively weaponized CVEs **those being used right now by APTs and cybercriminals. This shift ensures that Detectify customers are tested against the vulnerabilities that have the highest probability of being exploited in the wild, often within hours of disclosure.

• Read the update:Alfred gets smarter with threat actor intelligence
• Lab notes on how we built Alfred:AI Agents building security tests

Featured vulnerabilities of the year

2025 was a year where “legacy” misconfigurations collided with modern framework failures. From the panic of new RCEs in React to the relentless exploitation of edge devices, the threat landscape was unforgiving. Thanks to the combined power of our Crowdsource community, internal research team, and Alfred’s enhanced threat intelligence, we were able to weaponize tests for these critical issues (often within hours of disclosure).

Here are the vulnerabilities that defined the year, selected by our researchers for their severity, ubiquity, and the sheer panic they caused in the security community.

CVE-2025-55182: The “React2Shell” Crisis (CVSS 10.0)

This CVSS 10.0 vulnerability demanded attention as it exposed React’s Server Components to unauthenticated remote code execution, affecting millions of modern websites. It generated Log4Shell-levels of panic and was immediately weaponized by China-nexus state actors to compromise web infrastructure globally.

CVE-2025-54253: Adobe AEM’s “Perfect” Storm (CVSS 10.0)

With a CVSS 10.0 severity, this misconfiguration in Adobe Experience Manager allowed unauthenticated attackers to execute code via the exposed Struts2 “DevMode.” It is clear example of how a single forgotten debug endpoint can lead to total system takeover in high-value enterprise environments.

CVE-2025-25257: FortiWeb SQL Injection (CVSS 9.8)

This critical SQL injection vulnerability allowed unauthenticated attackers to execute commands as root on Fortinet’s Web Application Firewalls. It stands out because it compromised the very device meant to protect the network, turning the shield into a weapon for attackers.

CVE-2025-53770 & CVE-2025-53771: The “ToolShell” Chain (SharePoint) (CVSS 9.8 and 6.5)

This chained vulnerability allowed attackers to bypass authentication via header spoofing (53771) and subsequently execute arbitrary code (53770) on on-premise SharePoint servers. Nominated for its ubiquity and severity, the “ToolShell” chain was rapidly adopted by ransomware gangs to breach internal networks and encrypt entire file repositories.

CVE-2025-0282: The Ivanti Zero-Day (CVSS 9.0)

This vulnerability from early in the year allowed unauthenticated attackers to hijack VPN sessions, continuing the relentless trend of edge exploitation. It was exploited as a zero-day by suspected espionage groups (UNC5221), who used it to deploy webshells before a patch was even available.

Detectify vs. Competitors

The DAST market is crowded, and on the surface, many tools look identical. But dig a little deeper, and the differences in philosophy become clear.

Some platforms are built for the SOC (casting a wide, shallow net to gather compliance data and potential risks across infrastructure). Others, like Detectify, are more focused on **AppSec **and uniquely designed to go broad and deep, source the latest CVEs and non-CVE threats, prove exploitability with payloads, and fit seamlessly into your workflows.

In 2025, we published a transparentDetectify vs. Competitors blog series to help you navigate these differences. Whether you need the broad compliance reporting of a platform giant or the hacker-driven precision of a modern DAST, we believe you should choose the tool that fits your team’s DNA.

Need a framework to decide? We also released theDAST Buyer’s Guide 2026. It moves beyond simple feature checklists and evaluates the market across 8 technical criteria—from discovery capabilities to developer workflow. Use it to answer the only question that matters: what do you need to do?