Most guides on dynamic code analysis tools stop at web-app DAST — Burp Suite, OWASP ZAP, done. That leaves half the picture missing. Native applications, system daemons, parsers, and embedded firmware are tested with an entirely different family of tools: runtime sanitizers, memory profilers, and coverage-guided fuzzers. This guide covers both worlds — web DAST and systems-level dynamic analysis tools — with honest assessments, CI/CD placement maps, and a decision matrix so you can build the right stack for your use case.
What Is Dynamic Code Analysis?
Dynamic code analysis is the practice of examining a program's behavior while it executes rather than inspecting its source code at rest. The core insight is that many bug classes — authentication bypasses, memory corruption, race conditions, uninitialized variable reads — only manifest when real inputs flow through real execution paths at runtime. No amount of source-code inspection can substitute for observing the program in motion.
Dynamic analysis operates at two distinct layers:
- Application layer — tools that interact with a running application over its public interface (typically HTTP/S for web apps). These are called DAST tools (Dynamic Application Security Testing). They require no source code or special build flags; they treat the application as a black box.
- Systems layer — tools that instrument compiled binaries or intercept system calls at runtime. Sanitizers, memory debuggers, and fuzzers live here. They require either a specially compiled binary (sanitizers) or a binary executed inside a dynamic instrumentation framework (Valgrind, DynamoRIO).
Both layers are genuinely distinct disciplines. A web application is also native code under the hood — its C runtime, TLS library, and compression codec are all susceptible to the memory-safety bugs that DAST cannot probe. Conversely, runtime sanitizers cannot speak HTTP and will never find an authentication bypass. A complete dynamic analysis program uses tools from both families.
Dynamic analysis complements — but does not replace — static application security testing (SAST). The standard recommendation from OWASP DAST guidance and NIST is to run static analysis on every pull request and dynamic analysis against every staging deployment, layering coverage rather than choosing one approach over the other.
Static and Dynamic Code Analysis Tools: How They Differ
The two categories of tooling answer fundamentally different questions about code quality and security. Understanding the boundary helps you decide which tool family to deploy first and where each fits in your pipeline.
| Dimension | Static analysis tools | Dynamic analysis tools |
|---|---|---|
| What they examine | Source code, bytecode, or binaries — without execution | Running program behavior, memory state, network responses |
| When they run | CI — on every PR/commit, before deployment | Against deployed staging env (DAST) or in sanitizer builds (runtime) |
| What they find well | Hardcoded secrets, injection patterns, insecure crypto, taint flows | Auth bypasses, memory corruption, race conditions, runtime config errors |
| What they miss | Anything that requires runtime context or live inputs | Dead-code vulnerabilities that execution paths never reach |
| False-positive rate | Higher — no execution context to confirm exploitability | Lower — findings are observed, not inferred |
| Setup cost | Low — add to CI with a YAML step | Medium-high — requires a running environment or sanitizer build |
For a deep-dive into the static side of this equation, see the complete guide to static code analysis tools. Java teams looking for static-only coverage can also consult the Java static code analysis tools guide. This article focuses on the dynamic half of the stack.
The phrase static and dynamic code analysis tools is often used in procurement conversations to mean "full-spectrum analysis." In practice, the two families have almost no overlap — they share no underlying techniques and target different bug classes. Buying one does not make the other redundant.
DAST vs Runtime Sanitizers: Two Worlds of Dynamic Analysis
Even within dynamic analysis tools, there is a critical architectural divide that most buying guides gloss over. DAST tools and runtime sanitizers are not competing products for the same job — they operate at entirely different abstraction layers.
DAST: Black-Box HTTP Testing
DAST tools interact with a deployed application over its public network interface. They crawl endpoints, authenticate, and fire crafted payloads — SQL fragments, XSS strings, path traversal sequences, deserialization gadget chains — observing the HTTP responses and any observable side effects. The tool has no visibility into memory or source code. Its findings are exploitable by definition: if a payload causes a visible error or data leak over HTTP, the vulnerability is real and reachable.
DAST is the right tool when you need to verify that a deployed web application is secure from an attacker's perspective. It catches server misconfigurations, authentication weaknesses, and injection vulnerabilities that survive all the way to production.
Runtime Sanitizers: Instrumented Binary Analysis
Runtime sanitizers — AddressSanitizer, ThreadSanitizer, MemorySanitizer, UBSan — are compiler plugins that rewrite your program at build time, inserting checks at every memory access, thread synchronization, and arithmetic operation. When the instrumented program runs and violates a memory safety rule, the sanitizer terminates the process and prints a precise, symbolized diagnostic: the bad-access address, the allocation site, the call stack at the point of violation.
Sanitizers are the right tool when you need to certify the memory safety and concurrency correctness of C, C++, Rust unsafe blocks, or any language with native extensions. They find bugs that DAST will never see because the bugs exist below the HTTP layer — in the TLS implementation, the JSON parser, the image decoder.
The Overlap: Runtime Behavior of Web Applications
Modern web applications run native code for performance-critical paths. A Node.js server runs a native V8 engine. A Python web app links against a C cryptography library. A Go service uses CGo to call a C library. For these components, combining DAST (testing the HTTP surface) with sanitizer builds of the underlying native code (testing memory safety) produces genuinely comprehensive dynamic code scanning coverage.
Top Dynamic Code Analysis Tools for Web Applications
The web DAST category has a clear tier structure: a dominant commercial leader, a widely adopted open-source alternative, and several specialized or enterprise-grade options. Here is an honest assessment of each for 2026.
Burp Suite (PortSwigger)
Burp Suite Professional remains the gold standard for manual-assisted web application security testing. Its intercepting proxy, Repeater, Intruder, and Scanner modules give security engineers precise control over every HTTP interaction. The automated scanner covers the OWASP Top 10 with high accuracy; the manual tooling lets researchers dig deeper into authentication flows, business logic, and multi-step attack chains that automated crawlers miss.
Burp Suite Enterprise Edition (2026 pricing: from $6,995/year per application) adds scheduled CI/CD scanning, a REST API for pipeline integration, and centralized report management. For teams that need DAST at scale without manual intervention, Enterprise is the cleaner choice. For security engineers doing manual penetration testing, Professional is still the industry standard.
OWASP ZAP (Zed Attack Proxy)
OWASP ZAP is the most widely deployed open-source entry among free dynamic code scanning tools and the default choice for teams with a limited security budget. Its automation framework supports full CI/CD integration via Docker, GitHub Actions, and a YAML-based rules engine. The 2024 transition to ZAP 2.14 and the active-scan rule improvements make it genuinely production-capable for most web application stacks.
ZAP's strengths: zero cost, full scriptability, strong community support, and a Docker image that integrates with any pipeline in a few lines of YAML. Its limitations: the authenticated scan setup is more labor-intensive than commercial tools, and false-positive management requires manual tuning. For teams willing to invest in configuration, ZAP delivers 80–85 percent of what commercial DAST tools offer at no licensing cost.
Acunetix (Invicti)
Acunetix focuses on depth over breadth — its DeepScan technology uses a headless browser to crawl JavaScript-heavy single-page applications more accurately than traditional HTTP spiders. It excels at finding vulnerabilities in Angular, React, and Vue frontends that simpler crawlers treat as impenetrable. Acunetix Standard starts at approximately $4,500 per year for five targets; the Enterprise tier adds network scanning and multi-user management. Well-suited to teams with complex SPAs or heavy use of client-side rendering.
Nuclei (ProjectDiscovery)
Nuclei takes a template-driven approach to dynamic code scanning: a large community-maintained library of YAML templates defines checks for known CVEs, misconfigurations, exposed panels, and exposed secrets. Nuclei is not a full DAST scanner — it does not generate novel attack payloads — but it is exceptionally fast at verifying whether a known vulnerability class is present across a large attack surface. It is free, open-source, and integrates easily into CI/CD via GitHub Actions. Teams use it alongside ZAP or Burp for broad-surface CVE sweeps and asset discovery.
HCL AppScan
HCL AppScan (formerly IBM AppScan) is an enterprise DAST and SAST platform targeting regulated industries — banking, healthcare, government — that require FedRAMP, PCI DSS, and HIPAA compliance reporting out of the box. Its DAST engine covers REST and SOAP APIs in addition to traditional web UIs, and its policy framework maps findings directly to compliance control requirements. The trade-off is cost and complexity: AppScan is designed for dedicated AppSec teams, not developer self-service.
Veracode Dynamic Analysis
Veracode's Dynamic Analysis module is the DAST component of the broader Veracode platform. Its primary advantage is unified policy management across SAST, DAST, and SCA in a single dashboard — attractive for enterprises already using Veracode Static Analysis. The scanner itself is comparable to Acunetix in depth; the differentiated value is the integrated reporting, ticketing integrations, and compliance dashboards rather than raw scan accuracy.
| Tool | Type | Best for | Pricing | CI/CD |
|---|---|---|---|---|
| Burp Suite Pro | Commercial | Manual pen testing, deep research | $449/yr per user | Via Enterprise edition |
| OWASP ZAP | Open source | CI/CD automated scanning, budget teams | Free | Native Docker/Actions |
| Acunetix | Commercial | SPA / JavaScript-heavy apps | From $4,500/yr | REST API + Jenkins |
| Nuclei | Open source | CVE sweeps, asset surface validation | Free | GitHub Actions |
| HCL AppScan | Commercial | Compliance-driven enterprises | Custom | Jenkins, Azure DevOps |
| Veracode Dynamic | Commercial | Unified platform buyers | Custom | Veracode platform API |
Runtime and Memory Dynamic Analysis Tools
Systems-level dynamic analysis tools operate on compiled binaries. They are indispensable for any project with C or C++ code, Rust unsafe blocks, or native extensions to higher-level languages. Unlike DAST tools, they do not require a network interface — they run during unit tests, integration tests, or fuzz campaigns.
Valgrind (Memcheck)
Valgrind is the longest-standing dynamic analysis framework for Linux native programs. Its default tool, Memcheck, instruments every memory operation via binary translation — no recompilation required. Memcheck detects heap buffer overflows, use-after-free accesses, use-of-uninitialized values, memory leaks, and invalid frees with high precision.
The trade-off is runtime overhead: Valgrind programs typically run 20–50x slower than uninstrumented code. This makes it unsuitable for production monitoring or CI pipelines with tight time budgets, but ideal for targeted debugging sessions when a crash needs a precise root cause. Valgrind's Callgrind and Massif tools extend the framework to CPU profiling and heap profiling respectively.
AddressSanitizer (ASan)
AddressSanitizer
is a compiler-based sanitizer included in both GCC and Clang. Compile
with -fsanitize=address and ASan inserts shadow-memory checks at every load
and store. It catches heap and stack buffer overflows, use-after-free, use-after-return,
and use-after-scope bugs with a runtime overhead of roughly 2x — fast enough to run the
full test suite in CI on every pull request.
ASan produces symbolized stack traces that pinpoint the exact source line of both the bad access and the allocation that was corrupted. Combined with DAST scanning on the HTTP surface, running the server binary under ASan during integration tests gives you memory-safety coverage of the code paths that DAST exercises — catching bugs that DAST's HTTP-level view can never observe.
ThreadSanitizer (TSan)
ThreadSanitizer detects data races — unsynchronized concurrent accesses to shared memory
where at least one access is a write. Data races are notoriously hard to reproduce because
they depend on precise thread interleaving. TSan instruments every memory access and lock
operation, maintaining a happens-before graph that can detect races even when they do not
manifest as visible crashes. Compile with -fsanitize=thread; TSan cannot be
combined with ASan in the same build (use separate ASan and TSan builds in CI).
MemorySanitizer and UBSan
MemorySanitizer (MSan, -fsanitize=memory) detects reads of uninitialized
memory — a class of bug that ASan misses. It requires Clang and a fully instrumented
standard library, which makes setup more involved. UndefinedBehaviorSanitizer (UBSan,
-fsanitize=undefined) catches signed integer overflow, out-of-bounds array
indexing, misaligned memory access, and other C/C++ undefined behavior — errors that are
technically illegal but often silently produce wrong results rather than crashes.
DynamoRIO
DynamoRIO is a dynamic binary instrumentation framework for Windows and Linux. Where sanitizers require recompilation, DynamoRIO instruments binaries at runtime via a JIT compiler. This makes it useful for analyzing closed-source components, system libraries, or legacy binaries where source is unavailable. Its client API enables custom analysis tools — Dr. Memory (a Memcheck equivalent for Windows), cache simulators, and custom taint-tracking tools are all built on DynamoRIO.
Fuzzing as Modern Dynamic Code Scanning
Fuzzing — also called fuzz testing — is a dynamic code scanning technique that generates large volumes of semi-random inputs, feeds them to the target program, and monitors for crashes, assertion failures, sanitizer errors, or hangs. Modern coverage-guided fuzzers instrument the binary to track which code branches each input exercises, then use that coverage feedback to mutate inputs toward unexplored paths. The result is a self-steering test suite that methodically explores the program's attack surface faster than any human-written test suite could.
libFuzzer + AddressSanitizer
libFuzzer is LLVM's built-in coverage-guided fuzzing engine. Compile a fuzz target with
-fsanitize=fuzzer,address and libFuzzer drives the target with mutated inputs,
using ASan to detect memory corruption the moment it occurs. This combination — libFuzzer
for input generation, ASan for bug detection — is the standard approach for fuzzing C and
C++ parsers, codecs, protocol handlers, and cryptographic implementations. Google's
internal data shows libFuzzer+ASan has found more critical memory safety bugs than any
other technique in their C++ codebase.
AFL++ (American Fuzzy Lop plus plus)
AFL++ is the community-maintained successor to the original AFL fuzzer, with substantially improved mutation strategies, QEMU mode for black-box binary fuzzing, and persistent mode for in-process fuzzing. It is particularly effective for file-format parsers (image decoders, archive extractors, document parsers) where the input grammar is complex enough to make pure random mutation ineffective. AFL++'s QEMU mode allows fuzzing binaries without source code — bridging the gap between DAST-style black-box testing and source-level fuzzing.
OSS-Fuzz
OSS-Fuzz is Google's continuous fuzzing service for critical open-source projects. Once a project integrates with OSS-Fuzz (by providing a build script and fuzz targets), Google runs the fuzzers on a large cluster around the clock, automatically filing bugs and verifying fixes. Since its 2016 launch, OSS-Fuzz has found over 13,000 vulnerabilities and fixed more than 50,000 bugs in projects including curl, OpenSSL, SQLite, FFmpeg, and the Linux kernel. If your project is open source and security-critical, integrating with OSS-Fuzz is the highest-ROI fuzzing investment available.
Dynamic Analysis in CI/CD Pipelines
Integrating dynamic analysis tools into a CI/CD pipeline requires more thought than adding static analysis, because dynamic tools need a running environment. The following placement map works for most teams:
CI Stage (Per Pull Request)
- Sanitizer builds — compile with ASan + UBSan and run the full unit and integration test suite. This adds roughly 2x runtime but catches memory and UB bugs on every merge. TSan builds can run on a slower nightly schedule if the test suite is large. The binary-analysis angle is also relevant here — see the binary comparison guide for techniques to diff instrumented and uninstrumented build outputs.
- Nuclei CVE sweep — run against a preview environment spun up by the CI job to catch known CVEs introduced by dependency updates or configuration changes.
CD Stage (Post-Deploy to Staging)
- DAST scan — trigger ZAP, Burp Suite Enterprise, or Acunetix against the freshly deployed staging environment. Gate promotion to production on a clean scan or an approved baseline. Configure authenticated scans to cover protected endpoints; unauthenticated scans miss 30–50 percent of vulnerabilities in typical web applications.
- IAST (if deployed) — if your stack supports IAST instrumentation (Contrast Security, Seeker), run the regression test suite against the staged application with the IAST agent active to collect confirmed, code-pinpointed findings.
Continuous Fuzzing (Separate Infrastructure)
- libFuzzer / AFL++ corpora — maintain a persistent fuzzing cluster or use OSS-Fuzz. Do not block CI on fuzzing jobs; fuzzing is most effective as a background process running between releases.
- Crash triage — fuzz crashes are deduplicated by stack trace signature and filed as bugs automatically. Review the crash cluster weekly and prioritize security-relevant classes (heap-buffer-overflow, use-after-free) over benign assertion failures.
For the complementary static side of this pipeline, the full guide to SAST and DAST testing tools covers where static analysis fits and how to combine both categories into a unified DevSecOps program.
Common Vulnerabilities Only Dynamic Analysis Catches
Static analysis is powerful but fundamentally limited to what can be inferred from code structure without execution. The following vulnerability classes require dynamic observation to detect reliably:
Authentication and Authorization Bypasses
A static analyzer can flag insecure function calls, but it cannot model the actual authentication logic that emerges from the interaction of middleware, session management, cookie attributes, and business-logic code. DAST tools discover bypasses by actually attempting authenticated actions without credentials, replaying tokens, and probing privilege escalation paths — observations that only make sense against a running application.
Race Conditions and Data Races
Concurrency bugs depend on thread scheduling decisions made at runtime. A data race may be present in the source code for years without triggering a visible bug, then cause silent data corruption or a crash under production load. ThreadSanitizer detects data races during any test run by observing actual concurrent accesses, regardless of whether the race caused an observable failure during that particular run. No static tool reliably achieves this at scale.
Use-After-Free and Heap Corruption
Use-after-free vulnerabilities are the most exploited memory-safety bug class in 2026, responsible for a majority of browser and kernel CVEs. Static analysis can flag some obvious patterns, but the actual life-cycle of heap allocations — particularly in event-driven code, reference-counted objects, and concurrent data structures — is typically too complex for static taint analysis to model correctly. AddressSanitizer and Valgrind observe actual deallocation events and flag every subsequent access, making them authoritative for this bug class.
Memory Leaks
Memory leaks are runtime phenomena: they accumulate over time as a program allocates and fails to release heap memory. Valgrind's Memcheck and ASan's leak sanitizer report leaked allocations at program exit, with the full allocation call stack. Static analysis can sometimes infer missing frees in simple code paths, but it cannot model arena allocators, reference counting cycles, or leaks that only occur on specific error paths.
Server-Side Configuration Errors
Misconfigured CORS headers, missing security headers (HSTS, CSP, X-Content-Type-Options), open redirects, and verbose error pages are configuration-layer bugs that have no manifestation in source code at all. They exist in deployment configuration, server middleware, or runtime-loaded modules. DAST tools observe HTTP responses and flag these issues directly; static tools have no way to analyze a production server's runtime configuration.
Uninitialized Variable Reads
Reading uninitialized memory in C/C++ is undefined behavior that often goes undetected in normal test runs because the memory happens to be zeroed by the OS. On other runs, or under different allocation patterns, the uninitialized read produces subtly wrong outputs — a category of intermittent bug that static analysis frequently misses because the control flow leading to the uninitialized read is legitimate. MemorySanitizer instruments every memory read and poisons all unallocated regions, making every uninitialized read a deterministic, immediate failure.
How to Choose a Dynamic Code Analysis Tool
With two distinct families of dynamic code analysis tools — DAST for web applications and sanitizers/fuzzers for native code — the first decision is simply which world you operate in. Most teams need both.
| Situation | Recommended tool(s) | Priority |
|---|---|---|
| Web app, limited budget | OWASP ZAP + Nuclei | High — free, CI-ready, covers OWASP Top 10 |
| Web app, SPA / JavaScript-heavy | Acunetix or Burp Suite Enterprise | High — headless browser crawling required |
| Web app, enterprise / compliance | HCL AppScan or Veracode Dynamic | Medium — compliance reporting justifies cost |
| C / C++ application or library | ASan + UBSan (CI), Valgrind (debugging) | Critical — memory safety is non-negotiable |
| Multi-threaded C/C++ or Go | ThreadSanitizer | High — data races are silent and serious |
| Parser / codec / protocol handler | libFuzzer + ASan, or AFL++ | Critical — fuzzing finds what tests miss |
| Open-source security-critical library | OSS-Fuzz integration | High — free continuous fuzzing at Google scale |
| Closed-source binary, no source | DynamoRIO, AFL++ QEMU mode | Medium — binary-level instrumentation |
A few additional criteria that frequently determine the final choice:
- Language and runtime — ASan and TSan are Clang/GCC tools; they work natively for C, C++, and Rust. Java, .NET, and Python applications have different profiling and security testing toolchains. Dynamic analysis for JVM applications typically means DAST for security and Java Flight Recorder or async-profiler for runtime performance.
- CI/CD integration depth — ZAP and Nuclei have well-maintained GitHub Actions; sanitizer builds integrate naturally with CMake and Meson. Commercial tools vary significantly in pipeline integration quality — evaluate the REST API and the quality of SARIF or JSON output before committing.
- Authenticated scan support — DAST scans of authenticated flows require session management configuration. Tools differ substantially in how well they handle modern authentication (OAuth 2.0, PKCE, JWT, SAML). Test authenticated scan coverage before signing a commercial contract.
- Complementary static coverage — if you are evaluating static and dynamic code analysis tools simultaneously, consider vendors that offer both (Veracode, Checkmarx, Semgrep) versus best-of-breed point solutions (Semgrep for SAST, ZAP for DAST). Unified platforms simplify reporting; point solutions give you more control and lower total cost.
Comparing Runtime Traces and Scan Reports with a Diff Tool
One of the most underrated workflows in dynamic analysis programs is systematic before/after diffing of scan outputs. After fixing a vulnerability and re-running your DAST tool or sanitizer, you need to verify three things: the original finding is gone, no new findings were introduced, and the fix did not affect unrelated scan results. Doing this by eye across a 200-finding JSON report is error-prone and slow.
A text diff tool makes this comparison immediate. The workflow is straightforward:
- Run your dynamic analysis tool before the fix. Save the output as
scan-before.txt(or export as JSON/SARIF). - Apply the fix and re-run the same scan. Save as
scan-after.txt. - Diff the two files side by side to see exactly which findings disappeared and which (if any) are new.
The same technique applies to runtime traces. If you are diagnosing a performance regression or a behavior change between two builds, diff the two log files or trace outputs on Linux — or use the Unix diff command in a terminal — to identify exactly which execution paths changed. For a quick visual comparison in the browser, the Diff Checker extension compares two text payloads side by side with line-level highlighting, which is particularly useful for long sanitizer diagnostics or DAST JSON exports where the signal is buried in repeated boilerplate.
This workflow is not limited to security scans. Fuzzing triage benefits equally: when investigating whether two crash reports represent the same underlying bug, diffing the ASan stack traces immediately shows whether the crash sites and allocation call stacks are identical (duplicate) or diverge (distinct bugs). Deduplicating a large fuzzing crash bucket this way saves significant triage time before filing bug reports.
Diff Two Scan Reports in Seconds
When you re-run a dynamic analysis tool after fixing vulnerabilities, you need to know exactly what changed. Diff Checker compares two scan reports, log outputs, or runtime traces side by side — instantly highlighting new findings and resolved issues. Free, no signup.
Get Diff Checker FreeFrequently Asked Questions
What are dynamic code analysis tools?
Dynamic code analysis tools examine a program's behavior during execution rather than inspecting its source code at rest. They fall into two families: DAST tools (Burp Suite, OWASP ZAP, Acunetix) that test running web applications over HTTP, and runtime analysis tools (AddressSanitizer, Valgrind, ThreadSanitizer, libFuzzer) that instrument native binaries to detect memory errors, race conditions, and undefined behavior. Both are essential for a complete security and reliability program.
What is the difference between static and dynamic code analysis tools?
Static code analysis tools examine source code or bytecode without executing the program — they run at CI time on every pull request and catch code-level vulnerabilities like hardcoded secrets, injection patterns, and taint-flow bugs. Dynamic code analysis tools execute the program and observe actual runtime behavior — they find authentication bypasses, memory corruption, race conditions, and configuration errors that only manifest at runtime. The two categories are complementary: static analysis finds more issues earlier and cheaper; dynamic analysis confirms exploitability and catches what static tools miss.
What is the difference between DAST and runtime sanitizers?
DAST tools (Burp Suite, ZAP, Acunetix) test web applications over HTTP — they crawl endpoints, fire crafted payloads, and report exploitable vulnerabilities visible in HTTP responses. Runtime sanitizers (AddressSanitizer, ThreadSanitizer, Valgrind) instrument compiled native binaries and detect low-level memory and concurrency bugs that exist below the HTTP layer. DAST cannot see a heap-buffer-overflow in a C JSON parser; sanitizers cannot find a CORS misconfiguration. The two families target distinct vulnerability classes and do not overlap.
Is fuzzing a form of dynamic analysis?
Yes. Fuzzing is a dynamic code scanning technique that generates mutated inputs, feeds them to a running target, and monitors for crashes or sanitizer errors. Coverage-guided fuzzers (libFuzzer, AFL++) instrument the binary to track code coverage and steer mutations toward unexplored paths. Fuzzing has found tens of thousands of critical memory safety bugs in C and C++ codebases — it is one of the highest-ROI dynamic analysis techniques available for native-code projects.
Where do dynamic analysis tools fit in a CI/CD pipeline?
Sanitizer builds (ASan, UBSan) run in CI alongside unit tests on every pull request. DAST tools (ZAP, Burp Enterprise, Acunetix) run in CD after each deployment to a staging environment, gating promotion to production on a clean scan. Fuzzers are best run continuously in a dedicated background cluster rather than inline in CI, since effective fuzzing campaigns require hours to days of compute time. The combination gives you both fast, commit-level dynamic feedback and deep, ongoing exploration of the input space.