Escape – The Application Security Blog

Methodology: How we discovered over 2k high-impact vulnerabilities in apps built with vibe coding platforms

Hey there, With Halloween around the corner, what’s scarier for organizations than vulnerabilities in their web applications? And it's even scarier when the development of these applications is in the hands of users not familiar with security practices. This year, the Escape research team has focused on

Product updates

Introducing Multi-User Testing with Natural Language Queries in Escape DAST

Most of today’s SaaS structures are multi-tenant environments. Making sure that each tenant’s data and resources are securely isolated from others is critical. Weaknesses or misconfigurations in tenant isolation can lead to unauthorized access or data leaks between tenants, compromising the security of the entire system. If you’

Application Security

Gin & Juice Shop Benchmark: How DAST Tools Really Stack Up

This month, we set out to compare our DAST against some of the established names in Dynamic Application Security Testing. We’ve already benchmarked our scanner on vulnerable apps like VAMPI and DVGA, and now we’re putting it up against Qualys, ZAP, and Intruder (available in free trial) on

Attack Surface Management

Why context is king in Attack Surface Management (ASM): Key insights from my conversations with security leaders

When I launched this research, my goal was to understand the current perception of security practitioners regarding Attack Surface Management (ASM) solutions. Unlike in my previous article, "What is wrong with the current state of DAST?" I didn't start with an overall negative perception from the

Product updates

Introducing AI-Powered Exploit Validation and Remediation Guidelines

Security teams know that finding a vulnerability is only half the battle. The harder part is validating that it can be exploited and applying the right fix with confidence. Too often, remediation guidance is static, generic, or incomplete, leaving engineers guessing. This also strains the relationships between security and developers.

Application Security

[Webinar] From Business Logic Vulnerabilities to Actionable Insights: AI-powered Pentesting + ASM in Action

For years, security teams have relied on human penetration testers to uncover critical vulnerabilities hidden in complex business logic. These flaws are subtle, context-dependent, and unique to every system’s workflow. Even modern scanners struggle to capture them, focusing only on a limited range of vulnerabilities displayed in their UI.

Product updates

August Product Updates: Enhancements to the Escape Public API and CLI, and the Introduction of Global Configuration Management

August is usually synonymous with vacations, beach days, and relaxation. But here at Escape, we’re not taking a break from empowering security teams (just kidding, we still took a break, but we shipped more efficiently!). While many are winding down, we’re cranking up the pace with some exciting

Pentesting

Top Automated Pentesting Tools (2025)

Explore the top automated pentesting tools of 2025. Learn how modern platforms detect business logic flaws, deliver true positives, and scale continuous security testing, so security teams can replace manual pentests with faster, more accurate coverage.

Podcast

Security Culture: When Are We Really Creating Change? with Marisa Fagan

Discover insights from The Elephant in AppSec episode with Marisa Fagan.

Application Security

Top Vulnerability Scanning tools 2025

In 2025, vulnerability scanning tools are essential for modern security teams, but running a scan is rarely the hard part anymore. The real challenge is automating it at scale: across thousands of assets, spanning APIs, web applications, and cloud services, in environments that can change by the hour. Security engineers

Application Security

How to Automate Your Penetration Testing?

AI is revolutionizing penetration testing, transforming traditionally manual exploits, once spanning several days, into automated systems that can now handle reconnaissance, scanning, and fuzzing in a matter of hours. "AI is already transforming pentesting. If you look at automated reconnaissance and scanning, finding those low-hanging fruits, or threat intelligence

Podcast

The Future of Pentesting: Can AI Replace Human Expertise? ⎥ Jyoti Raval

Discover insights from The Elephant in AppSec episode with Jyoti Raval

Podcast

Security Wins Only When Institutionalized – Here’s Why! ⎥ Kevan Bard

Discover insights from The Elephant in AppSec episode with Kevan Bard.

Podcast

Why Your Security Program Might Be Failing Before It Even Starts ⎥ Sean Finley ⎥The Elephant in AppSec Podcast

Discover insights from The Elephant in AppSec episode with Sean Finley.

Announcement

Escape Honored with Inaugural Wiz Integrations (WIN) Partner Award

Escape has been recognized by Wiz as a winner in the inaugural WIN awards, earning the WINvaluable Award for its outstanding partnership! This recognition highlights Escape's track record of delivering real outcomes for joint customers through the WIN program. 💡Launched in 2023, WIN is Wiz’s open, bidirectional

How to Efficiently Implement DAST in CI/CD (2025 Guide)

Working with multiple customers implementing DAST in CI/CD has allowed us to learn a lot about what works, what doesn’t, and most importantly how to do it efficiently. The truth is, it’s not about adopting just any tool. It's about making testing for runtime vulnerabilities

GraphQL

The Paradox of Disabling GraphQL Introspection: Lessons from the Parse Server GraphQL API vulnerability

Last week, the security community was alerted to a vulnerability in Parse Server GraphQL API, which allowed public access to the GraphQL schema without requiring a session token or the master key. It is now identified as CVE-2025-53364. So, the question comes up: Should we disable introspection entirely in production

Application Security

Feedback From Escape Customers: Securing AI-Driven Applications with DAST

“You ask the developer why they wrote the code the way that they did, and they don’t have an answer anymore. They’re like, ‘Well, AI wrote it.” - Seth Kirschner, DoubleVerify AI is now deeply embedded in software development workflows, and the implications for application security teams are

Product updates

More Support for Complex Authentication Flows: TOTP MFA and Text-Based CAPTCHA

This June, we’re making it easier to test real-world applications with complex authentication flows without sacrificing automation. Security teams need to test applications exactly as they exist in production, including MFA and CAPTCHA-protected flows. Historically, these protections aren’t "scanner-friendly" and often introduce friction into DAST workflows.

Application Security

How we built Escape DAST's proprietary web application crawling algorithm and what makes it innovative

In this article, we'll show how we created our web application crawling algorithm to ensure complete testing coverage for modern applications.

Application Security

[Webinar] Securing AI-driven applications with DAST

Join us for a live webinar with application security experts and Escape clients - Seth Kirschner (DoubleVerify), Nathan Byrd (Applied Systems), Nick Semyonov (PandaDoc), as they break down how their teams are rethinking testing strategies to keep up with AI-influenced codebases.

Compliance

Why DAST Is Critical for Cyber Resilience Act Compliance

The EU’s Cyber Resilience Act is reshaping how companies build and secure digital products. Learn why modern DAST is critical for CRA compliance from secure development to incident response and how to prepare before the 2027 deadline.

Product updates

Meet Escape Copilot: Automate App and Scan Management via MCP

Meet Escape Copilot. Powered by the MCP over the Escape Public API, it helps you boost productivity and get more done with less context switching inside Escape.

DAST

Top 10 DAST Tools for DevSecOps (2025)

Discover the top 10 DAST tools for 2025, built for SPAs, APIs (REST, GraphQL...), business logic vulnerabilities, and CI/CD pipelines. Compare strengths, weaknesses, and key features that matter to AppSec and DevSecOps teams.

Product updates

From Alert to Action: Escape’s Jira Integration Explained

Ticketing systems are an essential part of modern DevSecOps. They orchestrate cross-functional collaboration, ensure accountability, and drive issues to resolution. But in application security, the value of ticketing hinges on one critical factor: context. Too often, security tools generate vague alerts or findings without right context associated with them that

Escape DAST - Application Security Blog