Antoine Carossio - Escape DAST - Application Security Blog

Introducing Multi-User Testing with Natural Language Queries in Escape DAST

Most of today’s SaaS structures are multi-tenant environments. Making sure that each tenant’s data and resources are securely isolated from others is critical. Weaknesses or misconfigurations in tenant isolation can lead to unauthorized access or data leaks between tenants, compromising the security of the entire system. If you’

Application Security

Gin & Juice Shop Benchmark: How DAST Tools Really Stack Up

This month, we set out to compare our DAST against some of the established names in Dynamic Application Security Testing. We’ve already benchmarked our scanner on vulnerable apps like VAMPI and DVGA, and now we’re putting it up against Qualys, ZAP, and Intruder (available in free trial) on

Pentesting

Top Automated Pentesting Tools (2025)

Explore the best automated pentesting tools of 2025. Learn how modern pentesting solutions detect business logic flaws and scale continuous security testing, so security teams can replace manual pentests with faster, more accurate coverage.

Application Security

Top Vulnerability Scanning tools 2025

In 2025, vulnerability scanning tools are essential for modern security teams, but running a scan is rarely the hard part anymore. The real challenge is automating it at scale: across thousands of assets, spanning APIs, web applications, and cloud services, in environments that can change by the hour. Security engineers

How to Efficiently Implement DAST in CI/CD (2025 Guide)

Working with multiple customers implementing DAST in CI/CD has allowed us to learn a lot about what works, what doesn’t, and most importantly how to do it efficiently. The truth is, it’s not about adopting just any tool. It's about making testing for runtime vulnerabilities

GraphQL

The Paradox of Disabling GraphQL Introspection: Lessons from the Parse Server GraphQL API vulnerability

Last week, the security community was alerted to a vulnerability in Parse Server GraphQL API, which allowed public access to the GraphQL schema without requiring a session token or the master key. It is now identified as CVE-2025-53364. So, the question comes up: Should we disable introspection entirely in production

Application Security

How we built Escape DAST's proprietary web application crawling algorithm and what makes it innovative

In this article, we'll show how we created our web application crawling algorithm to ensure complete testing coverage for modern applications.

DAST

Top 10 DAST Tools for DevSecOps in 2025: API Security, CI/CD Integration & Business Logic Coverage

Discover the top 10 DAST tools for 2025, built for SPAs, APIs (REST, GraphQL...), business logic vulnerabilities, and CI/CD pipelines. Compare strengths, weaknesses, and key features that matter to AppSec and DevSecOps teams.

Application Security

The Alternative to Acunetix DAST: Escape DAST

Explore how Escape DAST serves as a superior alternative to Acunetix, offering advanced vulnerability detection for web applications and APIs, seamless integration into modern development workflows, and scalable solutions for enterprises.

Application Security

Escape + Wiz: Unified Security for Modern, Cloud-Native Applications

A new technology partnership enables mutual customers to gain full cloud and application context, establish clear ownership, and accelerate the remediation of critical risks.

DAST

We benchmarked DAST products, and this is what we learned

When we started, we wanted to understand how to validate the quality of Escape's scanner findings and be able to benchmark them. Dynamic application scanning solutions are notorious for not being able to scan complex vulnerabilities, specifically the business logic vulnerabilities, and other deficiencies, and even though we

API Security

DAST is dead, why Business Logic Security Testing takes center stage

“DAST is dead” - that’s the phrase that appears every year on social media and in cybersecurity newsletters. But what if in 2024, it finally came true? DAST, Dynamic Application Security Testing (even though we see a new terminology “Dynamic API Security Testing” popping up here and there within

API Security

Escape's proprietary Business Logic Security Testing algorithm: what makes it innovative

Testing APIs for Business Logic vulnerabilities is hard. Actually, this is a mission that old-school DAST solutions like ZAP (formerly OWASP ZAP) cannot handle. I'm Antoine Carossio, passionate about Computer Science for more than 15 years now and cofounder & CTO of Escape. With my team, we'

API Security

Escape vs Burp Suite DAST: Which Tool Fits Modern AppSec?

Finding the right tools for your AppSec team can be a daunting task. Especially when it comes to testing modern applications like SPAs, APIs, and Microservices. Today, attackers prioritize exploiting an application's business logic flaws and truly understanding the underlying logic is challenging for most DAST tools without

API Security

Top 6 API security testing tools in 2025: a full review

When it comes to securing applications and APIs, the best API security testing tools are indispensable. These advanced solutions detect vulnerabilities by continuously scanning for weaknesses and simulating real-world attacks. But how do you choose between all API security testing vendors? Agentless API security tools are transforming application security by

API Security

Introducing business logic security testing for REST APIs

After one year and a half of approaching API security through the lenses of GraphQL, we are proud to introduce full support for REST API Security Testing in Escape, in addition to GraphQL 🚀 You like us on GraphQL. You will love us on REST. It's been a ride

GraphQL Query Cost Analysis

You must have understood that GraphQL is a very powerful language! Indeed, it is the query language used by the world's largest social network: Facebook (they created it in 2012 and made it public in 2015). However, these benefits and power also come with added complexity. This complexity

Attack Surface Management

Unveiling the GraphQL API Catalog

Escape launches the first Asset Inventory and Attack Surface Management solution for GraphQL APIs with its new API Catalog feature.

GraphQL

Introducing Seamless GraphQL Compliance

As your go-to partner in GraphQL Security, we at Escape are constantly innovating to simplify and streamline security for you. We're proud of our reputation for crafting modern, dynamic application security testing (DAST) tools tailored to GraphQL, beloved by developers and trusted by security teams worldwide. From comprehensive

GraphQL

GraphQL Input Validation & Sanitization

Why input validation and sanitization are important in GraphQL? GraphQL allows you to identify the data and validate inputs based on type information. By default, GraphQL Specification has the Int, Float, String, Boolean and ID Scalar types. But as a conscious API developer, you've probably come across situations

Say Hi to SecureGPT: The free Security Tool for ChatGPT Developers

👋 tl;dr Are you a ChatGPT plugin developer who wants to ensure the safety and security of your creations? Look no further. Escape is thrilled to announce the release of SecureGPT, a lightning-fast and free security tool designed specifically for ChatGPT plugins. Secure your ChatGPT plugins in seconds with SecureGPT

GraphQL Vulnerability

Demystifying GraphQL Security: A Comprehensive Guide to GraphQL Introspection

Whether or not to disable introspection in GraphQL has been a common debate among GraphQL developers since its inception. In this blog post, we will explain why completely disabling GraphQL introspection is not necessary and why it can be counterproductive. I can't really find any good reasons for

Introducing API Security Posture Management for GraphQL

tl;dr The Escape Team is excited to announce the release of its latest feature, API Security Posture Management for GraphQL. This feature proposes a single API Catalog view to explore the security, integrity, and performance of all GraphQL operations in one place. See it for yourself in action With

Introducing OpenAPI.Security, a free tool to quickly check the security of REST APIs

tl;dr We released OpenAPI.security, an online tool that performs a dozen of security tests on any given OpenAPI/Swagger-based API, with no signup or email required Our team at Escape is mainly focused on securing GraphQL APIs. For this, we developed a new approach called feedback-driven API exploration,

Escape is proud to be backed by Y Combinator!

Escape is proud to announce that we are backed by Y Combinator, the world's most prestigious and well-known startup accelerator, joining the YC Winter 23 batch! Y Combinator, known for investing in and mentoring early-stage startups, has an impressive portfolio of successful companies such as Airbnb, Dropbox, and