Gin & Juice Shop Benchmark: How DAST Tools Really Stack Up

This month, we set out to compare our DAST against some of the established names in Dynamic Application Security Testing. We’ve already benchmarked our scanner on vulnerable apps like VAMPI and DVGA, and now we’re putting it up against Qualys, ZAP, and Intruder (available in free trial) on Gin & Juice Shop.

Why are we doing this? Our scanner uses in-house built web crawling and business logic testing algorithms, designed from scratch to handle modern applications. Naturally, we get asked “How does Escape compare to legacy DAST tools?” all the time.

The goal of the benchmark isn’t about claiming we’re the best and trying to sell you immediately (though, of course, we’d love for you to consider Escape for your DevSecOps program). We want to take an honest look at what we and others do well, and what we and others can improve.

🔑 The core user story we are validating is the one customers ask for most often:  Ryzen 9 7900X processor and 64 GB of RAM.

“Find a maximum of business logic vulnerabilities in an authenticated scan, with the minimum configuration required.”

This focus is intentional. Each tool on the market provides extensive configuration option that can significantly alter results, but the reality is that AppSec engineers do not want to become tool experts. They want to run authenticated scans out-of-the-box, discover business logic issues that matter, and avoid spending weeks fine-tuning.  

Let’s dive in.

Building a benchmark for web app scanners

According to our previous market survey on what is wrong with the current state of DAST, the key frustrations with the existing were very clear: 

• Too much configuration is required to get value – fine-tuning is complex and makes scaling nearly impossible.  
• False positives remain high with many tools, leading to wasted time in triage.  

That’s why we designed our benchmark differently. Instead of investing days into tweaking and implementing custom test cases, we ran all scanners on their standard configurations, exactly as a typical team would when first adopting a tool.  

Modern AppSec teams care about ease of setup, effectiveness, coverage, and a practical triage workflow. To be useful, a DAST tool must show:  

• Can it crawl and understand the real structure of the app?  
• How many requests does it send (signal vs. noise)?  
• How quickly can teams reach value (setup friction)?  
• How long does a scan take (fit into developer workflow)?  
• Is reporting clear, actionable, and able to separate true vulnerabilities from background noise?  
• Most importantly: does it find vulnerabilities that matter in real applications, not just contrived testbeds?  

By testing each scanner against this scenario, we’re benchmarking them on the metric that truly matters: how well they serve the most common, high-value use case with minimal setup.

This benchmark evaluates:

• Effectiveness: Did the scanner find actual Gin & Juice vulns?
• Coverage: Could the scanner crawl the app, handle authentication?
• Efficiency: Number of requests vs. findings.
• Set up friction: How long to set up and get first results?
• Scan duration: Total scan runtime.
• Depth of reporting: Quality, accuracy, evidence, and triage readiness.

Why we chose Gin & Juice

In an ideal world, testing a scanner against a production application or your own would be the best approach. While we could have tested on vulnerable apps built by Escape, we wanted to avoid any bias and use a widely recognized, deliberately vulnerable application that the industry trusts.

That’s why we chose Gin & Juice, developed by the PortSwigger research team. This app incorporates many of the modern technologies found in today’s web applications, including extensive use of JavaScript and CSRF tokens. It also features a wide range of real-world vulnerabilities, such as client-side template injection, DOM XSS, client-side prototype pollution, vulnerable JavaScript dependencies, and XML external entity (XXE) injection.

Not only does Gin & Juice provide a solid testing environment, but it’s also compact enough to allow us to assess a scanner’s performance efficiently, without an overwhelming number of duplicate issues.

For more detailed information on the specific vulnerabilities within Gin & Juice, you can refer to this page.

How we set up the testbed

Target: For Escape, Qualys, and Intruder - Gin & Juice was added directly into each scanner's UI for testing. For ZAP, we followed the official tutorial from zaproxy. You can find the configuration file below.

Authentication: We configured username/password and session management for each scanner to simulate authenticated access to the app.

Crawling: Each scanner was allowed to crawl the application without restrictions, ensuring thorough coverage of all accessible paths.

Scan Profiles: We used the default read-and-write settings for each scanner, aiming to capture the broadest possible range of vulnerabilities.

Control: The tests were run in single-user mode, with no concurrent scans, to maintain consistency across results.

Tool configurations & setup experience

In this section, we describe how we configured and used the four different tools : Escape, Zap Proxy, Intruder and Qualys DAST.

Escape

Configuring Escape was very straightforward.

The platform provides a clear and accessible UI/UX, which makes the setup process quick and user-friendly.
We can directly, create a new scan profile:

To set authentication, we used Playwright authentication feature by directly providing login link and details:

After that, we can directly start a scan.

ZAP

Setting up ZAP Proxy was also quite straightforward.  

The tool offers a solid balance between flexibility and usability, although its UI/UX is more technical compared to platforms like Intruder.  

We simply followed the official tutorial from zaproxy and ended up with this configuration file for automation:

env:
  contexts:
  - name: Gin N Juice Shop
    urls:
    - https://ginandjuice.shop
    includePaths:
    - https://ginandjuice.shop.*
    excludePaths:
    - https://ginandjuice.shop/logout
    authentication:
      method: browser
      parameters:
        loginPageUrl: https://ginandjuice.shop/login
        browserId: firefox-headless
        loginPageWait: 1
        steps: []
      verification:
        method: poll
        loggedInRegex: \Q 200 OK\E
        loggedOutRegex: \Q 302 Found\E
        pollFrequency: 60
        pollUnits: requests
        pollUrl: https://ginandjuice.shop/my-account
        pollPostData: ""
    sessionManagement:
      method: headers
    users:
    - name: carlos
      credentials:
        password: hunter2
        username: carlos
  parameters: {}
jobs:
- type: spider
  parameters:
    context: Gin N Juice Shop
    user: carlos
- type: spiderAjax
  parameters:
    context: Gin N Juice Shop
    user: carlos
    browserId: firefox-headless
    excludedElements:
    - description: Logout
      element: a
      text: Log out
- type: passiveScan-wait
  parameters: {}
- type: activeScan
  parameters:
    context: Gin N Juice Shop
    user: carlos
  policyDefinition:
    defaultStrength: medium
    defaultThreshold: medium
- parameters:
    template: "modern"
    reportTitle: "ZAP Scanning Report"
    reportDescription: ""
  name: "report"
  type: "report"

We only need to run the automation script.

Since ZAP runs locally, we consider it important to specify that the scan was performed on a computer equipped with a Ryzen 9 7900X processor and 64 GB of RAM.

At the time of the scan, Firefox was at its latest version, 143.0.3.

We ran ZAP using the following command to allocate 32 GB of RAM instead of 15 GB.

./zap.sh -Xmx32G

Intruder

Setting up Intruder was extremely easy.

The platform provides a very clean and intuitive interface, making it straightforward to navigate. All we had to do was add a web application, and like Escape, we can directly configure the authentication. Then, we can launch the scan.

Qualys

Configuring Qualys was a bit more challenging compared to the other tools.

The platform’s UI and UX are less intuitive, which makes the setup process slightly more time-consuming.

First, we had to add a new web application:

After completing the 5 steps, to create the Web Application, we need to create an authentication in a separate environment:

With Qualys, it's impossible to verify whether authentication worked for the application in question before launching the scan.

After setting up the auth configuration, we could finally start the scan.

The results

Here's the detailed head-to-head comparison of Escape, Qualys, ZAP, and Intruder's Gin & Juice scanning.

Vulnerabilities found

The scans identified several coritical vulnerabilities, including XSS, SQL Injection, and Cross-site scripting (reflected), depending on the path, with Escape standing out for its ability to find a solid range of vulnerabilities, particularly in client-side issues.

Both Escape and Qualys missed some of the vulnerabilities, while Intruder found barely any. As for ZAP, with more configuration with the others, it manages to find interesting vulnerabilities, even one that all others are missing (Reflected XSS). Depending on the execution context, it seems like the DOM-based XSS can be found by ZAP, but we could not reproduce those result during this test.

While Qualys provided comprehensive results, it generated a significant number of false positives (79 vulnerabilities were shown in the recap, and more than 100 issues were shown in the detections):

In comparison, Escape delivered a more reliable set of findings, proving its efficiency in detecting actual risks without overwhelming the report with irrelevant results.

While there were only a couple of false positives, the AI-powered proof of exploit made it easy to verify whether the vulnerability was correctly identified. (This feature is also incredibly helpful during remediation! 😉)

Number of requests

Escape: 7630, Qualys: 82536, ZAP: 15164, Intruder: 73549

Despite generating significantly fewer requests than its counterparts, Escape was the most effective at finding vulnerabilities, suggesting a more targeted and efficient scanning approach. By generating fewer requests, Escape optimizes the scanning process, reducing the load on the target application and its server. This enables Escape's DAST scan to send the right requests faster, collect the necessary data, reuse it, and inject payloads more effectively. In contrast, while Qualys and Intruder generate a larger number of requests and provide more extensive scans, they are not as effective at pinpointing the most critical issues.

Setup time

Escape: 2 mins, Intruder: 2 mins, ZAP: 2 mins, Qualys: 6 mins

As mentioned earlier, both Escape and Intruder offer a user-friendly GUI that's intuitive and easy to navigate.The most inconvenient setup was with Qualys, where authentication had to be created separately and linked to the scan.

Scan duration

Escape: 1h 37mins, Qualys: 1h 1 mins, ZAP: 1h 31 mins, Intruder: 7h 43 mins

All scanners completed their scans in significantly different timeframes: Intruder clearly took the longest. Qualys, ZAP and Escape both had scan durations around the 1-hour mark for this specific application. All three scan durations are reasonable and ensure that security testing doesn't unnecessarily prolong the development lifecycle or delay software updates.

However, it’s important to remember that scan duration, coverage, and vulnerabilities should be considered together, as scan duration alone isn't a sufficient metric. Given that ZAP found almost no vulnerabilities, its faster scan time becomes less relevant.

The 37 minutes of additional time spent by Escape compared to Qualys makes no significant difference in the overall scan duration but provides a more thorough examination of potential vulnerabilities, leading to higher confidence in the results.

Coverage

Escape: 93.18%, Qualys: 27.27%, ZAP: 88.37%, Intruder: 86.36%

Escape demonstrated superior coverage, scanning 93.18% of the target application, while Qualys DAST showed the worst coverage among all four. Overall, extensive coverage is crucial for in-depth security testing and mitigation strategies. Scanning a larger portion of the application allows Escape to identify a wider range of vulnerabilities and security weaknesses, including those in less frequently accessed areas or functionalities. This comprehensive assessment helps organizations prioritize and address the most critical security risks, ultimately enhancing the application's overall security and reducing the likelihood of successful attacks.

Conclusion

We wanted to validate the effectiveness of Escape's scanner and establish benchmarks in a comprehensive comparison against industry-standard tools like Qualys DAST, ZAP, and Intruder. Our focus was on detecting various types of vulnerabilities within Web Apps, contrary to previously analyzed REST & GraphQL APIs.

Through rigorous testing on well-known vulner%able application like Gin & Juice Shop, Escape's proprietary AI-powered DAST algorithm consistently outperformed DAST competitors, identifying a wide range of vulnerabilities while consuming minimal system resources.

Our goal is to try to update this benchmark every once in a while for more vulnerable applications.. We are excited to hear your feedback and comments on this, so please don't hesitate to reach out to us!

💡 Want to learn more about DAST? Discover the following articles:

• The Top 10 DAST Tools in 2025 for Automating Application Security Testing
• DAST is dead, why Business Logic Security Testing takes center stage
• We benchmarked DAST products, and this is what we learned