FREE Dastardly, from Burp Suite

Secure web development should be more than just a pipe dream

A free DAST web application scanner for your CI/CD pipeline

Set up and use for free:

TeamCity logo Jenkins logo GitHub Actions logo Platform independent

Find 7 issues you care about - in 10 mins or less

Dastardly is a free, lightweight web application security scanner for your CI/CD pipeline. It looks at your application from the outside - just like an attacker - giving it the sort of accuracy that most static analysis tools can only dream of. Scans run no longer than 10 mins.

Learn more about Dastardly scans
Alex - Technical product manager
Jonny - Web developer

Catch security issues before they become painful

Let's face it - fixing bugs in old code is a pain in the ass. No one enjoys it. It's difficult, annoying, and takes much longer than doing the same job while still in context. So why wait for a pentester to point out any holes in your code?

Learn more about Dastardly scans

The scanner trusted by security professionals

Although you may not have heard of Burp Suite, your pentester has (just ask them). It's the world's leading toolkit for web security testing, used by over 16,000 organizations. And Dastardly is based on the exact same groundbreaking scanner.

Learn more about Dastardly scans
Chloe - Customer champion
Atlassian Amazon GitHub Valve

Learn more about Dastardly

Yes, Dastardly is completely free to use. There are no restrictions on how many applications you can scan or how many scans you can run.

No, you don't need to create an account or provide any billing details to use Dastardly. Just grab the container and go.

Dastardly can be up and running in your CI/CD pipeline in just two minutes. Follow our step-by-step guides to get started:

Dastardly uses a free version of the same browser-powered scanning engine used by Burp Suite Professional and Burp Suite Enterprise Edition, packaged in a way that makes it easier to integrate to your CI/CD pipelines and that gives you results in 10 minutes or less.

By default, Dastardly will fail your pipeline build should it find any vulnerabilities determined to have a severity level higher than INFO (LOW, MEDIUM or HIGH).

Dastardly reports its findings in JUnit XML format, which most CI tooling can render.

Where issues have been found, Dastardly brings you free, actionable advice from the Web Security Academy - enabling you to easily tweak your code.

The dynamic (DAST) security testing methodology used by Dastardly looks at an application from the outside in, just like an attacker. This means that DAST is far less prone to producing false positives than static (SAST) security testing methods, which look at an application's source code.

Dastardly can scan any deployed web app where you can run a container (e.g, your CI/CD pipeline).

Note that Dastardly cannot navigate login mechanisms. If your application uses authentication, you should consider disabling this functionality when scanning with Dastardly, or you might find that Burp Suite Enterprise Edition is right for you.

Dynamic application security testing (DAST) is different to static (SAST) testing because it looks at the target application in its deployed state, rather than simply looking at source code. This means that it doesn't matter what language you have written your application in. This enables it to detect vulnerabilities that SAST will not find.

DAST produces fewer false positives than SAST because it looks at an application from the outside in, just like an attacker. Fewer false positives can save you a great deal of time when investigating the results of your scans. You'll also be able to detect vulnerabilities that you would otherwise have missed.

If you are looking to scale your web application security practices, consider our full versions of Burp Suite. These enable you to:

We're keen to hear your thoughts on Dastardly; tell us what you think here.

Set up and use for free:

TeamCity logo Jenkins logo GitHub Actions logo Platform independent

What our customers say about us


Net Promoter Score.


of AppSec engineers perform more effectively with Burp Suite.


of our customers would recommend Burp Suite.


of penetration testers said Burp Suite is "best in class" software.

Based on a recent TechValidate survey of Burp Suite Professional users TechValidate

Dastardly vs. Burp Suite Enterprise Edition

Level up your DAST scanning with Burp Suite Enterprise Edition, including over 160 scan checks.

Dastardly logo

A lightweight, free DAST scanner for your CI/CD pipeline.

 Burp Suite Enterprise Edition large logo

Unleash AppSec expertise to supercharge engineering, deliver fast feedback to software teams, and achieve DevSecOps.

What's included?

  • Scans for seven key security issues.

  • Lightweight scans in 10 minutes or less.

  • Scan from within your CI/CD pipeline.

  • Scans for over 160 security issues, including SQL injection, DOM-based XSS, and HTTP request smuggling.

  • Pre-set scan modes and custom scan configurations.

  • Authenticated scanning support, including recorded login sequences.

  • Dashboards and custom reporting, including OWASP Top 10, and PCI DSS.

  • Recurring scheduled scans, as and when you need them.

  • Out-of-the-box integrations with Jira, GitLab and Trello for issue tracking, and more.

  • Rich GraphQL-based API and REST API to enable custom integrations.

  • Role-based access control and single sign-on.

  • And much more ...

See the rest of the Burp Suite range