There is a moment every AppSec leader knows too well. The scanner is ready. The target is ready. But there is a backlog. It’s not checker coverage or crawling finesse—it is the login screen. Test accounts have expired again. Multifactor authentication (MFA) codes are inconsistent across apps. Scripts that worked last month now fail because a button label moved. The team opens tickets, hunts down owners, and loses another week. Multiply that by hundreds or thousands of applications and “authenticated DAST” becomes a program of exceptions rather than a program at scale.
If dynamic application security testing (DAST) is going to keep pace with modern development, authentication has to become boring. It has to take minutes, not days. It has to survive UI drift, respect MFA, and fit cleanly into audit narratives. That has been our north star for the past year, and it led to two concrete innovations that remove the biggest blocker our customers face.
First, Polaris fAST Dynamic now uses a generative large language model (LLM) to assist authentication. You provide the login URL and credentials, and the system interprets the rendered login experience, signs in reliably, and begins the scan. It handles common patterns, including staged pages when paired with multipage login, and time-based one-time password (TOTP) MFA, so teams stop authoring brittle scripts for everyday flows. Privacy is preserved by design: the model evaluates screenshots of the login experience only; URLs and credentials are not sent to the model. The practical effect is simple: time to first authenticated scan drops from days to minutes, especially in proofs of value and during broad onboarding waves.
Second, Continuous Dynamic™ now integrates natively with enterprise secrets managers. Credentials are retrieved at scan time from the customer’s vault, used to authenticate, and not stored in the platform. Rotation policies remain where they belong—in the customer’s vault—so scans keep working as secrets change. This aligns cleanly with separation-of-duties expectations and removes the RFP friction around credentials at rest in a vendor system. Security teams see fewer failed runs due to stale passwords and fewer tickets chasing app owners. Auditors get a straightforward story to verify.
These are not flashy features. They are operational pressure-valves that turn “we will get to it next sprint” into “we started the scan.”
See both experiences live—as well as how little setup is required—in the webinar, including TOTP in Polaris fAST Dynamic and vault-sourced credentials in Continuous Dynamic.
Most mature programs separate concerns by environment. In development and test, Polaris fAST Dynamic gives teams a quick, repeatable way to unlock authenticated coverage inside CI pipelines without hand-authoring flows. In production, Continuous Dynamic keeps secrets out of the platform and rides through rotations while continuously assessing live applications at enterprise scale. Results roll up into familiar dashboards and exports, so leadership can track trends, prove remediation, and allocate effort where it moves risk the most.
When these lanes work together, three things change. Your onboarding waves get shorter. Your scan failure rate drops because authentication is stable. And your audit narrative improves because credential handling is explicit and least-privilege by design.
Consider a portfolio of 800 web applications across multiple business units. In the old model, each onboarding required a small project: create or find the test account, coordinate MFA, document steps, record a fragile sequence, rework it after the next UI change, repeat. In the new model, everyday logins are handled by the generative LLM in Polaris fAST Dynamic. MFA stays on. Edge cases still use a deterministic fallback, but the long tail of routine apps stops consuming expert time. In production, Continuous Dynamic connects to your vault once with a scoped service identity and then simply asks for the right secret at runtime. Rotations continue on policy. Scans do not stop.
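As an added illustration (not code from the original post or from the products it describes), the block below shows the RFC 6238 TOTP computation a scanner performs to complete MFA while MFA stays on, with the seed fetched at scan time through a caller-supplied lookup that stands in for a scoped vault client; the `fetch_secret` callable, the secret path and the sample vault are constructed for this example.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Callable, Optional

# RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation.
def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

# RFC 6238 TOTP: the counter is the number of whole time steps since the Unix epoch.
def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    return hotp(secret, for_time // step, digits, algo)

def seconds_until_rotation(for_time: int, step: int = 30) -> int:
    """How long the code valid at `for_time` remains the current one."""
    return step - (for_time % step)

def decode_seed(seed_b32: str) -> bytes:
    # Enrolment QR codes carry the seed as unpadded base32; restore padding before decoding.
    seed = seed_b32.strip().replace(" ", "").upper()
    return base64.b32decode(seed + "=" * (-len(seed) % 8))

def mfa_code_for_scan(fetch_secret: Callable[[str], str], secret_path: str,
                      now: Optional[int] = None, min_remaining: int = 3,
                      sleep: Callable[[float], None] = time.sleep) -> str:
    """Fetch the TOTP seed at scan time, derive one code, and keep nothing but the code.

    `fetch_secret` stands in for a vault client scoped to `secret_path` (constructed for
    this example); the seed is used once here and never written to scanner state.
    """
    for_time = int(time.time()) if now is None else now
    wait = seconds_until_rotation(for_time)
    if wait < min_remaining:
        # Too close to the 30-second boundary: wait for the next step rather than race the submit.
        sleep(wait)
        for_time += wait
    return totp(decode_seed(fetch_secret(secret_path)), for_time)

# Constructed sample vault: the RFC 6238 reference seed "12345678901234567890" in base32.
SAMPLE_VAULT = {"dast/apps/billing/totp-seed": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"}

if __name__ == "__main__":
    print(mfa_code_for_scan(SAMPLE_VAULT.__getitem__, "dast/apps/billing/totp-seed"))
```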
The outcome is not theoretical. Customers report faster time to first authenticated scan, fewer authentication-related failures, less operational churn, and cleaner audit answers to the most common questions: where are credentials stored, who can see them, and how are rotations handled.
In the webinar, see a simple demo: two preproduction targets in Polaris fAST Dynamic, and one lower-risk production app in Continuous Dynamic.
Leaders ask three questions immediately. Do you send secrets to the model? Do you store credentials in the platform? How do we prove it to an auditor? The answers are direct. Polaris fAST Dynamic evaluates screenshots of the login experience and does not send URLs or credentials to the model. Continuous Dynamic retrieves credentials from your vault at scan time and does not persist them. Access is scoped to the specific secret paths required for each target, and you can show evidence of that configuration and behavior during audit.
There are boundaries. CAPTCHA-gated or biometric logins are best handled with a deterministic method such as Chrome recording or form-mapped flows. Highly bespoke identity provider handoffs may require explicit steps. The point is not to eliminate expert techniques; it is to remove repetitive, low-value work so specialists can focus on edge cases and higher-value testing.
Authenticated DAST at scale is no longer about writing the perfect script for every application. It is about applying generative LLMs to remove friction where patterns are consistent and using enterprise secrets managers to keep credentials out of scanning platforms while honoring rotation and audit requirements. The result is broader authenticated coverage across more applications, faster, with stronger control.
If you want to see what that feels like in practice, join our webinar. We will keep the demo short, walk through the rollout pattern, and take your toughest questions.
Oct 08, 2025 | 6 min read