If there’s one thing everyone agrees on, it’s this: DAST is hard to run at scale. The blocker isn’t the scanner’s brains—it’s getting past login, keeping that access reliable, and doing it across dozens or hundreds of apps without a thicket of brittle scripts and expiring credentials. That’s the constraint we set out to remove in Polaris fAST Dynamic.

Earlier this quarter we introduced AI-assisted authentication for fAST Dynamic, designed to get authenticated DAST running in minutes. You give Polaris a login URL, a username, and a password; a vision-capable LLM interprets screenshots of the rendered login page, completes sign-in (including common second-factor paths), and hands the authenticated session to the scanner. Credentials stay in Polaris: the model receives only screenshots, not the secrets themselves. The result is simple: authenticated coverage that is fast to onboard and consistent to operate.

Since that launch, we’ve been shipping a steady stream of enhancements that harden the experience and broaden coverage—so security teams can scale authenticated testing with less hand-holding and fewer do-overs.


Raising the floor on authentication reliability

Generative models are powerful, but they need guardrails in enterprise workflows. We tightened the interaction pattern between fAST Dynamic and the model, so logins stay on script and exit early when a terminal condition is reached (for example, invalid credentials). In practical terms, you see more dependable authentication success when inputs are correct, and quicker failure when they aren’t—no more wasted minutes on unproductive retries.

We also tuned the failure paths. When customers accidentally supply bad secrets, the system now recognizes the terminal state faster and surfaces the right error sooner. That means your team can fix what matters and rerun, instead of waiting on a stuck attempt.

Today, AI-assisted authentication works with standard username/password flows and supports common staged logins via Multi-Page Login. Time-based one-time passwords (TOTP) are supported in the UI; email-code MFA is available via configuration while UI setup rolls out. If an application's flow requires precise, repeatable steps, you can still use form-based mapping or Chrome recordings. The AI does not replace those options; it makes them the exception rather than the rule.

Making scripted logins less brittle (when you need them)

Not every environment is a match for AI on day one, and some teams prefer scripted control. We added the ability to mark actions in Selenium recordings as optional, which suits elements that only appear sometimes (think cookie banners or occasional challenges). Marking those steps optional keeps the flow resilient when the element is absent, without forcing you to add custom logic or maintain multiple recordings for each variant of the page.
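To make the optional-step behaviour concrete, here is an added example (not Polaris or fAST Dynamic code) of a minimal login-step runner with the same semantics: an optional step whose element is missing is skipped, while a missing required element is a terminal condition that aborts the run immediately rather than retrying. The `StubPage` class stands in for a WebDriver so the example runs offline; the element ids and steps are constructed for illustration.

```python
"""Added example: a login-step runner with optional steps.

This is not Polaris/fAST Dynamic code. StubPage is a constructed stand-in
for a browser driver (a dict of element ids) so the logic runs offline.
"""
from dataclasses import dataclass


@dataclass
class Step:
    action: str            # "click" or "type"
    selector: str          # element id on the page
    value: str = ""        # text to enter (only for "type")
    optional: bool = False # skip silently if the element is absent


class StepFailed(Exception):
    """Raised when a required element is missing: a terminal condition."""


class StubPage:
    """Constructed stand-in for a WebDriver: element id -> current value."""

    def __init__(self, element_ids):
        self.elements = {e: "" for e in element_ids}
        self.log = []  # (action, selector) pairs, in execution order

    def find(self, selector):
        if selector not in self.elements:
            raise KeyError(selector)  # mirrors NoSuchElementException
        return selector

    def click(self, selector):
        self.log.append(("click", selector))

    def type_text(self, selector, value):
        self.elements[selector] = value
        self.log.append(("type", selector))


def run_login(page, steps):
    """Execute steps in order.

    Missing optional elements are skipped and reported; a missing required
    element raises StepFailed at once instead of burning time on retries.
    Returns the list of selectors that were skipped.
    """
    skipped = []
    for step in steps:
        try:
            page.find(step.selector)
        except KeyError:
            if step.optional:
                skipped.append(step.selector)
                continue
            raise StepFailed(f"required element not found: {step.selector}")
        if step.action == "type":
            page.type_text(step.selector, step.value)
        elif step.action == "click":
            page.click(step.selector)
        else:
            raise ValueError(f"unknown action: {step.action}")
    return skipped


# Constructed login recording: the cookie banner and post-login promo
# are marked optional; the username, password and submit steps are required.
LOGIN_STEPS = [
    Step("click", "cookie-accept", optional=True),
    Step("type", "username", "dast-test-user"),
    Step("type", "password", "example-password"),  # placeholder, not a real secret
    Step("click", "submit"),
    Step("click", "dismiss-promo", optional=True),
]

if __name__ == "__main__":
    with_banner = StubPage(["cookie-accept", "username", "password", "submit"])
    print("skipped:", run_login(with_banner, LOGIN_STEPS))
    no_banner = StubPage(["username", "password", "submit"])
    print("skipped:", run_login(no_banner, LOGIN_STEPS))
```

In a real Selenium recording the `find` call is a `WebDriverWait` with a short timeout; keeping that timeout short matters, because every optional step that is absent costs the full wait on every run.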

Expanding coverage for modern front ends

Modern React/Node deployments often optimize for client performance by serving a minimal HTML shell and building the rest of the page in the browser. A crawler that only reads the initial response sees few links and stalls on discovery. fAST Dynamic now requests a server-rendered version of those pages for analysis, producing a fuller DOM for the scanner to traverse. You will see better link discovery, fewer dead ends, and cleaner, faster scans on these architectures.

Sharpening the signal with targeted rule updates

Rule quality is the backbone of any DAST engine. We shipped targeted checker improvements, for example to the CSRF and server-error checks. The aim is simple: fewer misses, clearer findings, and evidence that travels cleanly into issue trackers. You will notice this in triage speed as much as in finding counts.
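To show what a CSRF check actually inspects, here is an added example, written for this page and not a Polaris rule: a passive check that parses crawled HTML, finds state-changing (POST) forms, and flags those that carry no plausible anti-CSRF token. A token is accepted only if it is a hidden field whose name looks token-like and whose value is long and high-entropy, so a fixed placeholder such as `csrf_token=1` is still flagged. The sample HTML, the form actions and the thresholds are constructed for illustration.

```python
"""Added example: passive CSRF form check, not Polaris/fAST Dynamic code.

Flags POST forms with no hidden, token-like, high-entropy field. The HTML
sample and the thresholds (16 chars, 3.0 bits/char) are constructed.
"""
from html.parser import HTMLParser
import math
import re

# Field names that commonly carry an anti-CSRF token (assumption for this example).
TOKEN_NAME_RE = re.compile(r"csrf|xsrf|token|nonce|authenticity", re.I)


def shannon_entropy(s):
    """Bits per character of the string; 0.0 for empty or single-symbol input."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


class FormCollector(HTMLParser):
    """Collects each <form> with its method, action and <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "inputs": [],
            }
        elif tag == "input" and self._cur is not None:
            self._cur["inputs"].append({
                "type": (a.get("type") or "text").lower(),
                "name": a.get("name") or "",
                "value": a.get("value") or "",
            })

    def handle_endtag(self, tag):
        if tag == "form" and self._cur is not None:
            self.forms.append(self._cur)
            self._cur = None


def has_csrf_token(form, min_len=16, min_entropy=3.0):
    """True if the form carries a hidden field that looks like a real token."""
    for field in form["inputs"]:
        if (field["type"] == "hidden"
                and TOKEN_NAME_RE.search(field["name"])
                and len(field["value"]) >= min_len
                and shannon_entropy(field["value"]) >= min_entropy):
            return True
    return False


def check_csrf(html):
    """Return the actions of POST forms that lack an anti-CSRF token."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if form["method"] != "post":
            continue  # GET forms should be idempotent; out of scope for this check
        if not has_csrf_token(form):
            findings.append(form["action"])
    return findings


# Constructed page: a GET search form, a POST form with no token, a POST form
# with a proper token, and a POST form with a fixed placeholder "token".
SAMPLE_HTML = """
<form action="/search" method="get"><input name="q"></form>
<form action="/account/email" method="POST">
  <input type="email" name="email"><input type="submit" value="Save">
</form>
<form action="/transfer" method="post">
  <input type="hidden" name="csrf_token" value="9f3c2e1a7b4d8e6f0a1b2c3d4e5f6a7b">
  <input name="amount">
</form>
<form action="/profile/delete" method="post">
  <input type="hidden" name="csrf_token" value="1">
</form>
"""

if __name__ == "__main__":
    print("forms missing CSRF token:", check_csrf(SAMPLE_HTML))
```

Two caveats a practitioner would apply before trusting a result like this: a token's presence says nothing about whether the server validates it, so a confirming active check replays the request with the token removed or altered and compares responses; and an application that relies on `SameSite` cookies or custom-header checks rather than form tokens will appear as a finding here even though it is protected, which is exactly the kind of evidence and context the finding should carry into the tracker.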

Operational fit: Built for real pipelines

All of the above is designed to meet teams where they work:

  • CI-friendly by default. Use CI Bridge to orchestrate scans from Jenkins or GitHub Actions; for internal targets, secure connectivity is handled as part of the job.
  • Privacy by design. The model analyzes screenshots of rendered login screens; credentials and URLs stay within Polaris. Use dedicated test accounts and least-privilege access for MFA inboxes.
  • Audit-ready outcomes. Findings include request/response evidence and remediation guidance; exports to Jira/Azure DevOps carry the context engineers need to fix, not just to file.

What this unlocks

When authentication isn’t a blocker, dynamic analysis scales. Teams that used to spend days scripting per app can onboard in batches with a few inputs, use AI where it fits, and fall back to recordings for edge cases—without creating maintenance overhead. Combined with broader front-end coverage and targeted rule updates, the path from first setup to dependable authenticated results is dramatically shorter.
