AIMultiple Research

DAST Pricing: Comparison of Vendors' Fees in 2024

Updated on May 2
4 min read
Written by Altay Ataman

Altay is an industry analyst at AIMultiple. He has a background in international political economy, multilateral organizations, development cooperation, global politics, and data analysis.

He has experience working at private and government institutions. Altay discovered his interest in emerging tech after seeing its wide area of use in several sectors and acknowledging its importance for the future.

He received his bachelor's degree in Political Science and Public Administration from Bilkent University and his master's degree in International Politics from KU Leuven.

Dynamic Application Security Testing (DAST) tools play a crucial role in protecting web applications by detecting security flaws while the applications are running, so that they can be addressed before attackers find them. As online threats continue to advance, it is essential for organizations to choose the right DAST tool to ensure strong security measures are in place.

With over 20 DAST tools on the market, selecting the most suitable one can be challenging due to their different features and pricing options. The following are important to consider when it comes to pricing:

  • Features offered: The features included in a DAST tool affect its price. This is why some vendors offer different pricing tiers based on the features of their products. For example, Tenable offers two versions of its product, Nessus Pro and Nessus Expert. While the Pro version is less expensive than the Expert version, it lacks features such as Web Application Scanning and External Attack Surface Scanning (see Figure 3).
  • Licensing model: Some DAST tools are priced on a subscription model, billed monthly or annually, while others are priced by the number of scans or the number of resources covered. For example, Rapid7 InsightVM prices its service by the number of assets a customer wishes to cover (see Figure 4).
  • Free version with limited features: Some vendors offer a basic version of their product with limited features or capacity, and clients can upgrade to a paid version for additional functionality. Burp Suite Community Edition and the Indusface WAS Basic edition are examples of this.

We’ve compiled publicly available information on vendors’ pricing strategies, making it easy to get an overview and estimate the likely costs you may face.

Pricing for Different Companies

| Vendor | Free Trial | Price |
|---|---|---|
| Invicti | | Not shared publicly |
| Rapid7 InsightVM | ✅ (30-day) | Pricing is asset-based (at least 512 assets). |
| PortSwigger Burp Suite | Free Community edition | Professional edition: $449/person/year. Enterprise edition: $49,000/year. |
| Tenable Nessus | ✅ (7-day) | 3 pricing editions, from $3,990 to $5,990 annually. |
| NowSecure | | Not shared publicly |
| Indusface WAS | ✅ (14-day) | Free "Basic" plan. Advanced plan priced at $59 per month. Premium plan at $199 per month. |
| Contrast Assess | | Not shared publicly |
| Checkmarx DAST | | Not shared publicly |
| HCL AppScan | ✅ (30-day) | Not shared publicly |

Tenable Nessus

Tenable Nessus is offered in two versions, Nessus Pro and Nessus Expert. Each is sold as an annual subscription, but they differ in cost and features. Nessus Pro has the lower price, but it does not include all of the features offered in the Expert version (see Figures 1 and 2).

Figure 1. Nessus Pro Pricing [1]

Figure 2. Nessus Expert Pricing [2]

Figure 3. Tenable Nessus Expert vs Pro [3]

Rapid7 InsightVM

Rapid7's InsightVM uses a pricing model based primarily on the number of assets you wish to cover. Pricing begins at a minimum of 512 assets, billed annually. InsightVM also offers volume discounts, so the more assets you have, the lower the per-asset cost can be.

There are also other offerings within InsightVM's suite, such as application security testing, which costs around $2,000 per application, and log management, which costs $19 per GB. Note that these prices are indicative and may vary based on specific requirements and agreements with Rapid7.

Figure 4. InsightVM Pricing Model [4]

PortSwigger Burp Suite

PortSwigger’s Burp Suite offers several pricing models to accommodate different needs, ranging from individual use to large enterprise solutions.

Burp Suite Community: This version is free and is designed for manual security testing. The Community Edition includes essential features such as Burp Proxy, which lets you intercept traffic, and Burp Repeater, for manual testing of web applications. However, it lacks the automated scanning capabilities and other advanced features available in the Professional and Enterprise editions.

Burp Suite Professional: This edition is geared towards individual users and small teams. It requires an annual subscription; the cost is listed as $449 per user per year (Figure 5).

Burp Suite Enterprise Edition: This edition is designed for larger organizations with more extensive scanning needs and offers several plans (Figure 6). Note the significant price difference between the Cloud and Self-Hosted versions: the Classic plan of the Cloud version is €54,990 per year, while the Classic plan of the Self-Hosted version is €19,121 per year.

Figure 5. Burp Suite Professional Pricing [5]

Figure 6. Burp Suite Enterprise Edition Pricing [6]

Indusface WAS

Indusface WAS offers a subscription-based pricing model with several tiers to accommodate different needs and budgets. It provides a free Basic tier, an Advanced tier billed at $59 per app per month or $599 per app annually, and a Premium tier at $199 per app per month or $2,388 per app annually. Volume discounts are also available on contacting the sales team (see Figure 7).

Figure 7. Indusface WAS Pricing [7]

Are there open-source alternatives to commercial DAST tools?

Yes, there are several open-source DAST tools available, such as OWASP ZAP (Zed Attack Proxy) and Arachni. While these tools may not offer the same level of support and advanced features as commercial solutions, they can be a cost-effective option for organizations with limited budgets.

What are some best practices for maximizing the value of DAST tools?

To maximize the value of DAST tools, organizations should regularly update their testing methodologies to account for new threats and vulnerabilities, integrate DAST testing into the software development lifecycle (SDLC), prioritize and remediate identified vulnerabilities promptly, and invest in training to ensure that team members are proficient in using the tool effectively.

How can organizations determine which DAST tool is right for them?

Organizations should consider factors such as their budget, the specific security requirements of their applications, the level of expertise available within their team, and the scalability and flexibility of the DAST tool when evaluating their options.

Are there any additional costs associated with DAST tools?

In addition to the base licensing fees, organizations may incur additional costs for services such as training, implementation, integration with existing systems, and ongoing support and maintenance.

How do DAST tools differ from other security testing tools?

DAST tools primarily test applications from the outside in, probing the running application the way a potential attacker would. This contrasts with Static Application Security Testing (SAST) tools, which analyze the source code, and Interactive Application Security Testing (IAST) tools, which combine elements of both DAST and SAST.

Why are DAST tools important?

DAST tools are essential for organizations to ensure the security of their web applications. They help identify vulnerabilities that could be exploited by hackers, leading to data breaches, financial losses, and damage to the organization’s reputation.
