Imagine a mystery shopper entering a store. They do not know the internal rules, the staff manual, or the system behind the counter. They just test the service and see what really happens. DAST works the same way: it tests the real behavior of the application, not the code behind it.
DAST tools send real requests to the application. They try common attack patterns such as SQL injection, cross-site scripting (XSS), parameter tampering, and authentication bypass. They also check security headers and TLS configuration. This is one of the most useful testing tools for identifying vulnerabilities without touching the code.
The main strength of DAST is that it does not depend on the development team or on source code access. It can test software built in-house, purchased software, or an application maintained by a third party. It is also close to real-world attacks, because it checks what is actually reachable from outside.
The main limit is coverage. DAST only sees what is exposed at runtime. If a test scenario does not trigger a certain code path, the issue may remain hidden. DAST also needs a working version of the application, which means you need a stable environment before you can test it properly.