Dastardly Review 2026: Free DAST Tested

Dastardly is a free DAST scanner from PortSwigger that runs the Burp Suite scanning engine in a Docker container. Give it a URL, get JUnit XML results in under 10 minutes. No API keys, no configuration files, no account required.

PortSwigger built Dastardly for one purpose: fast, high-confidence security checks in CI/CD pipelines. It does not try to be a full DAST scanner.

It finds a focused set of vulnerabilities with minimal false positives.

Dastardly Docker scan run showing crawler output, three findings (Reflected XSS, CORS misconfiguration, vulnerable JS library), and exit code 1 failing the build

What are Dastardly’s key features?

Feature	Details
Price	Free, no limits
Scan engine	Burp Suite scanner core
Scan time	Under 10 minutes (hard cap)
Output	JUnit XML
Deployment	Docker container
Configuration	Zero — just provide a target URL
Auth scanning	Not supported
API keys	Not required

Burp Scanner Engine

Same detection logic that powers Burp Suite Professional, refined through PortSwigger’s decades of web security research and the Web Security Academy program.

10-Minute Cap

Every scan finishes within 10 minutes regardless of site size. This hard limit keeps Dastardly from becoming a bottleneck in your build pipeline.

Zero Configuration

No config files, API keys, or account setup. Run the Docker container with a target URL and get results. That is the entire workflow.

Dastardly is a black-box web vulnerability scanner — it tests a running application from the outside without source-code access. It does not perform authenticated dynamic scans, full SQL injection / XSS probing across every parameter, or API security testing against REST or GraphQL endpoints.

For those broader DAST capabilities — authenticated scans against logged-in user sessions, payload mutation across input vectors, and protocol-level API testing — I cover commercial scanners further down.

Vulnerability Coverage

Dastardly checks for a focused set of high-confidence vulnerability types. Reflected XSS appears in the OWASP Top 10 under injection flaws, and the Verizon DBIR consistently identifies web application attacks as one of the top breach vectors — making even this narrow coverage valuable as a CI/CD safety net.

Reflected cross-site scripting (XSS)
CORS misconfigurations
Vulnerable JavaScript dependencies
Content-type mismatches
Multiple content types specified
HTML does not specify charset
Duplicate cookies set

The limited scope is intentional. Every reported issue is a real problem worth fixing. Dastardly will not flood your pipeline with noise.

Dastardly vulnerability coverage table showing all 7 check types — Reflected XSS and CORS at High severity, vulnerable JS libraries and content-type issues at Medium, charset and duplicate cookies at Low — with note that everything is out-of-scope for full DAST

Focused by Design

Dastardly does not attempt full DAST coverage. It finds the most common, highest-confidence web vulnerabilities in under 10 minutes.

For deeper scanning with authenticated testing, see Burp Suite DAST edition.

CI/CD Integration

GitHub Actions

name: Security Scan
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  dast:
    runs-on: ubuntu-latest
    steps:
      - name: Run Dastardly
        uses: PortSwigger/dastardly-github-action@main
        with:
          target-url: "https://staging.example.com"

      - name: Upload Report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: dastardly-report
          path: dastardly-report.xml

Docker (any CI system)

docker run --user $(id -u) --rm \
  -v $(pwd):/dastardly \
  -e BURP_START_URL=https://your-app.example.com \
  -e BURP_REPORT_FILE_PATH=/dastardly/dastardly-report.xml \
  public.ecr.aws/portswigger/dastardly:latest

GitLab CI

dast:
  stage: test
  image: public.ecr.aws/portswigger/dastardly:latest
  variables:
    BURP_START_URL: "$STAGING_URL"
    BURP_REPORT_FILE_PATH: "/dastardly/gl-dast-report.xml"
  artifacts:
    reports:
      junit: gl-dast-report.xml

The JUnit XML output works natively with Jenkins, GitHub Actions, GitLab CI, CircleCI, Azure DevOps, and virtually every other build system.

How do I get started with Dastardly?

Pull the Docker image — docker pull public.ecr.aws/portswigger/dastardly:latest

Run a scan — Pass your target URL and an output file path. That is the only configuration.

Read the results — Open the JUnit XML file or let your CI system parse it. Each finding includes the vulnerability type, affected URL, and confidence level.

Best For

Teams that want a free, zero-friction security gate in CI/CD. Run it on every pull request. If Dastardly finds something, it is almost certainly real.

Think of it as a smoke test for web security, not a full assessment. When you need deeper scanning, upgrade to Burp Suite DAST.

What are Dastardly’s limitations?

Dastardly does not support authenticated scanning, custom scan profiles, or API specification imports. It cannot test pages behind login forms.

The 10-minute cap means large applications get incomplete coverage. It checks a narrow set of vulnerability types compared to full DAST tools .

For authenticated scanning, API testing, or full OWASP Top 10 coverage, you need a commercial DAST tool like Acunetix or Invicti .

Our free DAST tools guide covers other no-cost options, including ZAP which offers broader coverage. Dastardly is the entry point, not the replacement.

What are alternatives to Dastardly?

If Dastardly’s narrow coverage or unauthenticated-only scope blocks you, these are the alternatives I’d consider in the DAST tools landscape :

ZAP — The free OWASP scanner. Broader vulnerability coverage than Dastardly, supports authenticated scans, and handles API testing via OpenAPI imports. Heavier setup and longer scan times, but no usage cap.
Nuclei — Template-based scanner that runs YAML-defined checks across HTTP, DNS, TCP, and headless targets. Fastest CI option when you have a curated template set, though it’s not a crawler-driven web scanner.
Burp Suite Professional — Same engine as Dastardly with the full feature set: authenticated scans, manual proxy testing, extensions, and session handling. Per-user annual license — verify pricing on portswigger.net before budgeting.
StackHawk — CI-native DAST with API-spec imports and PR-blocking gates. Built for engineering teams that want a managed product around the ZAP engine.
Invicti — Enterprise DAST with proof-based scanning. Different price tier from Dastardly, but the right fit when you need authenticated coverage and compliance reporting at scale.

Visit Dastardly View source on GitHub (295★)

Frequently Asked Questions

What is Dastardly?

Dastardly is a free, lightweight DAST scanner from PortSwigger. It runs the Burp Suite scanning engine inside a Docker container, completes in under 10 minutes, and outputs JUnit XML for CI/CD integration.

Is Dastardly free?

Yes, completely free with no usage limits, no API keys, and no hidden tiers. PortSwigger positions it as an on-ramp to their commercial Burp Suite DAST product.

What vulnerabilities does Dastardly detect?

Dastardly checks for a focused set of high-confidence issues: reflected XSS, CORS misconfigurations, vulnerable JavaScript dependencies, content-type mismatches, missing charset declarations, and duplicate cookies. It prioritizes accuracy over breadth.

Can Dastardly do authenticated scanning?

No. Dastardly does not support authenticated scanning, custom configurations, or login sequences. It is designed as a quick security gate for unauthenticated surfaces only.

How does Dastardly compare to full DAST tools?

Dastardly trades coverage for speed and accuracy. It checks fewer vulnerability types but finishes in under 10 minutes with very few false positives. For deeper scanning, PortSwigger recommends upgrading to Burp Suite DAST.