Fluid Attacks

Category: DAST
License: Commercial

Fluid Attacks is a Colombian security company offering a holistic platform that combines DAST, SAST, SCA, penetration testing (PTaaS), and secure code review.

Their approach emphasizes deterministic vulnerability detection with AI-powered remediation guidance, keeping false positives exceptionally low.

What is Fluid Attacks?

Fluid Attacks takes a comprehensive approach to application security by combining automated scanning with human expert verification.

Rather than offering separate tools for each testing methodology, the platform provides unified coverage across static analysis, dynamic testing, and composition analysis, all backed by their team of ethical hackers.

The company became a CVE Numbering Authority (CNA) in 2021, meaning they can assign CVE identifiers to vulnerabilities they discover.

This status reflects their research capabilities and commitment to responsible disclosure.

Their open-source CLI tool is approved by the App Defense Alliance for validating CASA (Cloud Application Security Assessment) tier 2 requirements, making it valuable for organizations pursuing Google Play compliance.

Key Features

Multi-Methodology Testing

Fluid Attacks combines multiple testing approaches in one platform:

  • DAST: Dynamic scanning of running applications using refined attack vectors
  • SAST: Static code analysis across 30+ languages
  • SCA: Open-source dependency scanning with license compliance
  • PTaaS: Continuous penetration testing by certified ethical hackers
  • Secure Code Review: Manual analysis by security experts

Results from all methodologies appear in a single dashboard with deduplicated findings.

Deterministic Vulnerability Detection

The DAST scanner uses carefully refined attack patterns designed to trigger only when a genuine vulnerability exists.

By avoiding speculative or heuristic-based detection, Fluid Attacks maintains an industry-leading low false positive rate.

When a finding appears in the dashboard, development teams can trust that it represents a real security issue requiring remediation.

AI-Powered Fix Suggestions

For each detected vulnerability, the platform generates customized fix suggestions using generative AI.

These recommendations consider:

  • The specific programming language and framework
  • The context of the vulnerable code
  • Common remediation patterns
  • Security best practices for the technology stack

Developers receive actionable guidance rather than generic vulnerability descriptions.

Continuous Security Testing

Unlike point-in-time scans, Fluid Attacks provides continuous testing that monitors applications for new vulnerabilities as code changes.

The platform integrates with version control systems to:

  • Scan every commit and pull request
  • Track vulnerability trends over time
  • Alert teams to regressions
  • Enforce security gates before deployment

Expert Verification

Critical findings from automated scanning are verified by Fluid Attacks’ team of ethical hackers.

This human review layer confirms exploitability and ensures that reported vulnerabilities are genuine, further reducing noise for development teams.

How to Use Fluid Attacks

Getting Started

Sign up for the Fluid Attacks platform and configure your first project:

# Install the Fluid Attacks CLI
pip install fluid-attacks-cli

# Authenticate with your API key
fluid-attacks auth --api-key $FLUID_ATTACKS_API_KEY

# Initialize a project
fluid-attacks init --name "My Application" --type web

Configuring Scans

Create a configuration file for your project:

# .fluidattacks.yaml
project: my-application
target: https://staging.example.com

scans:
  dast:
    enabled: true
    crawl_depth: 5
    authentication:
      type: form
      login_url: /login
      credentials:
        username: ${FA_USERNAME}
        password: ${FA_PASSWORD}

  sast:
    enabled: true
    include:
      - src/
      - lib/
    exclude:
      - tests/
      - vendor/

  sca:
    enabled: true
    package_managers:
      - npm
      - pip
      - maven

findings:
  severity_threshold: medium
  fail_build: true

Running Scans

Execute security scans locally or in CI/CD:

# Run all configured scan types
fluid-attacks scan --config .fluidattacks.yaml

# Run only DAST
fluid-attacks scan --type dast --target https://staging.example.com

# Run SAST on local code
fluid-attacks scan --type sast --source .

# Check open-source dependencies
fluid-attacks scan --type sca

CI/CD Integration

Add Fluid Attacks to your build pipeline:

# GitHub Actions
name: Security
on:
  push:
    branches: [main]
  pull_request:

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.11'

      - name: Install Fluid Attacks CLI
        run: pip install fluid-attacks-cli

      - name: Run SAST scan
        run: |
          fluid-attacks auth --api-key ${{ secrets.FA_API_KEY }}
          fluid-attacks scan --type sast --source .

      - name: Deploy to staging
        run: ./deploy-staging.sh

      - name: Run DAST scan
        run: |
          fluid-attacks scan --type dast \
            --target ${{ vars.STAGING_URL }} \
            --wait

      - name: Check findings
        run: |
          fluid-attacks findings list \
            --severity high,critical \
            --fail-on-findings

GitLab CI integration:

include:
  - remote: 'https://fluidattacks.com/gitlab-template.yml'

stages:
  - test
  - security
  - deploy

sast-scan:
  stage: security
  image: fluidattacks/scanner:latest
  script:
    - fluid-attacks auth --api-key $FA_API_KEY
    - fluid-attacks scan --type sast --source .
  artifacts:
    reports:
      sast: gl-sast-report.json
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"

dast-scan:
  stage: security
  image: fluidattacks/scanner:latest
  needs:
    - deploy-staging   # deploy job (not shown here) must finish before DAST runs
  script:
    # Each GitLab job runs in a fresh container, so authenticate again here
    - fluid-attacks auth --api-key $FA_API_KEY
    - fluid-attacks scan --type dast --target $STAGING_URL
  artifacts:
    reports:
      dast: gl-dast-report.json

Viewing Results

Access findings through the web dashboard or CLI:

# List all findings
fluid-attacks findings list

# Filter by severity
fluid-attacks findings list --severity critical,high

# Export to SARIF
fluid-attacks findings export --format sarif --output results.sarif

# Get fix suggestions
fluid-attacks findings describe VULN-12345 --include-fix
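The SARIF export above is the natural input for a build gate that enforces the `severity_threshold` / `fail_build` policy from the configuration file. The following is an added example, not Fluid Attacks' own code: it parses a SARIF 2.1.0 document, normalizes each result to a severity name, and returns a CI exit status. The standard SARIF fields (`runs`, `results`, `level`, `ruleId`, `locations`) are real; the `properties.severity` field and the sample document are assumptions constructed for the example.

```python
import json
import sys

# Severity scale, least to most severe; SARIF `level` maps onto it when no vendor severity is present.
SEVERITY_ORDER = ["low", "medium", "high", "critical"]
LEVEL_TO_SEVERITY = {"note": "low", "warning": "medium", "error": "high"}

# Constructed sample SARIF document for offline runs; not real scanner output.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-scanner"}},
    "results": [
        {"ruleId": "sql-injection", "level": "error",
         "properties": {"severity": "critical"},  # assumed vendor severity field
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/db.py"}}}]},
        {"ruleId": "missing-csp-header", "level": "warning",
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "https://staging.example.com/"}}}]},
        {"ruleId": "verbose-banner", "level": "note"},
    ]}]})

def result_severity(result):
    """Normalize one SARIF result to a name in SEVERITY_ORDER."""
    sev = str((result.get("properties") or {}).get("severity", "")).lower()
    if sev in SEVERITY_ORDER:
        return sev
    return LEVEL_TO_SEVERITY.get(result.get("level", "warning"), "medium")

def findings_at_or_above(sarif_text, threshold):
    """Return (ruleId, severity, location) for results in sarif_text at or above threshold."""
    floor = SEVERITY_ORDER.index(threshold)
    hits = []
    for run in json.loads(sarif_text).get("runs", []):
        for res in run.get("results", []):
            sev = result_severity(res)
            if SEVERITY_ORDER.index(sev) < floor:
                continue
            loc = (res.get("locations") or [{}])[0]
            uri = loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri", "<unknown>")
            hits.append((res.get("ruleId", "<no-rule>"), sev, uri))
    return hits

def gate(sarif_text, threshold="medium"):
    """Exit status for CI: 0 when nothing blocks the build, 1 when blocking findings exist."""
    hits = findings_at_or_above(sarif_text, threshold)
    for rule, sev, uri in hits:
        print(f"BLOCKING {sev.upper():<8} {rule} at {uri}")
    return 1 if hits else 0

if __name__ == "__main__":  # usage: python gate.py results.sarif [threshold]
    with open(sys.argv[1], encoding="utf-8") as fh:
        sys.exit(gate(fh.read(), sys.argv[2] if len(sys.argv) > 2 else "medium"))
```

Point it at the file written by `fluid-attacks findings export --format sarif --output results.sarif`; an unknown threshold name raises ValueError, which also fails the pipeline step.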

When to Use Fluid Attacks

Fluid Attacks suits organizations seeking comprehensive security testing with minimal false positives.

The combination of automated scanning and human verification provides high confidence in findings.

Consider Fluid Attacks when you need:

  • Multi-methodology testing (DAST, SAST, SCA) in one platform
  • Low false positive rates through deterministic detection
  • AI-generated remediation guidance for faster fixes
  • Human expert verification of critical vulnerabilities
  • Continuous penetration testing alongside automated scanning
  • CASA tier 2 compliance for Google Play requirements
  • CVE research and responsible disclosure support

The platform is particularly valuable for organizations that have struggled with high false positive rates from other tools, or those seeking to augment automated testing with expert human review.