Fluid Attacks

Category: DAST
License: Commercial
Suphi Cankurt
+8 Years in AppSec
Updated May 19, 2026
6 min read
Key Takeaways
  • Fluid Attacks combines DAST, SAST, SCA, and PTaaS with human expert verification for near-zero false positive rates.
  • Designated CVE Numbering Authority and CASA tier 2 approved, supporting 13+ languages including Java, Python, Go, and Swift.
  • AI-powered scanning is validated by human security experts who verify findings before they reach development teams.
  • Continuous Hacking model provides ongoing penetration testing rather than point-in-time assessments.
Latest Updates
  • Fluid Attacks migrates platform authentication to Auth0 (removing OTPs for Google, Microsoft, and Bitbucket logins) and announces ISO/IEC 27001:2022 and 27701:2019 certification, SOC 2 Type II / SOC 3 attestations, and PCI DSS v4.0.1 validation.
  • VS Code Custom Fix panel adds Safe Update and Complete Fix options for vulnerable dependencies, the platform shows the percentage of repositories under assessment, the Lines table gains Supported and Tested columns, and the previously announced Docker image scanning and…
  • SCA fixes now present three remediation versions per vulnerable package (Minimal, Safe, Complete) for direct and transitive dependencies, the MCP server includes SAST and SCA scanners, package-manager coverage adds CocoaPods, Bun, and RubyGems .gemspec, and mobile findings…

Fluid Attacks combines DAST, SAST, SCA, and penetration testing in a single platform. Automated scanners find the bugs.

Their team of ethical hackers confirms the critical ones are real.

This two-layer approach, machine scanning plus human verification, is the main selling point. False positive rates stay very low because a person has actually validated exploitability before the finding reaches your dashboard.

The company is based in Colombia, became a CVE Numbering Authority in 2021, and their CLI tool is CASA tier 2 approved for Google Play compliance.

[Screenshot: Fluid Attacks vulnerability management dashboard with weakness list, severity overview, priority scores, and treatment status for an organization group]

Key features at a glance

Feature: Detail
Testing Methods: DAST, SAST, SCA, PTaaS, secure code review
SAST Languages: Java, Python, JS, TS, Go, Ruby, PHP, C#, C/C++, Kotlin, Swift, Scala
False Positive Approach: Deterministic detection + human expert verification
CVE Authority: CNA status since 2021 (can assign CVE identifiers)
CASA Compliance: Tier 2 approved for Google Play requirements
AI Fix Suggestions: Language- and framework-aware remediation guidance
API: GraphQL-based API for programmatic access
IDE Plugins: VS Code, IntelliJ, Cursor
Connectivity: Cloud (HTTPS/SSH), Egress (static IP), Connector (Cloudflare ZTNA)
Severity Scoring: CVSSF (proprietary metric beyond standard CVSS)

What is Fluid Attacks?

Most DAST tools are fully automated: you point them at a target, they scan, they report. Fluid Attacks takes a different approach by adding human verification on top of automated scanning.

The automated layer runs DAST against running applications, SAST against source code in 13 languages, and SCA against your dependency tree. Findings from all three scanners land in one dashboard with deduplication built in.

The human layer is where it gets interesting. Fluid Attacks’ team of certified ethical hackers reviews critical findings, confirms exploitability, and weeds out false positives.

They also run continuous penetration testing alongside the automated scans.

CVE Numbering Authority
Fluid Attacks has been a CNA since 2021, meaning they can assign CVE identifiers to vulnerabilities they discover during research and testing. This is unusual for a testing vendor and reflects active involvement in vulnerability disclosure.
Automated + Human
Automated scanners (DAST, SAST, SCA) run continuously. Ethical hackers verify critical findings and perform manual testing that automated tools can’t replicate.
Low False Positives

Deterministic detection patterns trigger only on confirmed vulnerabilities. Human verification adds a second filter.

When a finding hits your dashboard, it’s almost certainly real.

AI Fix Suggestions
For each finding, the platform generates fix recommendations specific to your programming language and framework. Not generic advice, but actual code-level guidance.
CASA Tier 2
The free CLI tool is approved by the App Defense Alliance for Google Play CASA compliance validation. Useful for mobile teams needing to pass Play Store security requirements.

Multi-methodology testing

All scan types run through one platform. DAST probes running applications with targeted attack patterns.

SAST reviews source code in 13 languages. SCA checks open-source dependencies for known vulnerabilities and license issues.

The OWASP Testing Guide recommends combining multiple testing methodologies because each catches different vulnerability classes: DAST finds runtime issues, SAST catches code-level flaws, and SCA surfaces vulnerable dependencies.

Results from all three appear in a single dashboard. Duplicate findings across methodologies get merged automatically, so you don’t waste time triaging the same bug reported by two different scanners.

[Screenshot: Fluid Attacks analytics dashboard showing an exposure-over-time chart with CVSSF scores trending from 2020 to 2023 and an exposure management percentage breakdown by quarter]

Connectivity options

Fluid Attacks supports three ways to reach your applications:

  • Cloud: HTTPS/SSH encrypted connections with OAuth, SSH, or HTTPS authentication
  • Egress: Cloudflare-based static IP whitelisting for firewall rules
  • Connector: Zero Trust Network Access via Cloudflare Tunnel for private network testing

The Connector option is worth noting: it lets Fluid Attacks scan internal applications without opening inbound firewall ports.

IDE integration
Fluid Attacks ships plugins for VS Code, IntelliJ, and Cursor that surface findings and AI-powered fix suggestions directly in your editor. Fixes come with code-level context for the specific language and framework you’re using.

How to use Fluid Attacks

1. Create a project: Sign up and configure your first application in the Fluid Attacks platform. Choose your connectivity method (cloud, egress, or connector).
2. Connect your repos: Link source code repositories for SAST and SCA. Configure Git access via SSH or HTTPS.
3. Set up DAST targets: Add target URLs for dynamic scanning. Configure authentication if testing protected areas.
4. Review findings: Check the unified dashboard for results across all scan types. Critical findings include human verification status and AI fix suggestions.

CI/CD integration

Fluid Attacks integrates with GitLab, Azure DevOps, and other CI/CD platforms. The pipeline can break builds when findings exceed your severity threshold.

# Using the Fluid Attacks Docker image
# Mounts the current directory at /code so the CLI can read config.yaml;
# the mount argument is quoted so paths containing spaces are passed intact.
docker run --rm -v "$(pwd):/code" fluidattacks/cli:latest \
  skims scan /code/config.yaml

Fluid Attacks primarily works through their platform for continuous scanning and human verification. The CLI tool (skims) takes a YAML configuration file that defines scan targets and rules.

For CI/CD integration, connect your repositories directly through the Fluid Attacks platform, which handles build-breaking policies and finding deduplication across scan types.
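The build-breaking policy described above (dedup across scan types, a severity threshold, and human verification status on critical findings) can be expressed as a small CI gate. The following is an added example written for this review; it is not Fluid Attacks' code, and the JSON finding shape (fields id, source, cwe, location, cvss, verified) and the sample report are constructed assumptions, not the platform's report format or API.

```python
"""Illustrative CI gate: fail a pipeline when verified findings exceed a
severity threshold. The finding shape is an assumption for this example and
is not the Fluid Attacks report format or API."""
from __future__ import annotations

import json
import sys
from dataclasses import dataclass

# Constructed sample report (not real scanner output): the same SQL injection
# reported by DAST and SAST at one location (merged below), one verified
# critical SCA finding, and one unverified high finding that a
# "verified-only" policy does not yet act on.
SAMPLE_REPORT = json.dumps([
    {"id": "f-1", "source": "DAST", "cwe": "CWE-89",
     "location": "api/orders.py:42", "cvss": 8.6, "verified": True},
    {"id": "f-2", "source": "SAST", "cwe": "CWE-89",
     "location": "api/orders.py:42", "cvss": 8.1, "verified": True},
    {"id": "f-3", "source": "SCA", "cwe": "CWE-1395",
     "location": "requirements.txt:pyyaml", "cvss": 9.8, "verified": True},
    {"id": "f-4", "source": "DAST", "cwe": "CWE-79",
     "location": "/search?q=", "cvss": 7.4, "verified": False},
])


@dataclass(frozen=True)
class Finding:
    id: str
    source: str
    cwe: str
    location: str
    cvss: float
    verified: bool


def load_findings(report_json: str) -> list[Finding]:
    """Parse the (assumed) JSON report into Finding records."""
    return [Finding(**item) for item in json.loads(report_json)]


def deduplicate(findings: list[Finding]) -> list[Finding]:
    """Merge findings that different scanners reported for the same weakness
    at the same location: keep the highest score, concatenate the sources,
    and treat the merged finding as verified if any copy was verified."""
    merged: dict[tuple[str, str], Finding] = {}
    for f in findings:
        key = (f.cwe, f.location)
        if key not in merged:
            merged[key] = f
            continue
        cur = merged[key]
        merged[key] = Finding(
            id=cur.id,
            source=f"{cur.source}+{f.source}",
            cwe=cur.cwe,
            location=cur.location,
            cvss=max(cur.cvss, f.cvss),
            verified=cur.verified or f.verified,
        )
    return list(merged.values())


def gate(findings: list[Finding], threshold: float,
         require_verified: bool = True) -> tuple[bool, list[Finding]]:
    """Return (should_fail, blocking_findings). With require_verified=True,
    only findings a human has confirmed can break the build, which is the
    point of the human-verification layer: unverified automated hits are
    triaged, not blocking."""
    blocking = [
        f for f in findings
        if f.cvss >= threshold and (f.verified or not require_verified)
    ]
    return bool(blocking), blocking


def run_gate(report_json: str, threshold: float = 9.0,
             require_verified: bool = True) -> int:
    """Deduplicate, apply the policy, print the blocking findings, and return
    the process exit code (1 breaks the build)."""
    findings = deduplicate(load_findings(report_json))
    fail, blocking = gate(findings, threshold, require_verified)
    for f in blocking:
        print(f"BLOCK {f.id} [{f.source}] {f.cwe} {f.location} cvss={f.cvss}")
    print(f"{len(findings)} unique findings after dedup; "
          f"{len(blocking)} block the build")
    return 1 if fail else 0


if __name__ == "__main__":
    sys.exit(run_gate(SAMPLE_REPORT))
```

In a pipeline you would point run_gate at the exported report instead of SAMPLE_REPORT and tune threshold to your own policy; the dedup key (weakness plus location) is the one choice worth revisiting, since DAST reports URLs while SAST and SCA report file paths, so cross-scanner merging only happens where the platform normalises locations.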

What does Fluid Attacks integrate with?

These integrations are how I plug Fluid Attacks into a broader DevSecOps workflow, alongside other options in the DAST tools landscape like Invicti when you want pure automation, or Burp Suite when manual testing leads.

Development
  • GitLab
  • Azure DevOps
  • Jira Cloud
  • VS Code
  • IntelliJ

When to use Fluid Attacks

Fluid Attacks makes sense when you want automated scanning verified by actual humans. The combination eliminates most false positives, but it costs more than pure-automation tools and the human review adds time to the triage cycle.

Good fit when you need:

  • Multi-methodology testing (DAST + SAST + SCA) in one place
  • Human expert verification of critical findings
  • Very low false positive rates
  • Continuous penetration testing alongside automated scanning
  • CASA tier 2 compliance for Google Play
  • CVE-level vulnerability research support

Teams that prioritize speed over accuracy, or those on a tight budget, may prefer fully automated DAST tools like StackHawk or ZAP.

For a comparison of testing approaches, see the guide on SAST vs DAST vs IAST. Fluid Attacks is for organizations willing to pay more for higher confidence in findings.

Teams focused purely on API security might also consider Escape, which specializes in business logic and BOLA detection.

How much does Fluid Attacks cost?

Fluid Attacks does not publish list prices on fluidattacks.com. Paid subscriptions are quoted by sales after a scoping conversation, and the human-verification component means pricing also factors in scope volume, a key cost driver beyond the automated scanners alone.

What drives cost is the number of applications under continuous testing, the testing methodologies enabled (DAST, SAST, SCA, plus optional manual pentest hours), and the depth of human review you select. The free CASA tier 2 CLI tool is the no-cost entry point for Google Play compliance validation.

I treat Fluid Attacks as an upper-mid-market platform; it sits in the price band you’d expect for a managed-service component layered on top of automated scanning. If you need a published-price option in the DAST tools landscape, StackHawk or open-source ZAP are easier to defend in procurement.

What are alternatives to Fluid Attacks?

If Fluid Attacks’ human-verification model or pricing posture does not fit, these are the alternatives I’d weigh in the DAST tools landscape:

  • Burp Suite Professional: Per-user annual license; verify pricing on portswigger.net before budgeting. The pentester standard for manual workflows; pair it with automated DAST rather than expecting full continuous coverage.
  • Invicti: Enterprise DAST with proof-based scanning and ASPM-style rollups. Better fit when you need broad regulated-industry compliance reporting and don’t need a managed human-review layer.
  • Acunetix: Sister product under Invicti Group, positioned for SMB and mid-market buyers. Same proof-based scanning core with lower entry friction. Stronger pure-DAST choice when human verification is not a requirement.
  • ZAP: The free OWASP scanner. Broader vulnerability coverage and authenticated scan support, no usage cap. Best when budget is the binding constraint and you can absorb manual triage internally.
  • Veracode DAST: Enterprise platform that bundles DAST, SAST, and SCA on a unified dashboard. Worth evaluating when your buyer profile is enterprise software security with FedRAMP or similar compliance pressures.

Frequently Asked Questions

What is Fluid Attacks?
Fluid Attacks is a Colombian security company that combines DAST, SAST, SCA, and penetration testing in one platform. Automated findings are verified by their team of ethical hackers, which keeps false positive rates very low.
Is Fluid Attacks free or commercial?
The full platform with human verification requires a commercial subscription. Their open-source CLI tool is free and CASA tier 2 approved for Google Play compliance validation.
What languages does Fluid Attacks support?
SAST covers 13 languages including Java, Python, JavaScript, TypeScript, Go, Ruby, PHP, C#, C, C++, Kotlin, Swift, and Scala. DAST and SCA are language-agnostic since they test running applications and dependencies respectively.
How does Fluid Attacks compare to alternatives?
The main differentiator is combining automated scanning with human expert verification. Most platforms are fully automated. Fluid Attacks uses ethical hackers to confirm critical findings, which reduces false positives but adds cost.
What is CASA tier 2 approval?
Cloud Application Security Assessment (CASA) tier 2 is a Google requirement for certain Play Store apps. Fluid Attacks’ CLI tool is one of the approved scanners for validating CASA compliance.