SAST/DAST Detection Rate Benchmark
These benchmarks measure how accurately SAST and DAST tools find real vulnerabilities, reporting recall, precision, and false-positive rate against a labeled ground-truth corpus. Per-category breakdowns and false-positive rates drive real tool selection.
SAST/DAST detection rate benchmarks evaluate how well application security testing tools find genuine vulnerabilities. Static Application Security Testing (SAST) analyzes source or compiled code without running it; Dynamic Application Security Testing (DAST) probes a running application from the outside. The benchmark scores each tool's ability to detect real flaws while minimizing false alarms.
These benchmarks are critical because security tools are judged less on raw findings count than on signal quality. A tool that floods developers with false positives gets ignored, while one that misses real issues provides false assurance.
What It Measures
Core metrics are recall (true vulnerabilities found divided by all true vulnerabilities present), precision (true findings divided by all findings reported), false-positive rate, and a combined F-score. Results are usually broken down by vulnerability class (injection, cross-site scripting, broken access control, secrets exposure) because tools vary widely by category.
Methodology
Benchmarks use test suites with a known ground truth, where every real vulnerability and safe construct is labeled in advance. Standardized corpora such as the OWASP Benchmark, deliberately vulnerable applications, or curated real-world codebases provide this ground truth. Each tool scans the corpus, and findings are matched against the labels to count true positives, false positives, and false negatives. From these counts the benchmark computes recall, precision, and F-score overall and per category. Fair comparison fixes the same test set, the same vulnerability taxonomy, and consistent rules for what counts as a match. DAST benchmarks additionally require the application to be deployed and reachable, with authentication and crawling configured equivalently across tools.
How to Interpret Results
Recall and precision must be read together: a tool can achieve perfect recall by reporting everything, but its precision and developer trust will collapse. Look at per-category breakdowns, because SAST excels at data-flow issues while DAST excels at runtime and configuration issues; the two are complementary, not interchangeable. A high false-positive rate predicts alert fatigue and is often the deciding factor in adoption. Compare tools only on the same corpus, since scores are meaningless across different test sets. Treat synthetic-corpus scores as a relative ranking rather than an absolute promise of real-world performance.
Limitations
Synthetic benchmarks like OWASP Benchmark contain patterns that tools can be tuned to recognize, inflating scores relative to messy real code. Ground-truth labeling is hard and disputed, especially for context-dependent issues like access control. SAST and DAST cover different vulnerability classes, so a single combined score can mislead. Real performance depends heavily on configuration, custom rules, and how findings integrate into developer workflow, none of which a static benchmark captures. Scores should guide tool selection, not replace evaluation on your own codebase.