
SAST, DAST, and Runtime Testing Converge in AI-Powered Pipeline

Within eight weeks, Anthropic and OpenAI released free AI reasoning scanners, Invicti introduced DAST-to-SAST correlation, and Waratek embedded runtime verification in IDEs, converging the three pillars of application security testing at pipeline speed.

In this article
  1. What Invicti's Correlation Actually Does
  2. What to Watch For

On April 9, 2026, Invicti issued a press release from Austin, Texas, announcing a capability the application security market has chased for the better part of a decade: automated DAST-to-SAST correlation. The feature, Invicti stated, is "designed to help organizations rapidly identify and fix runtime vulnerabilities at pipeline speed." The announcement, carried by PRNewswire via Morningstar, landed 51 days after Anthropic released Claude Code Security and 34 days after OpenAI shipped Codex Security. The coincidence of timing is not an accident. The application security testing market, built for two decades on the three-legged stool of static analysis, dynamic analysis, and runtime instrumentation, is undergoing its fastest structural reordering since the shift-left movement began.

For most of the last fifteen years, SAST, DAST, and runtime testing operated in separate organizational silos. SAST scanned source code before deployment and produced findings developers often could not reproduce. DAST scanned running applications from the outside and produced findings developers often could not locate in code. Runtime tools like IAST and RASP sat in production or staging environments and produced signal that no one knew how to feed backward into the development pipeline. Each tool generated its own alert stream. Each alert stream had its own false-positive rate. And every triage queue was someone else's problem.

The false-positive problem alone has been severe enough to undermine SAST adoption inside large engineering organizations. A November 2025 study published by InfoWorld found that a "novel SAST-LLM mashup slashed false positives by 91% compared to a widely used standalone SAST tool." A 91% reduction is not an incremental improvement. It is a signal that traditional pattern-matching SAST, the kind built on taint analysis and predefined rule sets, was producing noise at a rate that made the entire category operationally questionable for DevOps teams working at modern release cadences. The InfoWorld finding became a reference point across the industry in early 2026, cited repeatedly by vendors making the case that AI-assisted correlation was not a feature but a category requirement.

Then came February and March. In a span of fourteen days, two of the largest AI labs turned their reasoning models on application security scanning, and the AppSec market noticed. On February 20, 2026, Anthropic released Claude Code Security, embedding the company's Opus-class reasoning model into a scanner that could read entire codebases, trace execution paths, and flag vulnerabilities by reasoning about programmer intent rather than matching signatures. On March 6, OpenAI answered with Codex Security, a scanner built on GPT-5-class reasoning that performed the same class of analysis but integrated directly into the ChatGPT and Codex developer surfaces. VentureBeat characterized the two-week window as the moment the labs "exposed SAST's structural blind spot," noting that both tools used "LLM reasoning instead of deterministic static analysis to find flaws that rule-based scanners miss."

The structural blind spot VentureBeat identified was not that traditional SAST missed vulnerabilities. It was that traditional SAST could not distinguish between a vulnerability an attacker could reach and a code pattern that merely looked suspicious. The AI reasoning scanners from Anthropic and OpenAI did something different. They could follow an attacker's likely path through a codebase, consider the runtime context without actually executing the application, and produce a finding that came with a chain of reasoning a developer could inspect and challenge. That reasoning chain is the critical difference. A SAST alert that says "SQL injection in line 427" demands a developer's time. A reasoning trace that says "user input from this endpoint flows to this query builder through these three functions, and here is why the sanitizer does not catch case X" gives the developer a starting point for a fix.

"If you think SAST and SCA are enough, you're already behind. The future of app security is posture, provenance and proof, not alerts."
CSOonline, January 2026

The CSOonline assessment, published in January 2026, captured a sentiment that had been building inside security engineering teams for years. The word "proof" is the operative one. A scanner that produces an alert has done half the job. A scanner that produces an alert accompanied by a verifiable chain of evidence has done most of the job. The remaining gap, the one Invicti's April announcement targeted, is whether that proof can be traced from the runtime exploit all the way back to the specific line of source code that introduced it. That gap is where DAST-to-SAST correlation lives.

By May, the AI reasoning scanner category had moved from experiment to enterprise procurement cycle. On May 12, 2026, OpenAI launched Daybreak, a broader cybersecurity initiative built on top of Codex Security that automated vulnerability detection and patching workflows, as MSN reported. Nineteen days later, on May 31, 2026, Tech Times reported that Anthropic's Claude Security had entered public beta, powered by Claude Opus 4.7, with IBM joining its Glasswing enterprise program after the scanner had found 10,000 flaws during the trial period. The number is worth pausing on. Ten thousand flaws found by one reasoning model during a single beta program suggests the legacy SAST tools deployed inside those same organizations were missing vulnerabilities at a rate that was not marginal but structural.

While the AI labs were capturing headlines, the runtime testing segment was undergoing its own quiet transformation. On March 18, 2026, Waratek launched its IAST product at JavaOne, making a claim that cut directly at the false-positive problem that had weakened SAST: the company stated that Waratek IAST "reports flaws that are exploitable with 100% accuracy," as carried by The Shreveport Times. The 100% figure is a precision claim, not a recall claim. It means that every finding Waratek IAST reports has been observed during actual application execution. A finding that is observed at runtime is not a theoretical vulnerability. It is a verified fact. The tradeoff, familiar to anyone who has deployed runtime instrumentation, is that IAST only sees the code paths that are actually exercised during testing. SAST sees all paths but cannot verify reachability. DAST sees reachable paths but cannot pinpoint source. Each leg of the triad sees part of the truth.
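The precision-versus-coverage tradeoff in that paragraph is easier to see in running code. The Python below is an added illustration written for this article, not Waratek's product or any vendor's agent. The agent class, the three request handlers and the two functional tests are all constructed, and the taint check is deliberately simple: a request value that appears verbatim in the SQL text was concatenated in rather than bound as a parameter. Running the tests that happen to exist makes the agent report only the flaw in the handler those tests exercise; the identical flaw in the handler no test touches is never observed and therefore never reported, which is the coverage gap the paragraph describes.

```python
import sys
from functools import wraps


class IastAgent:
    """Minimal IAST-style agent (constructed for illustration). It hooks the
    places where request data enters (sources) and where SQL is executed
    (sinks), and only reports what it actually observes during execution."""

    def __init__(self):
        self.registered = set()   # every handler the agent instrumented
        self.exercised = set()    # handlers that were entered during the run
        self.tainted = {}         # request values seen so far: value -> source name
        self.findings = []

    def instrument(self, handler):
        self.registered.add(handler.__name__)

        @wraps(handler)
        def wrapper(*args, **kwargs):
            self.exercised.add(handler.__name__)
            self.tainted = {}     # each request starts with an empty taint set
            return handler(*args, **kwargs)
        return wrapper

    def source(self, name, value):
        """Mark a request value as attacker-controlled."""
        if isinstance(value, str) and value:
            self.tainted[value] = name
        return value

    def sink_execute(self, sql, params=()):
        """Stand-in for cursor.execute. A tainted value that shows up verbatim
        in the SQL text was concatenated in, not bound as a parameter."""
        frame = sys._getframe(1)  # the handler that called the sink
        for value, name in self.tainted.items():
            if value in sql:
                self.findings.append({
                    "handler": frame.f_code.co_name,
                    "sink_line": frame.f_lineno,
                    "source": name,
                    "evidence": sql,
                })
        return f"executed {sql!r} with {params!r}"  # no real database here


agent = IastAgent()

# --- Constructed application code under test ---------------------------------

@agent.instrument
def get_user(user_id):
    uid = agent.source("path:id", user_id)
    return agent.sink_execute("SELECT * FROM users WHERE id = " + uid)  # concatenation

@agent.instrument
def delete_user(user_id):
    uid = agent.source("path:id", user_id)
    return agent.sink_execute("DELETE FROM users WHERE id = " + uid)  # same flaw, no test

@agent.instrument
def search(term):
    q = agent.source("form:q", term)
    return agent.sink_execute("SELECT * FROM users WHERE name = ?", (q,))  # bound parameter

# --- The functional tests that happen to exist -------------------------------

def run_test_suite():
    """Exercise the handlers the test suite covers and return the agent's report."""
    get_user("1007")
    search("alice")
    return {
        "findings": agent.findings,
        "exercised": sorted(agent.exercised),
        "unexercised": sorted(agent.registered - agent.exercised),
    }


if __name__ == "__main__":
    report = run_test_suite()
    for f in report["findings"]:
        print(f"observed: {f['source']} reaches SQL text in {f['handler']} (line {f['sink_line']})")
    print("never exercised, so never reported:", report["unexercised"])
```

Every entry in the report's findings list is backed by an execution that actually happened, which is what a runtime precision claim amounts to; the unexercised list is the part of the application the agent can say nothing about, and it is the reason IAST results have to be read alongside a coverage figure.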

What Invicti's Correlation Actually Does

Invicti's DAST-to-SAST correlation capability, announced on April 9, 2026, addresses the handoff between the dynamic and static legs. When Invicti's DAST scanner identifies a confirmed runtime vulnerability on a staging or production application, the new correlation engine maps the HTTP request, the injected payload, and the application's response back to the specific source-code location where the vulnerable code path begins. A developer receiving that correlated finding sees not only the DAST proof of exploitability but also the SAST trace showing the precise file, line number, and data flow that produced the vulnerability. The remediation workflow, Invicti argued in its press release, collapses from a multi-team investigation into a single ticket that a developer can resolve at pipeline speed.

The technical challenge that made DAST-to-SAST correlation difficult for years is the impedance mismatch between the two testing modalities. A DAST scanner interacts with an application through HTTP requests. It has no access to source code, no knowledge of internal variable names, and no visibility into the framework routing logic that maps URLs to handler functions. A SAST scanner, conversely, has full access to source code but no knowledge of how the running application processes a specific request payload. Mapping a DAST finding to a SAST location requires the correlation engine to reconstruct the application's internal routing graph, match the DAST request pattern to the correct handler, and then trace the payload through the SAST data-flow model. Invicti's announcement did not detail the specific technique the company uses to perform this mapping, but the availability of the capability as a commercial product marks a threshold: correlation that previously required manual forensics is now an automated step in the pipeline.
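The routing reconstruction and data-flow walk just described can be sketched in code. The Python below is an added illustration, not Invicti's engine or any product's code (as noted, the press release does not describe the technique used). The route table, the per-handler taint flows, the sanitizer models and the two DAST findings are constructed stand-ins for what a SAST export and a DAST report would contain. The same block also illustrates the reasoning-trace idea from the discussion of the Anthropic and OpenAI scanners: its output is a step-by-step chain from request parameter to sink, including a note on why a quote-stripping sanitizer does nothing to a payload that contains no quotes, and it flags the case where DAST evidence contradicts a parameterized static path as one that needs a reviewer rather than an auto-filed ticket.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, unquote


@dataclass
class Step:
    """One hop of a tainted value through the code, as a SAST tool would export it."""
    func: str
    file: str
    line: int
    note: str
    sanitizer: Optional[str] = None  # sanitizer applied at this hop, if any
    sink: bool = False               # True when this hop is the dangerous sink


# Constructed route table in Flask-style notation; <name> is a path parameter.
ROUTES = [
    ("GET", "/users/<id>", "get_user"),
    ("POST", "/search", "search"),
]

# Constructed per-handler taint flows, keyed by (handler, request parameter).
FLOWS = {
    ("get_user", "id"): [
        Step("get_user", "app/views.py", 41, "path parameter 'id' read into user_id"),
        Step("load_user", "app/services.py", 17, "user_id passed on as uid"),
        Step("build_query", "app/repo.py", 9, "uid concatenated into SQL text", sanitizer="strip_quotes"),
        Step("cursor.execute", "app/repo.py", 12, "SQL text executed", sink=True),
    ],
    ("search", "q"): [
        Step("search", "app/views.py", 58, "form field 'q' read into term"),
        Step("find_users", "app/repo.py", 30, "term bound as a query parameter", sanitizer="bind_param"),
        Step("cursor.execute", "app/repo.py", 31, "parameterized query executed", sink=True),
    ],
}

# Models of what each sanitizer does to a value. None means the value never
# becomes part of the SQL text at all (true parameter binding).
SANITIZERS = {
    "strip_quotes": lambda v: v.replace("'", "").replace('"', ""),
    "bind_param": lambda v: None,
}

# Constructed DAST findings: what a scanner reports after observing the behavior.
FINDING_SQLI = {
    "method": "GET", "url": "https://staging.example.test/users/1%20OR%201%3D1",
    "parameter": "id", "payload": "1 OR 1=1",
    "evidence": "response listed every user instead of one",
}
FINDING_SEARCH = {
    "method": "POST", "url": "https://staging.example.test/search",
    "parameter": "q", "payload": "x OR 1=1",
    "evidence": "scanner flagged a response difference",
}


def compile_route(pattern):
    """Turn '/users/<id>' into a regex with a named group per path parameter."""
    return re.compile("^" + re.sub(r"<(\w+)>", r"(?P<\1>[^/]+)", pattern) + "$")


def match_route(method, path):
    """Reconstruct the routing step: which handler serves this request?"""
    for route_method, pattern, handler in ROUTES:
        if route_method == method and compile_route(pattern).match(path):
            return handler
    return None


def correlate(finding):
    """Map one DAST finding to the static flow it exercised and explain, hop by
    hop, what happened to the payload on the way to the sink."""
    path = unquote(urlsplit(finding["url"]).path)
    handler = match_route(finding["method"], path)
    if handler is None:
        return {"status": "unmatched", "reason": f"no route for {finding['method']} {path}"}
    flow = FLOWS.get((handler, finding["parameter"]))
    if flow is None:
        return {"status": "unmatched",
                "reason": f"no tainted flow from '{finding['parameter']}' in {handler}"}
    value, chain = finding["payload"], []
    for step in flow:
        entry = f"{step.file}:{step.line} {step.func}: {step.note}"
        if step.sanitizer:
            after = SANITIZERS[step.sanitizer](value)
            if after is None:
                # Static model says the payload cannot reach SQL text, yet DAST saw
                # an effect: ambiguous mapping, route to a human instead of a ticket.
                chain.append(entry + f" [{step.sanitizer}: payload never enters SQL text]")
                return {"status": "needs_review", "handler": handler, "chain": chain,
                        "reason": f"DAST evidence contradicts the static model at {step.file}:{step.line}"}
            if after == value:
                entry += f" [{step.sanitizer} left payload unchanged: nothing to strip]"
            else:
                entry += f" [{step.sanitizer} changed payload to {after!r}]"
            value = after
        chain.append(entry)
        if step.sink:
            return {"status": "confirmed", "handler": handler,
                    "source": f"{flow[0].file}:{flow[0].line}",
                    "sink": f"{step.file}:{step.line}",
                    "payload_at_sink": value, "chain": chain}
    return {"status": "needs_review", "handler": handler, "chain": chain, "reason": "flow has no sink"}


if __name__ == "__main__":
    for finding in (FINDING_SQLI, FINDING_SEARCH):
        result = correlate(finding)
        print(result["status"], result.get("source", ""), "->", result.get("sink", ""))
        for hop in result.get("chain", []):
            print("   ", hop)
```

The output for the first finding is the single ticket the paragraph describes: a file and line where the tainted value enters, a file and line where it is executed, and a chain in between that states why the sanitizer on the way did not help. The second finding shows the other outcome a correlation engine has to handle honestly: when the static model and the dynamic evidence disagree, the right answer is "needs review", not a confident mapping.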

On June 3, 2026, Invicti bundled the correlation capability into a broader platform launch called Invicti AppSec Core, an all-in-one application security platform for DevSecOps teams, as Yahoo Finance reported. The platform play is consistent with how the market has been consolidating. The vision that emerges across the Invicti platform, the Anthropic and OpenAI reasoning scanners, and the Waratek IAST launch is of a testing stack that no longer treats SAST, DAST, and runtime as separate tools with separate dashboards but as three sensors feeding a single correlated findings pipeline.

Whether this single-vendor consolidation can become an industry-wide one is a question the market has not yet answered. A large enterprise today might run Snyk or GitHub Advanced Security for SAST, a separate DAST tool from Invicti or HCL AppScan, and a runtime agent from Contrast Security or Waratek. Each tool is procured by a different team, managed under a different budget, and integrated into a different stage of the CI/CD pipeline. The vision of a unified triad implies either that one vendor will own the entire stack or that an open standard for cross-tool correlation will emerge. Neither has happened yet. The Invicti announcement is a single-vendor solution to the correlation problem. The AI reasoning scanners from Anthropic and OpenAI are currently free and do not integrate with existing DAST or IAST tools at all. The pieces are arriving, but the integration layer that would make the triad actually work as a triad remains hand-assembled by security engineering teams.

There is also the question of what AI reasoning scanners do to the economics of the AppSec market. Claude Code Security and Codex Security were both released at no charge, a pricing strategy that has historically been a prelude to platform bundling rather than standalone monetization. If AI labs treat application security scanning as a feature of their developer platforms rather than a standalone product category, the existing SAST vendors face a pricing reset. The Forbes Technology Council framed the question in February 2026 as a shift from "shift left" to "shift smart," arguing that AI agents will replace static analysis by performing the same function with reasoning rather than rules. Whether replacement is the right word or not depends on whether the reasoning models can achieve recall parity with deterministic SAST on vulnerability classes that require precise taint tracking across large codebases. The recall question is still open.

The GovInfoSecurity webinar titled "The Brass Ring of AppSec: Is AI Finally Making DAST to SAST Correlation Possible?" that ran in late March 2026 captured the industry's mood. The title itself is revealing. DAST-to-SAST correlation has been described as the "brass ring" of application security for so long that its arrival, when it finally came, felt less like a breakthrough and more like a long-overdue delivery. The question mark in the webinar title reflected the skepticism that remained. Correlation is hard not because the algorithms are novel but because the underlying data models of SAST and DAST tools were never designed to interoperate. AI reasoning models can bridge that gap, but only if they have access to both the SAST and DAST data streams. Invicti solved this by owning both scanners. The industry-wide version of the solution does not yet exist.

What to Watch For

Four things will determine whether the SAST-DAST-runtime convergence actually delivers on the promise of pipeline-speed remediation. First, the false-positive rate of the correlated findings. If DAST-to-SAST correlation produces a finding that a developer can act on without a second round of triage, the time-to-fix compression is real. If the correlation engine produces ambiguous mappings that require a security engineer to validate, the bottleneck merely moves from one queue to another. Second, the integration surface between AI reasoning scanners and runtime instrumentation. At present, Anthropic and OpenAI scanners operate on source code alone, with no runtime telemetry. Waratek IAST operates on runtime execution alone, with no static reasoning. The combination of the two would be more powerful than either alone, but nobody has shipped it yet.

Third, the procurement question. Enterprises do not buy application security testing tools the way they buy developer tools. The AppSec procurement cycle runs through the CISO's office, involves a proof-of-value period, and typically takes nine to eighteen months from evaluation to deployment. The AI labs shipping free scanners into developer workflows are bypassing this procurement cycle entirely, creating a shadow AppSec stack that the CISO may not know exists. When a developer runs Claude Code Security on a repository without telling the security team, the findings are invisible to the organization's risk dashboard. Fourth, and most important, is the recall question on AI reasoning scanners. A scanner that produces fewer false positives but misses a class of vulnerability that deterministic SAST would catch is not an improvement; it is a tradeoff. No public third-party benchmark has yet measured the recall of Claude Code Security or Codex Security against the OWASP benchmark or the NIST Juliet test suite. Until those benchmarks exist and are published, security directors are making procurement decisions on incomplete information.

The eight weeks between mid-February and mid-April 2026 compressed more change into the application security testing market than the preceding five years combined. The SAST-DAST-runtime triad, long an architectural diagram that no one could operationalize at pipeline speed, is now being rebuilt by vendors who recognize that correlation, reasoning, and runtime verification are not separate products but a single problem. The Invicti DAST-to-SAST correlation capability that shipped on April 9 is one piece. The AI reasoning scanners from Anthropic and OpenAI are another. Waratek's IAST is a third. No one has yet assembled all three into a single pipeline. The team that does will have answered the question the CSOonline piece posed in January: what comes after SAST, SCA, and DAST. The answer, when it arrives, will not be another scanner. It will be a system that produces proof.
