AI pen testing isn't replacing DAST.
It's replacing the $40k manual pentest you run twice a year.
Different cadence, different scope, different job.
Read the full breakdown of DAST vs. AI pentesting: www.stackhawk.com/blog/dast-vs...
Posts by StackHawk
StackHawk will be at @owasp.org SnowFROC '26 on April 16–17.
400 practitioners. Two days of talks and hands-on training.
If you're going and want to talk about how AppSec programs actually keep up with AI development velocity, come find us 🦅
snowfroc.com
That's a wrap on RSAC 2026.
It was a packed week of dinners, workshops, and incredible conversations with the AppSec community.
Big thanks to our partners, customers, and friends for making it one to remember.
Check out Payton O'Neal’s full recap: www.stackhawk.com/blog/rsac-20...
StackHawk is heading to @owasp.org BASC 2026 in Cambridge 🦅
April 11 at the Boston Marriott. We'll be there talking about how teams are running DAST and API security testing in CI/CD.
Come find us!
🔗basconf.org
On the night before SnowFROC 🏔️
We're joining Semgrep , SheHacksPurple, and OWASP for a panel on AI agents in AppSec.
Register here: semgrep.dev/events/agent...
StackHawk CSO & Co-founder Scott Gerlach is joining Semgrep at RSAC for an interactive demo.
When: March 25, 10 AM PT in SF
Can't make it? Catch us at Semgrep's booth #1743 on March 24 at 11 AM PT for an in-person demo on the floor.
Register here: semgrep.dev/events/sast-...
The Women in Security Documentary is an award-winning film on the real stories behind women shaping the security industry.
The San Francisco premiere is a red carpet event at AMC Metreon 16 on March 24 and 25 at 4 PM PT.
Register here: docs.google.com/forms/d/e/1F...
JSON-RPC powers blockchain, IoT, MCP, and most DAST tools completely ignore it.
The attack surface hides in the method namespace, not the URL. StackHawk now fuzzes every method, every parameter. REST, GraphQL, gRPC, and now JSON-RPC.
We test it all.
stackhawk.com/blog/json-rp...
Joe Sullivan (former CSO at Uber, Facebook, and Cloudflare) is leading a fireside chat at RSAC.
StackHawk is co-hosting with @endorlabs.bsky.social, Cyberhaven, and Brinqa.
Learn more and RSVP here: www.endorlabs.com/events/ciso-...
We’re excited to welcome Regional Sales Director Suzy McClure to the team!
Suzy has spent 15+ years in SaaS and cybersecurity sales, with deep channel experience at every stop.
Welcome to the flock, Suzy!
We're a proud sponsor of PBC Connect at RSAC 2026 with ArmorCode Inc.
The Purple Book Community is bringing together CISOs and security leaders for a full day of panels and networking at RSAC.
Register for free here: thepurplebook.club/pbc-connect-...
Get Joe’s full take on why he’s excited to be joining StackHawk’s BOD: stackhawk.com/blog/joe-sul...
Joe Sullivan's word for 2026: runtime.
He led security at Meta, Uber, and Cloudflare. His read: AI tools are solving code-level security. Runtime is what’s needed.
That's exactly what StackHawk is built for. And that’s why he's joining our board.
Welcome, Joe!
Copilot. Cursor. Full APIs in an afternoon.
New endpoints. New attack surface. Nothing in any spec.
Security testing not in the pipeline doesn't run at all.
The AI-DLC changed everything → www.stackhawk.com/blog/what-is...
Where you run DAST determines what you can actually test for.
No single stage catches everything. Each one tests what the others can't. That only works if your scanner can actually run at every stage.
That's the architecture StackHawk was built on.
www.stackhawk.com/blog/dast-in...
ICYMI, AppSec is in a full-blown hype cycle. Everyone has a hot take. But at the end of the day, AppSec testing tools are here to stay.
In this Q&A with @helpnetsecurity.com, StackHawk’s CEO Joni Klippert breaks down the nuances of using AI when it comes to DAST.
Learn more 👇
Most teams don't fail ISO 27001 audits because they skipped security testing.
They fail because they can't prove it was systematic.
A pentest from last quarter isn't a process. CI/CD-native DAST is.
stackhawk.com/blog/iso-270...
AI is breaking AppSec testing.
Alerts multiply, static analysis gets automated—but is a vuln exploitable in YOUR environment?
That requires runtime. Business logic, broken auth, prompt injection live only at runtime.
DAST's moment is here.
www.cybersecuritydive.com/spons/the-fu...
BFLA isn't about accessing someone else's data.
It's about performing actions your role shouldn't allow.
Your API checks authentication ✅
But forgets authorization ❌
Regular users executing DELETE requests. #5 on the OWASP API Security Top 10.
www.stackhawk.com/blog/underst...
90% test coverage of 60% of your attack surface isn't coverage. It's false confidence.
Only 30% of AppSec teams are "very confident" they know what exists in their environment.
Intelligence = context + action. Most programs have neither.
Learn more 👉
www.stackhawk.com/blog/appsec-...
StackHawk is sponsoring GuidePoint CKO in Orlando this week and is excited that GuidePoint is an inaugural partner for our new SHARP program.
Connecting with security teams about application security testing and shift-left strategies.
www.stackhawk.com/blog/introdu...
Authentication vs Authorization.
Most developers know the difference, but BOLA vulnerabilities say otherwise.
BOLA has been the #1 API risk since 2019. Not because it's complex, but because it's easy to overlook. www.stackhawk.com/blog/underst...
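The BFLA and BOLA posts above describe the same missing layer: the API knows who is calling but never asks whether that caller may invoke this function (BFLA) or touch this record (BOLA). The example below is added here and is not StackHawk's code; it contrasts a handler that only authenticates with one that also authorizes, using constructed users, documents and a made-up "token-<user>" scheme.

```python
import copy

# Constructed sample data (not from the original post): users with roles, docs with owners.
USERS = {"alice": "user", "bob": "user", "carol": "admin"}
SAMPLE_DOCS = {101: {"owner": "alice"}, 202: {"owner": "bob"}}

def authenticate(token):
    """Authentication only: constructed 'token-<user>' scheme; returns the user or None."""
    if not token.startswith("token-"):
        return None
    user = token[len("token-"):]
    return user if user in USERS else None

def handle_vulnerable(docs, token, method, doc_id):
    """The pattern the posts describe: the API checks WHO is calling and nothing else."""
    user = authenticate(token)
    if user is None:
        return 401
    if doc_id not in docs:
        return 404
    if method == "DELETE":       # any authenticated user can delete any document
        del docs[doc_id]
    return 200

def authorize(user, method, doc):
    """Two separate questions the vulnerable handler never asks."""
    role = USERS[user]
    if method == "DELETE":       # function-level (BFLA): may this role call DELETE at all?
        return role == "admin"
    if method == "GET":          # object-level (BOLA): may this caller touch THIS record?
        return role == "admin" or doc["owner"] == user
    return False                 # deny by default for any other method

def handle_hardened(docs, token, method, doc_id):
    user = authenticate(token)
    if user is None:
        return 401
    doc = docs.get(doc_id)
    if doc is None:
        return 404
    if not authorize(user, method, doc):
        return 403               # authenticated, but not authorized for this action/object
    if method == "DELETE":
        del docs[doc_id]
    return 200

def demo():
    """Same requests through both handlers; returns (vulnerable, hardened) status lists."""
    reqs = [("token-bob", "GET", 101),       # bob reads alice's doc: BOLA
            ("token-bob", "DELETE", 101),    # regular user issues DELETE: BFLA
            ("token-carol", "DELETE", 101),  # admin DELETE is legitimate
            ("token-nobody", "GET", 202)]    # unauthenticated caller
    vulnerable = [handle_vulnerable(copy.deepcopy(SAMPLE_DOCS), *r) for r in reqs]
    hardened = [handle_hardened(copy.deepcopy(SAMPLE_DOCS), *r) for r in reqs]
    return vulnerable, hardened
```

In `demo()` the vulnerable handler returns 200 for both the cross-user read and the regular-user DELETE, while the hardened one returns 403 for each and still lets the admin DELETE through.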
The problem isn't that AI writes vulnerable code. 🤖
The problem: when velocity increases 5-10x, findings increase 5-10x. 50% of AppSec teams spend 40%+ of their time just triaging.
Manual processes weren't built for this. www.stackhawk.com/blog/ai-codi...
4 business days to disclose material incidents + annual proof of risk management = you need proactive prevention.
Do you have complete attack surface visibility? Can you prove what was tested? Do you have metrics for board oversight?
Read more: stackhawk.com/blog/sec-cyb...
AppSec programs haven't evolved to match AI-driven development. Yet.
We're sponsoring Cycode's Product Security Summit on Jan 28 to dig into what's actually working.
Register here: cycode.com/product-secu...
🔍 Next week: API Security for the AI Era
Source-based discovery. LLM threat testing. Prevention before production.
Jan 27 | 3 PM ET
Don’t miss out! Register to save your spot → www.stackhawk.com/resources/gi...
The 2026 AppSec reality:
87% adopted AI coding assistants, but 50% spend 40%+ of their time just triaging alerts.
73% can't confidently answer board questions about risk posture.
Learn more: stackhawk.com/blog/2026-st...
Download the guide: stackhawk.com/resources/gu...
PCI DSS v4.0.1 is mandatory.
The shift: annual pen tests → continuous testing
StackHawk = pre-prod DAST in minutes, not hours. Runtime validation. AI-powered API discovery.
Read how we help meet the requirements 👇
www.stackhawk.com/blog/pci-dss...
⏰ 2 weeks: API Security for the AI Era
Why GigaOm recognized StackHawk: source-based discovery finds APIs before production.
Jan 27 | 3 PM ET
Learn the Discover → Test → Govern framework.
Register → www.stackhawk.com/resources/gi...
AI tools let devs generate complete APIs in minutes.
Traditional security tools? Still catching up weeks later.
We're demoing how StackHawk keeps pace at Liminal's AppSec in the Age of AI Demo Day.
📅 Jan 28 | Our session starts at 10:30 AM ET
liminal.co/demo-day/app...