IAST (Interactive Application Security Testing)
IAST instruments the running application and observes data flow live — combining DAST's runtime view with SAST's taint reasoning.
Definition
Interactive Application Security Testing (IAST) combines aspects of SAST and DAST by instrumenting the running application (typically via an agent that hooks into the language runtime) and observing taint flow as real or synthetic traffic exercises it. The instrumentation tells you "input from this endpoint reached a SQL execution sink unsanitised at this stack frame" — closer to a DAST finding's reachability evidence than to SAST's hypothesis.
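The taint observation described above, as an added example that is not taken from any IAST product: a `Tainted` string type stands in for the agent's source hook and an `sqlite3.Connection` subclass stands in for its sink hook. All names here (`Tainted`, `InstrumentedConnection`, `request_param`, `find_user_concat`, `find_user_bound`, `FINDINGS`) and the sample request are constructed for illustration.

```python
import sqlite3
import traceback
FINDINGS = []  # what an agent would report to its console or CI gate

class Tainted(str):
    """A str that remembers which untrusted source it came from."""
    def __new__(cls, value, source):
        obj = super().__new__(cls, value)
        obj.source = source
        return obj
    # Taint survives concatenation; a real agent also covers format(), join(), etc.
    def __add__(self, other):
        return Tainted(str.__add__(self, other), self.source)
    def __radd__(self, other):
        return Tainted(str.__add__(other, self), self.source)

class InstrumentedConnection(sqlite3.Connection):
    """Sink hook: inspects the SQL text just before it is executed."""
    def execute(self, sql, params=()):
        if isinstance(sql, Tainted):
            caller = traceback.extract_stack(limit=2)[0]  # frame that called the sink
            FINDINGS.append({"sink": "sqlite3.execute", "source": sql.source,
                             "function": caller.name, "line": caller.lineno})
        return super().execute(str(sql), params)

def request_param(endpoint, value):
    """Source hook: everything read from a request is marked tainted."""
    return Tainted(value, source=endpoint)

def find_user_concat(db, name):
    # Untrusted data becomes part of the SQL text: reported.
    return db.execute("SELECT id FROM users WHERE name = '" + name + "'").fetchall()

def find_user_bound(db, name):
    # Untrusted data is bound as a parameter, the SQL text stays clean: not reported.
    return db.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()

def run_demo():
    FINDINGS.clear()
    db = sqlite3.connect(":memory:", factory=InstrumentedConnection)
    db.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'alice')")
    name = request_param("GET /users?name=", "alice")  # constructed benign traffic
    rows = (find_user_concat(db, name), find_user_bound(db, name))
    db.close()
    return rows, list(FINDINGS)

if __name__ == "__main__":
    print(run_demo())
```

Both lookups return the same row for ordinary traffic, yet only the concatenating one produces a finding, which is the difference between observing data flow and observing responses.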
IAST is widely adopted in CI/CD-integrated security programs at large organisations. Open-source IAST is uncommon; the space is dominated by commercial vendors.
Mitigation
Not applicable.