Dynamic Application Security Testing treats the app as a black box. It drives a deployed instance with crafted HTTP requests, a headless browser, or a fuzzing harness, and watches how the system responds: does an unauthenticated request reach an admin route, does the login form leak which usernames exist, are security headers present, does a malformed payload trigger a 500 with a stack trace.
DAST's strength is that it sees the system as an attacker does — the real deployment, with its real configuration, middleware, and infrastructure. It finds whole categories of issue that source analysis structurally cannot: a reverse proxy that forwards an internal header, a cookie missing the Secure flag in production, a content-security-policy that was never applied.
The cost is that DAST needs something running and reachable, it lands later in the lifecycle, and a finding tells you the symptom (an exposed endpoint) without always pointing at the line of code responsible. Good pipelines run DAST against staging on every deploy and feed the results back to the team that owns the code.
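The response-side checks named above (security headers present, the Secure flag on cookies, a 500 that carries a stack trace), written as an added example that is not from the original page. It evaluates one captured response from a staging deploy. The required-header baseline, the finding IDs and the sample response are assumptions constructed for illustration.

```python
import re
from http.cookies import SimpleCookie

# Assumed baseline of response headers; adjust to your own policy.
REQUIRED_HEADERS = ("content-security-policy", "strict-transport-security",
                    "x-content-type-options")
# Heuristic stack-trace markers (Python and Java/JS style); not exhaustive.
TRACE_RE = re.compile(
    r"Traceback \(most recent call last\)|^\s+at [\w.$<>]+ ?\(.*\)\s*$", re.MULTILINE)

def assess_response(status, headers, body):
    """Return sorted finding IDs for one captured HTTP response.

    headers is a list of (name, value) pairs so repeated Set-Cookie lines survive.
    """
    findings = set()
    present = {name.lower() for name, _ in headers}
    for required in REQUIRED_HEADERS:
        if required not in present:
            findings.add(f"missing-header:{required}")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)  # parses one Set-Cookie value and its attributes
        for cookie_name, morsel in jar.items():
            if not morsel["secure"]:
                findings.add(f"cookie-not-secure:{cookie_name}")
    if status >= 500 and TRACE_RE.search(body):
        findings.add("stack-trace-in-error")
    return sorted(findings)

# Constructed sample: what a misconfigured staging instance might return.
SAMPLE_STATUS = 500
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure"),
]
SAMPLE_BODY = ('Traceback (most recent call last):\n'
               '  File "app.py", line 12, in view\n'
               "KeyError: 'id'\n")

if __name__ == "__main__":
    for finding in assess_response(SAMPLE_STATUS, SAMPLE_HEADERS, SAMPLE_BODY):
        print(finding)
```

A pipeline stage can fail the deploy when the returned list is non-empty and attach the finding IDs to the ticket for the owning team.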