AI-assisted development is increasing the volume and frequency at which applications are built and updated, putting pressure on AppSec teams to test more applications, more frequently, without scaling specialist resources at the same pace.
For many organizations, authenticated DAST has become one of the harder security workflows to scale operationally.
The authenticated DAST bottleneck isn’t the scan, it’s the onboarding
Most enterprise applications sit behind a login, which means dynamic testing requires a login macro: a recorded or scripted walkthrough of the application’s authentication flow. Building and maintaining those macros has traditionally required manual recording, scripting, and ongoing maintenance whenever interfaces or authentication flows changed.
OpenText recently launched Fortify DAST Aviator, a new capability inside Fortify DAST that automates login macro generation using LLM-driven analysis of authentication flows.
The impact is primarily operational:
- Time to first scan drops from hours or days to minutes
- Macro generation completes in seconds
- Teams no longer need to manually script login flows for every application
- Authenticated DAST coverage becomes easier to expand across large application portfolios
Authentication workflows are not simple browser automation tasks. Enterprise applications regularly involve redirects, MFA prompts, dynamically generated fields, session handling, and interfaces that change frequently. Reliability matters as much as automation speed.
Fortify DAST Aviator combines LLM-driven flow analysis with the existing object detection and execution capabilities of TruClient. The model analyzes the authentication flow, identifies required fields, handles redirects, and generates a structured, parameterized login macro automatically, while TruClient handles interaction execution.
The architecture also keeps credentials inside the customer environment. It does not transmit credentials to the underlying large language model or stored in the Fortify Aviator service. Aviator does not store application data beyond control and metric data such as accounts, licenses, and usage telemetry.
Organizations increasingly weigh that distinction as they evaluate where they will allow the deployment of AI-assisted tooling inside security programs.
Fortify DAST Aviator: From URL to authenticated scan in seconds
Fortify DAST has long supported authenticated scanning. ScanCentral DAST has long distributed workloads across sensor farms and Macros have long been integrated into CI/CD pipelines.
What changes with Fortify DAST Aviator is the automation of macro creation and maintenance itself.
Teams can now:
- Generate login macros from a URL and credentials in seconds
- Handle modern authentication flows automatically, including TOTP-based MFA using either a QR code or TOTP secret
- Update credentials on existing macros without regenerating them
- Regenerate a macro when an application interface changes
- Expand authenticated scanning coverage without scaling onboarding work at the same rate
Accelerating application delivery is pushing AppSec teams to maintain authenticated coverage across a growing number of applications and release cycles.
Fortify DAST Aviator is designed to reduce the manual onboarding burden that has historically limited how broadly authenticated DAST could be deployed.
Macros are generated directly inside ScanCentral DAST and Software Security Center and integrate into existing CI/CD workflows without requiring separate tooling or external browser automation platforms.
See Fortify DAST Aviator in action
Fortify DAST Aviator generates an authenticated scan macro from a URL and a set of credentials in seconds. Watch the demo video to see it run, or read the data sheet for the technical detail. To understand where it fits in your AppSec program, visit the Fortify DAST Aviator product page, and when you’re ready to set it up, the product documentation walks through login macro generation, MFA handling, and integration with ScanCentral DAST.
About OpenText Fortify
OpenText Fortify helps security and development teams secure any code, whether written by people or generated by AI. The portfolio brings static (SAST), dynamic (DAST), and software composition analysis (SCA) together on a unified platform with built-in application security posture management, using AI-driven automation through Fortify Aviator to find, prioritize, and fix vulnerabilities at scale. Backed by two decades of application security depth, Fortify supports any language and environment, with flexible deployment across public cloud, private cloud, on premises, and managed services.
