Skip to content
Book demo
Back to Tools

Best DAST Tools for Enterprise Security (2026)

Jul 13, 2026
Molisha Shah
Molisha Shah
Best DAST Tools for Enterprise Security (2026)

The best DAST tools for enterprise security combine proof-based validation, native API and SPA coverage, and CI/CD integration. Invicti, Checkmarx DAST, Veracode, and Burp Suite DAST rank highest in this guide because of benchmark results, integration depth, and analyst recognition. I evaluated 13 tools against the constraints that actually break DAST across large application portfolios, from authentication handling and false-positive rates to API discovery and pricing behavior in microservice environments.

TL;DR

Enterprise DAST scanners test running applications by injecting malicious payloads and observing behavior. This catches runtime flaws SAST misses. Conventional evaluations rely on vendor accuracy claims that independent benchmarks contradict. This guide ranks tools by benchmark data from two 2026 DAST benchmarks, including detection accuracy and vulnerability coverage.

The DAST vendors in this guide market themselves on low false positives and API coverage, but one benchmark measured false-positive rates from 2% for HCL AppScan to 23% for Invicti among tools cited in this guide. Invicti claims 99.98% accuracy, yet the same benchmark measured a 23% false-positive rate for the same tool. That gap between claimed and measured performance is the central problem in DAST procurement.

Continuous shipping, weekly API changes, and AI-generated code shaped the weighting in this guide. Each pressure requires runtime validation beyond source review alone. DAST cannot reach source-level runtime assumptions from the outside. I also note where Augment Cosmos, a cloud agents platform that runs review, testing, and incident-response experts across the software development lifecycle, catches source-level assumptions and cross-file dependencies that scanners cannot observe externally. This guide evaluates each tool against those realities, including detection accuracy, CI/CD integration, pricing across hundreds of services, and the one limitation every leading scanner still shares. You will learn which tool fits your architecture and where each falls short.

What DAST Tools Do and Why Enterprise Selection Is Hard

Dynamic Application Security Testing analyzes a running application to find vulnerabilities by simulating external attacks, without access to source code. DAST tools interact with an application like an attacker would: sending requests, receiving responses, and detecting issues based on system behavior by injecting malicious payloads. This black-box approach means DAST uncovers runtime vulnerabilities that surface only during execution. These issues include SQL injection, XSS, authentication flaws, misconfigurations, and exposed admin paths.

Enterprise selection gets hard when demo coverage meets authenticated workflows, developer trust, and microservice pricing. Authentication gaps determine coverage; if a scanner cannot log in or handle multi-step workflows, it skims surface-level functionality and floods dashboards with noise. The scanner leaves protected areas untested. False-positive rates erode developer trust when tools see input reflected and assume vulnerability without confirming execution. Pricing adds another strain because per-application models designed for monoliths escalate exponentially in microservice architectures.

DAST integrates at multiple SDLC stages. Teams run scans during early development to catch issues before later stages, then again at staging where the app is fully deployed as it will be in production. Automated DAST supports build-fail gates that block deployment when critical vulnerabilities appear. A practical ownership model puts security teams in charge of strategy while embedding scans into developer workflows.

Section takeaway: Evaluate DAST tools against authenticated, API-heavy applications rather than demo targets, because authentication depth and false-positive rates determine whether findings are actionable or ignored.

How I Evaluated These DAST Tools

I weighted the evaluation toward the criteria that determine whether a DAST tool survives contact with an enterprise codebase. I used a practitioner framework that assigns explicit weights to each category. The framework weights core detection capabilities at 25%, DevSecOps integration at 25%, performance and scalability at 15%, and compliance and reporting at 15%.

The criteria that mattered most in my testing:

  • Detection accuracy against benchmarks: I prioritized independent measurements from two DAST benchmarks over vendor accuracy claims, since the two diverge significantly.
  • API and SPA coverage: Modern DAST must treat APIs as first-class targets, natively supporting REST, GraphQL, and gRPC by consuming OpenAPI specs or Postman collections.
  • Authentication resilience: MFA, SSO, OAuth, and multi-step login support determine whether authenticated scans reach protected areas.
  • CI/CD integration depth: Scan speed must align with pipeline requirements, because slow scans get bypassed.
  • Pricing behavior across hundreds of services: How per-application, per-seat, and platform-bundled models behave across hundreds of services.

In this weighted framework, detection accuracy and DevSecOps integration dominated the ranking because each category carries 25% of the evaluation. I treated speed claims as incomplete when they conflicted with the benchmark finding that "extremely fast scans usually came at the cost of greatly reduced coverage," unless the tool also had benchmark evidence for coverage.

Section takeaway: Detection accuracy and integration each carry 25% weight in this evaluation because a tool that misses vulnerabilities or gets bypassed in CI/CD leaves teams with missed bugs or bypassed gates regardless of other features.
[ Free report ]

The Agentic SDLC

How teams like Stripe, Ramp, and Uber move from solo coding agents to a coordinated, team-level system.

The Agentic SDLC report cover

Best DAST Tools at a Glance

The table below summarizes all 13 tools by primary differentiator and ideal buyer profile, using analyst recognition and benchmark data.

ToolPrimary DifferentiatorBest For
InvictiProof-Based Scanning; scans thousands of websites at once; critical-vulnerability benchmark found Invicti delivered the most accurate vulnerability detectionEnterprise false-positive reduction
Checkmarx DASTDAST+SAST+SCA+ASPM correlation; AI-code validationEnterprise AppSec platform buyers
VeracodeUnified platform; AI-powered remediationCentralized AppSec / platform buyers
Burp Suite DAST500+ BApp extensions; weekly scanner updates for hybrid manual+automated testingSecurity researchers, pentesters
HCL AppScanHighest vuln coverage in one independent benchmarkComplex legacy enterprise apps
Rapid7 InsightAppSecSIEM integration; Attack Replay; on-prem engineSOC-integrated enterprise teams
StackHawkCI/CD-native; config-as-code; AI API discoveryDevOps/developer-first teams
Qualys WASTruRisk scoring; cloud-scale asset discoveryExisting Qualys customers
Contrast SecurityIn-app ADR; runtime attack blocking; IASTRuntime security / regulated industries
Bright SecurityAI validation; AI code generation for fixesMid-market API-first companies
OWASP ZAPFree, open-source, extensibleBudget-constrained / learning teams
AcunetixDetects 12,000+ vulnerabilities; transparent pricingBreadth of detection
Data Theorem#1 Cloud Native Apps in a 2025 analyst critical-capabilities ranking; 5-product coverageCloud-native, API, container security

1. Invicti: Proof-Based Scanning for False-Positive Reduction

Invicti (formerly Netsparker) ranked highest in the cited critical-vulnerability test through Proof-Based Scanning, which automatically verifies vulnerability exploitability before reporting a finding. In the independent 2026 DAST scanner security benchmark, Invicti was the only tested tool to detect all 31 critical vulnerabilities present in the test applications. The benchmark covered 11 targets, including APIs, SPAs, GraphQL services, and traditional web apps.

Invicti's enterprise evaluation depends on crawler depth, API coverage, and platform scope:

  • Crawler depth: Invicti's internal crawler uses a fully functional browser capable of interacting with AJAX-heavy sites and can scan 1,000+ sites simultaneously across global regions.
  • API coverage: It supports REST, SOAP, GraphQL, and gRPC APIs.
  • Platform scope: The platform has expanded to include SAST, SCA, and ASPM, plus an IAST component called Invicti Shark that confirms DAST findings from inside the application.

It ships with 50+ workflow integrations, which makes the tool stronger for rollout across many teams than for narrow single-app scanning.

For API-heavy portfolios, the critical-vulnerability benchmark carried more practical weight than the broader coverage benchmark, which told a different story: 64% vulnerability coverage, a lower number that shifts the risk calculus even with the false-positive rate already noted above.

Configuration can take time for large multi-target environments. Third-party pricing estimates place enterprise licensing between $15,000 and $60,000 per year for 1 to 10 targets. Pricing scales to $60,000-$250,000 for 10 to 50 targets. Professional services add $10,000-$50,000.

Best for: Enterprises focused on false-positive reduction and broad concurrent scanning coverage across mixed web and API targets.

2. Checkmarx DAST: Cross-Signal Correlation for Platform Buyers

Checkmarx DAST differentiates by correlating runtime findings with SAST, SCA, API Security, and ASPM signals to prioritize fixes, simulating real-world attacks against running applications to confirm exploitability.

Checkmarx's buyer case depends on platform scope, customer scale, and analyst recognition:

  • Platform scope: Checkmarx One is a single cloud-native platform combining SAST, SCA, DAST, and ASPM.
  • Customer scale: Checkmarx One serves 40% of the Fortune 100 with 1,800+ customers in 70 countries.
  • Analyst recognition: The 2025 application security testing analyst evaluation named Checkmarx a Leader for the 7th consecutive time, and positioned it furthest on the Completeness of Vision axis out of all 16 evaluated vendors.

Checkmarx also stewards OWASP ZAP, now branded ZAP by Checkmarx. The platform positions its DAST as a way to validate that AI-generated code behaves securely at runtime. That gives teams a compensating control for the increased velocity of unreviewed code paths.

False positives are a recurring theme in 2024-2025 software review data, and Kotlin and emerging-language scanning produces higher false-positive volumes. One review source describes Checkmarx as requiring real time investment to tune rules, with out-of-the-box false positives frustrating developers. Minimum pricing sits around $30,000. Third-party estimates put the DAST component near $59,000+ per year. For organizations that must prove coverage against specific CWE categories, Checkmarx's granularity is hard to match because its platform correlates DAST with SAST, SCA, API Security, and ASPM signals.

Best for: Enterprise AppSec teams needing authenticated dynamic testing for modern web apps and APIs, especially to validate that AI-generated code behaves securely at runtime.

That runtime-validation use case also exposes review limits before merge. Runtime behavior often diverges from what the source suggests, and traditional review catches problems only at the final PR where fixing them costs the most. I tested the Deep Code Review expert in Augment Cosmos on the source-level assumptions DAST cannot reach. It surfaced more potential defects before merge because the reviewer is an agent tuned for recall over precision, catching every possible issue instead of only the few worth a human's time.

3. Veracode Dynamic Analysis: Platform with AI Remediation

Veracode Dynamic Analysis combines scheduled scans with portfolio-level reporting and integrates with SAST, SCA, and manual penetration testing.

Veracode's centralized AppSec case includes reporting, remediation, SPA support, and risk governance:

  • Analyst recognition: The 2025 application security testing analyst evaluation named Veracode a Leader for the 11th consecutive time.
  • AI remediation: Veracode Fix is an AI engine that Veracode trained on a decade of proprietary data. It automates remediation and provides secure code suggestions directly in the IDE.
  • SPA support: The 2022 Crashtest Security acquisition added SPA support for React, Angular, and Vue.
  • Risk governance: Veracode Risk Manager ingests findings from Veracode and third-party tools, deduplicates alerts, and prioritizes vulnerabilities based on business criticality.

FedRAMP and SOC 2 certifications simplify compliance audits for regulated industries, and its compliance reporting includes portfolio-level reporting and audit trail workflows.

For centralized AppSec requirements, Veracode's cross-tool reporting stood out more than standalone DAST accuracy. Dynamic Analysis sits beside SAST, SCA, manual penetration testing, Risk Manager, FedRAMP, and SOC 2 workflows. That platform fit matters most when a security team needs one reporting layer across multiple testing methods.

Both Checkmarx and Veracode generate false positives that waste senior engineering time. Veracode Fix only works with Pipeline Scan findings, excluding findings from other scanners, and users report it proposes libraries that go against enterprise architecture design. A 2025 software security report disclosed a 252-day industry median time to remediation. Veracode uses custom enterprise pricing and does not publish prices.

Best for: Platform buyers and centralized AppSec teams at large enterprises needing a single SAST+DAST+SCA platform.

4. Burp Suite DAST: Request/Response Evidence for Security Teams

Burp Suite DAST provides request/response technical evidence for findings and supports 500+ extensions via the BApp Store. PortSwigger renamed it from Burp Suite Enterprise Edition in April 2025.

Burp works best when security engineers own configuration and review request/response evidence:

  • Research cadence: Burp Scanner is updated weekly with research from PortSwigger Labs, and the scanner is frequently early to detect new zero-day patterns.
  • Automation path: The Enterprise Edition extends Burp's capabilities to automated, large-scale deployments via REST API for CI/CD integration.
  • Evidence quality: A Senior Director of Engineering praised Burp's request/response evidence, automation, scale across multiple countries, and low false positives for regional security requirements.
  • CI output: CI-driven scans run from a Docker container in any CI/CD environment. They save results as JUnit or Burp XML files.

For hybrid manual-plus-automated workflows, the 500+ BApp Store extensions and request/response evidence make Burp stronger for security engineers than for developer-led pipeline ownership. The same depth creates operational friction when one team has to configure dozens or hundreds of APIs individually.

Burp operates as an isolated security testing tool that requires dedicated security engineers to configure and manage each application individually. That model becomes a bottleneck when testing dozens or hundreds of APIs. Users report a steep learning curve, resource-intensive behavior on low-end systems, and challenges handling SPAs with client-side routing. One Product Security Lead observed dissatisfaction with finding quality, noting that even true positives are often relatively low-impact. Professional Edition costs $475 per user per year. Enterprise pricing is custom, with third-party estimates at $5,000-$7,000+ per year.

Best for: Security consultants, penetration testers, and research teams needing request/response evidence and hybrid manual-plus-automated workflows.

5. HCL AppScan: Highest Benchmark Coverage for Legacy Portfolios

HCL AppScan delivers the highest vulnerability coverage among independently benchmarked tools.

The benchmark and enterprise signals are specific:

  • Coverage: HCL AppScan achieved 66% vulnerability coverage in one independent benchmark.
  • Prioritization: HCL AppScan achieved 60% prioritization accuracy, the highest tested.
  • False positives: HCL AppScan achieved a 2% false-positive rate, the lowest tested.
  • Platform coverage: It provides logic analysis for complex legacy applications and AppSec coverage combining SAST, DAST, IAST, and SCA in one platform, plus an AppScan Marketplace for on-demand scans.

Integration spans Jenkins, Azure DevOps, GitHub, GitLab, Jira, Visual Studio, ServiceNow, and AWS. Note one gap: the GitHub Action covers SAST only, excluding DAST, and DAST support in the Jenkins plugin requires AppScan 360° v1.4.0+.

Against benchmark-first selection criteria, HCL AppScan scored better than every peer in that benchmark on the two numbers developers care about most. The procurement risk sits elsewhere: despite those measured results, HCL AppScan did not appear in the analyst shortlists reviewed for this article, and the research available did not capture user-reported weaknesses.

Third-party pricing estimates run $30,000-$80,000+ annually under legacy enterprise licensing.

Best for: Enterprises with complex legacy application portfolios needing AppSec coverage in a single platform.

6. Rapid7 InsightAppSec: SOC-Integrated Scanning

Rapid7 InsightAppSec is a cloud-based DAST with SIEM integration that can scan applications on closed networks with an optional on-premise engine.

The SOC-oriented strengths and constraints separate into validation, pricing, and API coverage:

  • Validation workflow: Its Attack Replay feature allows developers to independently validate vulnerabilities.
  • User signal: A Cyber Security Lead at a 201-500 employee company rated it 4.5/5 and called it stable, scalable, and fairly priced with a user-friendly UI and attack replay.
  • Published price: The official starting price is $175 per month per application, billed annually.
  • API limitation: InsightAppSec lacks API discovery and inventory, treats APIs and applications the same, and requires manually uploading schemas when they change.

Users in this evaluation describe long scanning times and high false positives. One comparison source concluded the tool targets security operations center workflows rather than CI/CD developer workflows. It also lacks actionable remediation code snippets. One reviewer wanted improved scan configuration management and better 24/7 support.

For SOC-integrated requirements, the on-premise engine and Attack Replay align well with closed-network validation and developer confirmation workflows. For API-first CI/CD criteria, the lack of API discovery and manual schema upload requirement makes InsightAppSec weaker for teams whose schemas change weekly.

Best for: Enterprises already invested in the Rapid7 platform needing scalability and threat context integration with their SOC.

7. StackHawk: CI/CD-Native for Developer-First Teams

StackHawk started as a CI/CD testing tool. It uses a configuration-as-code approach for API testing and AI-powered API discovery from source code repositories, with a claimed 20-minute setup. This repository-driven workflow reduces the security-team bottleneck that isolated scanners create. Pricing has shifted to two tiers built around AI coding agents. Wingman runs $10 per user per month for individual developers working in Claude Code, Cursor, or Copilot, while Scale is custom-priced for security teams that need org-wide coverage and reporting.

For developer-owned pipelines, configuration-as-code and source-driven API discovery map directly to workflows where security teams cannot manually maintain every service definition. The limitation is evidence depth: StackHawk did not appear in the independent benchmarks reviewed, so I could not compare its coverage against Invicti's critical-vulnerability benchmark result or HCL AppScan's broader coverage benchmark result.

StackHawk targets teams that want DAST embedded directly in DevOps pipelines with less appetite for a full AppSec platform with portfolio-wide reporting.

Best for: Developer-centric organizations running API-first architectures who want DAST in their pipelines with minimal security-team overhead.

That API-first workflow creates a code-level gap when scanners cannot follow cross-file dependencies. I tested Augment Cosmos on cross-file API flows that pipeline scans could not see from the outside. Its review agents surfaced risks because they run on top of a Context Engine that processes entire codebases across 400,000+ files through semantic dependency graph analysis.

8. Qualys WAS: TruRisk Scoring for Existing Qualys Customers

Qualys WAS fits organizations already standardized on Qualys because it combines TruRisk scoring with asset discovery across cloud environments. In the pricing model comparison for this guide, Qualys appears under the per-application/target model, so teams running hundreds of discrete microservices should validate how that model behaves across those services before committing.

Best for: Existing Qualys customers needing asset discovery across cloud environments and TruRisk scoring in a DAST workflow.

9. Contrast Security: Runtime Attack Blocking for Regulated Industries

The 2025 application security testing analyst evaluation named Contrast Security a Visionary. Contrast positions in-app Application Detection and Response (ADR) as its differentiator. ADR combines runtime-informed testing, attack blocking, and automated remediation. It uses Contrast Graph, a runtime-powered digital twin of the application, and positions Contrast Assess as its primary IAST product for runtime-informed testing.

Open source
augmentcode/augment.vim607
Star on GitHub

Contrast addresses DAST's core weakness through instrumentation rather than black-box scanning alone. Because DAST tools rely on a signature-based engine, they face false-positive and false-negative challenges. Contrast's instrumentation-based approach sidesteps some of that. This fits financial services, healthcare, and government use cases that require runtime security with active attack blocking.

Best for: Regulated industries (financial services, healthcare, government) requiring runtime security with active attack blocking.

10. Bright Security: AI Validation for API-First Companies

Bright Security targets mid-market API-first companies with AI validation and vulnerability remediation that generates fix code automatically. Its developer-first design supports security testing as early as the unit testing phase. Bright reports its own false-positive rate at 3%. Pricing starts at $99 per month with a per-scan licensing model, which can create unpredictable costs in CI/CD pipelines running frequent scans.

Best for: Mid-market API-first companies that want AI validation and AI code generation for fixes.

11. OWASP ZAP: Free and Extensible Open-Source Scanning

OWASP ZAP (ZAP by Checkmarx) is a free, extensible scanner offering passive and active scanning, plugin extensibility, and API testing with strong CI/CD integration. The trade-off is coverage. One independent benchmark measured just 29% vulnerability coverage, 22% prioritization accuracy, and a 15% false-positive rate for the tool. It has a steep learning curve, limited enterprise features, and setting up authenticated scans for modern applications often requires complex manual configuration.

Best for: Budget-constrained and learning teams that need a free, open-source, extensible DAST scanner.

12. Acunetix: Broad Vulnerability Detection with Transparent Pricing

Acunetix (by Invicti Group) offers 12,000+ vulnerability detections including CMS-specific issues, cross-platform compatibility, and proof-based scanning. One independent benchmark recorded a 0% false-positive rate but 27% vulnerability coverage, notably lower than Invicti's 64% from the same benchmark. Pricing is transparent at $4,500 to $26,600 annually across six tiers, though one G2 reviewer noted the licensing model requires planning for scaling up or down.

Best for: Buyers prioritizing breadth of detection, transparent pricing, and 12,000+ vulnerability checks.

13. Data Theorem: Cloud-Native and API Coverage

Data Theorem ranked #1 in the Cloud Native Apps Use Case in the 2025 analyst critical-capabilities evaluation for AST. The same evaluation also called out rankings for container security, API security, and IaC testing. Its five integrated products (Mobile Secure, API Secure, Code Secure, Web Secure, and Cloud Secure) cover mobile, API, code, web, and cloud security across the cloud-native stack.

Best for: Cloud-native environments with significant API, container, and mobile security needs where the scanning target is a distributed set of services rather than a monolithic web app.

Pricing Models and How They Behave Across Many Applications

DAST pricing splits into five models. The model matters more than the sticker price once you scale past a handful of applications. Most enterprise vendors do not publish pricing, so the estimates below combine official pages with third-party procurement data. Treat these estimates as directional.

ModelExamplesBehavior Across Many Applications
Per application/targetInvicti, Rapid7, Qualys, Tenable, AcunetixBecomes expensive in microservice environments
Per seat/userBurp Suite Professional, GitLabBenefits small teams scanning many applications
Per scan/usage-basedBright SecurityCan create unpredictable costs in CI/CD pipelines
Flat-rate enterpriseHCL AppScan, CheckmarxProvides cost predictability
Platform-bundledGitLab DAST, Checkmarx DASTCost depends on broader platform contract

The per-application model fits monolithic architectures. Organizations running hundreds of discrete microservices face exponential cost escalation under it, while flat-rate or platform-bundled models provide better predictability across hundreds of services. Only a few vendors publish prices. Rapid7 InsightAppSec starts at $175 per month per application, Burp Professional is $475 per user per year, StackHawk's Wingman tier runs $10 per user per month, GitLab DAST is bundled in the Ultimate tier at $99 per user per month, and Bright starts at $99 per month.

Hidden costs deserve attention during procurement. Implementation and onboarding can require weeks of professional services (Invicti professional services alone run $10,000-$50,000), and per-scan models can produce overage fees in high-frequency pipelines. Verify whether pricing is per scan, per asset, or per user, and confirm support and updates are included.

Section takeaway: Choose flat-rate or platform-bundled pricing if you run hundreds of microservices, because per-application models escalate across hundreds of discrete services.

The One Limitation Every DAST Tool Shares

No DAST tool on the market can validate business logic. This remains the main unsolved challenge in automated scanning. A 2026 comparison concluded that OWASP ZAP, Burp Suite, StackHawk, Invicti, Checkmarx DAST, Qualys WAS, Rapid7 InsightAppSec, Tenable.io WAS, and HCL AppScan cannot validate business logic. These tools are generic, built for applications in general rather than your custom code, so the most serious security issues, the ones deeply intertwined in business logic and custom application design, escape them.

DAST also carries structural limitations beyond business logic. As a black-box method, it cannot identify insecure coding patterns or vulnerabilities in unexercised code paths, the gaps that secure code review tools are built to close. It requires a running, deployed application before scanning can begin. Dynamic testing struggles to reach the entire codebase when many nested conditional statements exist, and "magic parameter" blind spots let applications expecting specific name-value pairs slip past automated crawlers.

These limitations explain why no single methodology delivers complete coverage. The recommended enterprise model layers approaches across the SDLC. Teams use SAST at the coding phase, IAST during QA and feature testing, and DAST at verification before deployment. Combining DAST with SAST, IAST, and manual penetration testing provides the coverage any one method lacks.

Section takeaway: Pair DAST with SAST and manual testing because DAST cannot validate business logic, race conditions, or source-code patterns regardless of which vendor you choose.

Choose Detection Accuracy Over Vendor Claims for Your Next Scanner

The gap between vendor accuracy claims and independent benchmark results should shape your proof-of-concept plan. Use the benchmark data as a starting point, then test scanners against your own authenticated, API-heavy applications before purchasing.

Runtime scanning works best paired with code-level analysis that understands your architecture. I tested Augment Cosmos, a cloud agents platform that runs review, testing, and incident-response experts across the software development lifecycle, against runtime blind spots in cross-file dependency flows. Its Deep Code Review expert caught cross-file dependency risks that external scanning missed, backed by a Context Engine spanning 400,000+ files and built for semantic dependency-graph reasoning across the codebase.

Frequently Asked Questions

Written by

Molisha Shah

Molisha Shah

GTM

Molisha is an early GTM and Customer Champion at Augment Code, where she focuses on helping developers understand and adopt modern AI coding practices. She writes about clean code principles, agentic development environments, and how teams are restructuring their workflows around AI agents. She holds a degree in Business and Cognitive Science from UC Berkeley.


Get Started

Give your codebase the agents it deserves

Install Augment to get started. Works with codebases of any size, from side projects to enterprise monorepos.