Application Security Technologies Assurance Metrics (ASTAM) is a U.S. Department of Homeland Security (DHS) Science and Technology Directorate funded research program developed by Secure Decisions. It aims to improve software security by developing and enhancing technologies that support the secure software development lifecycle (SDLC). ASTAM is composed of several independent capability modules: **Attack Surface Detector (ASD):** Plugins for Burp Suite and OWASP ZAP that use static analysis to enumerate hidden or unlinked endpoints, optional parameters, and data types in web application source code. Available for Struts, Django, Ruby on Rails, ASP.NET MVC/Web Forms, JSP/Java Servlets, and Spring MVC. A CLI version outputs endpoints to JSON for import into Burp or ZAP. **Code Pulse:** Provides insight into code testing coverage during penetration tests. **Hybrid Analysis Mapping (HAM):** Maps results from dynamic and static analysis to improve testing accuracy and coverage. **Application Security Metrics Dashboard and Reporting:** Provides metrics, status tracking, and trend reporting for application security to security analysts and cyber risk managers. **Automated Dynamic Application Pen Testing (ADAPT):** Automates dynamic application penetration testing processes. **ThreatVector / Application Threat Modeling:** Supports threat modeling for applications. **Pen Testing Automation (PTA):** Automates pen testing workflows. **Attack Simulator / Cyber Quantification Framework (CQF):** Simulates attacks and quantifies cyber risk. **Application Security Testing Orchestration (ASTO):** Orchestrates application security testing pipelines. **Combining Network and Application Vulnerabilities:** Correlates network and application-level vulnerability data. **Automated Triage Assistance:** Assists in triaging application security findings.