Thanks for your feedback. In the meantime I was able to do a proof of concept where I tested two IAST solutions. It was very easy to set them up in both tools: include a .jar in the startup routine, run your tests and get impressed by the results. We found security issues we had never seen before.
From my experiences:
IAST will change security testing from a one-off task to an ongoing monitoring task, which could also be done by DevOps/Operations. Integrating the IAST tool into existing defect reporting tools like Jira and chat channels like Slack will bring security into the game as a daily task instead of doing "security tests at the end because they need to be done".
Also, I have learned that there is a solution that has ZERO (!) false positives!
Look at the OWASP Security Benchmark and you will see that all our activities in web application security really have a problem: we only find <30% of the issues, and often we have many, many false positives, especially in the static code analysis area (SAST tools), which matches my experience.
IAST is really a good thing for security testing.