I ran Sanctum AppScan DE on a Windows 2000 system with 512MB of RAM and approximately 70GB of hard disk space. There are several editions of the tool aside from AppScan DE: Sanctum QA is for QA specialists verifying the caliber of Web site software's security; AppScan Audit is intended for auditors who must regularly monitor a site's "security health."
I tested AppScan DE on several example applications running in BEA WebLogic 7, as well as a small multiservlet application running on Tomcat 4.1 that I had written myself. I tested both automatic and interactive scans. Happily, AppScan found no security vulnerabilities in my application, though it did uncover a kind of metastable state that the application could potentially reach if users passed certain parameters to one of the servlets out of order.