We performed a comparison between OWASP Zap and Acunetix based on our users’ reviews in four categories. After reading all of the collected data, you can find our conclusion below.
Comparison Result: Based on the parameters we compared, OWASP Zap comes out ahead of Acunetix. Although both products have valuable features and have straightforward deployments, our reviewers found that Acunetix has high pricing, which is considered expensive by some users, especially for small organizations.
"The most valuable feature of Acunetix is the UI and the scan results are simple."
"It can operate both as a standalone and it can be integrated with other applications, which makes it a very versatile solution to have."
"It's very user-friendly for the testing teams. It's very easy for them to understand things and to fix vulnerabilities."
"We use the solution for the scanning of vulnerabilities like SQL injections."
"One of the features that I feel is groundbreaking, that I would like to see expanded on, is the IAS feature: The Interactive Application Security Testing module that gets loaded onto an application on a server, for more in-depth, granular findings. I think that is really neat. I haven't seen a lot of competitors doing that."
"I haven't seen reporting of that level in any other tool."
"The usability and overall scan results are good."
"Our developers can run the attacks directly from their environments, desktops."
"The reporting is quite intuitive, which gives you a clear indication of what kind of vulnerability you have that you can drill down on to gather more information."
"The ZAP scan and code crawler are valuable features."
"ZAP is easy to use. The automated scan is a powerful feature. You can simulate attacks with various parameters. ZAP integrates well with SonarQube."
"Simple and easy to learn and master."
"It can be used effectively for internal auditing."
"Two features are valuable. The first one is that the scan gets completed really quickly, and the second one is that even though it searches in a limited scope, what it does in that limited scope is very good. When you use Zap for testing, you're only using it for specific aspects or you're only looking for certain things. It works very well in that limited scope."
"It's great that we can use it with Portswigger Burp."
"The vulnerabilities that it finds, because the primary goal is to secure applications and websites."
"The solution's pricing could be better."
"When monitoring the traffic we always have issues with the bandwidth consumption and the throttling of traffic."
"The vulnerability identification speed should be improved."
"It would be nice to have a feature to "retest" only a single vulnerability that the customer reports as patched, and delete it from the next scans since it has already been patched."
"There is room for improvement in website authentication because I've seen other products that can do it much better."
"We have had issues during upgrades where their scans worked on some apps better with previous versions. Then, we had to work with their tech support, who were great, to get it fixed for the next version."
"The jargon used makes it difficult for project managers to understand the issues, and the technical explanations used make it difficult for developers to understand issues. These things should be simplified much more. That would be very helpful for us when explaining to them what needs to be fixed. The report output needs to be simplified."
"There are some versions of the solution that are not as stable as others."
"Reporting format has no output, is cluttered and very long."
"Sometimes, we get some false positives."
"Lacks resources where users can internally access a learning module from the tool."
"The ability to search the internet for other use cases and to use the solution to make applications more secure should be addressed."
"The documentation needs to be improved because I had to learn everything from watching YouTube videos."
"The product reporting could be improved."
"It would be beneficial to enhance the algorithm to provide better summaries of automatic scanning results."
"If there was an easier to understand exactly what has been checked and what has not been checked, it would make this solution better. We have to trust that it has checked all known vulnerabilities but it's a bit hard to see after the scanning."
Acunetix is ranked 13th in Static Application Security Testing (SAST) with 26 reviews while OWASP Zap is ranked 7th in Static Application Security Testing (SAST) with 37 reviews. Acunetix is rated 7.6, while OWASP Zap is rated 7.6. The top reviewer of Acunetix writes "Fantastic reporting features hindered by slow scanning ". On the other hand, the top reviewer of OWASP Zap writes "Great for automating and testing and has tightened our security ". Acunetix is most compared with Tenable.io Web Application Scanning, PortSwigger Burp Suite Professional, HCL AppScan, Fortify WebInspect and Veracode, whereas OWASP Zap is most compared with SonarQube, Qualys Web Application Scanning, PortSwigger Burp Suite Professional, Veracode and Checkmarx One. See our Acunetix vs. OWASP Zap report.
See our list of best Static Application Security Testing (SAST) vendors.
We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.