Try our new research platform with insights from 80,000+ expert users
OWASP Zap Logo

OWASP Zap Reviews

Vendor: OWASP
3.8 out of 5
Leave a review

What is OWASP Zap?

OWASP Zap is a free and open-source web application security scanner. 

Get the OWASP Zap Buyer's Guide and find out what your peers are saying about OWASP Zap, SonarQube Server (formerly SonarQube), GitLab and more!
OWASP Zap is the #11 ranked solution in AST tools. PeerSpot users give OWASP Zap an average rating of 7.6 out of 10. OWASP Zap is most commonly compared to SonarQube Server (formerly SonarQube): OWASP Zap vs SonarQube Server (formerly SonarQube). OWASP Zap is popular among the large enterprise segment, accounting for 60% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a computer software company, accounting for 17% of all views.
Buyer's Guide
OWASP Zap
July 2025
Get the report
Helped 863,651 peers since 2012

Featured OWASP Zap reviews

Read more reviews

OWASP Zap mindshare

As of July 2025, the mindshare of OWASP Zap in the Static Application Security Testing (SAST) category stands at 4.6%, down from 4.8% compared to the previous year, according to calculations based on PeerSpot user engagement data.
Static Application Security Testing (SAST)

PeerResearch reports based on OWASP Zap reviews

TypeTitleDate
CategoryStatic Application Security Testing (SAST)Jul 27, 2025Download
ProductReviews, tips, and advice from real usersJul 27, 2025Download
ComparisonOWASP Zap vs SonarQube Server (formerly SonarQube)Jul 27, 2025Download
ComparisonOWASP Zap vs VeracodeJul 27, 2025Download
ComparisonOWASP Zap vs Checkmarx OneJul 27, 2025Download
Suggested products
TitleRatingMindshareRecommending
SonarQube Server (formerly SonarQube)4.022.7%81%116 interviewsAdd to research
GitLab4.22.5%97%85 interviewsAdd to research
 
 
Key learnings from peers

Valuable Features

OWASP Zap's valuable features include automated scanning, ease of use, open-source access, powerful API support for customization, effective reporting, and multilingual capability. Users appreciate the intercepting proxy, spidering, HUD, and ability to integrate with DevOps pipelines. The tool efficiently identifies vulnerabilities like XSS and SQL injections. It provides flexibility with manual and automatic scanning options, supported across various platforms, making it ideal for diverse security testing needs.
  • "I consider OWASP Zap to be the most effective solution overall; being open source allows integration with other systems via OWASP Zap APIs."
  • "OWASP Zap is straightforward to use. If someone doesn't have the budget for tools like Burp Suite, OWASP Zap is an excellent alternative."
  • "OWASP is quite matured in identifying the vulnerabilities."

Room for Improvement

OWASP Zap needs more comprehensive documentation and regular updates. Users desire advanced reporting features with better customization and PDF options. False positives are a concern, and improvements in automation and scan coverage are necessary. Enhanced integration with DevOps and support for additional feeds and vulnerabilities are suggested. Community feedback also highlights the need for a user-friendly interface and seamless cloud integration.
  • "When comparing OWASP Zap and Burp Suite, the main difference besides pricing is that OWASP Zap has limitations with reporting levels and UI, which affects its reporting capabilities, whereas Burp Suite is already advancing with new AI features and scanning capabilities that OWASP Zap seems to be lacking."
  • "OWASP Zap could benefit from a noise cancellation feature like that of Burp Suite Professional, where AI helps reduce certain non-critical findings."
  • "OWASP should work on reducing false positives by using AI and ML algorithms. They should expand their capabilities for broader coverage of business logic flaws and complex issues."

ROI

Users reported significant improvements in security measures, enhanced vulnerability detection, and increased overall protection. 

The tool was praised for its user-friendly interface, extensive features, and effectiveness in identifying potential threats. 

Users also highlighted the cost-effectiveness of OWASP Zap, as it provided robust security solutions without requiring substantial financial investments.

Pricing

OWASP Zap is an open-source, free-to-use tool under the Apache 2 license, often recommended for its ease of use and comprehensive features. Enterprises appreciate its zero-cost setup as it helps in initial evaluations without licensing concerns. Many companies opt for OWASP Zap for its no-cost capabilities comparable to commercial alternatives, like Burp Suite, which has known licensing fees. Some users note indirect costs related to deployment resources, yet benefit essential from community edition and ongoing flexibility.
  • "It is open source, and we can scan freely."
  • "The tool is open source."
  • "The tool is open-source."

Popular Use Cases

OWASP Zap is frequently used for scanning and evaluating web applications, APIs, and infrastructure to identify vulnerabilities. It's commonly integrated into DevSecOps pipelines for continuous security checks. Users leverage its capabilities for penetration testing, ensuring code security before releases, and analyzing HTTP methods for sensitive information exposure. It's also utilized to automate tests, generate reports, and spider websites, making it an essential tool in security testing for diverse applications and industries.

Service and Support

OWASP Zap users report a strong community but limited traditional technical support. Many prefer using forums and documentation, finding them comprehensive and resourceful. While a few had direct positive experiences with support, others rely solely on community interactions. Users rate technical interaction between 7 and 8 out of 10 when used. Some say maintainers have provided exceptional help. Most don't feel the need for direct contact due to the robust online resources.

Deployment

Installation and configuration of OWASP Zap are frequently described as straightforward and easy for individuals with technical knowledge. Some users find it challenging when dealing with the API, requiring additional effort. Most appreciate the clear documentation and tutorials while setting up on Windows and Linux platforms is common. A few mention the need for experienced personnel for complex environments, but generally, it takes a short duration to complete the process.

Scalability

OWASP Zap offers scalability, performing efficiently with sufficient computing resources. While some challenges initially arose, resources like online documentation helped. It supports extensions, add-ons, and runs simultaneously for different targets. Some found it limited, others noted potential with a SaaS model. Varied uses indicate differing scalability experiences, with rates ranging from four to eight out of ten. Users mentioned quick responses for small applications, with plans to expand usage, especially for API support.

Stability

Most users report that OWASP Zap demonstrates consistent stability without crashing. However, a few note that running it on virtual machines or handling large datasets may cause lag or require additional configurations. Some groups have encountered false positives or found it necessary to re-install on occasion. Despite these, many rate its stability highly, ranging from eight to nine out of ten, citing reliability and rare disruptions.
These insights are based on the in-depth reviews provided by peers to help you make a better buying decision.
Download our OWASP Zap Buyer's Guide for additional reliable information.

Review data by company size

By reviewers
By visitors reading reviews

Top industries

By visitors reading reviews
Computer Software Company
17%
Financial Services Firm
11%
Manufacturing Company
8%
University
7%
Government
7%
Educational Organization
5%
Retailer
5%
Comms Service Provider
5%
Healthcare Company
5%
Construction Company
3%
Insurance Company
3%
Real Estate/Law Firm
3%
Media Company
3%
Non Profit
2%
Outsourcing Company
2%
Hospitality Company
2%
Performing Arts
2%
Consumer Goods Company
1%
Transportation Company
1%
Logistics Company
1%
Wholesaler/Distributor
1%
Energy/Utilities Company
1%
Legal Firm
1%
Recreational Facilities/Services Company
1%
Marketing Services Firm
1%
Pharma/Biotech Company
1%

Compare OWASP Zap with alternative products

Go!

Learn more about OWASP Zap

The solution helps developers identify vulnerabilities in their web applications by actively scanning for common security issues. 

With its user-friendly interface and powerful features, Zap is a popular choice among developers for ensuring the security of their web applications.

OWASP Zap customers

1. Google 2. Microsoft 3. IBM 4. Amazon 5. Facebook 6. Twitter 7. LinkedIn 8. Netflix 9. Adobe 10. PayPal 11. Salesforce 12. Cisco 13. Oracle 14. Intel 15. HP 16. Dell 17. VMware 18. Symantec 19. McAfee 20. Citrix 21. Red Hat 22. Juniper Networks 23. SAP 24. Accenture 25. Deloitte 26. Ernst & Young 27. PwC 28. KPMG 29. Capgemini 30. Infosys 31. Wipro 32. TCS

Related questions

  • 599
Is OWASP Zap better than PortSwigger Burp Suite Pro?
  • 14
What is the biggest difference between OWASP Zap and PortSwigger Burp?
  • 23
What is the biggest difference between OWASP Zap and Qualys?
  • 10
What Application Security Solution Do You Use That Is DevOps Friendly?
  • 32
Which is the most comprehensive open source Web Security Testing tool?
  • 81
What is the best Application Security Testing platform?
  • 8
When evaluating Application Security Testing, what aspect do you think is the most important to look for?
  • 24
SAST vs. DAST: Which is better for application security testing?
  • 40
What tools do you rely on for building a DevSecOps pipeline?
  • 38
What does the Log4j/Log4Shell vulnerability mean for your company?

Product Categories

Product Categories
Static Application Security Testing (SAST)

Popular Comparisons

Popular Comparisons
SonarQube Server (formerly SonarQube) vs OWASP Zap Logo
SonarQube Server (formerly SonarQube) vs OWASP Zap
GitLab vs OWASP Zap Logo
GitLab vs OWASP Zap
Snyk vs OWASP Zap Logo
Snyk vs OWASP Zap
Checkmarx One vs OWASP Zap Logo
Checkmarx One vs OWASP Zap
Veracode vs OWASP Zap Logo
Veracode vs OWASP Zap
Coverity vs OWASP Zap Logo
Coverity vs OWASP Zap
OpenText Core Application Security vs OWASP Zap Logo
OpenText Core Application Security vs OWASP Zap
SonarQube Cloud (formerly SonarCloud) vs OWASP Zap Logo
SonarQube Cloud (formerly SonarCloud) vs OWASP Zap
Acunetix vs OWASP Zap Logo
Acunetix vs OWASP Zap
HCL AppScan vs OWASP Zap Logo
HCL AppScan vs OWASP Zap
PortSwigger Burp Suite Professional vs OWASP Zap Logo
PortSwigger Burp Suite Professional vs OWASP Zap
Qualys Web Application Scanning vs OWASP Zap Logo
Qualys Web Application Scanning vs OWASP Zap
Invicti vs OWASP Zap Logo
Invicti vs OWASP Zap
Semgrep vs OWASP Zap Logo
Semgrep vs OWASP Zap
Kiuwan vs OWASP Zap Logo
Kiuwan vs OWASP Zap
See all alternatives
 

OWASP Zap reviews

Sort by:
Amit Beniwal - PeerSpot user
Project Manager at Al Hassan LLC
Verified user of OWASP Zap
Nov 26, 2024
Simplifies vulnerability discovery and has high quality support

Pros

"One valuable feature of OWASP Zap is that it is simple to use. "

Cons

"There are areas for improvement with OWASP Zap, particularly in the alignment of vulnerabilities concerning CVSS scores. "

What is our primary use case?

We use OWASP Zap primarily for discovering vulnerabilities in our web application security testing. We use one standalone deployment of this solution.

How has it helped my organization?

OWASP Zap has been good for reducing security incidents in our organization, doing very well with that.

*Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Read full review (436 words)
Prasant Pokarnaa - PeerSpot user
Delivery Head - DevOps at Datamato Technologies
Verified user of OWASP Zap
Feb 10, 2025
Effective vulnerability identification enhances security scans but AI-driven enhancements are needed

Pros

"OWASP is quite matured in identifying the vulnerabilities. "

Cons

"OWASP should work on reducing false positives by using AI and ML algorithms."

What is our primary use case?

OWASP is only meant for two or three different types of scans. It is a tool which will scan the code for security for vulnerabilities.

How has it helped my organization?

We were able to convince the customers to really remove those rules when GitLab was able to show the results. Customers should be aware that GitLab is not just a source controller or version control tool; it is more than that.

*Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Read full review (474 words)
Buyer's Guide
Download free report
Find out what your peers are saying about OWASP Zap. Updated July 2025
863,651 professionals have used our research since 2012.
NK
Technical Analyst at Hexaware Technologies Limited
Verified user of OWASP Zap
May 15, 2025
Open source testing tool empowers manual activities and has room to improve integration and reporting features

Pros

"I consider OWASP Zap to be the most effective solution overall; being open source allows integration with other systems via OWASP Zap APIs."

Cons

"When comparing OWASP Zap and Burp Suite, the main difference besides pricing is that OWASP Zap has limitations with reporting levels and UI, which affects its reporting capabilities, whereas Burp Suite is already advancing with new AI features and scanning capabilities that OWASP Zap seems to be lacking."

What is our primary use case?

I have been working with OWASP Zap for a few years now, and it is similar to Burp Suite, being open source, but it has limitations, especially with the minimal scan engines that it offers compared to Burp Suite.

What is most valuable?

The powerful side of OWASP Zap includes features such as fuzzing activities, which allow us to perform fuzzing with manual payloads where we can inject and observe the outputs.

I consider OWASP Zap to be the most effective solution overall; being open source allows integration with other systems via OWASP Zap APIs.

*Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Read full review (382 words)
AM
Data Protection Officer at Aura
Verified user of OWASP Zap
Apr 10, 2025
Customization and reporting streamline security testing in pipelines

Pros

"OWASP Zap is straightforward to use. If someone doesn't have the budget for tools like Burp Suite, OWASP Zap is an excellent alternative."

Cons

"OWASP Zap could benefit from a noise cancellation feature like that of Burp Suite Professional, where AI helps reduce certain non-critical findings."

What is our primary use case?

I primarily use OWASP Zap for DevSecOps within the pipeline. It's mainly integrated via a YAML file into GitHub actions. In addition to that, I use it for external tests like web crawling and web application penetration tests.

What is most valuable?

OWASP Zap's add-on feature to customize wordlists is very useful for tasks like brute forcing credentials and other test cases. Additionally, the reporting feature is effective as it provides remediation suggestions and allows for flagging false positives, which helps in reducing noise in the reports.

*Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Read full review (344 words)
PN
Researcher in Cyber Security at Sekolah Tinggi Ilmu Statistik BPS
Verified user of OWASP Zap
Apr 11, 2024
Offers automated scanning feature and spidering capabilities have improved our security testing

Pros

"The best feature is the Zap HUD (Heads Up Display) because the customers can use the website normally. If we scan websites with automatic scanning, and the website has a web application firewall, it's very difficult. "

Cons

"It would be beneficial to enhance the algorithm to provide better summaries of automatic scanning results."

What is our primary use case?

I use it for vulnerability scanning. It has automatic methods. It's great.

How has it helped my organization?

We integrate OWASP Zap into our other software development lifecycle processes for security.

I use OWASP Zap for vulnerability scanning. After that, I used OWASP Zap to try fuzzing. To fuzz some inputs that might have medium or high severity problems discovered during the vulnerability scanning.

OWASP Zap's spidering capabilities have improved our security testing. I would rate this capability an eight out of ten. The feature is very useful, but maybe the algorithm for discovery must be improved. It can generate many false positives. But the overall feature is good.

*Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Read full review (729 words)
NathanNV - PeerSpot user
Elite Global CISO at Scybers
Verified user of OWASP Zap
Oct 20, 2023
A stable and available solution that helps users scan and fix vulnerabilities in the pipeline

Pros

"The product helps users to scan and fix vulnerabilities in the pipeline."

Cons

"The technical support team must be proactive."

What is our primary use case?

We use the solution for scanning pipelines.

What is most valuable?

It is a good solution. We get good feedback about the product from our clients. The product helps users to scan and fix vulnerabilities in the pipeline.

*Disclosure: My company has a business relationship with this vendor other than being a customer. Consultant
Read full review (343 words)
DD
Cloud Solutions Architect at TANGENT SOLUTIONS
Verified user of OWASP Zap
Mar 23, 2024
Enables to perform general health checks and ensure the sites are secure

Pros

"The ZAP scan and code crawler are valuable features."

Cons

"Sometimes, we get some false positives."

What is our primary use case?

I use the solution to follow the framework and help my developers develop apps securely from the ground up with the right practices in mind. As part of the DevOps process, we use the tool to scan and see if the web apps are vulnerable. We integrated the tool into our development life cycle for security testing in our DevOps pipeline. We use the tool to spider and test the website.

How has it helped my organization?

The solution helped identify attacks like Cross-site Scripting and SQL Injection. We can perform general health checks to see if the site is secure. If there are problems, they get fixed by the developers before they get to production.

*Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Read full review (513 words)
YK
Security Officer at UnDisclosed
Verified user of OWASP Zap
May 4, 2023
Stable dynamic testing solution with unreliable manual processes

Pros

"Stability-wise, I rate the solution a nine out of ten. I think it's stable enough. I don't see any crashes within the application, so its stability is high."

Cons

"The solution is somewhat unreliable because after we get the finding, we have to manually verify each of its findings to see whether it's a false positive or a true finding, and it takes time."

What is our primary use case?

OWASP Zap is used for dynamic testing. So when any kind of application, like, a web application, needs to be tested for its security and vulnerabilities. It is also used to crawl the site and then to enumerate all the input or the possible exploitation points, and then we try to exploit any blockings within OWASP Zap.

How has it helped my organization?

It improved our company's functioning because it integrates and can automate most of our workflow, so it helps. Based on its automation abilities, I rate it a seven out of ten. But there are many things that I have to do manually for safety and better clarification.

*Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Read full review (663 words)