Checkmarx One vs OWASP Zap vs PortSwigger Burp Suite Professional comparison

 

Executive Summary

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Mindshare comparison

As of June 2025, in the Static Application Security Testing (SAST) category, the mindshare of Checkmarx One is 9.5%, down from 12.8% compared to the previous year. The mindshare of OWASP Zap is 4.7%, down from 4.9% compared to the previous year. The mindshare of PortSwigger Burp Suite Professional is 2.0%, down from 2.1% compared to the previous year. It is calculated based on PeerSpot user engagement data.

Featured Reviews

Syed Hasan - PeerSpot reviewer
Partner experiences excellent technical support and seamless initial setup
In my opinion, if we are able to extract or show the report, and because everything is going towards agent tech and GenAI, it would be beneficial if it could get integrated with our code base and do the fix automatically. It could suggest how the code base is written and automatically populate the source code with three different solution options to choose from. This would be really helpful.
Amit Beniwal - PeerSpot reviewer
Simplifies vulnerability discovery and has high quality support
There are areas for improvement with OWASP Zap, particularly in the alignment of vulnerabilities concerning CVSS scores. Sometimes, a vulnerability initially categorized as high severity may be reduced to medium or low over time after security patches are applied. This alignment with the present severity score and CVSS score could be improved.
Anuradha.Kapoor Kapoor - PeerSpot reviewer
Offers efficient scanning of entire websites, but the presence of false positive bugs leads to time-consuming efforts in distinguishing real bugs from false alarms
We have found that so many times, false positive bugs are there, and then we spend a lot of time basically separating them from real bugs. So that's the reason we are looking for some other tool. So we were in discussion with Acunetix. Therefore, the false positive rate is something that we would like to improve. What we are looking for is for this false positive rate to go down, because we were OWASP Zap tool users, which was free anyway. But there were a lot of false positives there, and we used to spend a lot of time, for security reasons, reproducing those bugs for the development team to fix. So then we thought, okay, why not go with the tool, even if it is not very expensive? But still, every year we have to renew the license. And we got this tool. Again, we found that in this tool also, even if it is less, there are still a lot of false positive bugs out there. So we again have to spend so much time. So we hired a security tester, who was basically using Acunetix in his previous company for almost three years, and he said that scanning in this tool is very slow. The scanning is also slow. Sometimes the site scan takes six to eight hours, whereas in Acunetix it took three to four hours. And plus, there are no false positives. I'm not saying none, but there are very few. But here, the rate sometimes is very high. These are the two features I think we would like to improve further.

Quotes from Members


Pros

"The feature that I have found most valuable is that its number of false positives is less than the other security application platforms. Its ease of use is another good feature. It also supports most of the languages."
"Vulnerability details are valuable."
"It has all the features we need."
"Less false positive errors as compared to any other solution."
"The value you can get out of the speedy production may be worth the price tag."
"It shows in-depth code of where actual vulnerabilities are."
"Helps us check vulnerabilities in our SAP Fiori application."
"The UI is user-friendly."
"OWASP is quite matured in identifying the vulnerabilities."
"The most valuable feature is scanning the URL to drill down all the different sites."
"Fuzzer and Java APIs help a lot with our custom needs."
"It scans while you navigate, then you can save the requests performed and work with them later."
"Simple and easy to learn and master."
"The product helps users to scan and fix vulnerabilities in the pipeline."
"I consider OWASP Zap to be the most effective solution overall; being open source allows integration with other systems via OWASP Zap APIs."
"You can run it against multiple targets."
"I personally love its capability to automatically and accurately detect vulnerabilities. So, I would say it is the Burp scanner that is THE most powerful, valuable, and an awesome feature."
"Some of the extensions, available using Burp Extender, are also very good and we have found issues by using them."
"BurpSuite helps us to identify and fix silly mistakes that are sometimes introduced by our developers in their coding."
"There is no other tool like it. I like the intuitiveness and the plugins that are available."
"The most valuable feature is Burp Collaborator."
"The solution is quite helpful for session management and configuration."
"The intercepting feature is the most valuable."
"The product is very good just the way it is; it has everything already well established and functions great. I can't see any way for this current version to be improved."
 

Cons

"We have received some feedback from our customers who are receiving a large number of false positives."
"Checkmarx could be improved with more integration with third-party software."
"If it is a very large code base then we have a problem where we cannot scan it."
"They can support the remaining languages that are currently not supported. They can also create a different model that can identify zero-day attacks. They can work on different patterns to identify and detect zero-day vulnerability attacks."
"They should make it more container-friendly and optimized for the CI pipeline. They should make it a little less heavy. Right now, it requires a SQL database, and the way the tool works is that it has an engine and then it has an analysis database in which it stores the information. So, it is pretty heavy from that perspective because you have to have a full SQL Server. They're working on something called Checkmarx Light, which is a slim-down version. They haven't released it yet, but that's what we need. There should be something a little more slimmed down that can just run the analysis and output the results in a format that's readable as opposed to having a full, really big, and thick deployment with a full database server."
"Checkmarx has a slightly difficult compilation with the CI/CD pipeline."
"The solution sometimes reports a false auditable code or false positive."
"You can't use it in the continuous delivery pipeline because the scanning takes too much time."
"The work that it does in the limited scope is good, but the scope is very limited in terms of the scanning features. The number of things it tests or finds is limited. They need to make it more of a mainstream tool that people can use, and they can even think about having it on a proprietary basis. They need to increase the coverage of the scan and the results that it finds. That has always been Zap's limitation. Zap is a very good tool for a beginner, but once you start moving up the ladder where you want further details and you want your scan to show more in-depth results, Zap falls short because its coverage falls short. It does not have the capacity to do more."
"It needs more robust reporting tools."
"If there was an easier way to understand exactly what has been checked and what has not been checked, it would make this solution better. We have to trust that it has checked all known vulnerabilities, but it's a bit hard to see after the scanning."
"Reporting format has no output, is cluttered and very long."
"The ability to search the internet for other use cases and to use the solution to make applications more secure should be addressed."
"The port scanner is a little too slow."
"There are areas for improvement with OWASP Zap, particularly in the alignment of vulnerabilities concerning CVSS scores."
"I'd like to see a kind of feature where we can just track what our last vulnerability was and how it has improved or not. More reports that can have some kind of base-lining, I think that would be a good feature too. I'm not sure whether it can be achieved and implemented, but I think that would really help."
"The solution is not easy to set up. You need a lot of knowledge."
"You can have many false positives in Burp Suite. It depends on the scale of the penetration testing."
"The number of false positives needs to be reduced on the solution."
"I would like to see the return of the spider mechanism instead of the crawling feature. Burp Suite's earlier version 1.7 had an excellent spider option, and it would be beneficial if Burp incorporated those features into the current version. The crawling techniques used in the current version are not as efficient as those used in earlier versions."
"The use of system memory is an area that can be improved because it uses a lot."
"It should provide a better way to integrate with Jenkins so that DAST (dynamic application security testing) can be automated."
"The Auto Scanning features should be updated more frequently and should include the latest attack vectors."
"BurpSuite has some issues regarding authentication with OAT tokens that need to be improved."
 

Pricing and Cost Advice

"We got a special offer for a 30% reduction for three years, after our first year. I think for a real source-code scanning tool, you have to add a lot of money for Open Source Analysis, and AppSec Coach (160 Euro per user per year)."
"It is an expensive solution."
"The solution is costly."
"We're using a commercial version of Checkmarx, and we paid for the solution for one year. The price is high and could be reduced."
"I believe pricing is better compared to other commercial tools."
"The interface used to create custom rules comes at an additional cost."
"The pricing is competitive and provides a lower TCO (total cost of ownership) for achieving application security."
"For around 250 users or committers, the cost is approximately $500,000."
"As Zap is free and open-source, with tons of features similar to those of commercial solutions, I would definitely recommend trying it out."
"It's free. It's good for us because we don't know what the extent of our use will be yet. It's good to start with something free and easy to use."
"It is highly recommended as it is an open source tool."
"This solution is open source and free."
"This app is completely free and open source. So there is no question about any pricing."
"We have used the freeware version. I believe Zap only has freeware."
"The tool is open source."
"It's free and open, currently under the Apache 2 license. If ZAP does what you need it to do, selling a free solution is very easy."
"The price for the solution is expensive and could be cheaper. We pay an annual license and our team has several of them."
"It is a cheap solution, but it may not be cheaper than other solutions."
"There is no setup cost and the cost of licensing is affordable."
"They should reduce the license cost a little bit. It is $400 per user, and it would be better if they could reduce the licensing fee."
"We pay a yearly licensing fee for the solution, which is neither cheap nor expensive."
"PortSwigger is a bit expensive."
"PortSwigger Burp Suite Professional is an expensive solution."
"The pricing of the solution is cost-effective and is best suited for small and medium-sized businesses."
 

Top Industries

By visitors reading reviews (listed in the page's product order: Checkmarx One, OWASP Zap, PortSwigger Burp Suite Professional)

Checkmarx One: Financial Services Firm 21%, Computer Software Company 14%, Manufacturing Company 10%, Government 5%
OWASP Zap: Computer Software Company 18%, Financial Services Firm 12%, Manufacturing Company 7%, University 7%
PortSwigger Burp Suite Professional: Computer Software Company 16%, Financial Services Firm 13%, Government 11%, Manufacturing Company 7%

Company Size

By reviewers: breakdown across Large Enterprise, Midsize Enterprise and Small Business (percentages are not shown on this page)

Questions from the Community

What alternatives are there for Fortify WebInspect and Fortify SCA?
I would like to recommend Checkmarx. With Checkmarx, you are able to have an all in one solution for SAST and SCA as ...
What do you like most about Checkmarx?
Compared to the solutions we used previously, Checkmarx has reduced our workload by almost 75%.
What is your experience regarding pricing and costs for Checkmarx?
The pricing is relatively expensive due to the product's quality and performance, but it is worth it.
Is OWASP Zap better than PortSwigger Burp Suite Pro?
OWASP Zap and PortSwigger Burp Suite Pro have many similar features. OWASP Zap has web application scanning available...
What do you like most about OWASP Zap?
The best feature is the Zap HUD (Heads Up Display) because the customers can use the website normally. If we scan web...
What is your experience regarding pricing and costs for OWASP Zap?
OWASP might be cost-effective, however, people prefer to use the free edition available as open source.
What do you like most about PortSwigger Burp Suite Professional?
The solution helped us discover vulnerabilities in our applications.
What is your experience regarding pricing and costs for PortSwigger Burp Suite Professional?
I find the price of PortSwigger Burp Suite Professional to be very cost-efficient.
What needs improvement with PortSwigger Burp Suite Professional?
The dashboard of PortSwigger Burp Suite Professional could be made more user-friendly.
 

Also Known As

Checkmarx One: no data available
OWASP Zap: no data available
PortSwigger Burp Suite Professional: Burp


Sample Customers

Checkmarx One: YIT, Salesforce, Coca-Cola, SAP, U.S. Army, Liveperson, Playtech (case study: Liveperson Implements Innovative Secure SDLC)
OWASP Zap: Google, Microsoft, IBM, Amazon, Facebook, Twitter, LinkedIn, Netflix, Adobe, PayPal, Salesforce, Cisco, Oracle, Intel, HP, Dell, VMware, Symantec, McAfee, Citrix, Red Hat, Juniper Networks, SAP, Accenture, Deloitte, Ernst & Young, PwC, KPMG, Capgemini, Infosys, Wipro, TCS
PortSwigger Burp Suite Professional: Google, Amazon, NASA, FedEx, P&G, Salesforce