Checkmarx One vs OWASP Zap vs PortSwigger Burp Suite Professional comparison

Checkmarx and OWASP are both solutions in the Static Application Security Testing (SAST) category. Checkmarx is ranked #3 with an average rating of 8.3, while OWASP is ranked #11 with an average rating of 8.0. Checkmarx holds a 10.0% mindshare in SAST, compared to OWASP’s 4.7% mindshare. Additionally, 87% of Checkmarx users are willing to recommend the solution, compared to 88% of OWASP users who would recommend it.

Checkmarx One

Read 71 Checkmarx One reviews

20,870 Views
17,740 Comparison Views

87% willing to recommend

OWASP Zap

Read 41 OWASP Zap reviews

8,982 Views
8,174 Comparison Views

88% willing to recommend

PortSwigger Burp Suite Prof...

Read 64 PortSwigger Burp Suite Professional reviews

4,607 Views
2,948 Comparison Views

98% willing to recommend

Checkmarx One

OWASP Zap

PortSwigger Burp Suite Prof...

Comparison Buyer's Guide

Download the report

Executive Summary

We performed a comparison between Checkmarx One, OWASP Zap, and PortSwigger Burp Suite Professional based on real PeerSpot user reviews.

Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Static Application Security Testing (SAST).

To learn more, read our detailed Static Application Security Testing (SAST) Report (Updated: July 2025).

Buyer's Guide

Static Application Security Testing (SAST)

July 2025

Download the complete report

Helped 864,650 peers since 2012

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Mindshare comparison

As of August 2025, in the Static Application Security Testing (SAST) category, the mindshare of Checkmarx One is 10.0%, down from 12.5% compared to the previous year. The mindshare of OWASP Zap is 4.7%, up from 4.7% compared to the previous year. The mindshare of PortSwigger Burp Suite Professional is 2.0%, up from 1.9% compared to the previous year. It is calculated based on PeerSpot user engagement data.

Static Application Security Testing (SAST)

Featured Reviews

Syed Hasan

Specialist Leader at Deloitte

Partner experiences excellent technical support and seamless initial setup

In my opinion, if we are able to extract or show the report, and because everything is going towards agent tech and GenAI, it would be beneficial if it could get integrated with our code base and do the fix automatically. It could suggest how the code base is written and automatically populate the source code with three different solution options to choose from. This would be really helpful.

Read full review

Amit Beniwal

Project Manager at Al Hassan LLC

Simplifies vulnerability discovery and has high quality support

There are areas for improvement with OWASP Zap, particularly in the alignment of vulnerabilities concerning CVSS scores. Sometimes, a vulnerability initially categorized as high severity may be reduced to medium or low over time after security patches are applied. This alignment with the present severity score and CVSS score could be improved.

Read full review

Anuradha.Kapoor Kapoor

Head - Quality Control at Net Solutions

Offers efficient scanning of entire websites but presence of false positive bugs, leading to time-consuming efforts in distinguishing real bugs from false alarms

We have found that so many times, false positive bugs are there, and then we spend a lot of time basically separating them from real bugs. So that's the reason we are looking for some other tool. So we were in discussion with Acunetix. Therefore, the false positive rate is, like, something that we would like to improve. What we are looking for is if this false positive rate goes down because we were OWASP Zap tool users, which was free anyway. But there were a lot of false positives there, and we used to spend a lot of time, like, for security reasons, reproducing those bugs for the development team to fix it. So then we thought, okay, why not we go with the tool? Even if it is not very expensive. But still, every year, we have to renew the license. And we got this tool. Again, we found that in this tool also, even if it is less, there are still a lot of false positive bugs out there. So we again have to spend so much time. So we hired a security tester, who was basically using Acunetix in his previous company for almost three years, and then you said that in that scanning is very slow. The scanning is also slow. Like, sometimes the site scan takes eight hours, six to eight hours. Yeah. And whereas in Acunetix, it took three to four hours. And plus, there are no false positives. I'm not saying none but there's very little. But here, the rate sometimes is very high. These are the two features I think we would like to improve further.

Read full review

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Pros

"Compared to the solutions we used previously, Checkmarx has reduced our workload by almost 75%."

"The most valuable feature of Checkmarx is the user interface, it is very easy to use. We do not need to configure anything, we only have to scan to see the results."

"The features and technologies are very good. The flexibility and the roadmap have also been very good. They're at the forefront of delivering the additional capabilities that are required with cloud delivery, etc. Their ability to deliver what customers require and when they require is very important."

"The value you can get out of the speedy production may be worth the price tag."

"The user interface is modern and nice to use."

"The solution improved the efficiency of our code security reviews. It helps tremendously because it finds hundreds of potential problems sometimes."

"The identification of verification-related security vulnerabilities is really important and one of the key things. It also identifies vulnerabilities for any kind of third-party tool coming into the system or any third-party tools that you are using, which is very useful for avoiding random hacking."

"Apart from software scanning, software composition scanning is valuable."

More Checkmarx One pros

"It can be used effectively for internal auditing."

"The API is exceptional."

"It updates repositories and libraries quickly."

"The product discovers more vulnerabilities compared to other tools."

"The community edition updates services regularly. They add new vulnerabilities into the scanning list."

"It scans while you navigate, then you can save the requests performed and work with them later."

"Automatic scanning is a valuable feature and very easy to use."

"The solution is scalable."

More OWASP Zap pros

"The Spider is the most useful feature. It helps to analyze the entire web application, and it finds all the passes and offers an automated identification of security issues."

"The extension that it provides with the community version for the skills mapping is excellent."

"Some of the extensions, available using Burp Extender, are also very good and we have found issues by using them."

"This solution has helped a lot in finding bugs and vulnerabilities, and the scanner is good enough for simple web apps."

"I have found the best features to be the performance and there are a lot of additional plugins available."

"You can download different plugins if you don't have them in the standard edition."

"The feature that we have found most valuable is that it comes with pre-set configurations. They have a set of predefined options where you can pick one and start scanning. We also have the option of creating our own configurations, like how often do the applications need to be scanned."

"The tool provides complimentary services. It allows you to add a lot of extensions, and you can get extensions quite often. It is quite a flexible application."

More PortSwigger Burp Suite Professional pros

Cons

"Checkmarx could improve the solution reports and false positives. The false positives could be reduced. For example, we have alerts that are tagged as vulnerabilities but when you drill down they are not."

"It provides us with quite a handful of false positive issues. If Checkmarx could reduce this number, it would be a great tool to use."

"We have received some feedback from our customers who are receiving a large number of false positives."

"The plugins for the development environment have room for improvements such as for Android Studio and X code."

"The solution's user interface could be improved because it seems outdated."

"We want to have a holistic view of the portfolio-level dashboard and not just an individual technical project level."

"Checkmarx being Windows only is a hindrance. Another problem is: why can't I choose PostgreSQL?"

"The Dynamic Application Security Testing (DAST) feature should be better."

More Checkmarx One cons

"The solution is unable to customize reports."

"OWASP should work on reducing false positives by using AI and ML algorithms. They should expand their capabilities for broader coverage of business logic flaws and complex issues."

"The ability to search the internet for other use cases and to use the solution to make applications more secure should be addressed."

"Sometimes, we get some false positives."

"It doesn't run on absolutely every operating system."

"Reporting format has no output, is cluttered and very long."

"The solution is somewhat unreliable because after we get the finding, we have to manually verify each of its findings to see whether it's a false positive or a true finding, and it takes time."

"As security evolves, we would like DevOps built into it. As of now, Zap does not provide this."

More OWASP Zap cons

"There needs to be better documentation provided. Currently, we need to buy books, or we need to review online some use cases from other professionals who have been using the solution to find out their experience. It is not easy to find out how to properly do a security assessment."

"The solution lacks sufficient stability."

"We'd like to have more integration potential across all versions of the product."

"One area that can be improved, when compared to alternative tools, is that they could provide different reporting options and in different formats like PDF or something like that."

"The biggest improvement that I would like to see from PortSwigger that today many people see as an issue in their testing. There might be a feature which might be desired."

"One thing that is not up to the mark in PortSwigger is web application testing. I found some issues with its performance and reporting. They should work on these and give us a better outcome."

"The use of system memory is an area that can be improved because it uses a lot."

"The number of false positives need to be reduced on the solution."

More PortSwigger Burp Suite Professional cons

Pricing and Cost Advice

"This solution is expensive. The customized package allows you to buy additional users at any time."

"It is a good product but a little overpriced."

"We have a subscription license that is on a yearly basis, and it's a pretty competitive solution."

"I would rate the solution’s pricing an eight out of ten. The tool’s pricing is higher than others and it is for the license alone."

"I believe pricing is better compared to other commercial tools."

"Most of my customers opted for a perpetual license. They prefer to pay the highest amount up front for the perpetual license and then pay for additional support annually."

"It is not expensive, but sometimes, their pricing model or licensing model is not very clear. There are similar variables, such as projects or developers, and sometimes, it is a little bit confusing."

"It is an expensive solution."

More Checkmarx One pricing and cost advice

"This solution is open source and free."

"The tool is open source."

"We have used the freeware version. I believe Zap only has freeware."

"It is open source, and we can scan freely."

"It's free. It's good for us because we don't know what the extent of our use will be yet. It's good to start with something free and easy to use."

"It's free and open, currently under the Apache 2 license. If ZAP does what you need it to do, selling a free solution is a very easy."

"OWASP ZAP is a free tool provided by OWASP’s engineers and experts. There is an option to donate."

"As Zap is free and open-source, with tons of features similar to those of commercial solutions, I would definitely recommend trying it out."

More OWASP Zap pricing and cost advice

"It is a cheap solution, but it may not be cheaper than other solutions."

"The pricing of the solution is cost-effective and is best suited for small and medium-sized businesses."

"At $400 or $500 per license paid annually, it is a very cheap tool."

"There is no setup cost and the cost of licensing is affordable."

"Pricing is not very high. It was around $200."

"The yearly cost is about $300."

"The pricing of the solution is reasonable. We only need to pay for the annual subscription. I rate the pricing five out of ten."

"PortSwigger is reasonably-priced. It's fair."

More PortSwigger Burp Suite Professional pricing and cost advice

See which vendors are best for you

Use our free recommendation engine to learn which Static Application Security Testing (SAST) solutions are best for your needs.

See recommendations

864,650 professionals have used our research since 2012.

Top Industries

By visitors reading reviews

Financial Services Firm

20%

Computer Software Company

14%

Manufacturing Company

10%

Government

Computer Software Company

17%

Financial Services Firm

11%

Manufacturing Company

University

Computer Software Company

14%

Financial Services Firm

12%

Government

11%

Manufacturing Company

Company Size

By reviewers

Large Enterprise

Midsize Enterprise

Small Business

Questions from the Community

What alternatives are there for Fortify WebInspect and Fortify SCA?

I would like to recommend Checkmarx. With Checkmarx, you are able to have an all in one solution for SAST and SCA as ...

See all answers

What do you like most about Checkmarx?

Compared to the solutions we used previously, Checkmarx has reduced our workload by almost 75%.

See all answers

What is your experience regarding pricing and costs for Checkmarx?

The pricing is relatively expensive due to the product's quality and performance, but it is worth it.

See all answers

Is OWASP Zap better than PortSwigger Burp Suite Pro?

OWASP Zap and PortSwigger Burp Suite Pro have many similar features. OWASP Zap has web application scanning available...

See all answers

What do you like most about OWASP Zap?

The best feature is the Zap HUD (Heads Up Display) because the customers can use the website normally. If we scan web...

See all answers

What is your experience regarding pricing and costs for OWASP Zap?

OWASP might be cost-effective, however, people prefer to use the free edition available as open source.

See all answers

What do you like most about PortSwigger Burp Suite Professional?

The solution helped us discover vulnerabilities in our applications.

See all answers

What is your experience regarding pricing and costs for PortSwigger Burp Suite Professional?

The cost of PortSwigger Burp Suite Professional is reasonable at approximately $500 per year per user.

See all answers

What needs improvement with PortSwigger Burp Suite Professional?

The only potential improvement would be adding Postman integration specifically for APIs.

See all answers

Comparisons

SonarQube Server (formerly SonarQube) vs Checkmarx One

Compared 39% of the time

Veracode vs Checkmarx One

Compared 9% of the time

Checkmarx SAST vs Checkmarx One

Compared 7% of the time

OpenText Core Application Security vs Checkmarx One

Compared 5% of the time

GitHub Advanced Security vs Checkmarx One

Compared 4% of the time

More Checkmarx One Competitors

SonarQube Server (formerly SonarQube) vs OWASP Zap

Compared 19% of the time

Acunetix vs OWASP Zap

Compared 14% of the time

Qualys Web Application Scanning vs OWASP Zap

Compared 9% of the time

Veracode vs OWASP Zap

Compared 8% of the time

OpenText Dynamic Application Security Testing vs OWASP Zap

Compared 4% of the time

More OWASP Zap Competitors

Acunetix vs PortSwigger Burp Suite Professional

Compared 17% of the time

OpenText Dynamic Application Security Testing vs PortSwigger Burp Suite Professional

Compared 13% of the time

SonarQube Server (formerly SonarQube) vs PortSwigger Burp Suite Professional

Compared 7% of the time

HCL AppScan vs PortSwigger Burp Suite Professional

Compared 7% of the time

OpenText Core Application Security vs PortSwigger Burp Suite Professional

Compared 3% of the time

More PortSwigger Burp Suite Professional Competitors

Product Reports

Buyer's Guide

Checkmarx One

August 2025

Download Checkmarx One product report

Buyer's Guide

OWASP Zap

July 2025

Download OWASP Zap product report

Buyer's Guide

PortSwigger Burp Suite Professional

July 2025

PortSwigger Burp Suite Professional report

Download PortSwigger Burp Suite Professional product report

Also Known As

No data available

Burp

Overview

Checkmarx One is an enterprise cloud-native application security platform focused on providing cross-tool, correlated results to help AppSec and developer teams prioritize where to focus time and resources.

Checkmarx One offers comprehensive application scanning across the SDLC:

Static Application Security Testing (SAST)
Software Composition Analysis (SCA)
API security
Dynamic Application Security Testing (DAST)
Container security
IaC security
Correlation, prioritization, and risk management
Codebashing secure code training
AI security
Tech partnerships extending AppSec into runtime analysis
Developer tool integrations including: CI/CD tools, development frameworks, feedback tools, IDEs, programming languages and SCMs

Checkmarx One provides everything you need to secure application development from the first line of code through deployment and runtime in the cloud. With an ever-evolving set of AppSec engines, correlation and prioritization features, and AI capabilities, Checkmarx One helps consolidate expanding lists of AppSec tools and make better sense of results. Its capabilities are designed to provide an improved developer experience to build trust with development teams and ensure the success of your AppSec program investment.

Checkmarx

OWASP Zap is a free and open-source web application security scanner.

The solution helps developers identify vulnerabilities in their web applications by actively scanning for common security issues.

With its user-friendly interface and powerful features, Zap is a popular choice among developers for ensuring the security of their web applications.

OWASP

Burp Suite Professional, by PortSwigger, is the world’s leading toolkit for web security testing. Over 52,000 users worldwide, across all industries and organization sizes, trust Burp Suite Professional to find more vulnerabilities, faster. With expertly-engineered manual and automated tooling, you're able to test smarter - not harder.

PortSwigger is the web security company that is enabling the world to secure the web. Over 50,000 security engineers rely on our software and expertise to secure their world.

PortSwigger

Sample Customers

YIT, Salesforce, Coca-Cola, SAP, U.S. Army, Liveperson, Playtech Case Study: Liveperson Implements Innovative Secure SDLC

1. Google 2. Microsoft 3. IBM 4. Amazon 5. Facebook 6. Twitter 7. LinkedIn 8. Netflix 9. Adobe 10. PayPal 11. Salesforce 12. Cisco 13. Oracle 14. Intel 15. HP 16. Dell 17. VMware 18. Symantec 19. McAfee 20. Citrix 21. Red Hat 22. Juniper Networks 23. SAP 24. Accenture 25. Deloitte 26. Ernst & Young 27. PwC 28. KPMG 29. Capgemini 30. Infosys 31. Wipro 32. TCS

Google, Amazon, NASA, FedEx, P&G, Salesforce

Buyer's Guide

Static Application Security Testing (SAST)

July 2025

Download Free Report

Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Static Application Security Testing (SAST). Updated: July 2025.

DOWNLOAD NOW

864,650 professionals have used our research since 2012.