Try our new research platform with insights from 80,000+ expert users

Checkmarx One vs OWASP Zap comparison

 

Comparison Buyer's Guide

Executive SummaryUpdated on Oct 8, 2024

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Categories and Ranking

Checkmarx One
Ranking in Static Application Security Testing (SAST)
3rd
Average Rating
7.6
Reviews Sentiment
6.9
Number of Reviews
70
Ranking in other categories
Application Security Tools (3rd), Vulnerability Management (24th), Static Code Analysis (2nd), API Security (4th), DevSecOps (2nd), Risk-Based Vulnerability Management (10th)
OWASP Zap
Ranking in Static Application Security Testing (SAST)
8th
Average Rating
7.6
Reviews Sentiment
7.3
Number of Reviews
40
Ranking in other categories
No ranking in other categories
 

Mindshare comparison

As of May 2025, in the Static Application Security Testing (SAST) category, the mindshare of Checkmarx One is 9.8%, down from 12.9% compared to the previous year. The mindshare of OWASP Zap is 4.7%, down from 5.0% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Static Application Security Testing (SAST)
 

Featured Reviews

Rohit Kesharwani - PeerSpot reviewer
Provides good security analysis and security identification within the source code
We integrate Checkmarx into our software development cycle using GitLab's CI/CD pipeline. Checkmark has been the most helpful for us in the development stage. The solution's incremental scanning feature has impacted our development speed. The solution's vulnerability detection is around 80% to 90% accurate. I would recommend Checkmarx to other users because it is one of the good tools for doing security analysis and security identification within the source code. Overall, I rate Checkmarx a nine out of ten.
Amit Beniwal - PeerSpot reviewer
Simplifies vulnerability discovery and has high quality support
There are areas for improvement with OWASP Zap, particularly in the alignment of vulnerabilities concerning CVSS scores. Sometimes, a vulnerability initially categorized as high severity may be reduced to medium or low over time after security patches are applied. This alignment with the present severity score and CVSS score could be improved.

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"The reports are very good because they include details on the code level, and make suggestions about how to fix the problems."
"We were using HPE Security Fortify to scan code for security vulnerabilities, but it can scan only after a successful compile. If the code has dependencies or build errors, the scan fails. With Checkmarx, pre-compile scanning is seamless. This allows us to scan more code."
"It can integrate very well with DAST solutions. So both of them are combined into an integrated solution for customers running application security."
"The UI is very intuitive and simple to use."
"The setup is fairly easy. We didn't struggle with the process at all."
"The most valuable feature for me is the Jenkins Plugin."
"Scan reviews can occur during the development lifecycle."
"The main advantage of this solution is its centralized reporting functionality, which lets us track issues, then see and report on the priorities via a web portal."
"They offer free access to some other tools."
"It's great that we can use it with Portswigger Burp."
"The best feature is the Zap HUD (Heads Up Display) because the customers can use the website normally. If we scan websites with automatic scanning, and the website has a web application firewall, it's very difficult."
"The reporting is quite intuitive, which gives you a clear indication of what kind of vulnerability you have that you can drill down on to gather more information."
"The scalability of this product is very good."
"You can run it against multiple targets."
"The product helps users to scan and fix vulnerabilities in the pipeline."
"It scans while you navigate, then you can save the requests performed and work with them later."
 

Cons

"Updating and debugging of queries is not very convenient."
"The reports are good, but they still need to be improved considering what the UI offers."
"I would like to see the tool’s pricing improved."
"The product's reporting feature could be better. The feature works well for developers, but reports generated to be shared with external parties are poor, it lacks the details one gets when viewing the results directly from the Checkmarx One platform."
"Creating and editing custom rules in Checkmarx is difficult because the license for the editor comes at an additional cost, and there is a steep learning curve."
"The integration could improve by including, for example, DevSecOps."
"Integration into the SDLC (i.e. support for last version of SonarQube) could be added."
"The Dynamic Application Security Testing (DAST) feature should be better."
"There isn't too much information about it online."
"I would like to see a version of “repeater” within OWASP ZAP, a tool capable of sending from one to 1000 of the same requests, but with preselected modified fields, changing from a predetermined word ​list, or manually created."
"If there was an easier to understand exactly what has been checked and what has not been checked, it would make this solution better. We have to trust that it has checked all known vulnerabilities but it's a bit hard to see after the scanning."
"Too many false positives; test reports could be improved."
"The documentation needs to be improved because I had to learn everything from watching YouTube videos."
"Reporting format has no output, is cluttered and very long."
"It would be nice to have a solid SQL injection engine built into Zap."
"I prefer Burp Suite to SWASP Zap because of the extensive coverage it offers."
 

Pricing and Cost Advice

"Checkmarx is comparatively costlier than other products, which is why some of the customers feel reluctant to go for it, though performance-wise, Checkmarx can compete with other products."
"For around 250 users or committers, the cost is approximately $500,000."
"The interface used to create custom rules comes at an additional cost."
"The number of users and coverage for languages will have an impact on the cost of the license."
"The solution is costly."
"It is an expensive solution."
"Be cautious of the one-year subscription date. Once it expires, your price will go up."
"Its price is fair. It is in or around the right spot. Ultimately, if the price is wrong, customers won't commit, but they do tend to commit. It is neither too cheap nor too expensive."
"This solution is open source and free."
"The tool is open-source."
"We have used the freeware version. I believe Zap only has freeware."
"The solution’s pricing is high."
"OWASP Zap is free to use."
"It is open source, and we can scan freely."
"This is an open-source solution and can be used free of charge."
"As Zap is free and open-source, with tons of features similar to those of commercial solutions, I would definitely recommend trying it out."
report
Use our free recommendation engine to learn which Static Application Security Testing (SAST) solutions are best for your needs.
850,671 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Financial Services Firm
21%
Computer Software Company
14%
Manufacturing Company
10%
Government
5%
Computer Software Company
18%
Financial Services Firm
11%
Manufacturing Company
8%
Government
7%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
 

Questions from the Community

What alternatives are there for Fortify WebInspect and Fortify SCA?
I would like to recommend Checkmarx. With Checkmarx, you are able to have an all in one solution for SAST and SCA as well. Veracode is only a cloud solution. Hope this helps.
What do you like most about Checkmarx?
Compared to the solutions we used previously, Checkmarx has reduced our workload by almost 75%.
What is your experience regarding pricing and costs for Checkmarx?
The pricing is relatively expensive due to the product's quality and performance, but it is worth it.
Is OWASP Zap better than PortSwigger Burp Suite Pro?
OWASP Zap and PortSwigger Burp Suite Pro have many similar features. OWASP Zap has web application scanning available with basic security vulnerabilities while Burp Suite Pro has it available with ...
What do you like most about OWASP Zap?
The best feature is the Zap HUD (Heads Up Display) because the customers can use the website normally. If we scan websites with automatic scanning, and the website has a web application firewall, i...
What is your experience regarding pricing and costs for OWASP Zap?
OWASP might be cost-effective, however, people prefer to use the free edition available as open source.
 

Overview

 

Sample Customers

YIT, Salesforce, Coca-Cola, SAP, U.S. Army, Liveperson, Playtech Case Study: Liveperson Implements Innovative Secure SDLC
1. Google 2. Microsoft 3. IBM 4. Amazon 5. Facebook 6. Twitter 7. LinkedIn 8. Netflix 9. Adobe 10. PayPal 11. Salesforce 12. Cisco 13. Oracle 14. Intel 15. HP 16. Dell 17. VMware 18. Symantec 19. McAfee 20. Citrix 21. Red Hat 22. Juniper Networks 23. SAP 24. Accenture 25. Deloitte 26. Ernst & Young 27. PwC 28. KPMG 29. Capgemini 30. Infosys 31. Wipro 32. TCS
Find out what your peers are saying about Checkmarx One vs. OWASP Zap and other solutions. Updated: April 2025.
850,671 professionals have used our research since 2012.