"The solution is scalable."
"The interface is easy to use."
"The stability of the solution is very good."
"They offer free access to some other tools."
"Automatic updates and pull request analysis."
"The solution is good at reporting the vulnerabilities of the application."
"It has evolved over the years and recently in the last year they have added, HUD (Heads Up Display)."
"Automatic scanning is a valuable feature and very easy to use."
"In my area of expertise, I feel like it has almost everything I could possibly require at this moment."
"With the Extender Tab, if you know how to code then you can create a plugin and add it to Burp."
"You can scan any number of applications and it updates its database."
"The automated scan is what I find most useful because a lot of customers will need it. Not every domain will be looking for complete security, they just need a stamp on the security key. For these kinds of customers, the scan works really well."
"The most valuable feature is the application security. It also has a reasonable price."
"The reporting part is the most valuable. It also has very good features. We use almost all of the features for different kinds of customers and needs."
"The active scanner, which does an automated search of any web vulnerabilities."
"The way they do the research and they keep their profile up to date is great. They identify vulnerabilities and update them immediately."
"Too many false positives; test reports could be improved."
"It would be ideal if I could try some pre-built deployment scenarios so that I don't have to worry about whether the configuration sector team is doing it right or wrong. That would be very helpful."
"The forced browse has been incorporated into the program and it is resource-intensive."
"The ability to search the internet for other use cases and to use the solution to make applications more secure should be addressed."
"The documentation needs to be improved because I had to learn everything from watching YouTube videos."
"Zap could improve by providing better reports for security and recommendations for the vulnerabilities."
"Reporting format has no output, is cluttered and very long."
"Deployment is somewhat complicated."
"As with most automated security tools, too many false positives."
"The use of system memory is an area that can be improved because it uses a lot."
"There is not much automation in the tool."
"There should be a heads up display like the one available in OWASP Zap."
"The biggest drawback is reporting. It's not so good. I can download them, but they're not so informative."
"A lot of our interns find it difficult to get used to PortSwigger Burp's environment."
"We wish that the Spider feature would appear in the same shape that it does in previous versions."
"Currently, the scanning is only available in the full version of Burp, and not in the Community version."
More PortSwigger Burp Suite Professional Pricing and Cost Advice →
OWASP Zap is ranked 6th in Application Security Testing (AST) with 9 reviews while PortSwigger Burp Suite Professional is ranked 3rd in Application Security Testing (AST) with 19 reviews. OWASP Zap is rated 7.0, while PortSwigger Burp Suite Professional is rated 8.4. The top reviewer of OWASP Zap writes "Great at reporting vulnerabilities, helps with security, and reveals development threats well". On the other hand, the top reviewer of PortSwigger Burp Suite Professional writes "Best for manual penetration testing, a great user interface, and offers good scanning capabilities". OWASP Zap is most compared with Veracode, Acunetix by Invicti, Qualys Web Application Scanning, Fortify WebInspect and Netsparker by Invicti, whereas PortSwigger Burp Suite Professional is most compared with Fortify WebInspect, Acunetix by Invicti, Tenable.io Web Application Scanning, HCL AppScan and Qualys Web Application Scanning. See our OWASP Zap vs. PortSwigger Burp Suite Professional report.
See our list of best Application Security Testing (AST) vendors.
We monitor all Application Security Testing (AST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
Yes OWASP ZAP is a good option as it's an open source so always preferred but Burp Suite Pro will give you more options, its one of the best tool to have for pentesters so defo worth it.
First things first both are having their own merits, however in my personal experience ZAP can replace your burpsuite for sure considering the License. Also as the latest ZAP versions are covering more advanced techniques and spidering patterns with lots of options in it, it is worth considering ZAP. However remember that burpsuite from latest versions with inbuilt chromium and it's emerging plugin support (Installable jars) you can use burp to the fullest and you can keep it as a swiss knife for your web and app pentesting. Couple of extensions in burp pro are interesting especially the race condition one. I always prefer using Burp and at instances I go with ZAP.
OWASP Zap and PortSwigger Burp Suite Pro have many similar features. OWASP Zap has web application scanning available with basic security vulnerabilities while Burp Suite Pro has it available with quality security vulnerabilities. Both are very comparable in terms of intercepting features, fuzzing capabilities, and encoder and decoders. Both OWASP Zap and PortSwigger Burp Suite Pro have a spider feature, and provide updates.
One big difference between the two, though, is price. OWASP Zap is free, but Burp Suite Pro requires a paid subscription (currently $399 per year). OWASP Zap is maintained by volunteers whereas Burp Suite Pro is a commercial product maintained and sold by PortSwigger, which makes me feel more confident in it. In addition, OWASP Zap provides little documentation, which may be why some people prefer Burp Suite Pro (which offers extensive documentation). Moreover, Burp Suite Pro includes more coverage than OWASP Zap. But it is also worth noting that OWASP Zap has more false positives than Burp Suite Pro.
I like Burp Suite Pro’s interface a lot more than OWASP Zap’s. Another big plus for me with Burp is its Comparer tab,which allows for easier change detection. OWASP Zap does not include this feature without extensions and a ZAP plugin is required. Another thing about OWASP Zap I dislike is that the ability to search for text in the request or server response is difficult, while Burp Suite Pro makes it easier and more accessible.
Conclusion:
In my opinion, Burp Suite Pro is better than OWASP Zap because of its features, which I feel make it a better choice for security professionals. Both OWASP Zap and Burp Suite Pro have good sets of capabilities. However, Burp Suite Pro excels in the specific capabilities I need in more ways that OWASP Zap does.