OWASP Zap vs PortSwigger Burp Suite Professional comparison

Find out what your peers are saying about OWASP Zap vs. PortSwigger Burp Suite Professional and other solutions. Updated: January 2022.
564,143 professionals have used our research since 2012.
Quotes From Members
We asked business professionals to review the solutions they use.
Here are some excerpts of what they said:
Pros

OWASP Zap:
  • "The solution is scalable."
  • "The interface is easy to use."
  • "The stability of the solution is very good."
  • "They offer free access to some other tools."
  • "Automatic updates and pull request analysis."
  • "The solution is good at reporting the vulnerabilities of the application."
  • "It has evolved over the years and recently in the last year they have added, HUD (Heads Up Display)."
  • "Automatic scanning is a valuable feature and very easy to use."

PortSwigger Burp Suite Professional:
  • "In my area of expertise, I feel like it has almost everything I could possibly require at this moment."
  • "With the Extender Tab, if you know how to code then you can create a plugin and add it to Burp."
  • "You can scan any number of applications and it updates its database."
  • "The automated scan is what I find most useful because a lot of customers will need it. Not every domain will be looking for complete security, they just need a stamp on the security key. For these kinds of customers, the scan works really well."
  • "The most valuable feature is the application security. It also has a reasonable price."
  • "The reporting part is the most valuable. It also has very good features. We use almost all of the features for different kinds of customers and needs."
  • "The active scanner, which does an automated search of any web vulnerabilities."
  • "The way they do the research and they keep their profile up to date is great. They identify vulnerabilities and update them immediately."

Cons

OWASP Zap:
  • "Too many false positives; test reports could be improved."
  • "It would be ideal if I could try some pre-built deployment scenarios so that I don't have to worry about whether the configuration sector team is doing it right or wrong. That would be very helpful."
  • "The forced browse has been incorporated into the program and it is resource-intensive."
  • "The ability to search the internet for other use cases and to use the solution to make applications more secure should be addressed."
  • "The documentation needs to be improved because I had to learn everything from watching YouTube videos."
  • "Zap could improve by providing better reports for security and recommendations for the vulnerabilities."
  • "Reporting format has no output, is cluttered and very long."
  • "Deployment is somewhat complicated."

PortSwigger Burp Suite Professional:
  • "As with most automated security tools, too many false positives."
  • "The use of system memory is an area that can be improved because it uses a lot."
  • "There is not much automation in the tool."
  • "There should be a heads up display like the one available in OWASP Zap."
  • "The biggest drawback is reporting. It's not so good. I can download them, but they're not so informative."
  • "A lot of our interns find it difficult to get used to PortSwigger Burp's environment."
  • "We wish that the Spider feature would appear in the same shape that it does in previous versions."
  • "Currently, the scanning is only available in the full version of Burp, and not in the Community version."

Pricing and Cost Advice

OWASP Zap:
  • "This is an open-source solution and can be used free of charge."
  • "This solution is open source and free."

PortSwigger Burp Suite Professional:
  • "There are different licenses available that include a free version."
  • "At $400 or $500 per license paid annually, it is a very cheap tool."
  • "PortSwigger is reasonably-priced. It's fair."
  • "It has a yearly license. I am satisfied with its price."
  • "We are using the community version, which is free."
  • "It is expensive for us in Brazil because the currency exchange rate from a dollar to a Brazilian Real is quite steep."
  • "The price for the solution is expensive and could be cheaper. We pay an annual license and our team has several of them."
  • "It's a lower priced tool that we can rely on with good standard mechanisms."

    Answers from the Community
    Anonymous User
    VishalDhamke
    Real User

    Yes, OWASP ZAP is a good option as it's open source, so always preferred, but Burp Suite Pro will give you more options. It's one of the best tools to have for pentesters, so defo worth it.

    Avinash-Kumar
    Real User

    First things first, both have their own merits; however, in my personal experience ZAP can replace your Burp Suite for sure considering the license. Also, as the latest ZAP versions are covering more advanced techniques and spidering patterns with lots of options in it, it is worth considering ZAP. However, remember that with Burp Suite from the latest versions, with inbuilt Chromium and its emerging plugin support (installable jars), you can use Burp to the fullest and you can keep it as a Swiss knife for your web and app pentesting. A couple of extensions in Burp Pro are interesting, especially the race condition one. I always prefer using Burp and at instances I go with ZAP.

    Questions from the Community
    Top Answer: 
    OWASP Zap and PortSwigger Burp Suite Pro have many similar features. OWASP Zap has web application scanning available with basic security vulnerabilities while Burp Suite Pro has it available with…
    Top Answer: 
    It has evolved over the years and recently in the last year they have added, HUD (Heads Up Display).
    Top Answer: 
    We use the solution for vulnerability assessment in respect of the application and the sites.
    Top Answer: 
    We wish that the Spider feature would appear in the same shape that it does in previous versions. I believe we have developmental tools such as Accuratix. It would be nice if the report that was accepted…
    Ranking
    OWASP Zap: Views 31,876; Comparisons 21,072; Reviews 9; Average Words per Review 471; Rating 7.0
    PortSwigger Burp Suite Professional: Views 21,981; Comparisons 18,295; Reviews 21; Average Words per Review 559; Rating 8.4
    Also Known As
    Burp
    Overview

    Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool being maintained under the umbrella of the Open Web Application Security Project (OWASP). ZAP is designed specifically for testing web applications and is both flexible and extensible.

    Burp Suite Professional, by PortSwigger, is the world’s leading toolkit for web security testing. Over 52,000 users worldwide, across all industries and organization sizes, trust Burp Suite Professional to find more vulnerabilities, faster. With expertly-engineered manual and automated tooling, you're able to test smarter - not harder.

    PortSwigger is the web security company that is enabling the world to secure the web. Over 50,000 security engineers rely on our software and expertise to secure their world.

    Sample Customers
    Information Not Available
    Google, Amazon, NASA, FedEx, P&G, Salesforce
    Top Industries
    REVIEWERS: Computer Software Company 27%, Financial Services Firm 18%, Retailer 9%, Manufacturing Company 9%
    VISITORS READING REVIEWS: Computer Software Company 30%, Comms Service Provider 25%, Government 6%, Financial Services Firm 5%
    REVIEWERS: Manufacturing Company 40%, Financial Services Firm 33%, Insurance Company 7%, University 7%
    VISITORS READING REVIEWS: Computer Software Company 28%, Comms Service Provider 26%, Government 7%, Media Company 5%
    Company Size
    REVIEWERS: Small Business 18%, Midsize Enterprise 32%, Large Enterprise 50%
    VISITORS READING REVIEWS: Small Business 14%, Midsize Enterprise 16%, Large Enterprise 71%
    REVIEWERS: Small Business 21%, Midsize Enterprise 21%, Large Enterprise 58%

    OWASP Zap is ranked 6th in Application Security Testing (AST) with 9 reviews while PortSwigger Burp Suite Professional is ranked 3rd in Application Security Testing (AST) with 19 reviews. OWASP Zap is rated 7.0, while PortSwigger Burp Suite Professional is rated 8.4. The top reviewer of OWASP Zap writes "Great at reporting vulnerabilities, helps with security, and reveals development threats well". On the other hand, the top reviewer of PortSwigger Burp Suite Professional writes "Best for manual penetration testing, a great user interface, and offers good scanning capabilities". OWASP Zap is most compared with Veracode, Acunetix by Invicti, Qualys Web Application Scanning, Fortify WebInspect and Netsparker by Invicti, whereas PortSwigger Burp Suite Professional is most compared with Fortify WebInspect, Acunetix by Invicti, Tenable.io Web Application Scanning, HCL AppScan and Qualys Web Application Scanning. See our OWASP Zap vs. PortSwigger Burp Suite Professional report.

    We monitor all Application Security Testing (AST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.