
OWASP Zap vs Veracode comparison

 

Comparison Buyer's Guide

Executive Summary
Updated on Nov 2, 2025

 

Categories and Ranking

OWASP Zap
Ranking in Static Application Security Testing (SAST): 11th
Average Rating: 7.6
Reviews Sentiment: 7.3
Number of Reviews: 41
Ranking in other categories: None

Veracode
Ranking in Static Application Security Testing (SAST): 2nd
Average Rating: 8.2
Reviews Sentiment: 6.9
Number of Reviews: 204
Ranking in other categories: Application Security Tools (2nd), Container Security (8th), Software Composition Analysis (SCA) (3rd), Static Code Analysis (1st), Application Security Posture Management (ASPM) (1st)
 

Mindshare comparison

As of November 2025, in the Static Application Security Testing (SAST) category, the mindshare of OWASP Zap is 4.3%, up from 4.4% compared to the previous year. The mindshare of Veracode is 6.2%, down from 9.8% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Static Application Security Testing (SAST) Market Share Distribution
Product: Market Share (%)
Veracode: 6.2%
OWASP Zap: 4.3%
Other: 89.5%
 

Featured Reviews

Amit Beniwal - PeerSpot reviewer
Simplifies vulnerability discovery and has high quality support
There are areas for improvement with OWASP Zap, particularly in the alignment of vulnerabilities concerning CVSS scores. Sometimes, a vulnerability initially categorized as high severity may be reduced to medium or low over time after security patches are applied. This alignment with the present severity score and CVSS score could be improved.
Kv Rao - PeerSpot reviewer
Integrates pipelines smoothly and fortifies code against vulnerabilities
I use Veracode in multiple places including static code analysis, penetration testing, and dynamic code analysis. It is part of our pipeline and integrates well with Bitbucket and Git pipelines. The ease of integration with Bitbucket pipelines and Git pipelines is vital for us. Veracode allows us…

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"Two features are valuable. The first one is that the scan gets completed really quickly, and the second one is that even though it searches in a limited scope, what it does in that limited scope is very good. When you use Zap for testing, you're only using it for specific aspects or you're only looking for certain things. It works very well in that limited scope."
"Simple and easy to learn and master."
"This solution has improved my organization because it has made us feel safer doing frequent deployments for web applications. If we have something really big, we might get some professional company in to help us but if we're releasing small products, we will check it ourselves with Zap. It makes it easier and safer."
"Fuzzer and Java APIs help a lot with our custom needs."
"It can be used effectively for internal auditing."
"Automatic updates and pull request analysis."
"The ZAP scan and code crawler are valuable features."
"You can run it against multiple targets."
"It pinpoints the errors. Its accuracy is very interesting. It also elaborates on flaws, meaning it provides you with details about what is valid or not and how something can be fixed."
"The main feature, and one of the most important, is the static code analysis. We are able to complete an analysis of the security flaws with this platform. It's very good at helping us find and fix flaws."
"The analysis of the vulnerabilities and the results are the most valuable features."
"It does software composition analysis, discovering open source software weaknesses."
"I like its integration with GitHub. I like using it from GitHub. I can use the GitHub URL and find out the vulnerabilities."
"It allows us to prove our security levels to vendors, and additionally helps us with our HIPAA security policies."
"I like the sandbox, the ability to upload compiled code, and how easy it is."
"The integration capabilities with our existing development tools are very good."
 

Cons

"OWASP Zap could benefit from a noise cancellation feature like that of Burp Suite Professional, where AI helps reduce certain non-critical findings."
"The technical support team must be proactive."
"OWASP Zap needs to extend to mobile application testing."
"The forced browse has been incorporated into the program and it is resource-intensive."
"For scalability, I would rate OWASP Zap between four to five out of ten."
"OWASP should work on reducing false positives by using AI and ML algorithms."
"Deployment is somewhat complicated."
"Reporting format has no output, is cluttered and very long."
"I have contacted the technical support and customer support. With Veracode's technical support, for some issues, it has been really difficult for them to understand the problem, and they ask us to do some tests we've already told them we completed in the first ticket."
"Veracode can be improved in terms of software composition analysis and related vulnerabilities."
"Veracode does not support scans for .NET Blazor server applications."
"The number of false positives could be reduced a lot. For each good result, we are getting somewhere around 15 to 20 false positives."
"Mitigation review isn't always super easy."
"I would like to see expanded coverage for supporting more platforms, frameworks, and languages."
"If the dynamic scan is improved, then the speed might go up. That is somehow not happening. We have raised this concern. It might also help if they could time limit scans to 24 hours instead of letting them go for three days. Then, whatever results could be shared, even if the scan is not complete, that would definitely help us."
"If you schedule two parallel scans under the same project, one of them will be a failure."
 

Pricing and Cost Advice

"The tool is open source."
"It's free and open, currently under the Apache 2 license. If ZAP does what you need it to do, selling a free solution is very easy."
"It's free. It's good for us because we don't know what the extent of our use will be yet. It's good to start with something free and easy to use."
"As Zap is free and open-source, with tons of features similar to those of commercial solutions, I would definitely recommend trying it out."
"This is an open-source solution and can be used free of charge."
"It is open source, and we can scan freely."
"This solution is open source and free."
"OWASP ZAP is a free tool provided by OWASP’s engineers and experts. There is an option to donate."
"The pricing is fair."
"The price of Veracode Static Analysis is expensive. There is an annual fee to use the solution and the company is upfront with the pricing model and fees."
"I think it's a great value. It's at a price point that a small company like mine can afford to use versus, if it was too exorbitant, I wouldn't be able to use this product. The cost of the license is small in comparison to the value it brings."
"It is expensive. It depends on the use case, but it is very hard to find a pricing page on their website. Instead, they need to analyze your use case, but without knowing the entire project and how you're going to be using Veracode, how many scans you're going to do, if yours is a small business, it is very expensive and it affects ROI."
"Licensing cost is on a yearly basis and there are no additional costs, the pricing is straightforward."
"I think licensing needs to be changed or updated so that it works with adjustments. Pricing is expensive compared to the amount of scanning we perform."
"I have not examined Veracode's pricing in detail, but from an industry perspective, I see that there is a tendency toward Veracode, which suggests competitive pricing."
"I found Veracode very expensive, though I'm not the person paying for it. I was surprised to find out how much the subscription costs and that the executive board approved it, but it was a no-brainer because now my company has better security scans."
872,846 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Computer Software Company: 15%
Financial Services Firm: 10%
University: 8%
Manufacturing Company: 8%

Financial Services Firm: 17%
Computer Software Company: 15%
Manufacturing Company: 9%
Government: 6%
 

Company Size

By reviewers
Company Size: Count
Small Business: 10
Midsize Enterprise: 11
Large Enterprise: 21

By reviewers
Company Size: Count
Small Business: 69
Midsize Enterprise: 43
Large Enterprise: 112
 

Questions from the Community

Is OWASP Zap better than PortSwigger Burp Suite Pro?
OWASP Zap and PortSwigger Burp Suite Pro have many similar features. OWASP Zap has web application scanning available with basic security vulnerabilities while Burp Suite Pro has it available with ...
What do you like most about OWASP Zap?
The best feature is the Zap HUD (Heads Up Display) because the customers can use the website normally. If we scan websites with automatic scanning, and the website has a web application firewall, i...
What is your experience regarding pricing and costs for OWASP Zap?
OWASP might be cost-effective, however, people prefer to use the free edition available as open source.
Which gives you more for your money - SonarQube or Veracode?
SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use...
What do you like most about Veracode Static Analysis?
I like its integration with GitHub. I like using it from GitHub. I can use the GitHub URL and find out the vulnerabilities.
What is your experience regarding pricing and costs for Veracode Static Analysis?
When considering pricing, Veracode stands out due to its lower cost per service and more scalable options. It offers nearly five security testing features within its own service, making it a compet...
 

Also Known As

No data available
Crashtest Security, Veracode Detect
 


Sample Customers

1. Google 2. Microsoft 3. IBM 4. Amazon 5. Facebook 6. Twitter 7. LinkedIn 8. Netflix 9. Adobe 10. PayPal 11. Salesforce 12. Cisco 13. Oracle 14. Intel 15. HP 16. Dell 17. VMware 18. Symantec 19. McAfee 20. Citrix 21. Red Hat 22. Juniper Networks 23. SAP 24. Accenture 25. Deloitte 26. Ernst & Young 27. PwC 28. KPMG 29. Capgemini 30. Infosys 31. Wipro 32. TCS
Manhattan Associates, Azalea Health, Sabre, QAD, Floor & Decor, Prophecy International, SchoolCNXT, Keap, Rekner, Cox Automotive, Automation Anywhere, State of Missouri and others.
Find out what your peers are saying about OWASP Zap vs. Veracode and other solutions. Updated: November 2025.