OWASP Zap Reviews

Name: OWASP Zap
Brand: OWASP
Rating: 3.8 (41 reviews)

Vendor: OWASP

3.8 out of 5

41 reviews
88% willing to recommend

649 followers

Start review

What is OWASP Zap?

OWASP Zap is a free and open-source web application security scanner.

Get the OWASP Zap Buyer's Guide and find out what your peers are saying about OWASP Zap, SonarQube Server (formerly SonarQube), GitLab and more!

OWASP Zap is the #11 ranked solution in AST tools. PeerSpot users give OWASP Zap an average rating of 7.6 out of 10. OWASP Zap is most commonly compared to SonarQube Server (formerly SonarQube): OWASP Zap vs SonarQube Server (formerly SonarQube). OWASP Zap is popular among the large enterprise segment, accounting for 60% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a computer software company, accounting for 18% of all views.

Helped 856,873 peers since 2012

Featured OWASP Zap reviews

Amit Beniwal

Project Manager at Al Hassan LLC

There are areas for improvement with OWASP Zap, particularly in the alignment of vulnerabilities concerning CVSS scores. Sometimes, a vulnerability initially categorized as high severity may be reduced to medium or low over time after security patches are applied. This alignment with the present severity score and CVSS score could be improved.

Read full review

Prasant Pokarnaa

Delivery Head - DevOps at Datamato Technologies

OWASP is only meant for two or three different types of scans. It is a tool which will scan the code for security for vulnerabilities We were able to convince the customers to really remove those rules when GitLab was able to show the results. Customers should be aware that GitLab is not just a…

Read full review

NathanNV

Elite Global CISO at Scybers

The technical support is very good. We had some issues during installation. We reached out to the support team and got it clarified immediately. We have reached out to the support team only once. If we continue getting good support from the team, I might rate support a nine or ten out of ten in the future. For now, I rate it an eight out of ten.

Read full review

OWASP Zap mindshare

As of June 2025, the mindshare of OWASP Zap in the Static Application Security Testing (SAST) category stands at 4.7%, down from 4.9% compared to the previous year, according to calculations based on PeerSpot user engagement data.

Static Application Security Testing (SAST)

PeerResearch reports based on OWASP Zap reviews

Type	Title	Date
Category	Static Application Security Testing (SAST)	Jun 15, 2025	Download
Product	Reviews, tips, and advice from real users	Jun 15, 2025	Download
Comparison	OWASP Zap vs SonarQube Server (formerly SonarQube)	Jun 15, 2025	Download
Comparison	OWASP Zap vs Veracode	Jun 15, 2025	Download
Comparison	OWASP Zap vs Checkmarx One	Jun 15, 2025	Download

Title	Rating	Mindshare	Recommending
SonarQube Server (formerly SonarQube)	4.0	23.9%	81%	116 interviews Add to research
GitLab	4.3	2.6%	97%	84 interviews Add to research

Valuable Features

OWASP Zap's valuable features include automated scanning, ease of use, open-source access, powerful API support for customization, effective reporting, and multilingual capability. Users appreciate the intercepting proxy, spidering, HUD, and ability to integrate with DevOps pipelines. The tool efficiently identifies vulnerabilities like XSS and SQL injections. It provides flexibility with manual and automatic scanning options, supported across various platforms, making it ideal for diverse security testing needs.

"I consider OWASP Zap to be the most effective solution overall; being open source allows integration with other systems via OWASP Zap APIs."
"OWASP Zap is straightforward to use. If someone doesn't have the budget for tools like Burp Suite, OWASP Zap is an excellent alternative."
"OWASP is quite matured in identifying the vulnerabilities."

Room for Improvement

OWASP Zap needs more comprehensive documentation and regular updates. Users desire advanced reporting features with better customization and PDF options. False positives are a concern, and improvements in automation and scan coverage are necessary. Enhanced integration with DevOps and support for additional feeds and vulnerabilities are suggested. Community feedback also highlights the need for a user-friendly interface and seamless cloud integration.

"When comparing OWASP Zap and Burp Suite, the main difference besides pricing is that OWASP Zap has limitations with reporting levels and UI, which affects its reporting capabilities, whereas Burp Suite is already advancing with new AI features and scanning capabilities that OWASP Zap seems to be lacking."
"OWASP Zap could benefit from a noise cancellation feature like that of Burp Suite Professional, where AI helps reduce certain non-critical findings."
"OWASP should work on reducing false positives by using AI and ML algorithms. They should expand their capabilities for broader coverage of business logic flaws and complex issues."

ROI

Users reported significant improvements in security measures, enhanced vulnerability detection, and increased overall protection.

The tool was praised for its user-friendly interface, extensive features, and effectiveness in identifying potential threats.

Users also highlighted the cost-effectiveness of OWASP Zap, as it provided robust security solutions without requiring substantial financial investments.

Pricing

OWASP Zap is an open-source, free-to-use tool under the Apache 2 license, often recommended for its ease of use and comprehensive features. Enterprises appreciate its zero-cost setup as it helps in initial evaluations without licensing concerns. Many companies opt for OWASP Zap for its no-cost capabilities comparable to commercial alternatives, like Burp Suite, which has known licensing fees. Some users note indirect costs related to deployment resources, yet benefit essential from community edition and ongoing flexibility.

"It is open source, and we can scan freely."
"The tool is open source."
"The tool is open-source."

Popular Use Cases

OWASP Zap is frequently used for scanning and evaluating web applications, APIs, and infrastructure to identify vulnerabilities. It's commonly integrated into DevSecOps pipelines for continuous security checks. Users leverage its capabilities for penetration testing, ensuring code security before releases, and analyzing HTTP methods for sensitive information exposure. It's also utilized to automate tests, generate reports, and spider websites, making it an essential tool in security testing for diverse applications and industries.

Service and Support

OWASP Zap users report a strong community but limited traditional technical support. Many prefer using forums and documentation, finding them comprehensive and resourceful. While a few had direct positive experiences with support, others rely solely on community interactions. Users rate technical interaction between 7 and 8 out of 10 when used. Some say maintainers have provided exceptional help. Most don't feel the need for direct contact due to the robust online resources.

Deployment

Installation and configuration of OWASP Zap are frequently described as straightforward and easy for individuals with technical knowledge. Some users find it challenging when dealing with the API, requiring additional effort. Most appreciate the clear documentation and tutorials while setting up on Windows and Linux platforms is common. A few mention the need for experienced personnel for complex environments, but generally, it takes a short duration to complete the process.

Scalability

OWASP Zap offers scalability, performing efficiently with sufficient computing resources. While some challenges initially arose, resources like online documentation helped. It supports extensions, add-ons, and runs simultaneously for different targets. Some found it limited, others noted potential with a SaaS model. Varied uses indicate differing scalability experiences, with rates ranging from four to eight out of ten. Users mentioned quick responses for small applications, with plans to expand usage, especially for API support.

Stability

Most users report that OWASP Zap demonstrates consistent stability without crashing. However, a few note that running it on virtual machines or handling large datasets may cause lag or require additional configurations. Some groups have encountered false positives or found it necessary to re-install on occasion. Despite these, many rate its stability highly, ranging from eight to nine out of ten, citing reliability and rare disruptions.

These insights are based on the in-depth reviews provided by peers to help you make a better buying decision.

Download our OWASP Zap Buyer's Guide for additional reliable information.

Review data by company size

By reviewers

By visitors reading reviews

Top industries

By visitors reading reviews

Computer Software Company

18%

Financial Services Firm

12%

Manufacturing Company

Government

University

Educational Organization

Retailer

Healthcare Company

Comms Service Provider

Real Estate/Law Firm

Construction Company

Insurance Company

Media Company

Non Profit

Outsourcing Company

Wholesaler/Distributor

Energy/Utilities Company

Hospitality Company

Transportation Company

Consumer Goods Company

Performing Arts

Logistics Company

Legal Firm

Recreational Facilities/Services Company

Pharma/Biotech Company

Marketing Services Firm

Compare OWASP Zap with alternative products

Learn more about OWASP Zap

The solution helps developers identify vulnerabilities in their web applications by actively scanning for common security issues.

With its user-friendly interface and powerful features, Zap is a popular choice among developers for ensuring the security of their web applications.

OWASP Zap customers

1. Google 2. Microsoft 3. IBM 4. Amazon 5. Facebook 6. Twitter 7. LinkedIn 8. Netflix 9. Adobe 10. PayPal 11. Salesforce 12. Cisco 13. Oracle 14. Intel 15. HP 16. Dell 17. VMware 18. Symantec 19. McAfee 20. Citrix 21. Red Hat 22. Juniper Networks 23. SAP 24. Accenture 25. Deloitte 26. Ernst & Young 27. PwC 28. KPMG 29. Capgemini 30. Infosys 31. Wipro 32. TCS