OWASP Zap Reviews

Name: OWASP Zap
Brand: OWASP
Rating: 3.8 (40 reviews)

Vendor: OWASP

3.8 out of 5

40 reviews
88% willing to recommend

807 followers

Start review

What is OWASP Zap?

OWASP Zap is a free and open-source web application security scanner.

Get the OWASP Zap Buyer's Guide and find out what your peers are saying about OWASP Zap, SonarQube Server (formerly SonarQube), GitLab and more!

OWASP Zap is the #11 ranked solution in AST tools. PeerSpot users give OWASP Zap an average rating of 7.6 out of 10. OWASP Zap is most commonly compared to SonarQube Server (formerly SonarQube): OWASP Zap vs SonarQube Server (formerly SonarQube). OWASP Zap is popular among the large enterprise segment, accounting for 60% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a computer software company, accounting for 18% of all views.

Helped 849,686 peers since 2012

Featured OWASP Zap reviews

Amit Beniwal

Project Manager at Al Hassan LLC

There are areas for improvement with OWASP Zap, particularly in the alignment of vulnerabilities concerning CVSS scores. Sometimes, a vulnerability initially categorized as high severity may be reduced to medium or low over time after security patches are applied. This alignment with the present severity score and CVSS score could be improved.

Read full review

Prasant Pokarnaa

Delivery Head - DevOps at Datamato Technologies

OWASP is only meant for two or three different types of scans. It is a tool which will scan the code for security for vulnerabilities We were able to convince the customers to really remove those rules when GitLab was able to show the results. Customers should be aware that GitLab is not just a…

Read full review

JoelGeorge

Associate at Tata Consultancy

The work that it does in the limited scope is good, but the scope is very limited in terms of the scanning features. The number of things it tests or finds is limited. They need to make it a more of a mainstream tool that people can use, and they can even think about having it on a proprietary basis. They need to increase the coverage of the scan and the results that it finds. That has always been Zap's limitation. Zap is a very good tool for a beginner, but once you start moving up the ladder where you want further details and you want your scan to show more in-depth results, Zap falls short because its coverage falls short. It does not have the capacity to do more. It should have more reporting options because the reporting options are currently only in HTML, XLS, and so on, but there is nothing in PDF or Word, which makes it a bit less user-friendly. It needs more comprehensive reporting. It already has a reporting system, but it is just not user-friendly.

Read full review

OWASP Zap mindshare

As of May 2025, the mindshare of OWASP Zap in the Static Application Security Testing (SAST) category stands at 4.7%, down from 5.0% compared to the previous year, according to calculations based on PeerSpot user engagement data.

Static Application Security Testing (SAST)

PeerResearch reports based on OWASP Zap reviews

Type	Title	Date
Category	Static Application Security Testing (SAST)	Apr 30, 2025	Download
Product	Reviews, tips, and advice from real users	Apr 30, 2025	Download
Comparison	OWASP Zap vs SonarQube Server (formerly SonarQube)	Apr 30, 2025	Download
Comparison	OWASP Zap vs Veracode	Apr 30, 2025	Download
Comparison	OWASP Zap vs Checkmarx One	Apr 30, 2025	Download

Title	Rating	Mindshare	Recommending
SonarQube Server (formerly SonarQube)	4.0	25.0%	81%	114 interviews Add to research
GitLab	4.3	2.7%	97%	82 interviews Add to research

Valuable Features

OWASP Zap offers valuable features including automated scanning, intercepting proxy, API support for security tests, detailed reporting, spidering, and Heads Up Display. It supports multiple platforms, provides language translation, and has a user-friendly interface. As open-source, it suits both novices and experienced users. Community backing enhances usability while add-on capabilities expand functionalities. Users benefit from automated DevOps integration. Reports offer precise remediation suggestions reducing noise. The cost-effectiveness benefits smaller companies significantly.

"OWASP Zap is straightforward to use. If someone doesn't have the budget for tools like Burp Suite, OWASP Zap is an excellent alternative."
"OWASP is quite matured in identifying the vulnerabilities."
"OWASP Zap is a good tool, one of my favorites for a long time, and I would recommend it."

Room for Improvement

OWASP Zap needs improvements in documentation, reporting, and user interface. Users find the reports lack customization and are cluttered. Integration with cloud-based pipelines and mobile application testing could be enhanced. Enhancements are needed to reduce false positives and increase automation capabilities. Improvement in technical support and increased integration options with other tools are desirable. Expanded vulnerability coverage, better resource management, and updates with new features are also sought by users.

"OWASP Zap could benefit from a noise cancellation feature like that of Burp Suite Professional, where AI helps reduce certain non-critical findings."
"OWASP should work on reducing false positives by using AI and ML algorithms. They should expand their capabilities for broader coverage of business logic flaws and complex issues."
"For scalability, I would rate OWASP Zap between four to five out of ten."

ROI

Users reported significant improvements in security measures, enhanced vulnerability detection, and increased overall protection.

The tool was praised for its user-friendly interface, extensive features, and effectiveness in identifying potential threats.

Users also highlighted the cost-effectiveness of OWASP Zap, as it provided robust security solutions without requiring substantial financial investments.

Pricing

OWASP Zap is widely regarded by users as a free and open-source solution offered under the Apache 2 license. Organizations appreciate its cost-effectiveness, especially for those uncertain about the extent of use, as it provides features comparable to commercial solutions without upfront costs. Although the tool is free, some mention indirect costs related to resources needed for setup. Enterprises often explore potential donations but find the free version valuable and recommend trying it.

"It is open source, and we can scan freely."
"The tool is open source."
"The tool is open-source."

Popular Use Cases

OWASP Zap is primarily employed for web application security testing, vulnerability assessment, and penetration testing. Users employ it for spidering, automated security checks, and vulnerability scanning of Java-based applications or websites. Organizations utilize the tool in their QA cycle, scanning for vulnerabilities and generating reports for management reviews. It's also integrated into DevOps pipelines for secure application development, ensuring applications are tested for security before deployment.

Service and Support

OWASP Zap's customer service and support primarily rely on strong community forums and thorough documentation. While some rate technical support highly, many have not used it, instead finding answers through online resources and community interaction. The maintainers are noted for their exceptional involvement in complex cases, although traditional support is absent. Many users appreciate the responsive community and helpful resources, though some prefer alternatives like PortSwigger for more structured technical support.

Deployment

Many users found OWASP Zap's initial setup to be simple and straightforward, particularly when used with Kali Linux. However, installing and configuring the API initially posed challenges for some. It was generally easy on both Windows and Linux, with good documentation simplifying the process. Some users required a bit more expertise for a seamless setup, but most installations were quick, often completed within an hour, requiring minimal technical resources.

Scalability

OWASP Zap exhibits varying degrees of scalability. Some find it flexible and capable of handling multiple targets simultaneously. Others note challenges with scaling, indicating it performs well with available computing resources but struggles when pushed to limits. It is appreciated for its extensibility through add-ons and documentation. Usage in small applications shows quick performance. Certain users express a need for improvements in scaling capabilities, while others actively plan to increase their utilization of its features.

Stability

OWASP Zap demonstrates considerable stability for many users, with reports of being reliable and without crashes. Some instances indicate the need for additional configurations or enhanced resources, particularly when handling large data loads. Occasionally, issues arise with performance lag or architectural errors, but generally, it's noted as stable. Users operating within different environments, such as Windows or Linux, experience varying performance, but satisfaction with stability remains high.

These insights are based on the in-depth reviews provided by peers to help you make a better buying decision.

Download our OWASP Zap Buyer's Guide for additional reliable information.

Review data by company size

By reviewers

By visitors reading reviews

Top industries

By visitors reading reviews

Computer Software Company

18%

Financial Services Firm

11%

Manufacturing Company

Government

University

Retailer

Educational Organization

Healthcare Company

Comms Service Provider

Insurance Company

Real Estate/Law Firm

Construction Company

Media Company

Non Profit

Outsourcing Company

Wholesaler/Distributor

Energy/Utilities Company

Logistics Company

Transportation Company

Hospitality Company

Legal Firm

Consumer Goods Company

Recreational Facilities/Services Company

Performing Arts

Pharma/Biotech Company

Compare OWASP Zap with alternative products

Learn more about OWASP Zap

The solution helps developers identify vulnerabilities in their web applications by actively scanning for common security issues.

With its user-friendly interface and powerful features, Zap is a popular choice among developers for ensuring the security of their web applications.

OWASP Zap customers

1. Google 2. Microsoft 3. IBM 4. Amazon 5. Facebook 6. Twitter 7. LinkedIn 8. Netflix 9. Adobe 10. PayPal 11. Salesforce 12. Cisco 13. Oracle 14. Intel 15. HP 16. Dell 17. VMware 18. Symantec 19. McAfee 20. Citrix 21. Red Hat 22. Juniper Networks 23. SAP 24. Accenture 25. Deloitte 26. Ernst & Young 27. PwC 28. KPMG 29. Capgemini 30. Infosys 31. Wipro 32. TCS