I use this solution for penetration tests.
CEO at Virtual Security International
Open-source, easy to install, feature-rich, with good heads-up display and community resources
Pros and Cons
- "It has evolved over the years and recently, in the last year, they have added HUD (Heads Up Display)."
- "OWASP is the best."
- "The forced browse has been incorporated into the program and it is resource-intensive."
What is our primary use case?
What is most valuable?
It has evolved over the years and recently, in the last year, they have added HUD (Heads Up Display).
It comes up in your browser and you have control of the program while you are on the website, in your browser. Everything that you can do in the program, you can do from your browser on the fly. It is similar to a targeted attack. You can see what you are doing.
It's a Java program installed on your computer.
What needs improvement?
The forced browse has been incorporated into the program and it is resource-intensive.
It was a copied program named DIR Buster Doorbuster. It needs to be improved; it's too resource-hungry.
I found another program that is written in the Go language and it does the same thing, but it is much faster and more efficient. It will crash those proxy programs within Zap; if you do more than one, it will take forever.
It needs to be rewritten, maybe not in Java.
For how long have I used the solution?
I have used OWASP quite a bit. I have dealt with this solution for quite a few years. My usage has not been constant, but it has been quite a while.
We are dealing with the most recent version.
Buyer's Guide
OWASP Zap
June 2026
Learn what your peers think about OWASP Zap. Get advice and tips from experienced pros sharing their opinions. Updated: June 2026.
903,118 professionals have used our research since 2012.
What do I think about the stability of the solution?
It creates a database of all the URLs and it can get a little overwhelming.
With a large website, you have a lot of URLs, and it gets a bit sluggish when loading and saving it, but it really works quite well. It goes in and out of it, and it goes too slow. It takes a little while to save all of that data.
What do I think about the scalability of the solution?
It's a scalable product, but it's slow.
How are customer service and support?
I have not contacted technical support.
It has a very good forum on the website. The users help each other. It's helpful and resourceful.
Which solution did I use previously and why did I switch?
I have used several solutions, such as Nessus, WebInspect, and Retina. Retina is a network scanner, but OWASP is the best.
How was the initial setup?
It's quick to set up. You can install it in different ways. I run it on Linux (Debian), and I have run it on Windows as well.
What's my experience with pricing, setup cost, and licensing?
OWASP Zap is free.
Which other solutions did I evaluate?
I was making a comparison between OWASP and Acunetix to see what the differences were.
What other advice do I have?
I used to work with Homeland Security back 10 or 15 years ago, in the National Cybersecurity Division, starting up right after 9/11.
I was on that national cybersecurity team. One of the things they looked into was using government money to fund some of these security operations or projects. They decided, and I helped decide, that it would be right for the government to support open-source systems or products because they're not making money out of that market.
One of the people in the government got involved and helped to get it started. I don't know if they still have a list on their website of donors or contributors, but you can look on that list pretty easily and see if Homeland Security is still supporting them.
I assume it is because it's really well run. It's constantly evolving, with new versions coming out with new features. It's very well managed and the lead person on it is very sharp. You can go on YouTube and search for a proxy and you will see some deep-dive tutorials. He did a really good job.
There is a lot to this solution. You can use it superficially, but you need to spend a lot of time learning it. It has a lot of options and a lot of angles.
I would rate OWASP Zap a nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Security Engineer at Eon Health
Has a good application scanning feature but reporting needs improvement
Pros and Cons
- "The application scanning feature is the most valuable feature."
- "The reporting feature could be more descriptive."
What is our primary use case?
We use it for our security scanning for our applications.
What is most valuable?
The application scanning feature is the most valuable feature.
What needs improvement?
The reporting feature could be more descriptive.
For how long have I used the solution?
I have been using OWASP Zap for four years.
What do I think about the stability of the solution?
It is a stable solution.
What do I think about the scalability of the solution?
Presently seven people use this solution. It is scalable.
How was the initial setup?
The initial setup is straightforward.
What's my experience with pricing, setup cost, and licensing?
It's open source.
What other advice do I have?
Overall, I would rate the solution a seven out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Software Quality Assurance Engineer at Netow Solutions Ltd
An open-source solution that helps with application testing
Pros and Cons
- "We use the solution for security testing."
- "OWASP Zap needs to extend to mobile application testing."
What is our primary use case?
We use the solution for security testing.
What needs improvement?
OWASP Zap needs to extend to mobile application testing.
What do I think about the stability of the solution?
OWASP Zap is stable.
What's my experience with pricing, setup cost, and licensing?
The tool is open-source.
What other advice do I have?
I rate the solution an eight out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Head Of Development at VALOORES
An easy-to-install product that discovers more vulnerabilities than any other tool in the market
Pros and Cons
- "The product discovers more vulnerabilities compared to other tools."
- "The product should allow users to customize the report based on their needs."
What is our primary use case?
We use the product to ensure that our source code is safe enough and has no vulnerabilities before delivering a new release for our AML product. We also used the product for dynamic testing to test applications as a black box.
What is most valuable?
The report design is very useful. The explanation is very clear. It also provides additional solutions and plugins. The product discovers more vulnerabilities compared to other tools. It might have additional plugins and features for testing.
What needs improvement?
The product should allow users to customize the report based on their needs. For example, suppose the user needs to test only the vulnerability of SQL injection and not any other category or vulnerabilities. In that case, it's better to provide end users with a way to choose the subject they want to audit and the severity of the vulnerability.
If I need to figure out only the critical or the high severity, I shouldn’t have to figure out the low severity vulnerabilities or the smell codes. These services could be helpful for the end user and save time whenever we need to generate a new report. The execution time is a little bit exaggerated. This process can optimize the report’s performance.
For how long have I used the solution?
I have been using the solution for two to three months.
What do I think about the stability of the solution?
The solution is very stable. I rate the solution’s stability a nine out of ten.
What do I think about the scalability of the solution?
Two resources from our security team work on generating and implementing reports. However, many other developers use the product to fix vulnerabilities and penetrate or audit the whole source code for products. The owner of the product and the developers are involved in the correction and the long-term plan to cover or close the vulnerability.
How was the initial setup?
I rate the ease of setup an eight out of ten.
What about the implementation team?
The installation is quick. It can be done in a couple of hours.
What's my experience with pricing, setup cost, and licensing?
The solution’s pricing is high. I rate the pricing a nine or ten out of ten. There is an indirect cost on the resources and specs needed to deploy or implement the product. When we run the report, it consumes a lot of du from the servers.
What other advice do I have?
We use SonarQube for penetration testing. We are most likely to have hybrid solutions. However, the deployment model depends on our clients, the data, and the type of product we will deploy. I didn't use automatic scalability for our deliveries and deployment.
The solution is worth using. We've used many tools and discovered that OWASP detects multiple high vulnerabilities, which the other tools do not detect. Overall, I rate the product an eight out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer.
Manager, Quality Assurance at Managed Markets Insight & Technology, LLC
It's easy to use and the automated scan is powerful, but the cloud integration could be improved
Pros and Cons
- "ZAP is easy to use. The automated scan is a powerful feature. You can simulate attacks with various parameters. ZAP integrates well with SonarQube."
- "ZAP's integration with cloud-based CICD pipelines could be better. The scan should run through the entire pipeline."
What is our primary use case?
We use ZAP for penetration testing.
What is most valuable?
ZAP is easy to use. The automated scan is a powerful feature. You can simulate attacks with various parameters. ZAP integrates well with SonarQube.
What needs improvement?
ZAP's integration with cloud-based CICD pipelines could be better. The scan should run through the entire pipeline.
For how long have I used the solution?
We have used ZAP for more than six months.
What do I think about the stability of the solution?
ZAP is stable.
How are customer service and support?
I rate ZAP support seven out of 10. It's good.
How would you rate customer service and support?
Neutral
How was the initial setup?
Deploying ZAP is straightforward. It took me and one other person three or four days to install and configure ZAP.
What's my experience with pricing, setup cost, and licensing?
We use the community version.
Which other solutions did I evaluate?
We did a POC for a tool by NetSuite, but that was a paid tool.
What other advice do I have?
I rate OWASP ZAP seven out of 10. It's an excellent penetration testing tool for developers. That scanning part is solid, but the integration with AWS and Azure pipelines could be better.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Security Officer at UnDisclosed
Stable dynamic testing solution with unreliable manual processes
Pros and Cons
- "Stability-wise, I rate the solution a nine out of ten. I think it's stable enough. I don't see any crashes within the application, so its stability is high."
- "The solution is somewhat unreliable because after we get the finding, we have to manually verify each of its findings to see whether it's a false positive or a true finding, and it takes time."
What is our primary use case?
OWASP Zap is used for dynamic testing, so it is used when any kind of application, like a web application, needs to be tested for its security and vulnerabilities. It is also used to crawl the site and then to enumerate all the input or the possible exploitation points, and then we try to exploit any blockings within OWASP Zap.
How has it helped my organization?
It improved our company's functioning because it integrates and can automate most of our workflow, so it helps. Based on its automation abilities, I rate it a seven out of ten. But there are many things that I have to do manually for safety and better clarification.
What is most valuable?
I think the automation feature is the one I used the most in the tool, for the crawling and enumeration. With that feature, we can manipulate the insides of the response. So, we can manipulate web responses and use them to test a certain website's security.
What needs improvement?
Since it is a community-based tool, I am unsure if OWASP Zap is quite up to date with recent weaknesses currently exploitable in work. So, sometimes we have to add to it or do it manually. How to differentiate between the false positives and the true findings needs improvement. In general, the shortcomings in the accuracy of the findings need to be improved.
The automation process can help us perform website attacks using the latest exploit techniques and procedures, often used in reverse scenarios. Although other commercial solutions have this feature, I hope OWASP Zap can catch up and offer similar capabilities.
For how long have I used the solution?
I have been using the solution for four or five years. We got the information from the community that it is open-source software, so we are using it as part of the community. We are using the open-source version. It is not difficult to upgrade to the latest version.
What do I think about the stability of the solution?
Stability-wise, I rate the solution a nine out of ten. I think it's stable enough. I don't see any crashes within the application, so its stability is high. I never found the applications crashing.
What do I think about the scalability of the solution?
Scalability-wise, I rate the solution a five out of ten.
The solution is somewhat unreliable because after we get the finding, we have to manually verify each of its findings to see whether it's a false positive or a true finding, and it takes time. Five users who are IT security engineers in my company use the tool. I plan to increase the usage of the tool in the future.
How are customer service and support?
Since it's a community-based tool, I rate the solution's technical support as less than five. It's community support. We do not have technical support, so we have to manually read the documentation and check the community forums.
How would you rate customer service and support?
Neutral
How was the initial setup?
I rate the initial setup a ten out of ten since it is easy. The server is easily deployed because it's an open-source and free solution. I think it's very easy to install on every computer authorized to use it.
Which other solutions did I evaluate?
I am still currently using Burp Suite, which is free.
What other advice do I have?
I can recommend others to use the solution for a quick and easy introduction to dynamic testing. But for the more advanced solution, and for users like myself who understand the application suite itself, I recommend that others and any organization use the commercial solution as a proxy. I rate the overall solution a seven out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Information Security Professional at AEDC
Fast and easy to set up but uses a lot of memory
Pros and Cons
- "You can run it against multiple targets."
- "There isn't too much information about it online."
What is our primary use case?
It's running on my system. I use it to scan URLs and can check things if I find something.
What is most valuable?
There's a way to set up jobs where you can get it to run all the processes against the target to avoid doing so manually. You can run it against multiple targets.
It is easy to set up.
The solution is stable.
What needs improvement?
I don't have any notes for improvements.
It should have more visibility. Everybody defaults to Burp. However, this is a free version that deserves more visibility.
There isn't too much information about it online. You need to self-teach in order to really learn how to use it. There isn't a lot of documentation available.
It takes up a lot of memory and RAM.
For how long have I used the solution?
I've been using the solution for roughly six months. I've used it on and off. However, I really started using it constantly over the last six months.
What do I think about the stability of the solution?
The solution is mostly stable. However, it requires a lot of RAM and memory. There are no bugs or glitches.
What do I think about the scalability of the solution?
It is not very scalable.
I'm the only security engineer. Only I use it in my company.
How are customer service and support?
I've never used technical support. I'm not sure how helpful or responsive they are.
Which solution did I use previously and why did I switch?
I used to use PortSwigger Burp. This solution is free and has a lot of what the paid version of Burp offers. I haven't used Burp Professional. I used the community version. I chose this solution as it is faster, at least compared to the community version. My understanding is that the paid version of Burp is very fast.
How was the initial setup?
The initial setup was very simple and straightforward. I didn't find any difficulty installing it on my system.
It takes about ten to 15 minutes to deploy. It depends on the machine you have.
What's my experience with pricing, setup cost, and licensing?
The solution is free to use. I don't pay any licensing fees.
What other advice do I have?
I'm an end-user.
I'm not sure which version of the solution I'm using.
I would rate the solution seven out of ten. While it is free to use, it does take up a lot of memory. I also find Burp easier to use than this product.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Security Consultant at a consultancy with 10,001+ employees
Provides good information and is sophisticated; updates repositories and libraries quickly
Pros and Cons
- "It updates repositories and libraries quickly."
- "Zap is an open-source and sophisticated product that not only saves us money but also provides us with a good amount of information."
- "The solution is unable to customize reports."
- "The disadvantage of Zap is that we're unable to customize reports as it only has a single standard format."
What is our primary use case?
Zap collects all the AJAX and Ambelo GS links. It pages in everything from a target. I'm a security consultant and we are customers of Zap.
What is most valuable?
Zap is an open-source and sophisticated product. It not only saves us money but also provides us with a good amount of information. In terms of testing and attack simulations, it's pretty good. It updates its repositories and libraries pretty quickly.
What needs improvement?
The disadvantage of Zap is that we're unable to customize reports as it only has a single standard format. The default PDF template has no proper customizations, dashboards, or any sort of widgets that we can maintain. There's a single dashboard and only one type of report that it provides.
What do I think about the stability of the solution?
The solution is stable.
What do I think about the scalability of the solution?
We haven't had any scalability challenges.
How was the initial setup?
The installation was relatively easy, as is maintenance.
What other advice do I have?
Whether this is a good solution depends on the use case. If an organization is looking for a professional license without putting down any money, this is one of the best solutions.
I would rate this solution more highly if we were able to customize reports. For now, I rate this solution eight out of 10.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Associate at Tata Consultancy
Scans quickly and works very well, but has a limited scope and needs more comprehensive reporting
Pros and Cons
- "Two features are valuable. The first one is that the scan gets completed really quickly, and the second one is that even though it searches in a limited scope, what it does in that limited scope is very good. When you use Zap for testing, you're only using it for specific aspects or you're only looking for certain things. It works very well in that limited scope."
- "The work that it does in the limited scope is good, but the scope is very limited in terms of the scanning features. The number of things it tests or finds is limited. They need to make it more of a mainstream tool that people can use, and they can even think about having it on a proprietary basis. They need to increase the coverage of the scan and the results that it finds. That has always been Zap's limitation. Zap is a very good tool for a beginner, but once you start moving up the ladder where you want further details and you want your scan to show more in-depth results, Zap falls short because its coverage falls short. It does not have the capacity to do more."
What is most valuable?
Two features are valuable. The first one is that the scan gets completed really quickly, and the second one is that even though it searches in a limited scope, what it does in that limited scope is very good. When you use Zap for testing, you're only using it for specific aspects or you're only looking for certain things. It works very well in that limited scope.
What needs improvement?
The work that it does in the limited scope is good, but the scope is very limited in terms of the scanning features. The number of things it tests or finds is limited. They need to make it more of a mainstream tool that people can use, and they can even think about having it on a proprietary basis. They need to increase the coverage of the scan and the results that it finds. That has always been Zap's limitation. Zap is a very good tool for a beginner, but once you start moving up the ladder where you want further details and you want your scan to show more in-depth results, Zap falls short because its coverage falls short. It does not have the capacity to do more.
It should have more reporting options because the reporting options are currently only in HTML, XLS, and so on, but there is nothing in PDF or Word, which makes it a bit less user-friendly. It needs more comprehensive reporting. It already has a reporting system, but it is just not user-friendly.
For how long have I used the solution?
I have been using this solution for roughly 12 months. I am using the latest freeware version that is available on the website.
What do I think about the stability of the solution?
Its stability is good.
What do I think about the scalability of the solution?
It lacks scalability. It is only good up to a limit.
How are customer service and support?
Based on my interactions, they have been very good. They take around 24 hours to get back to you because they're a very large organization that is totally into this. They are quite good. They aren't the best, but they are quite good.
How was the initial setup?
Its initial setup was straightforward. It was pretty much immediate. There was no deployment issue. It was done quickly.
What about the implementation team?
It was implemented in-house. In terms of maintenance, it doesn't require much maintenance. You need just one person to follow the updates. That's about it.
What's my experience with pricing, setup cost, and licensing?
We have used the freeware version. I believe Zap only has freeware.
What other advice do I have?
My advice would be to not look at Zap as a one-stop-shop for all your results because Zap cannot do that. Zap is very good for a certain number of basic vulnerabilities or medium to high-level issues, but it can't go beyond that. You can use Zap along with another tool. If you're doing two or three levels of security testing, you can use Zap along with other tools.
It is more of a learner tool. So, if you're using Zap, it would be best if you use it as a beginner in the field. Once you get into projects or work for people on their applications, you'll definitely end up needing something stronger.
I would rate it a five out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Assistant Vice President at Hexaware Technologies Limited
Great at reporting vulnerabilities, helps with security, and reveals development threats well
Pros and Cons
- "The solution is good at reporting the vulnerabilities of the application."
- "OWASP is definitely in the top three as a tool that we would probably recommend to our team, as a frequent users' tool, however, I don't believe we have any kind of a formal relationship with the company."
- "It would be ideal if I could try some pre-built deployment scenarios so that I don't have to worry about whether the configuration sector team is doing it right or wrong. That would be very helpful."
- "Right now, I can't give it off to a team and expect them to give me a report that I'm happy with."
What is our primary use case?
Currently, we build our products for the banking industry and use this solution in that process.
From a development cycle perspective, we update the SQL injections that basically show what a developer may have to address. Then, if there is still a problem, we're concerned at the architect level. That's at least initially reported by the customers when they do another round of review after we deliver our code.
What is most valuable?
The solution is good at reporting the vulnerabilities of the application.
It can help us with security, SQL injection vulnerability, known vulnerabilities, et cetera. Any kind of a threat that we get in the development cycle, is what we will look for. This solution helps us find them.
What needs improvement?
I can't recall any features that are lacking. In my role as a service provider, I only go up to standards defined by somebody else. So far, this solution has met their standards.
So far I've not come across a scenario where we had to do anything that's a major rework due to the fact that we didn't catch something soon enough in the queries that we are using.
It would be ideal if I could try some pre-built deployment scenarios so that I don't have to worry about whether the configuration sector team is doing it right or wrong. That would be very helpful.
Right now, I can't give it off to a team and expect them to give me a report that I'm happy with. I will give it to a team and they will have to have another person sit with them to make sure they have configured it right. Some kind of pre-designed templates, pre-designed guidelines, or patterns to complement the tool would go a long way in helping us use the solution.
For how long have I used the solution?
I've been using the solution for five or six years at this point.
What do I think about the stability of the solution?
From the perspective of the development cycle that we use, we find it stable enough. I don't use it in production or I don't have to update sites running all the time. Once a week when I will build a VM pack, I push into another environment, and that's probably the time I would make it. For me, I find it to be stable enough.
How are customer service and technical support?
I haven't really used technical support. Therefore, I can't really speak to their level of responsiveness or knowledgeability.
Which solution did I use previously and why did I switch?
I'm not a security specialist, however, to be clear, we provide services. On a development project, we frequently run into various solutions. It's not just OWASP. It could be Veracode, for example, or multiple other tools.
How was the initial setup?
The initial setup is not necessarily straightforward. Most are complex. You need a senior person to specialize, understand the setup in which they are running, and understand the tools they are going to use. You need to ask: do they know what to look for and support? I wouldn't say it's complex to use. That said, normally the resources are costly.
What's my experience with pricing, setup cost, and licensing?
In security, you'd expect the product is priced at a premium, so people don't check the pricing for the most part. In my case, I don't buy the product myself. I have the customers buy it for me. I'm not very worried about the price as a consultant.
What other advice do I have?
We are an IT service provider, which means that we use a variety of tools based on what our customer preferences are.
There are, at most, I would say, about 20 companies that we would have the funds to use the solution with. OWASP is definitely in the top three as a tool that we would probably recommend to our team, as a frequent users' tool; however, I don't believe we have any kind of a formal relationship with the company.
Multiple teams use it. I have not heard of anybody complaining about anything to do with this particular solution. I would say it's pretty good. I would give it a rating of eight out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.