Great HUD feature that provides on-site testing and saves a lot of time
Pros and Cons
- "The HUD, Heads Up Display, is a good feature; it provides on-site testing and saves a lot of time."
- "There are too many false positives."
- "We get too many false positives and that should definitely be improved."
What is our primary use case?
We use this product for vulnerability scanning and for testing. I'm an automation engineer.
What is most valuable?
The HUD, Heads Up Display, is a good feature. It provides on-site testing and saves a lot of time.
What needs improvement?
We get too many false positives and that should definitely be improved. I'd like to see site scanning included in the solution because it can get into your hidden files and reports.
For how long have I used the solution?
I've been using this solution for one year.
Buyer's Guide
OWASP Zap
June 2026
Learn what your peers think about OWASP Zap. Get advice and tips from experienced pros sharing their opinions. Updated: June 2026.
903,147 professionals have used our research since 2012.
What do I think about the stability of the solution?
The solution is stable.
What do I think about the scalability of the solution?
The solution is not scalable.
How was the initial setup?
The initial setup is straightforward and was carried out in-house without assistance from a third party.
What other advice do I have?
It's worth exploring and learning the tool. It helps a lot to understand the vulnerabilities in the applications. I rate the solution eight out of 10.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Software Engineer at a computer software company with 201-500 employees
Easy to install, free to use, but missing features
Pros and Cons
- "They offer free access to some other tools."
- "We use OWASP Zap for web application security scanning."
- "Zap could improve by providing better reports for security and recommendations for the vulnerabilities."
What is our primary use case?
We use OWASP Zap for web application security scanning.
What is most valuable?
They offer free access to some other tools.
What needs improvement?
Zap could improve by providing better reports for security and recommendations for the vulnerabilities. Additionally, they should allow more testing other than web applications, such as on the cloud and VMs.
For how long have I used the solution?
I have been using OWASP Zap for approximately three months.
Which solution did I use previously and why did I switch?
I have used other solutions, such as AngularJS.
How was the initial setup?
The installation is straightforward.
What's my experience with pricing, setup cost, and licensing?
This solution is open source and free.
Which other solutions did I evaluate?
I have been evaluating Armor for my teammates who are using ZAP. I have found that Armor is better than ZAP and we are looking to switch solutions.
What other advice do I have?
I rate OWASP Zap a six out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
President & Owner at Aydayev's Investment Business Group
Provides visibility of queries, but security and the ability to search the internet for other use cases could be better
Pros and Cons
- "The solution is scalable."
- "The solution enables a person to add the certificate and check the queries, to see if there are any that are undefined, so a person can have a list of the types of queries and can trace them."
- "The ability to search the internet for other use cases and to use the solution to make applications more secure should be addressed."
- "The computers perform somewhat slowly when loading a large number of queries into memory."
What is our primary use case?
The solution has certain models. It allows the creation of a pipeline in respect of the interface or of certain content. It enables one to check that the security is as it should be.
What is most valuable?
The solution enables a person to add the certificate and check the queries, to see if there are any that are undefined. This way, a person can have a list of the types of queries and can trace them.
What needs improvement?
The ability to search the internet for other use cases and to use the solution to make applications more secure should be addressed.
For how long have I used the solution?
We have been using OWASP Zap for more than four years.
What do I think about the stability of the solution?
The computers perform somewhat slowly when loading a large number of queries into memory. As such, I don't know if it will be possible to use cache on the disk, which would greatly increase performance.
What do I think about the scalability of the solution?
The solution is scalable. It can be run simultaneously for different targets.
How are customer service and technical support?
I have not had experience with using technical support. I make use of a public community on the public website.
How was the initial setup?
The initial setup is a bit complex, not straightforward. It could be made easy if, let's say, a project can be defined for a certain task through the project's creation. This may simplify its use.
Which other solutions did I evaluate?
Zap is a very good startup. There is an alternate solution that is a bit more expensive and requires more technical knowledge than OWASP Zap, although both have a model based configuration. The interface allows one to run predefined templates, something OWASP Zap has in common with the other solution. The automation capabilities are similar, as well.
What other advice do I have?
I used the source code design for the deployment.
I have not had experience with the code crawler, OWASP Zap code analysis. The solution I was using is run by a search engine. My clients utilize OWASP Zap AST. They do not make use of the code crawler.
I rate OWASP Zap as a six out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Technical Specialist(DevOps) at a tech services company with 1,001-5,000 employees
Provides good automatic scanning and privacy; reporting could be improved
Pros and Cons
- "The automatic scanning is a valuable feature and very easy, and the major advantage to this solution is the privacy it offers."
- "Reporting format has no output, is cluttered and very long."
- "Without any support, we are in a black hole sometimes."
What is our primary use case?
We are using this product at a very basic level to scan reports and then share them with the Dev team for any vulnerabilities. We use the open source version and we are end users.
How has it helped my organization?
The solution has improved company functioning to a certain extent, but it takes a lot of time coordinating with the Dev team because we are using the open source version and not the enterprise version. It's not an awesome solution but we do get the reports we need and there is a good amount of documentation and support.
What is most valuable?
The automatic scanning is a valuable feature and very easy. The major advantage to this solution is the privacy it offers. We are able to achieve our objectives to some extent, but only for non-business critical applications.
What needs improvement?
The reporting format could be improved. There is no output, it's cluttered and it's a very, very long report. It would be better if it were in PDF format with a short description, some findings, color coding, and easy to read. What we do now is analyze the HTML report and then rewrite our own shorter reports. I work for a Japanese company and they want the important information to show up. The reports do not really give us recommendations or the points where the vulnerability is coming from so I'd really like to see an improvement in the condition of reports. We should be able to call an API from somewhere and scan applications.
For how long have I used the solution?
I've been using this solution for about one year.
What do I think about the stability of the solution?
The product is not that stable and sometimes I have to re-install it and contact the internal IT team. I don't have the admin rights on the laptop. Some features can break down, for example, the browser on the scanning might not open. Slowly our team will be moving towards more critical projects coming from the U.S., Japan and India, so we are definitely planning to upscale. In the next financial year, we're planning to upscale and make it more rigorous.
How are customer service and technical support?
We are using the open source version so we have no technical support for now.
How was the initial setup?
The installation is very simple. It's just an executable file because for now, we are not using it as a part of CI/CD or anything else. We have just installed the open source version on the laptop which has simplified things; our toolbox opens up and we just give the URL and it does an automatic scan. So information wise and operational wise, it is easy now. Our team carried out the deployment by first reading, watching videos and taking various courses. We had help from the company security team.
Which other solutions did I evaluate?
I carried out an evaluation between Checkmarx and OWASP Zap.
What other advice do I have?
If you are working in a very big gaming company and you have the budget, then I'd suggest switching to the enterprise version because the open source version takes time to resolve the regulations and there are sometimes false positives. It takes a lot of effort to figure out how to resolve the vulnerability and then search the same thing in the code. If you're not from the development team, then a lot of coordination is required. Without any support, we are in a black hole sometimes. Some attacks can be very dangerous for the company and for the application. They create delays and I've had to learn how to deal with that.
I rate this solution a six out of 10.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Subdirector de Seguridad Informática e Infraestructura at a financial services firm with 201-500 employees
Open-source and easy to use with a straightforward setup
Pros and Cons
- "The stability of the solution is very good."
- "The solution is very easy to use, the initial setup is straightforward, it is free due to the fact that it is open-source, the stability is very good, and the product has a strong community surrounding it to help with issues and troubleshooting."
- "It would be a great improvement if they could include a marketplace to add extra features to the tool."
- "While the solution can scale to a certain extent, it cannot scale a lot."
What is our primary use case?
Currently, we deploy these tools to serve in a few of our services in the organization.
What is most valuable?
The solution is very easy to use.
The initial setup is straightforward.
The solution is free due to the fact that it is open-source.
The stability of the solution is very good.
The product has a strong community surrounding it to help with issues and troubleshooting.
What needs improvement?
The technical support could be improved. It doesn't offer traditional technical support at all.
It would be a great improvement if they could include a marketplace to add extra features to the tool. It would make it more customizable and allow users to add more features as they like.
For how long have I used the solution?
I've been using the solution for a while. I've used it at least over the last 12 months.
What do I think about the stability of the solution?
The stability of the solution is very good. We've never had any issues. It's been reliable. There are no bugs or glitches. It doesn't crash or freeze.
What do I think about the scalability of the solution?
While the solution can scale to a certain extent, it cannot scale a lot. This is not one of the strengths of the product.
We only have one user that is engaged with the solution currently.
How are customer service and technical support?
OWASP is an open-source solution. There's a big community surrounding it, however, it does not have traditional technical support. The main support comes from the community itself. If you have questions, you can find them there, or ask the community for feedback.
Which solution did I use previously and why did I switch?
We previously used the PortSwigger Burp Suite. It's a commercial version with support. We had to pay for the solution on a yearly basis, whereas OWASP is open-source and free.
How was the initial setup?
We found the initial setup to be very straightforward. It's easy. It's not complex. A company shouldn't have any issues with the implementation process.
The deployment only took half an hour. It wasn't more than that. The process is pretty fast.
You do not need a big team to handle the deployment process. We only used two.
What about the implementation team?
We deployed the solution ourselves using an in-house team. We didn't need the assistance of consultants or integrators from outside firms.
What's my experience with pricing, setup cost, and licensing?
The solution is open-source. It doesn't cost anything to use it.
What other advice do I have?
We are a customer and end-user of the product.
There's lots of information online for users who are curious to learn more about the product.
In general, I would rate this solution at an eight out of ten. We've been largely satisfied with the product overall.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Information Security Professional at AEDC
Easy-to-use interface, but the documentation needs to be improved
Pros and Cons
- "The interface is easy to use."
- "This solution is providing us with value and as long as it continues to do so, we'll continue to use it."
- "The documentation needs to be improved because I had to learn everything from watching YouTube videos."
What is our primary use case?
We primarily use this product for web application scanning.
What is most valuable?
The interface is easy to use.
What needs improvement?
The documentation needs to be improved because I had to learn everything from watching YouTube videos.
For how long have I used the solution?
I have been working with OWASP Zap for about three months.
What do I think about the stability of the solution?
I have not experienced any trouble in terms of stability.
What do I think about the scalability of the solution?
Scalability has not been an issue, so far. There are four of us in the company that can log in to use it.
How are customer service and technical support?
I have not been in contact with technical support.
How was the initial setup?
The initial setup was straightforward. For me, I just had to press "Next" several times. Between the installation, downloading videos, and investigating how to deploy it, I would say that the process took roughly a day.
What about the implementation team?
I did not require third-party assistance for the deployment.
What was our ROI?
This solution is providing us with value and as long as it continues to do so, we'll continue to use it.
What's my experience with pricing, setup cost, and licensing?
This is an open-source solution and can be used free of charge.
What other advice do I have?
This is a good product where most of the functionality is free, which is why I recommend that others use it.
I would rate this solution a seven out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Good user interface and easy to use; test reports could be improved
Pros and Cons
- "Simple to use, good user interface."
- "The valuable features are that it's very simple to use and the user interface is very good, particularly for beginners so they can start the application easily."
- "Too many false positives; test reports could be improved."
- "I'd also like to see an improvement in test reports because we get too many false positives."
What is our primary use case?
I'm a business analyst and we're a customer of OWASP Zap.
What is most valuable?
The valuable features are that it's very simple to use and the user interface is very good, particularly for beginners so they can start the application easily. It's enough to refer to an online tutorial to be able to start using this application. It's not very complex.
What needs improvement?
I'd like to be able to explore more and improvements could be made in that area because for now I'm only able to explore the manual testing feature. I'd also like to see an improvement in test reports because we get too many false positives.
For how long have I used the solution?
I've been using this solution for the past few months.
What do I think about the stability of the solution?
The stability is okay although we get many false positives when pulling out test reports.
What do I think about the scalability of the solution?
The scalability is very good.
How are customer service and technical support?
I haven't needed technical support to date and I haven't yet started using the community support.
How was the initial setup?
The initial setup wasn't very complex. You're supposed to install a JDK, Java file. I think implementation took about an hour. There are seven people in the company using the solution and maybe in the coming days there will be more.
What other advice do I have?
I would definitely recommend this product provided the company can provide more clarity on the false positives that we get.
I would rate this solution a seven out of 10.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Embedded Software Engineer at Y Soft
Automatic updates of our database are valuable; deployment is complicated
Pros and Cons
- "Automatic updates and pull request analysis."
- "The pull request analysis is also very good."
- "Deployment is somewhat complicated."
- "I would recommend this product to people although I think it is very difficult to deploy and we also have issues with maintenance."
What is our primary use case?
Our primary use case is for scanning. We have Bamboo, Nexus and Artifactory and we are able to make snapshots. When we get a pull request we're able to make another snapshot and we compare the two snapshots together and can see what is new in the pull request. We can see which libraries are there and that enables us to see the vulnerabilities. I'm an embedded software engineer.
What is most valuable?
I would say that the automatic update is a very valuable feature because we are able to update our internal data base. The pull request analysis is also very good.
What needs improvement?
The product is somewhat complicated and could be improved by simplifying it because you don't want to have to allocate one person to maintain the solution full time. We'd like to be able to deploy it and have it work. Ideally we'd like to be able to get a pull request analysis and the analysis of repositories.
I think they could definitely work on a more simplified deployment. That would improve the product. The issues are not necessarily related to the solution but possibly connected to how it was initially set up.
For how long have I used the solution?
We've been using this solution for three or four years.
What do I think about the stability of the solution?
Regarding stability, we have some issues in our product and we need to work on it. Something is wrong in the architecture, perhaps it's a bug.
How was the initial setup?
The initial setup was done before I came to the company. There are five people on our security team who discuss maintenance issues and try to solve problems.
What other advice do I have?
I would recommend this product to people although I think it is very difficult to deploy and we also have issues with maintenance.
I would rate this solution a six out of 10 in our environment. I don't think deployment was done very well in our company and that has affected the quality of the product. Perhaps if things had been done differently I would rate it an eight out of 10.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Senior Engineer at an aerospace/defense firm with 10,001+ employees
Good overall business scanning but there is room for improvement
Pros and Cons
- "The scalability of this product is very good."
- "I prefer Burp Suite to OWASP Zap because of the extensive coverage it offers."
What is our primary use case?
We only tried out the demo to see what the solution offers and how it performs overall business scanning. They also offer open-source projects.
What needs improvement?
There is definitely room for improvement. I prefer Burp Suite to OWASP Zap because of the extensive coverage it offers. I also think it should have an open-source tool. I would also love to see an improvement in visibility.
For how long have I used the solution?
I used OWASP Zap three to four months ago for less than a week.
What do I think about the stability of the solution?
The OWASP Zap solution was very stable during the few days we used it.
What do I think about the scalability of the solution?
The scalability of this product is very good.
What other advice do I have?
I will rate this product a seven out of ten, because I think the visibility needs to be improved, and the support person needs to do a better job. What's more, additional features, like domain support or different authentication support, also need to be improved.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Senior Manager at a marketing services firm with 10,001+ employees
Reporting gives you a clear indication of what kind of vulnerability you have that you can drill down on but the reporting should assist with base-lining
Pros and Cons
- "The reporting is quite intuitive, which gives you a clear indication of what kind of vulnerability you have that you can drill down on to gather more information."
- "I'd like to see a kind of feature where we can just track what our last vulnerability was and how it has improved or not. More reports that can have some kind of base-lining, I think that would be a good feature too. I'm not sure whether it can be achieved and implemented but I think that would really help."
What is most valuable?
The reporting is quite intuitive, which gives you a clear indication of what kind of vulnerability you have that you can drill down on to gather more information.
What needs improvement?
I'm still in the process of exploring.
I'd like to see a kind of feature where we can just track what our last vulnerability was and how it has improved or not. More reports that can have some kind of base-lining, I think that would be a good feature too. I'm not sure whether it can be achieved and implemented but I think that would really help.
For how long have I used the solution?
I haven't been using this solution for very long yet.
What other advice do I have?
I would rate this solution as 7 out of 10, as I am still in the process of exploring. So far I think it's fine, but I think I still need to explore it a bit further and try to do a more comparative analysis.
Disclosure: My company has a business relationship with this vendor other than being a customer. Reseller.