OWASP Zap is a free and open-source web application security scanner.


| Product | Mindshare (%) |
|---|---|
| OWASP Zap | 2.9% |
| SonarQube | 14.5% |
| Checkmarx One | 9.2% |
| Other | 73.4% |
Users reported significant improvements in security measures, enhanced vulnerability detection, and increased overall protection.
The tool was praised for its user-friendly interface, extensive features, and effectiveness in identifying potential threats.
Users also highlighted the cost-effectiveness of OWASP Zap, as it provided robust security solutions without requiring substantial financial investments.
| Company Size | Count |
|---|---|
| Small Business | 10 |
| Midsize Enterprise | 10 |
| Large Enterprise | 19 |
| Company Size | Count |
|---|---|
| Small Business | 291 |
| Midsize Enterprise | 169 |
| Large Enterprise | 569 |
The solution helps developers identify vulnerabilities in their web applications by actively scanning for common security issues.
With its user-friendly interface and powerful features, Zap is a popular choice among developers for ensuring the security of their web applications.
| Author info | Rating | Review Summary |
|---|---|---|
| Project Manager at Al Hassan LLC | 4.0 | We primarily use OWASP Zap for web application security testing due to its simplicity and effective scanning features. However, it needs better alignment with CVSS scores. We also use Burp Suite and Nessus for comprehensive vulnerability analysis. |
| Technical Analyst at Hexaware Technologies Limited | 4.0 | I've worked with OWASP Zap for years, finding it effective overall, though it has limitations compared to Burp Suite, particularly in scan engines, authentication, and reporting. Its open-source nature allows for integrations but needs improvements, especially for APIs. |
| Delivery Head - DevOps at Datamato Technologies | 3.5 | I find OWASP Zap effective for scanning code vulnerabilities, whether manually or via CI/CD. However, it should improve false positive reduction and expand coverage. GitLab Ultimate and other tools are viable alternatives, offering comprehensive scanning features. |
| Head Of Information Security at Aura | 4.5 | I use OWASP Zap for DevSecOps in pipelines, employing its add-ons for tasks like brute forcing. The reporting feature is beneficial, although improvements like noise cancellation and a cloud version could enhance its utility, especially for larger tests. |
| Researcher in Cyber Security at Sekolah Tinggi Ilmu Statistik BPS | 4.0 | I use OWASP Zap for vulnerability scanning because it offers valuable features for free, like the Zap HUD for manual exploration. However, it needs improved algorithms to reduce false positives and better integration options with tools like Burp Suite. |
| Cloud Solutions Architect at TANGENT SOLUTIONS | 4.5 | I use OWASP Zap within our DevOps process to securely develop apps by integrating security testing into our pipeline. Its automated scans and code crawler are valuable, despite occasional false positives. The active community and constant improvements make it indispensable. |
| Elite Global CISO at Scybers | 4.0 | We use OWASP Zap for scanning pipelines and find it beneficial, as it helps in identifying and fixing vulnerabilities. Our clients provide positive feedback, though the technical support team could improve by offering proactive guidance on feature usage. |
| Application Security Consultant at a tech services company with 10,001+ employees | 4.0 | I use OWASP Zap for security testing, valuing its open-source nature. It improved our security, but I desire more updates, better learning, and a more user-friendly UI, prompting our transition to Burp Suite. |
| Head Of Development at VALOORES | 4.0 | I use OWASP Zap to test our AML product's source code for vulnerabilities. The clear reports, useful plugins, and solutions are highlights, though customizable reports and optimized execution times would improve its utility. |
| Cyber Security Engineer at a transportation company with 10,001+ employees | 3.5 | I use OWASP Zap primarily for analysis, enjoying its integration with PortSwigger Burp and leveraging its extensions. It's stable, easy to set up, and scalable. However, support has declined over time, and more extensions would be appreciated. |

We use OWASP Zap primarily for discovering vulnerabilities in our web application security testing. We use one standalone deployment of this solution.
OWASP Zap has been good for reducing security incidents in our organization, doing very well with that.
One valuable feature of OWASP Zap is that it is simple to use. It is not complex, making it easy for us and our team to operate. We utilize both active and passive scanning functionalities, with no issues noted in those areas.
There are areas for improvement with OWASP Zap, particularly in the alignment of vulnerabilities concerning CVSS scores. Sometimes, a vulnerability initially categorized as high severity may be reduced to medium or low over time after security patches are applied. This alignment with the present severity score and CVSS score could be improved.
We have been using OWASP Zap since 2014.
OWASP Zap is stable, and I would rate its stability between eight and nine out of ten.
For scalability, I would rate OWASP Zap between four and five out of ten. We are using it in an independent deployment.
The customer service and technical support are high quality. I rate it eight out of ten.
We are also using Burp Suite and Nessus along with OWASP Zap. Each tool has its own pros and cons, providing varying confidences of vulnerabilities and sometimes false positives.
The initial setup of OWASP Zap is easy. It's straightforward and does not pose any difficulty.
Our implementation was done in-house by our team. We rely entirely on our internal resources for deployment and do not use third-party integrators.
Alongside OWASP Zap, we use Burp Suite and Nessus. Each security tool we use has its own set of vulnerabilities that it effectively identifies.
OWASP Zap is a good tool, one of my favorites for a long time, and I would recommend it.
I'd rate the solution eight out of ten.
I have been working with OWASP Zap for a few years now, and it is similar to Burp Suite, being open source, but it has limitations, especially with the minimal scan engines that it offers compared to Burp Suite.
The powerful side of OWASP Zap includes features such as fuzzing activities, which allow us to perform fuzzing with manual payloads where we can inject and observe the outputs.
I consider OWASP Zap to be the most effective solution overall; being open source allows integration with other systems via OWASP Zap APIs.
The improvement that has to be done for APIs focuses on manual activities where the feature exists, but it is not at the same level as what Burp Suite does with intercepting and tools such as Postman, so it needs improvement.
There are limitations with authentication levels, particularly with form-based and cookie-based authentication. However, overall, we are satisfied with OWASP Zap as there are no major issues, and improving the scan engine could be beneficial.
When comparing OWASP Zap and Burp Suite, the main difference besides pricing is that OWASP Zap has limitations with reporting levels and UI, which affects its reporting capabilities, whereas Burp Suite is already advancing with new AI features and scanning capabilities that OWASP Zap seems to be lacking.
I have been working with OWASP Zap for a few years now.
For the initial setup, OWASP Zap does not present any hurdles during installation, and we can set it up with the required executable without any issues.
I would recommend OWASP Zap to someone for initial testing, especially if they don't want to spend the money on the 449 price point. I would rate OWASP Zap an eight out of ten.

OWASP is only meant for two or three different types of scans. It is a tool which will scan the code for security vulnerabilities.
We were able to convince the customers to really remove those rules when GitLab was able to show the results. Customers should be aware that GitLab is not just a source controller or version control tool; it is more than that.
OWASP is quite matured in identifying the vulnerabilities. Whether you run the scan manually or as an integrated part of your CI/CD pipeline, OWASP scanners are quite effective.
OWASP should work on reducing false positives by using AI and ML algorithms. They should expand their capabilities for broader coverage of business logic flaws and complex issues. There should also be regular, planned release calendars instead of ad hoc releases.
I last used it one and a half years back and have around eight or nine years of experience with similar tools.
We have not faced any issues with stability.
OWASP can be rated at seven or eight for scalability. However, my experience is from one and a half, two years ago.
We never had to go to anyone for support because OWASP is an old technology tool, and the community is quite large. If something is put on the community, you get a response.
With the introduction of GitLab Ultimate, we're able to recommend it to all customers as it includes comprehensive scanning.
Setting up is a problem with OWASP. It is not straightforward, and that is the reason I rated it at six.
We are not partners of OWASP. We talk as users or technology partners.
OWASP might be cost-effective, however, people prefer to use the free edition available as open source.
Different code scanning tools include Check Point, Qualys, SonarQube, Black Duck, Fortify, HCL AppScan, and enterprise security APIs.
OWASP is reasonable and cheap for customers who only need to perform specific scans. However, if looking for a full pipeline scanning solution, OWASP alone is not sufficient.
I'd rate the solution seven out of ten.

I primarily use OWASP Zap for DevSecOps within the pipeline. It's mainly integrated via a YAML file into GitHub Actions. In addition to that, I use it for external tests like web crawling and web application penetration tests.
OWASP Zap's add-on feature to customize wordlists is very useful for tasks like brute forcing credentials and other test cases. Additionally, the reporting feature is effective as it provides remediation suggestions and allows for flagging false positives, which helps in reducing noise in the reports.
OWASP Zap could benefit from a noise cancellation feature like that of Burp Suite Professional, where AI helps reduce certain non-critical findings. Additionally, a cloud version of the tool could enhance scalability and resource management, especially for larger tests that consume more local resources.
I have been working with OWASP Zap for four or five years.
I have not faced any stability issues with OWASP Zap. The stability is largely dependent on the available computing resources.
OWASP Zap's scalability is impressive, but it depends on the available computing resources. With sufficient resources, it operates efficiently.
OWASP Zap has community support available, but I have never used it because I've never needed it.
The initial setup of OWASP Zap is quite easy and not challenging at all. I would rate it ten out of ten in terms of ease.
OWASP Zap is straightforward to use. If someone doesn't have the budget for tools like Burp Suite, OWASP Zap is an excellent alternative. I rate it nine out of ten.
I use it for vulnerability scanning. It has automatic methods. It's great.
We integrate OWASP Zap into our other software development lifecycle processes for security.
I use OWASP Zap for vulnerability scanning. After that, I used OWASP Zap to try fuzzing, to fuzz some inputs that might have medium or high severity problems discovered during the vulnerability scanning.
OWASP Zap's spidering capabilities have improved our security testing. I would rate this capability an eight out of ten. The feature is very useful, but maybe the algorithm for discovery must be improved. It can generate many false positives. But the overall feature is good.
The best part for me is that OWASP Zap provides several features, and it's absolutely free because it's open source. Unlike commercial web scanners that have strict feature limits in their free versions, OWASP Zap is open source, and we can scan freely. We can fuzz and do the scanning indefinitely.
The best feature is the Zap HUD (Heads Up Display) because the customers can use the website normally. If we scan websites with automatic scanning, and the website has a web application firewall, it's very difficult.
The automatic scan will get blocked, or the IP will be blocked. But with the Zap HUD, we can manually explore the website without being blocked by the web application firewall.
There is the point that there may be false positives if we're doing vulnerability scanning.
The automated scanning feature is good. But if the website has a web application firewall, it's very difficult to use automated scanning. Because the automated scan sends many requests at the same time, and the WAF will block it as suspicious activity. The results of an automated scan may not be very successful for websites with WAFs because many requests will be blocked.
Therefore, improving the algorithm accuracy for finding leaks in OWASP ZAP is important to decrease false positives.
The algorithm used for finding leaks needs improvement. During scanning, if we execute exploits to find vulnerabilities, there are many false positives.
Additionally, it would be beneficial to enhance the algorithm to provide better summaries of automatic scanning results.
The next improvement for OWASP Zap should be to add the ability to integrate with tools like Burp Suite Professional.
Also, improving the algorithms to identify leaks is important to decrease false positive discovery. It has a large wordlist. If we could integrate with that feature, it would be helpful.
However, if we use OWASP ZAP standalone, we would need to create or find wordlists ourselves, which takes significant time.
I have been using it for three months.
I would rate the stability an eight out of ten.
It is a stable product for me.
I use it personally.
The documentation is well-written. And the community support for OWASP Zap is good. It's quite helpful.
For me, OWASP Zap is quite a good application. The good thing about OWASP Zap is that many features are free, and we can use them.
I set up OWASP Zap on my laptop. It is very easy and simple for me.
I would rate my experience with the initial setup a nine out of ten, with ten being easy to set up.
It took me less than an hour to set up.
I did it myself.
Overall, I would rate the solution an eight out of ten.
My advice for OWASP Zap users is that you must be connected to vulnerability discovery work. As security testers, we must find vulnerabilities in our project. There are many false positives [with OWASP Zap], so we have to try new ways of exploiting and restarting. Maybe that's my advice.
I use the solution to follow the framework and help my developers develop apps securely from the ground up with the right practices in mind. As part of the DevOps process, we use the tool to scan and see if the web apps are vulnerable. We integrated the tool into our development life cycle for security testing in our DevOps pipeline. We use the tool to spider and test the website.
The solution helped identify attacks like Cross-site Scripting and SQL Injection. We can perform general health checks to see if the site is secure. If there are problems, they get fixed by the developers before they get to production.
The ZAP scan and code crawler are valuable features. It is automated in the DevOps pipeline. The scans are run automatically if a new project is set up and merged into the development branch. It makes our detection process easier. There are long-term benefits because we are not fixing it after we've developed. We are fixing it while we develop.
Sometimes, we get some false positives. The developers understand the context and usually tell me if it's a false positive and why. The reporting was bad in the past, but it has improved. It would be nice if we could have the report output in PDF. The product could automate the reports to email.
I have been using the solution for a couple of years.
We have never had issues or downtime.
The tool’s scalability is fine for the way we use it. It would be helpful if the tool had a scalable package to deploy and scale out when we had more websites to scan. The vendor must provide a SaaS solution. It could be like a private and externally hosted firewall that we could just subscribe to and run scans.
The product is deployed on the cloud. The on-premise system is easy. We can use the container system. The DevOps pipeline is the easiest. The deployment took about eight hours.
The tool is open source.
I've always used other solutions, which always contain the OWASP open-source tool behind the scenes. We can't compare OWASP Zap with anything else. The solution has an active community. The vendor keeps improving the OWASP framework often. There's no reason for me to deviate from it. OWASP is used widely in web application firewalls as the rule engine.
I will recommend the product to others. Everyone must use the tool. Overall, I rate the solution a nine out of ten.

We use the solution for scanning pipelines.
It is a good solution. We get good feedback about the product from our clients. The product helps users to scan and fix vulnerabilities in the pipeline.
The technical support team must be proactive. The team must advise users about the available features, how to find them, and how to use them better.
We have been using the solution for a customer for six to eight months.
We have not experienced any challenges in the tool's maintenance, availability, and stability.
The scalability could be better. I rate the tool’s scalability a seven out of ten. Our customers are medium-sized businesses.
The technical support is very good. We had some issues during installation. We reached out to the support team and got it clarified immediately. We have reached out to the support team only once. If we continue getting good support from the team, I might rate support a nine or ten out of ten in the future. For now, I rate it an eight out of ten.
The installation and integration are easy. It's not challenging. The implementation was done in different phases. Our customers took a few days to install the solution. They needed two engineers to install it. We do not have any problem in maintaining the tool. It is deployed on the cloud.
I would recommend the solution to my clients since it is a proven product. We have no issues with stability, scalability, and technical support. Overall, I rate the product an eight out of ten.

I use this solution to test applications; web applications, web APIs, and infrastructure. For the web APIs and applications, I use OWASP Zap for interpreting requests and responses, and to see how the application behaves to resist payloads. This is one of the basic applications for us to automate and test. We are customers of OWASP Zap and I'm an application security consultant.
The solution has tightened our security and that of our clients who depend on it. If you identify a weakness or a limitation in an application, and the tool identifies it, we can highlight it to the developer, who secures it and gives it back to us and we can test it back through the tool.
The most beneficial thing is that the solution is open-source, so there is no cost involved. It's useful for beginners who are looking to learn about penetration testing.
I'd like to see more regular updates with new features and I'd like to see resources where users can internally access a learning module from the tool. It would be helpful for any user interested in developing their skills. They have all the built-ins but it's not user-friendly in the sense that the UI is not as easy as you'd find in a solution such as the Burp Suite.
I've been using this solution for nearly three years.
Stability is pretty reliable. Sometimes when we're testing a broader application, it can get stuck. We have more than 30 users which include managers and testers.
We haven't needed to reach out for any technical support but I've heard they are quite responsive.
We're currently moving away from OWASP to PortSwigger Burp Suite Professional. It's more user-friendly with a better interface. It also comes with professional licensing. I've reached out to the support team, and the quantity of content and resources is significantly greater than Zap offers.
The initial setup is very simple, you just need to have a Java file. Deployment takes a maximum of 10 minutes and is carried out in-house. There's no real maintenance involved.
If you're a smaller organization, this tool is a great first choice as a starting point. It's quite usable.
I rate this solution eight out of 10.

We use the product to ensure that our source code is safe enough and has no vulnerabilities before delivering a new release for our AML product. We also used the product for dynamic testing to test applications as a black box.
The report design is very useful. The explanation is very clear. It also provides additional solutions and plugins. The product discovers more vulnerabilities compared to other tools. It might have additional plugins and features for testing.
The product should allow users to customize the report based on their needs. For example, suppose the user needs to test only the vulnerability of SQL injection and not any other category or vulnerabilities. In that case, it's better to provide end users with a way to choose the subject they want to audit and the severity of the vulnerability.
If I need to figure out only the critical or the high severity, I shouldn't have to figure out the low severity vulnerabilities or the code smells. These services could be helpful for the end user and save time whenever we need to generate a new report. The execution time is a little bit exaggerated. This process can optimize the report's performance.
I have been using the solution for two to three months.
The solution is very stable. I rate the solution’s stability a nine out of ten.
Two resources from our security team work on generating and implementing reports. However, many other developers use the product to fix vulnerabilities and penetrate or audit the whole source code for products. The owner of the product and the developers are involved in the correction and the long-term plan to cover or close the vulnerability.
I rate the ease of setup an eight out of ten.
The installation is quick. It can be done in a couple of hours.
The solution’s pricing is high. I rate the pricing a nine or ten out of ten. There is an indirect cost on the resources and specs needed to deploy or implement the product. When we run the report, it consumes a lot of du from the servers.
We use SonarQube for penetration testing. We are most likely to have hybrid solutions. However, the deployment model depends on our clients, the data, and the type of product we will deploy. I didn't use automatic scalability for our deliveries and deployment.
The solution is worth using. We've used many tools and discovered that OWASP detects multiple high vulnerabilities, which the other tools do not detect. Overall, I rate the product an eight out of ten.
I primarily use the solution for different use cases. It's good for analysis. It also offers additional extensions you can take advantage of. There are different scan extensions you can leverage.
It helps that we can use it hand in hand with PortSwigger Burp. Since each has scanning capabilities, we can use them together and leverage whichever has the better scanning extension, depending on what we need.
We like the functionality.
It's great that we can use it with PortSwigger Burp.
There is a good community surrounding the solution.
The initial setup is easy.
It's stable and reliable.
The solution can scale.
We'd like the solution to continue to add more extensions.
They stopped their support for a short period. They've recently started to come back again. In the early days, support was much better. It's not as good as it was.
I've used the solution since 2013. I've used it for quite some time.
It is pretty stable. There are no bugs or glitches. It doesn't crash or freeze. It is reliable.
The solution is pretty scalable. It's easy to extend as needed.
Technical support used to be very good. Then they stopped. Now, they are coming back. However, they are behind in support services.
I've also used PortSwigger Burp. I can use both at the same time and use extensions to leverage them together.
The setup is simple and straightforward, depending on your level of knowledge. PortSwigger Burp may be a bit easier. However, both are straightforward. This is not complex to implement. It also doesn't take long to deploy.
If you can download it in five minutes, you can have it set up in seven minutes.
This solution is open-source and free to use.
I am using the latest version. I usually download the latest version and then use it.
Users need to read the documentation before starting. Users need to educate themselves before they start.
I'd rate the solution seven out of ten.