We performed a comparison between OWASP Zap and Acunetix based on our users’ reviews in four categories. After reading all of the collected data, you can find our conclusion below.
Comparison Result: Based on the parameters we compared, OWASP Zap comes out ahead of Acunetix. Although both products have valuable features and have straightforward deployments, our reviewers found that Acunetix has high pricing, which is considered expensive by some users, especially for small organizations.
"The most important feature is that it's a web-based graphical user interface. That is a great addition. Also, the ability to schedule scans is great."
"It's very user-friendly for the testing teams. It's very easy for them to understand things and to fix vulnerabilities."
"Their technical support has been very active. If I have an issue, I can reach out to them and get an answer pretty quick."
"For us, the most valuable aspect of the solution is the log-sequence feature."
"The tool's most valuable feature is performance."
"Our developers can run the attacks directly from their environments, desktops."
"The most valuable feature of the solution is the speed at which it can scan multiple domains in just a few hours."
"There is a lot of documentation on their website which makes setting it up and using it quite simple."
"The best feature is the Zap HUD (Heads Up Display) because the customers can use the website normally. If we scan websites with automatic scanning, and the website has a web application firewall, it's very difficult."
"ZAP is easy to use. The automated scan is a powerful feature. You can simulate attacks with various parameters. ZAP integrates well with SonarQube."
"It has improved my organization with faster security tests."
"The scalability of this product is very good."
"The solution has tightened our security."
"It has evolved over the years and recently in the last year they have added, HUD (Heads Up Display)."
"The solution is scalable."
"It updates repositories and libraries quickly."
"Acunetix needs to be dynamic with JavaScript code, unlike Netsparker which can scan complex agents."
"We want to see how much bandwidth usage it consumes. When we monitor traffic we have issues with the consumption and throttling of the traffic."
"Acunetix needs to include agent analysis."
"Currently only supports web scanning."
"The jargon used makes it difficult for project managers to understand the issues, and the technical explanations used make it difficult for developers to understand issues. These things should be simplified much more. That would be very helpful for us when explaining to them what needs to be fixed. The report output needs to be simplified."
"The pricing is a bit on the higher side."
"I had some issues with the JSON parameters where it found some strange vulnerabilities, but it didn't alert the person using it or me about these vulnerabilities, e.g., an error for SQL injection."
"The vulnerability identification speed should be improved."
"Lacks resources where users can internally access a learning module from the tool."
"The documentation needs to be improved because I had to learn everything from watching YouTube videos."
"Online documentation can be improved to utilize all features of ZAP and API methods to make use in automation."
"There are too many false positives."
"If there was an easier to understand exactly what has been checked and what has not been checked, it would make this solution better. We have to trust that it has checked all known vulnerabilities but it's a bit hard to see after the scanning."
"The work that it does in the limited scope is good, but the scope is very limited in terms of the scanning features. The number of things it tests or finds is limited. They need to make it a more of a mainstream tool that people can use, and they can even think about having it on a proprietary basis. They need to increase the coverage of the scan and the results that it finds. That has always been Zap's limitation. Zap is a very good tool for a beginner, but once you start moving up the ladder where you want further details and you want your scan to show more in-depth results, Zap falls short because its coverage falls short. It does not have the capacity to do more."
"The forced browse has been incorporated into the program and it is resource-intensive."
"It would be nice to have a solid SQL injection engine built into Zap."
Acunetix is ranked 13th in Static Application Security Testing (SAST) with 26 reviews while OWASP Zap is ranked 7th in Static Application Security Testing (SAST) with 37 reviews. Acunetix is rated 7.6, while OWASP Zap is rated 7.6. The top reviewer of Acunetix writes "Fantastic reporting features hindered by slow scanning ". On the other hand, the top reviewer of OWASP Zap writes "Great for automating and testing and has tightened our security ". Acunetix is most compared with Tenable.io Web Application Scanning, PortSwigger Burp Suite Professional, HCL AppScan, Fortify WebInspect and Veracode, whereas OWASP Zap is most compared with SonarQube, Qualys Web Application Scanning, PortSwigger Burp Suite Professional, Veracode and Checkmarx One. See our Acunetix vs. OWASP Zap report.
See our list of best Static Application Security Testing (SAST) vendors.
We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.