Try our new research platform with insights from 80,000+ expert users

OWASP Zap pros and cons

Vendor: OWASP

3.8 out of 5

39 reviews
87% willing to recommend

844 followers

Pros & Cons summary

OWASP Zap offers exceptional API support with its Fuzzer and Java APIs, enabling faster security tests. Frequent updates ensure new vulnerabilities are quickly integrated. Automated scanning, scalability, and integration capabilities with tools like SonarQube enhance its utility. However, limited documentation, insufficient scanning depth, false positives, poor report customization, and suboptimal cloud CICD integration can impact usability. The HUD feature aids on-site testing, but manual verification remains necessary.

Buyer's Guide

Get pricing advice, tips, use cases and valuable features from real users of this product.

Prominent pros & cons

PROS

OWASP Zap is simple to learn and master, making it accessible for users.

The API of OWASP Zap is exceptional and supports custom needs with features like the Fuzzer and Java APIs.

Its community edition provides regular updates, enhancing the tool's capabilities by adding new vulnerabilities to its scanning list.

The scalability of OWASP Zap is advantageous, allowing it to be used effectively for various auditing purposes and security testing.

OWASP Zap integrates well with tools like SonarQube and Portswigger Burp, offering automated scanning and valuable features like the Zap HUD for efficient testing.

CONS

Online documentation is lacking and out-of-date, requiring improvements to enhance feature utilization and automation.

OWASP Zap struggles with false positives, necessitating manual verification of reported vulnerabilities.

The ability to customize reports based on user needs is limited, affecting usability.

Integration with cloud-based CICD pipelines and mobile application testing is currently inadequate.

There is a need to extend algorithm capabilities for better summaries and broader coverage of complex security issues.

OWASP Zap Pros review quotes

VN

Vijayanathan Naganathan

Director - Head of Delivery Services at Ticking Minds Technology Solutions Pvt Ltd

Jun 21, 2019

The OWASP's tool is free of cost, which gives it a great advantage, especially for smaller companies to make use of the tool.

Read full review

BS

Balaji Senthiappan

Assistant Vice President at Hexaware Technologies Limited

Nov 12, 2020

The solution is good at reporting the vulnerabilities of the application.

Read full review

PN

Researcher in Cyber Security at Sekolah Tinggi Ilmu Statistik BPS

Mar 11, 2024

The best feature is the Zap HUD (Heads Up Display) because the customers can use the website normally. If we scan websites with automatic scanning, and the website has a web application firewall, it's very difficult.

Read full review

Free Report: OWASP Zap Reviews and More

Learn what your peers think about OWASP Zap. Get advice and tips from experienced pros sharing their opinions. Updated: February 2025.

838,640 professionals have used our research since 2012.

Works at a retailer with 1,001-5,000 employees

Aug 16, 2017

The vulnerabilities that it finds, because the primary goal is to secure applications and websites.

Read full review

AG

CEO at Virtual Security International

Aug 13, 2021

It has evolved over the years and recently in the last year they have added, HUD (Heads Up Display).

Read full review

VF

Consultant at Harald A. Møller AS

Feb 8, 2019

This solution has improved my organization because it has made us feel safer doing frequent deployments for web applications. If we have something really big, we might get some professional company in to help us but if we're releasing small products, we will check it ourselves with Zap. It makes it easier and safer.

Read full review

YK

Yudhistiro Kusumonegoro

Security Officer at UnDisclosed

May 4, 2023

Stability-wise, I rate the solution a nine out of ten. I think it's stable enough. I don't see any crashes within the application, so its stability is high.

Read full review

PS

Technical Specialist(DevOps) at a tech services company with 1,001-5,000 employees

Apr 6, 2021

Automatic scanning is a valuable feature and very easy to use.

Read full review

Associate at Tata Consultancy

Apr 25, 2022

Two features are valuable. The first one is that the scan gets completed really quickly, and the second one is that even though it searches in a limited scope, what it does in that limited scope is very good. When you use Zap for testing, you're only using it for specific aspects or you're only looking for certain things. It works very well in that limited scope.

Read full review

Program Manager at a manufacturing company with 1,001-5,000 employees

Apr 22, 2018

It scans while you navigate, then you can save the requests performed and work with them later.

Read full review

Show 10 more reviews (out of 38)

OWASP Zap Cons review quotes

VN

Vijayanathan Naganathan

Director - Head of Delivery Services at Ticking Minds Technology Solutions Pvt Ltd

Jun 21, 2019

There's very little documentation that comes with OWASP Zap.

Read full review

BS

Balaji Senthiappan

Assistant Vice President at Hexaware Technologies Limited

Nov 12, 2020

It would be ideal if I could try some pre-built deployment scenarios so that I don't have to worry about whether the configuration sector team is doing it right or wrong. That would be very helpful.

Read full review

PN

Researcher in Cyber Security at Sekolah Tinggi Ilmu Statistik BPS

Mar 11, 2024

It would be beneficial to enhance the algorithm to provide better summaries of automatic scanning results.

Read full review

Free Report: OWASP Zap Reviews and More

Learn what your peers think about OWASP Zap. Get advice and tips from experienced pros sharing their opinions. Updated: February 2025.

838,640 professionals have used our research since 2012.

Works at a retailer with 1,001-5,000 employees

Aug 16, 2017

It doesn't run on absolutely every operating system.

Read full review

AG

CEO at Virtual Security International

Aug 13, 2021

The forced browse has been incorporated into the program and it is resource-intensive.

Read full review

VF

Consultant at Harald A. Møller AS

Feb 8, 2019

If there was an easier to understand exactly what has been checked and what has not been checked, it would make this solution better. We have to trust that it has checked all known vulnerabilities but it's a bit hard to see after the scanning.

Read full review

YK

Yudhistiro Kusumonegoro

Security Officer at UnDisclosed

May 4, 2023

The solution is somewhat unreliable because after we get the finding, we have to manually verify each of its findings to see whether it's a false positive or a true finding, and it takes time.

Read full review

PS

Technical Specialist(DevOps) at a tech services company with 1,001-5,000 employees

Apr 6, 2021

Reporting format has no output, is cluttered and very long.

Read full review

Associate at Tata Consultancy

Apr 25, 2022

The work that it does in the limited scope is good, but the scope is very limited in terms of the scanning features. The number of things it tests or finds is limited. They need to make it a more of a mainstream tool that people can use, and they can even think about having it on a proprietary basis. They need to increase the coverage of the scan and the results that it finds. That has always been Zap's limitation. Zap is a very good tool for a beginner, but once you start moving up the ladder where you want further details and you want your scan to show more in-depth results, Zap falls short because its coverage falls short. It does not have the capacity to do more.

Read full review

Program Manager at a manufacturing company with 1,001-5,000 employees

Apr 22, 2018

I would like to see a version of “repeater” within OWASP ZAP, a tool capable of sending from one to 1000 of the same requests, but with preselected modified fields, changing from a predetermined word list, or manually created.

Read full review

Show 10 more reviews (out of 39)

Product Categories

Product Categories

Static Application Security Testing (SAST)

Popular Comparisons

Popular Comparisons

SonarQube Server (formerly SonarQube) vs OWASP Zap

GitLab vs OWASP Zap

Checkmarx One vs OWASP Zap

Veracode vs OWASP Zap

Coverity vs OWASP Zap

SonarQube Cloud (formerly SonarCloud) vs OWASP Zap

Fortify on Demand vs OWASP Zap

Acunetix vs OWASP Zap

PortSwigger Burp Suite Professional vs OWASP Zap

HCL AppScan vs OWASP Zap

Qualys Web Application Scanning vs OWASP Zap

Invicti vs OWASP Zap

Kiuwan vs OWASP Zap

Rapid7 AppSpider vs OWASP Zap

Contrast Security Assess vs OWASP Zap

See all alternatives

Product Categories

Product Categories

Static Application Security Testing (SAST)

Popular Comparisons

Popular Comparisons

SonarQube Server (formerly SonarQube) vs OWASP Zap

GitLab vs OWASP Zap

Checkmarx One vs OWASP Zap

Veracode vs OWASP Zap

Coverity vs OWASP Zap

SonarQube Cloud (formerly SonarCloud) vs OWASP Zap

Fortify on Demand vs OWASP Zap

Acunetix vs OWASP Zap

PortSwigger Burp Suite Professional vs OWASP Zap

HCL AppScan vs OWASP Zap

Qualys Web Application Scanning vs OWASP Zap

Invicti vs OWASP Zap

Kiuwan vs OWASP Zap

Rapid7 AppSpider vs OWASP Zap

Contrast Security Assess vs OWASP Zap

See all alternatives

Related questions

2,143

Is OWASP Zap better than PortSwigger Burp Suite Pro?

26

What is the biggest difference between OWASP Zap and PortSwigger Burp?

29

What is the biggest difference between OWASP Zap and Qualys?

17

What Application Security Solution Do You Use That Is DevOps Friendly?

90

Which is the most comprehensive open source Web Security Testing tool?

210

What is the best Application Security Testing platform?

6

When evaluating Application Security Testing, what aspect do you think is the most important to look for?

85

SAST vs. DAST: Which is better for application security testing?

93

What tools do you rely on for building a DevSecOps pipeline?

33

What does the Log4j/Log4Shell vulnerability mean for your company?