Try our new research platform with insights from 80,000+ expert users
OWASP Zap Logo

OWASP Zap pros and cons

Vendor: OWASP
3.8 out of 5
844 followers
Start review

Pros & Cons summary

OWASP Zap provides robust vulnerability scanning and is easy to learn, making it ideal for boosting web security. Its adaptable API is exceptional for custom needs, although it lacks support for mobile testing and CICD integrations. Valuable features like HUD enhance testing, but outdated documentation and excessive false positives hinder its use. Lacking a feature marketplace, it falls short of mainstream tool standards, despite enhancing organizational security with frequent deployments.

Buyer's Guide

Get pricing advice, tips, use cases and valuable features from real users of this product.
Get the report

Prominent pros & cons

PROS

OWASP Zap is noted for its simplicity and ease of learning, making it accessible even for those without a large budget for security tools.
The automated scanning feature of OWASP Zap is highly appreciated, allowing for efficient vulnerability detection and quick security testing.
The frequent updates and enhancements, such as the addition of the HUD (Heads Up Display), reflect ongoing adaptation and improvement, ensuring OWASP Zap remains a relevant tool for security audits.
OWASP Zap's API and customizable features, such as the fuzzer and Java APIs, are valuable for addressing specific custom needs in security testing.
OWASP Zap's ability to scan quickly and effectively within a limited scope, offering detailed vulnerability reporting and repository updates, is considered a significant advantage.

CONS

Online documentation for OWASP Zap is lacking and outdated, making it difficult for users to utilize all features and API methods effectively.
OWASP Zap experiences a high rate of false positives, necessitating manual verification of findings.
Reporting capabilities in OWASP Zap need enhancement for better customization, clarity, and understanding of results.
OWASP Zap's vulnerability assessment lacks diversification and could benefit from AI and ML algorithms to improve accuracy and reduce false positives.
There is limited support for OWASP Zap in terms of integration with cloud-based CICD pipelines and expansion into mobile application testing could improve functionality.
 

OWASP Zap Pros review quotes

VN
Jun 21, 2019
The OWASP's tool is free of cost, which gives it a great advantage, especially for smaller companies to make use of the tool.
Read full review
BS
Nov 12, 2020
The solution is good at reporting the vulnerabilities of the application.
Read full review
PN
Mar 11, 2024
The best feature is the Zap HUD (Heads Up Display) because the customers can use the website normally. If we scan websites with automatic scanning, and the website has a web application firewall, it's very difficult.
Read full review
Buyer's Guide
OWASP Zap
March 2025
Free Report: OWASP Zap Reviews and More
Learn what your peers think about OWASP Zap. Get advice and tips from experienced pros sharing their opinions. Updated: March 2025.
DOWNLOAD NOW
847,862 professionals have used our research since 2012.
it_user719781 - PeerSpot reviewer
Aug 16, 2017
The vulnerabilities that it finds, because the primary goal is to secure applications and websites.
Read full review
AG
Aug 13, 2021
It has evolved over the years and recently in the last year they have added, HUD (Heads Up Display).
Read full review
VF
Feb 8, 2019
This solution has improved my organization because it has made us feel safer doing frequent deployments for web applications. If we have something really big, we might get some professional company in to help us but if we're releasing small products, we will check it ourselves with Zap. It makes it easier and safer.
Read full review
YK
May 4, 2023
Stability-wise, I rate the solution a nine out of ten. I think it's stable enough. I don't see any crashes within the application, so its stability is high.
Read full review
PS
Apr 6, 2021
Automatic scanning is a valuable feature and very easy to use.
Read full review
JoelGeorge - PeerSpot reviewer
Apr 25, 2022
Two features are valuable. The first one is that the scan gets completed really quickly, and the second one is that even though it searches in a limited scope, what it does in that limited scope is very good. When you use Zap for testing, you're only using it for specific aspects or you're only looking for certain things. It works very well in that limited scope.
Read full review
it_user860865 - PeerSpot reviewer
Apr 22, 2018
It scans while you navigate, then you can save the requests performed and work with them later.
Read full review
Show 10 more reviews (out of 39)
 

OWASP Zap Cons review quotes

VN
Jun 21, 2019
There's very little documentation that comes with OWASP Zap.
Read full review
BS
Nov 12, 2020
It would be ideal if I could try some pre-built deployment scenarios so that I don't have to worry about whether the configuration sector team is doing it right or wrong. That would be very helpful.
Read full review
PN
Mar 11, 2024
It would be beneficial to enhance the algorithm to provide better summaries of automatic scanning results.
Read full review
Buyer's Guide
OWASP Zap
March 2025
Free Report: OWASP Zap Reviews and More
Learn what your peers think about OWASP Zap. Get advice and tips from experienced pros sharing their opinions. Updated: March 2025.
DOWNLOAD NOW
847,862 professionals have used our research since 2012.
it_user719781 - PeerSpot reviewer
Aug 16, 2017
It doesn't run on absolutely every operating system.
Read full review
AG
Aug 13, 2021
The forced browse has been incorporated into the program and it is resource-intensive.
Read full review
VF
Feb 8, 2019
If there was an easier to understand exactly what has been checked and what has not been checked, it would make this solution better. We have to trust that it has checked all known vulnerabilities but it's a bit hard to see after the scanning.
Read full review
YK
May 4, 2023
The solution is somewhat unreliable because after we get the finding, we have to manually verify each of its findings to see whether it's a false positive or a true finding, and it takes time.
Read full review
PS
Apr 6, 2021
Reporting format has no output, is cluttered and very long.
Read full review
JoelGeorge - PeerSpot reviewer
Apr 25, 2022
The work that it does in the limited scope is good, but the scope is very limited in terms of the scanning features. The number of things it tests or finds is limited. They need to make it a more of a mainstream tool that people can use, and they can even think about having it on a proprietary basis. They need to increase the coverage of the scan and the results that it finds. That has always been Zap's limitation. Zap is a very good tool for a beginner, but once you start moving up the ladder where you want further details and you want your scan to show more in-depth results, Zap falls short because its coverage falls short. It does not have the capacity to do more.
Read full review
it_user860865 - PeerSpot reviewer
Apr 22, 2018
I would like to see a version of “repeater” within OWASP ZAP, a tool capable of sending from one to 1000 of the same requests, but with preselected modified fields, changing from a predetermined word ​list, or manually created.
Read full review
Show 10 more reviews (out of 40)

Product Categories

Product Categories
Static Application Security Testing (SAST)

Popular Comparisons

Popular Comparisons
SonarQube Server (formerly SonarQube) vs OWASP Zap Logo
SonarQube Server (formerly SonarQube) vs OWASP Zap
GitLab vs OWASP Zap Logo
GitLab vs OWASP Zap
Checkmarx One vs OWASP Zap Logo
Checkmarx One vs OWASP Zap
Veracode vs OWASP Zap Logo
Veracode vs OWASP Zap
Coverity vs OWASP Zap Logo
Coverity vs OWASP Zap
SonarQube Cloud (formerly SonarCloud) vs OWASP Zap Logo
SonarQube Cloud (formerly SonarCloud) vs OWASP Zap
Fortify on Demand vs OWASP Zap Logo
Fortify on Demand vs OWASP Zap
Acunetix vs OWASP Zap Logo
Acunetix vs OWASP Zap
PortSwigger Burp Suite Professional vs OWASP Zap Logo
PortSwigger Burp Suite Professional vs OWASP Zap
HCL AppScan vs OWASP Zap Logo
HCL AppScan vs OWASP Zap
Qualys Web Application Scanning vs OWASP Zap Logo
Qualys Web Application Scanning vs OWASP Zap
Invicti vs OWASP Zap Logo
Invicti vs OWASP Zap
Semgrep vs OWASP Zap Logo
Semgrep vs OWASP Zap
Kiuwan vs OWASP Zap Logo
Kiuwan vs OWASP Zap
Rapid7 AppSpider vs OWASP Zap Logo
Rapid7 AppSpider vs OWASP Zap
See all alternatives

Product Categories

Product Categories
Static Application Security Testing (SAST)

Popular Comparisons

Popular Comparisons
SonarQube Server (formerly SonarQube) vs OWASP Zap Logo
SonarQube Server (formerly SonarQube) vs OWASP Zap
GitLab vs OWASP Zap Logo
GitLab vs OWASP Zap
Checkmarx One vs OWASP Zap Logo
Checkmarx One vs OWASP Zap
Veracode vs OWASP Zap Logo
Veracode vs OWASP Zap
Coverity vs OWASP Zap Logo
Coverity vs OWASP Zap
SonarQube Cloud (formerly SonarCloud) vs OWASP Zap Logo
SonarQube Cloud (formerly SonarCloud) vs OWASP Zap
Fortify on Demand vs OWASP Zap Logo
Fortify on Demand vs OWASP Zap
Acunetix vs OWASP Zap Logo
Acunetix vs OWASP Zap
PortSwigger Burp Suite Professional vs OWASP Zap Logo
PortSwigger Burp Suite Professional vs OWASP Zap
HCL AppScan vs OWASP Zap Logo
HCL AppScan vs OWASP Zap
Qualys Web Application Scanning vs OWASP Zap Logo
Qualys Web Application Scanning vs OWASP Zap
Invicti vs OWASP Zap Logo
Invicti vs OWASP Zap
Semgrep vs OWASP Zap Logo
Semgrep vs OWASP Zap
Kiuwan vs OWASP Zap Logo
Kiuwan vs OWASP Zap
Rapid7 AppSpider vs OWASP Zap Logo
Rapid7 AppSpider vs OWASP Zap
See all alternatives
Related questions
  • 1,529
Is OWASP Zap better than PortSwigger Burp Suite Pro?
  • 20
What is the biggest difference between OWASP Zap and PortSwigger Burp?
  • 26
What is the biggest difference between OWASP Zap and Qualys?
  • 13
What Application Security Solution Do You Use That Is DevOps Friendly?
  • 71
Which is the most comprehensive open source Web Security Testing tool?
  • 143
What is the best Application Security Testing platform?
  • 7
When evaluating Application Security Testing, what aspect do you think is the most important to look for?
  • 59
SAST vs. DAST: Which is better for application security testing?
  • 69
What tools do you rely on for building a DevSecOps pipeline?
  • 37
What does the Log4j/Log4Shell vulnerability mean for your company?