Senior Manager at a marketing services firm with 10,001+ employees
Reporting gives you a clear indication of what kind of vulnerability you have that you can drill down on, but the reporting should assist with baselining
Pros and Cons
- "The reporting is quite intuitive, which gives you a clear indication of what kind of vulnerability you have that you can drill down on to gather more information."
- "I'd like to see a kind of feature where we can just track what our last vulnerability was and how it has improved or not. More reports that can have some kind of baselining, I think that would be a good feature too. I'm not sure whether it can be achieved and implemented, but I think that would really help."
What is most valuable?
I'm still in the process of exploring.
What needs improvement?
I'd like to see a kind of feature where we can just track what our last vulnerability was and how it has improved or not. More reports that can have some kind of baselining, I think that would be a good feature too. I'm not sure whether it can be achieved and implemented, but I think that would really help.
For how long have I used the solution?
I haven't been using this solution for very long yet.
What other advice do I have?
I would rate this solution as 7 out of 10, as I am still in the process of exploring. So far I think it's fine, but I think I still need to explore it a bit further and try to do a more comparative analysis.
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller.
Team Lead at a tech services company with 51-200 employees
Fuzzer and Java APIs help customize the solution for our security testing requirements
Pros and Cons
- "Fuzzer and Java APIs help a lot with our custom needs."
- "It would be nice to have a solid SQL injection engine built into Zap."
What is our primary use case?
Security/penetration testing of a Java-based Web application which is served over a SaaS platform.
Zap has been integrated as one of the important tools in our QA cycle. All beta releases of our software go through Zap scanning. Custom reports are generated - they are pretty decent and standardized - and are submitted to upper management for auditing by a third party.
How has it helped my organization?
We save a significant amount of money on third-party security auditing time.
We are also able to minimize most of the security threats for our software prior to releases, thus saving a lot of time on security fixes and post-release patch builds.
What is most valuable?
Fuzzer and Java APIs help a lot with our custom needs.
What needs improvement?
It would be nice to have a solid SQL injection engine built into Zap.
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
No stability issues for us, so far.
What do I think about the scalability of the solution?
No major problems in terms of the scalability of the software.
How are customer service and technical support?
Community support and documentation are good.
How was the initial setup?
Setup of Zap is relatively easy and straightforward for any technical person, with good documentation to configure it according to your needs.
What's my experience with pricing, setup cost, and licensing?
As Zap is free and open-source, with tons of features similar to those of commercial solutions, I would definitely recommend trying it out.
Which other solutions did I evaluate?
We evaluated several other packages prior to OWASP Zap, such as Burp Suite and Acunetix. We finally moved to Zap as it is open-source and provides almost all the features and the customization that we need.
What other advice do I have?
I would rate it an eight out of 10, based on the usability and variety of features provided. It is highly customizable in terms of usability and reporting, and all of this is available in a free solution.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
OWASP Zap
March 2025

Learn what your peers think about OWASP Zap. Get advice and tips from experienced pros sharing their opinions. Updated: March 2025.
842,690 professionals have used our research since 2012.
Good user interface and easy to use; test reports could be improved
Pros and Cons
- "Simple to use, good user interface."
- "Too many false positives; test reports could be improved."
What is our primary use case?
I'm a business analyst and we're a customer of OWASP Zap.
What is most valuable?
The valuable features are that it's very simple to use and the user interface is very good, particularly for beginners so they can start the application easily. It's enough to refer to an online tutorial to be able to start using this application. It's not very complex.
What needs improvement?
I'd like to be able to explore more and improvements could be made in that area because for now I'm only able to explore the manual testing feature. I'd also like to see an improvement in test reports because we get too many false positives.
For how long have I used the solution?
I've been using this solution for the past few months.
What do I think about the stability of the solution?
The stability is okay although we get many false positives when pulling out test reports.
What do I think about the scalability of the solution?
The scalability is very good.
How are customer service and technical support?
I haven't needed technical support to date and I haven't yet started using the community support.
How was the initial setup?
The initial setup wasn't very complex. You're supposed to install a JDK, Java file. I think implementation took about an hour. There are seven people in the company using the solution and maybe in the coming days there will be more.
What other advice do I have?
I would definitely recommend this product provided the company can provide more clarity on the false positives that we get.
I would rate this solution a seven out of 10.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
It can be used effectively for internal auditing. We use it to detect f/p (false positives).
Pros and Cons
- "It can be used effectively for internal auditing."
- "It needs more robust reporting tools."
What is our primary use case?
It is a security tool. We use it for application testing.
How has it helped my organization?
It can be used effectively for internal auditing. We use it to detect f/p (false positives).
What needs improvement?
It needs more robust reporting tools that can be in an editable form.
For how long have I used the solution?
Less than one year.
What do I think about the stability of the solution?
This is a good, stable product.
How are customer service and technical support?
We have not used technical support.
Which other solutions did I evaluate?
We looked at Arachni and Acunetix.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security Consultant
Provides good information and is sophisticated; updates repositories and libraries quickly
Pros and Cons
- "It updates repositories and libraries quickly."
- "The solution is unable to customize reports."
What is our primary use case?
Zap collects all the AJAX and Ambelo GS links. It pages in everything from a target. I'm a security consultant and we are customers of Zap.
What is most valuable?
Zap is an open-source and sophisticated product. It not only saves us money but also provides us with a good amount of information. In terms of testing and attack simulations, it's pretty good. It updates its repositories and libraries pretty quickly.
What needs improvement?
The disadvantage of Zap is that we're unable to customize reports as it only has a single standard format. The default PDF template has no proper customizations, dashboards, or any sort of widgets that we can maintain. There's a single dashboard and only one type of report that it provides.
What do I think about the stability of the solution?
The solution is stable.
What do I think about the scalability of the solution?
We haven't had any scalability challenges.
How was the initial setup?
The installation was relatively easy, as is maintenance.
What other advice do I have?
Whether this is a good solution depends on the use case. If an organization is looking for a professional license without putting down any money, this is one of the best solutions.
I would rate this solution more highly if we were able to customize reports. For now, I rate this solution eight out of 10.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Test Automation Project Lead at a tech services company with 1,001-5,000 employees
A useful tool for security testing and penetration testers.
Pros and Cons
- "Simple and easy to learn and master."
- "Online documentation can be improved to utilize all features of ZAP and API methods to make use in automation."
What is most valuable?
- Very good open source security tool supporting the top 10 vulnerabilities (Injections, Session Management, XSS, Authentication, Authorization, etc.).
- Simple and easy to learn and master.
- Good online product documentation.
- Built-in features include: intercepting proxy, Plug-n-Hack support, automated scanning, passive scan, fuzzer, traditional and AJAX crawling, WebSocket support, and so on.
- Detailed reporting mechanism.
- The tool has been translated into 25 different languages.
- Can be executed through the GUI, the command line, and also in daemon mode with the help of the REST API.
- Very good API support for automating security tests.
- Supports multiple platforms like Mac, Linux and Windows.
- It's easy to create add-ons and extensions to scale up the features of the tool.
How has it helped my organization?
We have leveraged our existing functional tests for security testing by integrating web driver scripts with the OWASP ZAP tool.
What needs improvement?
Online documentation can be improved to utilize all features of ZAP and API methods to make use in automation.
For how long have I used the solution?
6 months
What was my experience with deployment of the solution?
Did not encounter any issues. It's easy to install and configure.
What do I think about the stability of the solution?
So far I am very comfortable and did not find any stability related issues.
What do I think about the scalability of the solution?
It is scalable by creating new extensions and add-ons for the tool. But we faced a couple of challenges initially, which were solved with the help of the online documentation.
How are customer service and technical support?
Customer Service: 4/10
Technical Support: 4/10
Which solution did I use previously and why did I switch?
No
How was the initial setup?
It is very simple to install and configure.
What about the implementation team?
We have implemented this with the in-house team support.
What was our ROI?
Instead of creating a new framework for security tests, it helped us to leverage (reuse) our existing functional test automation framework for security tests. This reduces a lot of rework.
What's my experience with pricing, setup cost, and licensing?
It is highly recommended as it is an open source tool.
Which other solutions did I evaluate?
No. We are happy with the features provided with this tool, but if you want to go with static code analysis for security tests, you need to find a different option.
What other advice do I have?
Very good and useful tool for security testing and penetration testers.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Deputy Director of Information Security and Infrastructure at a financial services firm with 201-500 employees
Open-source and easy to use with a straightforward setup
Pros and Cons
- "The stability of the solution is very good."
- "It would be a great improvement if they could include a marketplace to add extra features to the tool."
What is our primary use case?
Currently, we deploy these tools to serve in a few of our services in the organization.
What is most valuable?
The solution is very easy to use.
The initial setup is straightforward.
The solution is free due to the fact that it is open-source.
The stability of the solution is very good.
The product has a strong community surrounding it to help with issues and troubleshooting.
What needs improvement?
The technical support could be improved. It doesn't offer traditional technical support at all.
It would be a great improvement if they could include a marketplace to add extra features to the tool. It would make it more customizable and allow users to add more features as they like.
For how long have I used the solution?
I've been using the solution for a while. I've used it at least over the last 12 months.
What do I think about the stability of the solution?
The stability of the solution is very good. We've never had any issues. It's been reliable. There are no bugs or glitches. It doesn't crash or freeze.
What do I think about the scalability of the solution?
While the solution can scale to a certain extent, it cannot scale a lot. This is not one of the strengths of the product.
We only have one user that is engaged with the solution currently.
How are customer service and technical support?
OWASP is an open-source solution. There's a big community surrounding it; however, it does not have traditional technical support. The main support comes from the community itself. If you have questions, you can find answers there, or ask the community for feedback.
Which solution did I use previously and why did I switch?
We previously used the PortSwigger Burp Suite. It's a commercial version with support. We had to pay for the solution on a yearly basis, whereas OWASP is open-source and free.
How was the initial setup?
We found the initial setup to be very straightforward. It's easy. It's not complex. A company shouldn't have any issues with the implementation process.
The deployment only took half an hour. It wasn't more than that. The process is pretty fast.
You do not need a big team to handle the deployment process. We only used two.
What about the implementation team?
We deployed the solution ourselves using an in-house team. We didn't need the assistance of consultants or integrators from outside firms.
What's my experience with pricing, setup cost, and licensing?
The solution is open-source. It doesn't cost anything to use it.
What other advice do I have?
We are a customer and end-user of the product.
There's lots of information online for users who are curious to learn more about the product.
In general, I would rate this solution at an eight out of ten. We've been largely satisfied with the product overall.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Works at a computer software company with 1,001-5,000 employees
It makes work easier and creates faster security testing
Pros and Cons
- "It has improved my organization with faster security tests."
- "The port scanner is a little too slow."
What is our primary use case?
I tested this application for a bank and public projects. Now, I am testing products.
How has it helped my organization?
It has improved my organization with faster security tests.
What is most valuable?
- Automatic scanner: It makes work easier.
- I like the new solution, ZAP Browser Launch.
- Automation script
What needs improvement?
The port scanner and Zap could not send a request several times, but this has been corrected.
What other advice do I have?
It is a very good product. Though, the port scanner is a little too slow.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Note that this tool will not cover 100% of (comprehensive) security testing, but it will be beneficial for a basic level of security tests along with functional tests.