Try our new research platform with insights from 80,000+ expert users
OWASP Zap Logo

OWASP Zap Reviews

Vendor: OWASP
3.8 out of 5
808 followers
Start review

What is OWASP Zap?

OWASP Zap is a free and open-source web application security scanner. 

Get the OWASP Zap Buyer's Guide and find out what your peers are saying about OWASP Zap, SonarQube Server (formerly SonarQube), GitLab and more!
OWASP Zap is the #11 ranked solution in AST tools. PeerSpot users give OWASP Zap an average rating of 7.6 out of 10. OWASP Zap is most commonly compared to SonarQube Server (formerly SonarQube): OWASP Zap vs SonarQube Server (formerly SonarQube). OWASP Zap is popular among the large enterprise segment, accounting for 60% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a computer software company, accounting for 18% of all views.
Buyer's Guide
OWASP Zap
April 2025
Get the report
Helped 849,475 peers since 2012

Featured OWASP Zap reviews

Read more reviews

OWASP Zap mindshare

As of April 2025, the mindshare of OWASP Zap in the Static Application Security Testing (SAST) category stands at 5.1%, down from 5.8% compared to the previous year, according to calculations based on PeerSpot user engagement data.
Static Application Security Testing (SAST)

PeerResearch reports based on OWASP Zap reviews

TypeTitleDate
CategoryStatic Application Security Testing (SAST)Apr 29, 2025Download
ProductReviews, tips, and advice from real usersApr 29, 2025Download
ComparisonOWASP Zap vs SonarQube Server (formerly SonarQube)Apr 29, 2025Download
ComparisonOWASP Zap vs VeracodeApr 29, 2025Download
ComparisonOWASP Zap vs Checkmarx OneApr 29, 2025Download
Suggested products
TitleRatingMindshareRecommending
SonarQube Server (formerly SonarQube)4.026.7%81%114 interviewsAdd to research
GitLab4.32.7%97%82 interviewsAdd to research
 
 
Key learnings from peers

Valuable Features

OWASP Zap offers valuable features including automated scanning, intercepting proxy, API support for security tests, detailed reporting, spidering, and Heads Up Display. It supports multiple platforms, provides language translation, and has a user-friendly interface. As open-source, it suits both novices and experienced users. Community backing enhances usability while add-on capabilities expand functionalities. Users benefit from automated DevOps integration. Reports offer precise remediation suggestions reducing noise. The cost-effectiveness benefits smaller companies significantly.
  • "OWASP Zap is straightforward to use. If someone doesn't have the budget for tools like Burp Suite, OWASP Zap is an excellent alternative."
  • "OWASP is quite matured in identifying the vulnerabilities."
  • "OWASP Zap is a good tool, one of my favorites for a long time, and I would recommend it."

Room for Improvement

OWASP Zap needs improvements in documentation, reporting, and user interface. Users find the reports lack customization and are cluttered. Integration with cloud-based pipelines and mobile application testing could be enhanced. Enhancements are needed to reduce false positives and increase automation capabilities. Improvement in technical support and increased integration options with other tools are desirable. Expanded vulnerability coverage, better resource management, and updates with new features are also sought by users.
  • "OWASP Zap could benefit from a noise cancellation feature like that of Burp Suite Professional, where AI helps reduce certain non-critical findings."
  • "OWASP should work on reducing false positives by using AI and ML algorithms. They should expand their capabilities for broader coverage of business logic flaws and complex issues."
  • "For scalability, I would rate OWASP Zap between four to five out of ten."

ROI

Users reported significant improvements in security measures, enhanced vulnerability detection, and increased overall protection. 

The tool was praised for its user-friendly interface, extensive features, and effectiveness in identifying potential threats. 

Users also highlighted the cost-effectiveness of OWASP Zap, as it provided robust security solutions without requiring substantial financial investments.

Pricing

OWASP Zap is widely regarded by users as a free and open-source solution offered under the Apache 2 license. Organizations appreciate its cost-effectiveness, especially for those uncertain about the extent of use, as it provides features comparable to commercial solutions without upfront costs. Although the tool is free, some mention indirect costs related to resources needed for setup. Enterprises often explore potential donations but find the free version valuable and recommend trying it.
  • "It is open source, and we can scan freely."
  • "The tool is open source."
  • "The tool is open-source."

Popular Use Cases

OWASP Zap is primarily employed for web application security testing, vulnerability assessment, and penetration testing. Users employ it for spidering, automated security checks, and vulnerability scanning of Java-based applications or websites. Organizations utilize the tool in their QA cycle, scanning for vulnerabilities and generating reports for management reviews. It's also integrated into DevOps pipelines for secure application development, ensuring applications are tested for security before deployment.

Service and Support

OWASP Zap's customer service and support primarily rely on strong community forums and thorough documentation. While some rate technical support highly, many have not used it, instead finding answers through online resources and community interaction. The maintainers are noted for their exceptional involvement in complex cases, although traditional support is absent. Many users appreciate the responsive community and helpful resources, though some prefer alternatives like PortSwigger for more structured technical support.

Deployment

Many users found OWASP Zap's initial setup to be simple and straightforward, particularly when used with Kali Linux. However, installing and configuring the API initially posed challenges for some. It was generally easy on both Windows and Linux, with good documentation simplifying the process. Some users required a bit more expertise for a seamless setup, but most installations were quick, often completed within an hour, requiring minimal technical resources.

Scalability

OWASP Zap exhibits varying degrees of scalability. Some find it flexible and capable of handling multiple targets simultaneously. Others note challenges with scaling, indicating it performs well with available computing resources but struggles when pushed to limits. It is appreciated for its extensibility through add-ons and documentation. Usage in small applications shows quick performance. Certain users express a need for improvements in scaling capabilities, while others actively plan to increase their utilization of its features.

Stability

OWASP Zap demonstrates considerable stability for many users, with reports of being reliable and without crashes. Some instances indicate the need for additional configurations or enhanced resources, particularly when handling large data loads. Occasionally, issues arise with performance lag or architectural errors, but generally, it's noted as stable. Users operating within different environments, such as Windows or Linux, experience varying performance, but satisfaction with stability remains high.
These insights are based on the in-depth reviews provided by peers to help you make a better buying decision.
Download our OWASP Zap Buyer's Guide for additional reliable information.

Review data by company size

By reviewers
By visitors reading reviews

Top industries

By visitors reading reviews
Computer Software Company
18%
Financial Services Firm
11%
Manufacturing Company
8%
Government
7%
University
7%
Retailer
5%
Educational Organization
5%
Healthcare Company
4%
Comms Service Provider
4%
Insurance Company
3%
Real Estate/Law Firm
3%
Construction Company
3%
Media Company
3%
Non Profit
3%
Outsourcing Company
2%
Wholesaler/Distributor
2%
Energy/Utilities Company
1%
Logistics Company
1%
Transportation Company
1%
Hospitality Company
1%
Legal Firm
1%
Consumer Goods Company
1%
Recreational Facilities/Services Company
1%
Performing Arts
1%
Pharma/Biotech Company
1%

Compare OWASP Zap with alternative products

Go!

Learn more about OWASP Zap

The solution helps developers identify vulnerabilities in their web applications by actively scanning for common security issues. 

With its user-friendly interface and powerful features, Zap is a popular choice among developers for ensuring the security of their web applications.

OWASP Zap customers

1. Google 2. Microsoft 3. IBM 4. Amazon 5. Facebook 6. Twitter 7. LinkedIn 8. Netflix 9. Adobe 10. PayPal 11. Salesforce 12. Cisco 13. Oracle 14. Intel 15. HP 16. Dell 17. VMware 18. Symantec 19. McAfee 20. Citrix 21. Red Hat 22. Juniper Networks 23. SAP 24. Accenture 25. Deloitte 26. Ernst & Young 27. PwC 28. KPMG 29. Capgemini 30. Infosys 31. Wipro 32. TCS

Related questions

  • 1,365
Is OWASP Zap better than PortSwigger Burp Suite Pro?
  • 21
What is the biggest difference between OWASP Zap and PortSwigger Burp?
  • 26
What is the biggest difference between OWASP Zap and Qualys?
  • 13
What Application Security Solution Do You Use That Is DevOps Friendly?
  • 65
Which is the most comprehensive open source Web Security Testing tool?
  • 131
What is the best Application Security Testing platform?
  • 7
When evaluating Application Security Testing, what aspect do you think is the most important to look for?
  • 55
SAST vs. DAST: Which is better for application security testing?
  • 67
What tools do you rely on for building a DevSecOps pipeline?
  • 38
What does the Log4j/Log4Shell vulnerability mean for your company?

Product Categories

Product Categories
Static Application Security Testing (SAST)

Popular Comparisons

Popular Comparisons
SonarQube Server (formerly SonarQube) vs OWASP Zap Logo
SonarQube Server (formerly SonarQube) vs OWASP Zap
GitLab vs OWASP Zap Logo
GitLab vs OWASP Zap
Checkmarx One vs OWASP Zap Logo
Checkmarx One vs OWASP Zap
Veracode vs OWASP Zap Logo
Veracode vs OWASP Zap
Coverity vs OWASP Zap Logo
Coverity vs OWASP Zap
SonarQube Cloud (formerly SonarCloud) vs OWASP Zap Logo
SonarQube Cloud (formerly SonarCloud) vs OWASP Zap
Fortify on Demand vs OWASP Zap Logo
Fortify on Demand vs OWASP Zap
Acunetix vs OWASP Zap Logo
Acunetix vs OWASP Zap
PortSwigger Burp Suite Professional vs OWASP Zap Logo
PortSwigger Burp Suite Professional vs OWASP Zap
HCL AppScan vs OWASP Zap Logo
HCL AppScan vs OWASP Zap
Qualys Web Application Scanning vs OWASP Zap Logo
Qualys Web Application Scanning vs OWASP Zap
Invicti vs OWASP Zap Logo
Invicti vs OWASP Zap
Semgrep vs OWASP Zap Logo
Semgrep vs OWASP Zap
Kiuwan vs OWASP Zap Logo
Kiuwan vs OWASP Zap
Rapid7 AppSpider vs OWASP Zap Logo
Rapid7 AppSpider vs OWASP Zap
See all alternatives
 

OWASP Zap reviews

Sort by:
Amit Beniwal - PeerSpot user
Project Manager at Al Hassan LLC
Verified user of OWASP Zap
Nov 26, 2024
Simplifies vulnerability discovery and has high quality support

Pros

"One valuable feature of OWASP Zap is that it is simple to use. "

Cons

"There are areas for improvement with OWASP Zap, particularly in the alignment of vulnerabilities concerning CVSS scores. "

What is our primary use case?

We use OWASP Zap primarily for discovering vulnerabilities in our web application security testing. We use one standalone deployment of this solution.

How has it helped my organization?

OWASP Zap has been good for reducing security incidents in our organization, doing very well with that.

*Disclosure: I am a real user, and this review is based on my own experience and opinions.
Read full review (436 words)
Prasant Pokarnaa - PeerSpot user
Delivery Head - DevOps at Datamato Technologies
Verified user of OWASP Zap
Feb 10, 2025
Effective vulnerability identification enhances security scans but AI-driven enhancements are needed

Pros

"OWASP is quite matured in identifying the vulnerabilities. "

Cons

"OWASP should work on reducing false positives by using AI and ML algorithms."

What is our primary use case?

OWASP is only meant for two or three different types of scans. It is a tool which will scan the code for security for vulnerabilities.

How has it helped my organization?

We were able to convince the customers to really remove those rules when GitLab was able to show the results. Customers should be aware that GitLab is not just a source controller or version control tool; it is more than that.

*Disclosure: I am a real user, and this review is based on my own experience and opinions.
Read full review (474 words)
Buyer's Guide
OWASP Zap
Download free report
Find out what your peers are saying about OWASP Zap. Updated April 2025
849,475 professionals have used our research since 2012.
JoelGeorge - PeerSpot user
Associate at Tata Consultancy
Verified user of OWASP Zap
Apr 26, 2022
Scans quickly and works very well, but has a limited scope and needs more comprehensive reporting

Pros

"Two features are valuable. The first one is that the scan gets completed really quickly, and the second one is that even though it searches in a limited scope, what it does in that limited scope is very good. When you use Zap for testing, you're only using it for specific aspects or you're only looking for certain things. It works very well in that limited scope."

Cons

"The work that it does in the limited scope is good, but the scope is very limited in terms of the scanning features. The number of things it tests or finds is limited. They need to make it a more of a mainstream tool that people can use, and they can even think about having it on a proprietary basis. They need to increase the coverage of the scan and the results that it finds. That has always been Zap's limitation. Zap is a very good tool for a beginner, but once you start moving up the ladder where you want further details and you want your scan to show more in-depth results, Zap falls short because its coverage falls short. It does not have the capacity to do more."

What is most valuable?

Two features are valuable. The first one is that the scan gets completed really quickly, and the second one is that even though it searches in a limited scope, what it does in that limited scope is very good. When you use Zap for testing, you're only using it for specific aspects or you're only looking for certain things. It works very well in that limited scope.

What needs improvement?

The work that it does in the limited scope is good, but the scope is very limited in terms of the scanning features. The number of things it tests or finds is limited. They need to make it a more of a mainstream tool that people can use, and they can even think about having it on a proprietary basis. They need to increase the coverage of the scan and the results that it finds. That has always been Zap's limitation. Zap is a very good tool for a beginner, but once you start moving up the ladder where you want further details and you want your scan to show more in-depth results, Zap falls short because its coverage falls short. It does not have the capacity to do more.

It should have more reporting options because the reporting options are currently only in HTML, XLS, and so on, but there is nothing in PDF or Word, which makes it a bit less user-friendly. It needs more comprehensive reporting. It already has a reporting system, but it is just not user-friendly.

*Disclosure: I am a real user, and this review is based on my own experience and opinions.
Read full review (618 words)
AnkithKumar - PeerSpot user
Application Security Consultant at a tech services company with 10,001+ employees
Verified user of OWASP Zap
Jul 11, 2022
Great for automating and testing and has tightened our security

Pros

"The solution has tightened our security."

Cons

"Lacks resources where users can internally access a learning module from the tool. "

What is our primary use case?

I use this solution to test applications; web applications, web APIs, and infrastructure. For the web APIs and applications, I use OWASP Zap for interpreting requests and responses, and to see how the application behaves to resist payloads. This is one of the basic applications for us to automate and test. We are customers of OWASP Zap and I'm an application security consultant.

How has it helped my organization?

The solution has tightened our security and that of our clients who depend on it. If you identify a weakness or a limitation in an application, and the tool identifies it, we can highlight it to the developer, who secures it and gives it back to us and we can test it back through the tool. 

*Disclosure: I am a real user, and this review is based on my own experience and opinions.
Read full review (468 words)
AG
CEO at Virtual Security International
Verified user of OWASP Zap
Aug 14, 2021
Open-source, easy to install, feature-rich, with good heads-up display and community resources

Pros

"It has evolved over the years and recently in the last year they have added, HUD (Heads Up Display)."

Cons

"The forced browse has been incorporated into the program and it is resource-intensive."

What is our primary use case?

I use this solution for penetration tests.

What is most valuable?

It has evolved over the years and recently in the last year they have added, HUD (Heads Up Display).

It comes up in your browser and you have control of the program while you are on the website, in your browser. Everything that you can do in the program, you can do from your browser on the fly. It is similar to a targeted attack. You can see what you are doing.

It's a Java program installed on your computer.

*Disclosure: I am a real user, and this review is based on my own experience and opinions.
Read full review (720 words)
PN
Researcher in Cyber Security at Sekolah Tinggi Ilmu Statistik BPS
Verified user of OWASP Zap
Apr 11, 2024
Offers automated scanning feature and spidering capabilities have improved our security testing

Pros

"The best feature is the Zap HUD (Heads Up Display) because the customers can use the website normally. If we scan websites with automatic scanning, and the website has a web application firewall, it's very difficult. "

Cons

"It would be beneficial to enhance the algorithm to provide better summaries of automatic scanning results."

What is our primary use case?

I use it for vulnerability scanning. It has automatic methods. It's great.

How has it helped my organization?

We integrate OWASP Zap into our other software development lifecycle processes for security.

I use OWASP Zap for vulnerability scanning. After that, I used OWASP Zap to try fuzzing. To fuzz some inputs that might have medium or high severity problems discovered during the vulnerability scanning.

OWASP Zap's spidering capabilities have improved our security testing. I would rate this capability an eight out of ten. The feature is very useful, but maybe the algorithm for discovery must be improved. It can generate many false positives. But the overall feature is good.

*Disclosure: I am a real user, and this review is based on my own experience and opinions.
Read full review (729 words)
BS
Assistant Vice President at Hexaware Technologies Limited
Verified user of OWASP Zap
Nov 12, 2020
Great at reporting vulnerabilities, helps with security, and reveals development threats well

Pros

"The solution is good at reporting the vulnerabilities of the application. "

Cons

"It would be ideal if I could try some pre-built deployment scenarios so that I don't have to worry about whether the configuration sector team is doing it right or wrong. That would be very helpful."

What is our primary use case?

Currently, we build our products for the banking industry and use this solution in that process.

From a development cycle, we update the SQL injections that basically shows what a developer may have to address. Then, if there is still a problem, we're concerned at the architect level. That's at least initially reported by the customers when they do another round of review after we deliver our code. 

What is most valuable?

The solution is good at reporting the vulnerabilities of the application. 

It can help us with security, SQL injection vulnerability, known vulnerabilities, et cetera. Any kind of a threat that we get in the development cycle, is what we will look for. This solution helps us find them.

*Disclosure: I am a real user, and this review is based on my own experience and opinions.
Read full review (762 words)
DD
Cloud Solutions Architect at TANGENT SOLUTIONS
Verified user of OWASP Zap
Mar 23, 2024
Enables to perform general health checks and ensure the sites are secure

Pros

"The ZAP scan and code crawler are valuable features."

Cons

"Sometimes, we get some false positives."

What is our primary use case?

I use the solution to follow the framework and help my developers develop apps securely from the ground up with the right practices in mind. As part of the DevOps process, we use the tool to scan and see if the web apps are vulnerable. We integrated the tool into our development life cycle for security testing in our DevOps pipeline. We use the tool to spider and test the website.

How has it helped my organization?

The solution helped identify attacks like Cross-site Scripting and SQL Injection. We can perform general health checks to see if the site is secure. If there are problems, they get fixed by the developers before they get to production.

*Disclosure: I am a real user, and this review is based on my own experience and opinions.
Read full review (513 words)