Try our new research platform with insights from 80,000+ expert users
OWASP Zap Logo

OWASP Zap pros and cons

Vendor: OWASP
3.8 out of 5
Leave a review

Pros & Cons summary

OWASP Zap offers ease of learning and powerful API functionality, supporting security with automatic scanning and pull request analysis. Its scalability suits internal audits. Cost-effective, it integrates with SonarQube and Portswigger Burp. Effective for smaller companies, its HUD improves on-site testing, though online documentation needs updates. Enhancements are required in reporting, cloud integration, and noise cancellation. Mobile testing support and proactive resources would bolster its features and reliability.

Buyer's Guide

Get pricing advice, tips, use cases and valuable features from real users of this product.
Get the report

Prominent pros & cons

PROS

OWASP Zap is recognized for its simplicity and ease of use, making it accessible for users of varying expertise.
Its API capabilities are exceptional, providing flexibility and integration options in different systems.
OWASP Zap offers effective vulnerability scanning and has matured in identifying security threats quickly and accurately.
The open-source nature of OWASP Zap allows for seamless integration with other tools and systems, which is advantageous for continuous integration environments.
It is highly valued for improving organizational security practices and enabling frequent and safer deployments of web applications.

CONS

Online documentation for OWASP Zap can be improved with updates to support all features and automation methods.
False positives and limited scope make its reporting and vulnerability assessments unreliable and cluttered.
A more robust SQL injection engine and integration with cloud-based CICD pipelines are lacking.
Lack of scalability, limited coverage of security flaws, and no alignment with CVSS scores impact performance.
The support team requires improvement in proactivity and technical assistance.
 

OWASP Zap Pros review quotes

SB
Saraswathi B
Test Automation Project Lead at a tech services company with 1,001-5,000 employees
Jul 22, 2016
Simple and easy to learn and master.
Read full review
it_user707190 - PeerSpot reviewer
it_user707190
Technologist at a tech services company
Jul 21, 2017
The API is exceptional.
Read full review
it_user719781 - PeerSpot reviewer
it_user719781
Works at a retailer with 1,001-5,000 employees
Aug 16, 2017
The vulnerabilities that it finds, because the primary goal is to secure applications and websites.
Read full review
Buyer's Guide
OWASP Zap
January 2026
Free Report: OWASP Zap Reviews and More
Learn what your peers think about OWASP Zap. Get advice and tips from experienced pros sharing their opinions. Updated: January 2026.
DOWNLOAD NOW
881,082 professionals have used our research since 2012.
KP
Krystian Przybyl
Works at a computer software company with 1,001-5,000 employees
Apr 11, 2018
​It has improved my organization with faster security tests.​
Read full review
it_user860865 - PeerSpot reviewer
it_user860865
Program Manager at a manufacturing company with 1,001-5,000 employees
Apr 22, 2018
It scans while you navigate, then you can save the requests performed and work with them later.
Read full review
AM
Anish Mishra
Team Lead at a tech services company with 51-200 employees
Apr 25, 2018
Fuzzer and Java APIs help a lot with our custom needs.
Read full review
RR
Associa299191
Security Testing Engineer at a tech services company with 1,001-5,000 employees
Jul 9, 2018
The community edition updates services regularly. They add new vulnerabilities into the scanning list.
Read full review
DA
Dittin A
Staff Scientist/Senior Tech. Officer at a tech vendor with 501-1,000 employees
Sep 9, 2018
It can be used effectively for internal auditing.
Read full review
VF
Vidar Folden
Consultant at Harald A. Møller AS
Feb 8, 2019
This solution has improved my organization because it has made us feel safer doing frequent deployments for web applications. If we have something really big, we might get some professional company in to help us but if we're releasing small products, we will check it ourselves with Zap. It makes it easier and safer.
Read full review
VN
Vijayanathan Naganathan
Director - Head of Delivery Services at Ticking Minds Technology Solutions Pvt Ltd
Jun 21, 2019
The OWASP's tool is free of cost, which gives it a great advantage, especially for smaller companies to make use of the tool.
Read full review
Show 10 more reviews (out of 40)
 

OWASP Zap Cons review quotes

SB
Saraswathi B
Test Automation Project Lead at a tech services company with 1,001-5,000 employees
Jul 22, 2016
Online documentation can be improved to utilize all features of ZAP and API methods to make use in automation.
Read full review
it_user707190 - PeerSpot reviewer
it_user707190
Technologist at a tech services company
Jul 21, 2017
The documentation is lacking and out-of-date, it really needs more love.
Read full review
it_user719781 - PeerSpot reviewer
it_user719781
Works at a retailer with 1,001-5,000 employees
Aug 16, 2017
It doesn't run on absolutely every operating system.
Read full review
Buyer's Guide
OWASP Zap
January 2026
Free Report: OWASP Zap Reviews and More
Learn what your peers think about OWASP Zap. Get advice and tips from experienced pros sharing their opinions. Updated: January 2026.
DOWNLOAD NOW
881,082 professionals have used our research since 2012.
KP
Krystian Przybyl
Works at a computer software company with 1,001-5,000 employees
Apr 11, 2018
The port scanner is a little too slow.​
Read full review
it_user860865 - PeerSpot reviewer
it_user860865
Program Manager at a manufacturing company with 1,001-5,000 employees
Apr 22, 2018
I would like to see a version of “repeater” within OWASP ZAP, a tool capable of sending from one to 1000 of the same requests, but with preselected modified fields, changing from a predetermined word ​list, or manually created.
Read full review
AM
Anish Mishra
Team Lead at a tech services company with 51-200 employees
Apr 25, 2018
It would be nice to have a solid SQL injection engine built into Zap.
Read full review
RR
Associa299191
Security Testing Engineer at a tech services company with 1,001-5,000 employees
Jul 9, 2018
As security evolves, we would like DevOps built into it. As of now, Zap does not provide this.
Read full review
DA
Dittin A
Staff Scientist/Senior Tech. Officer at a tech vendor with 501-1,000 employees
Sep 9, 2018
It needs more robust reporting tools.
Read full review
VF
Vidar Folden
Consultant at Harald A. Møller AS
Feb 8, 2019
If there was an easier to understand exactly what has been checked and what has not been checked, it would make this solution better. We have to trust that it has checked all known vulnerabilities but it's a bit hard to see after the scanning.
Read full review
VN
Vijayanathan Naganathan
Director - Head of Delivery Services at Ticking Minds Technology Solutions Pvt Ltd
Jun 21, 2019
There's very little documentation that comes with OWASP Zap.
Read full review
Show 10 more reviews (out of 40)

Product Categories

Product Categories
Static Application Security Testing (SAST)

Popular Comparisons

Popular Comparisons
SonarQube vs OWASP Zap Logo
SonarQube vs OWASP Zap
Snyk vs OWASP Zap Logo
Snyk vs OWASP Zap
GitLab vs OWASP Zap Logo
GitLab vs OWASP Zap
Checkmarx One vs OWASP Zap Logo
Checkmarx One vs OWASP Zap
Veracode vs OWASP Zap Logo
Veracode vs OWASP Zap
Coverity Static vs OWASP Zap Logo
Coverity Static vs OWASP Zap
OpenText Core Application Security vs OWASP Zap Logo
OpenText Core Application Security vs OWASP Zap
Acunetix vs OWASP Zap Logo
Acunetix vs OWASP Zap
PortSwigger Burp Suite Professional vs OWASP Zap Logo
PortSwigger Burp Suite Professional vs OWASP Zap
HCL AppScan vs OWASP Zap Logo
HCL AppScan vs OWASP Zap
GitGuardian Platform vs OWASP Zap Logo
GitGuardian Platform vs OWASP Zap
Qualys Web Application Scanning vs OWASP Zap Logo
Qualys Web Application Scanning vs OWASP Zap
Semgrep vs OWASP Zap Logo
Semgrep vs OWASP Zap
Invicti vs OWASP Zap Logo
Invicti vs OWASP Zap
Aikido Security vs OWASP Zap Logo
Aikido Security vs OWASP Zap
See all alternatives

Product Categories

Product Categories
Static Application Security Testing (SAST)

Popular Comparisons

Popular Comparisons
SonarQube vs OWASP Zap Logo
SonarQube vs OWASP Zap
Snyk vs OWASP Zap Logo
Snyk vs OWASP Zap
GitLab vs OWASP Zap Logo
GitLab vs OWASP Zap
Checkmarx One vs OWASP Zap Logo
Checkmarx One vs OWASP Zap
Veracode vs OWASP Zap Logo
Veracode vs OWASP Zap
Coverity Static vs OWASP Zap Logo
Coverity Static vs OWASP Zap
OpenText Core Application Security vs OWASP Zap Logo
OpenText Core Application Security vs OWASP Zap
Acunetix vs OWASP Zap Logo
Acunetix vs OWASP Zap
PortSwigger Burp Suite Professional vs OWASP Zap Logo
PortSwigger Burp Suite Professional vs OWASP Zap
HCL AppScan vs OWASP Zap Logo
HCL AppScan vs OWASP Zap
GitGuardian Platform vs OWASP Zap Logo
GitGuardian Platform vs OWASP Zap
Qualys Web Application Scanning vs OWASP Zap Logo
Qualys Web Application Scanning vs OWASP Zap
Semgrep vs OWASP Zap Logo
Semgrep vs OWASP Zap
Invicti vs OWASP Zap Logo
Invicti vs OWASP Zap
Aikido Security vs OWASP Zap Logo
Aikido Security vs OWASP Zap
See all alternatives
Related questions
  • 234
Is OWASP Zap better than PortSwigger Burp Suite Pro?
  • 30
What is the biggest difference between OWASP Zap and PortSwigger Burp?
  • 18
What is the biggest difference between OWASP Zap and Qualys?
  • 130
What Application Security Solution Do You Use That Is DevOps Friendly?
  • 14
Which is the most comprehensive open source Web Security Testing tool?
  • 39
What is the best Application Security Testing platform?
  • 16
When evaluating Application Security Testing, what aspect do you think is the most important to look for?
  • 38
SAST vs. DAST: Which is better for application security testing?
  • 30
What tools do you rely on for building a DevSecOps pipeline?
  • 56
What does the Log4j/Log4Shell vulnerability mean for your company?