Try our new research platform with insights from 80,000+ expert users

OWASP Zap pros and cons

Vendor: OWASP

3.8 out of 5

41 reviews
88% willing to recommend

700 followers

Pros & Cons summary

OWASP Zap offers ease of learning and powerful API functionality, supporting security with automatic scanning and pull request analysis. Its scalability suits internal audits. Cost-effective, it integrates with SonarQube and Portswigger Burp. Effective for smaller companies, its HUD improves on-site testing, though online documentation needs updates. Enhancements are required in reporting, cloud integration, and noise cancellation. Mobile testing support and proactive resources would bolster its features and reliability.

Buyer's Guide

Get pricing advice, tips, use cases and valuable features from real users of this product.

Prominent pros & cons

PROS

OWASP Zap is recognized for its simplicity and ease of use, making it accessible for users of varying expertise.

Its API capabilities are exceptional, providing flexibility and integration options in different systems.

OWASP Zap offers effective vulnerability scanning and has matured in identifying security threats quickly and accurately.

The open-source nature of OWASP Zap allows for seamless integration with other tools and systems, which is advantageous for continuous integration environments.

It is highly valued for improving organizational security practices and enabling frequent and safer deployments of web applications.

CONS

Online documentation for OWASP Zap can be improved with updates to support all features and automation methods.

False positives and limited scope make its reporting and vulnerability assessments unreliable and cluttered.

A more robust SQL injection engine and integration with cloud-based CICD pipelines are lacking.

Lack of scalability, limited coverage of security flaws, and no alignment with CVSS scores impact performance.

The support team requires improvement in proactivity and technical assistance.

OWASP Zap Pros review quotes

VN

Vijayanathan Naganathan

Director - Head of Delivery Services at Ticking Minds Technology Solutions Pvt Ltd

Jun 21, 2019

The OWASP's tool is free of cost, which gives it a great advantage, especially for smaller companies to make use of the tool.

Read full review

BS

Balaji Senthiappan

Assistant Vice President at Hexaware Technologies Limited

Nov 12, 2020

The solution is good at reporting the vulnerabilities of the application.

Read full review

PN

Researcher in Cyber Security at Sekolah Tinggi Ilmu Statistik BPS

Mar 11, 2024

The best feature is the Zap HUD (Heads Up Display) because the customers can use the website normally. If we scan websites with automatic scanning, and the website has a web application firewall, it's very difficult.

Read full review

Free Report: OWASP Zap Reviews and More

Learn what your peers think about OWASP Zap. Get advice and tips from experienced pros sharing their opinions. Updated: May 2025.

851,604 professionals have used our research since 2012.

Works at a retailer with 1,001-5,000 employees

Aug 16, 2017

The vulnerabilities that it finds, because the primary goal is to secure applications and websites.

Read full review

AG

CEO at Virtual Security International

Aug 13, 2021

It has evolved over the years and recently in the last year they have added, HUD (Heads Up Display).

Read full review

VF

Consultant at Harald A. Møller AS

Feb 8, 2019

This solution has improved my organization because it has made us feel safer doing frequent deployments for web applications. If we have something really big, we might get some professional company in to help us but if we're releasing small products, we will check it ourselves with Zap. It makes it easier and safer.

Read full review

YK

Yudhistiro Kusumonegoro

Security Officer at UnDisclosed

May 4, 2023

Stability-wise, I rate the solution a nine out of ten. I think it's stable enough. I don't see any crashes within the application, so its stability is high.

Read full review

PS

Technical Specialist(DevOps) at a tech services company with 1,001-5,000 employees

Apr 6, 2021

Automatic scanning is a valuable feature and very easy to use.

Read full review

Associate at Tata Consultancy

Apr 25, 2022

Two features are valuable. The first one is that the scan gets completed really quickly, and the second one is that even though it searches in a limited scope, what it does in that limited scope is very good. When you use Zap for testing, you're only using it for specific aspects or you're only looking for certain things. It works very well in that limited scope.

Read full review

Program Manager at a manufacturing company with 1,001-5,000 employees

Apr 22, 2018

It scans while you navigate, then you can save the requests performed and work with them later.

Read full review

Show 10 more reviews (out of 40)

OWASP Zap Cons review quotes

VN

Vijayanathan Naganathan

Director - Head of Delivery Services at Ticking Minds Technology Solutions Pvt Ltd

Jun 21, 2019

There's very little documentation that comes with OWASP Zap.

Read full review

BS

Balaji Senthiappan

Assistant Vice President at Hexaware Technologies Limited

Nov 12, 2020

It would be ideal if I could try some pre-built deployment scenarios so that I don't have to worry about whether the configuration sector team is doing it right or wrong. That would be very helpful.

Read full review

PN

Researcher in Cyber Security at Sekolah Tinggi Ilmu Statistik BPS

Mar 11, 2024

It would be beneficial to enhance the algorithm to provide better summaries of automatic scanning results.

Read full review

Free Report: OWASP Zap Reviews and More

Learn what your peers think about OWASP Zap. Get advice and tips from experienced pros sharing their opinions. Updated: May 2025.

851,604 professionals have used our research since 2012.

Works at a retailer with 1,001-5,000 employees

Aug 16, 2017

It doesn't run on absolutely every operating system.

Read full review

AG

CEO at Virtual Security International

Aug 13, 2021

The forced browse has been incorporated into the program and it is resource-intensive.

Read full review

VF

Consultant at Harald A. Møller AS

Feb 8, 2019

If there was an easier to understand exactly what has been checked and what has not been checked, it would make this solution better. We have to trust that it has checked all known vulnerabilities but it's a bit hard to see after the scanning.

Read full review

YK

Yudhistiro Kusumonegoro

Security Officer at UnDisclosed

May 4, 2023

The solution is somewhat unreliable because after we get the finding, we have to manually verify each of its findings to see whether it's a false positive or a true finding, and it takes time.

Read full review

PS

Technical Specialist(DevOps) at a tech services company with 1,001-5,000 employees

Apr 6, 2021

Reporting format has no output, is cluttered and very long.

Read full review

Associate at Tata Consultancy

Apr 25, 2022

The work that it does in the limited scope is good, but the scope is very limited in terms of the scanning features. The number of things it tests or finds is limited. They need to make it a more of a mainstream tool that people can use, and they can even think about having it on a proprietary basis. They need to increase the coverage of the scan and the results that it finds. That has always been Zap's limitation. Zap is a very good tool for a beginner, but once you start moving up the ladder where you want further details and you want your scan to show more in-depth results, Zap falls short because its coverage falls short. It does not have the capacity to do more.

Read full review

Program Manager at a manufacturing company with 1,001-5,000 employees

Apr 22, 2018

I would like to see a version of “repeater” within OWASP ZAP, a tool capable of sending from one to 1000 of the same requests, but with preselected modified fields, changing from a predetermined word list, or manually created.

Read full review

Show 10 more reviews (out of 41)

Product Categories

Product Categories

Static Application Security Testing (SAST)

Popular Comparisons

Popular Comparisons

SonarQube Server (formerly SonarQube) vs OWASP Zap

GitLab vs OWASP Zap

Snyk vs OWASP Zap

Checkmarx One vs OWASP Zap

Veracode vs OWASP Zap

Coverity vs OWASP Zap

SonarQube Cloud (formerly SonarCloud) vs OWASP Zap

Fortify on Demand vs OWASP Zap

Acunetix vs OWASP Zap

HCL AppScan vs OWASP Zap

PortSwigger Burp Suite Professional vs OWASP Zap

Qualys Web Application Scanning vs OWASP Zap

Invicti vs OWASP Zap

Semgrep vs OWASP Zap

Kiuwan vs OWASP Zap

See all alternatives

Product Categories

Product Categories

Static Application Security Testing (SAST)

Popular Comparisons

Popular Comparisons

SonarQube Server (formerly SonarQube) vs OWASP Zap

GitLab vs OWASP Zap

Snyk vs OWASP Zap

Checkmarx One vs OWASP Zap

Veracode vs OWASP Zap

Coverity vs OWASP Zap

SonarQube Cloud (formerly SonarCloud) vs OWASP Zap

Fortify on Demand vs OWASP Zap

Acunetix vs OWASP Zap

HCL AppScan vs OWASP Zap

PortSwigger Burp Suite Professional vs OWASP Zap

Qualys Web Application Scanning vs OWASP Zap

Invicti vs OWASP Zap

Semgrep vs OWASP Zap

Kiuwan vs OWASP Zap

See all alternatives

Related questions

1,150

Is OWASP Zap better than PortSwigger Burp Suite Pro?

20

What is the biggest difference between OWASP Zap and PortSwigger Burp?

24

What is the biggest difference between OWASP Zap and Qualys?

14

What Application Security Solution Do You Use That Is DevOps Friendly?

57

Which is the most comprehensive open source Web Security Testing tool?

116

What is the best Application Security Testing platform?

8

When evaluating Application Security Testing, what aspect do you think is the most important to look for?

48

SAST vs. DAST: Which is better for application security testing?

65

What tools do you rely on for building a DevSecOps pipeline?

39

What does the Log4j/Log4Shell vulnerability mean for your company?