TL;DR: What is ZAP?
ZAP (formerly OWASP ZAP) is a free and open-source web application security scanner that has become a staple for security teams everywhere.
For developers and DevSecOps teams, ZAP is an essential tool for bringing security into the earliest stages of development—a true "shift-left" approach. By integrating it into your CI/CD pipeline, you can automatically find and remediate vulnerabilities during development, long before your code reaches production. This proactive strategy helps you reduce the cost and complexity of fixes without slowing down your release cycle, allowing your team to maintain agility while building robust, secure applications.
ZAP is an independent open‑source project, now branded “ZAP by Checkmarx.” The core team is employed by Checkmarx, and ZAP continues to be actively maintained with frequent stable and weekly (pre‑release) builds.
Common use cases
1. Automated Scanning in CI/CD Pipelines: You can integrate ZAP directly into your CI/CD pipelines to run automated security scans on every code change. This gives developers immediate feedback, helping you catch vulnerabilities early and enforce security gates before deployment—a cornerstone of a mature DevSecOps practice.
2. Manual Penetration Testing: Security professionals use ZAP as a powerful intercepting proxy and manual testing tool. Its features for manipulating requests, spidering, and active scanning provide the deep, hands-on control you need for comprehensive vulnerability assessments of complex applications.
3. Developer-Led Security Checks: You can empower your developers to run ZAP on their local machines to scan their code before they even commit it. This proactive approach allows them to find and fix basic security flaws themselves, improving overall code quality and reducing the workload on dedicated security teams.
4. API Vulnerability Assessment: Teams use ZAP to specifically target and test the security of RESTful and SOAP APIs. By importing API definitions, you can automate scans for common API vulnerabilities like broken authentication, injection flaws, and excessive data exposure.
5. Security Regression Testing: You can configure ZAP with scripts and context files to perform security regression tests. This ensures that previously fixed vulnerabilities don’t reappear in new releases and that your application's security posture remains strong over time.
How does ZAP work?
ZAP operates as a “man-in-the-middle” proxy, placing itself between your browser and the web application you’re testing. This position gives it the power to intercept, inspect, and even modify all HTTP/HTTPS traffic in real time.
Let's break down its process: ZAP starts by mapping your application's structure with automated crawling, then moves through distinct scanning phases to identify a wide range of security vulnerabilities before compiling everything into a detailed report.
Spidering and Crawling: First, ZAP uses its spider to automatically navigate your application, following every link to discover pages and resources. This process builds a comprehensive site tree that serves as the map for all further analysis.
Passive Scanning: As traffic flows through the proxy, ZAP non-intrusively inspects requests and responses. It looks for potential security weaknesses like missing security headers or information leakage, all without sending any active or malicious payloads.
Active Scanning: In this more aggressive phase, ZAP actively attacks the application. It sends a variety of malicious requests designed to probe for critical vulnerabilities such as SQL injection, cross-site scripting (XSS), and broken authentication, helping you find weaknesses before attackers do.
Core Capabilities
1. Active and Passive Scanning: ZAP gives you the best of both worlds with its dual scanning modes. Passive scanning non-intrusively monitors traffic to safely identify surface-level issues, while active scanning aggressively probes your application with known attack vectors to uncover deeper vulnerabilities. This combined approach delivers comprehensive coverage, making it a powerful scanner for any phase of testing.
2. Advanced Spidering for Modern Web Apps: To give you a complete map of your application's attack surface, ZAP includes a traditional spider for static HTML; an advanced AJAX Spider built for modern, JavaScript-heavy applications; and the newer Client Spider for client-rendered apps. This ensures that even complex single-page applications are fully explored, leaving no component untested.
3. Integrated Fuzzing Engine: ZAP’s built-in fuzzer helps you discover vulnerabilities tied to poor input validation by automatically sending huge volumes of unexpected and malformed data to your application's inputs. It comes with pre-configured payloads for common attacks like SQL injection and XSS, and you can also define custom payloads to run tailored tests against specific application logic.
4. Comprehensive API Security Testing: We know how critical APIs are to modern applications, and ZAP provides specialized features to secure them. It can import API definitions from formats like OpenAPI and GraphQL (via add‑on) to automatically discover and test RESTful and SOAP endpoints for common vulnerabilities, including authentication flaws, injection, and improper data exposure. This helps secure the backend services that power your web and mobile apps.
5. Powerful Automation and CI/CD Integration: One of ZAP's standout features is its incredible support for automation. Its comprehensive API allows you to script and integrate security testing directly into your CI/CD workflows, enabling your team to run automated penetration tests with every build. This is what a true "shift-left" security practice looks like – scalable, efficient, and embedded in your development lifecycle.
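The phases described under "How does ZAP work?" (spider, passive scan, active scan, alerts) are exactly what the automation API exposes, so they can be driven from a pipeline script. The following is an added example, not code from the ZAP project: a small client for ZAP's JSON API endpoints (`/JSON/<component>/<view|action>/<name>/`) that runs the phases in order and counts the resulting alerts by risk. `ZAP_URL` and `API_KEY` are placeholders for your own instance; `FakeZapApi` and its sample alerts are constructed so the script also runs offline.

```python
"""Walk ZAP's scan phases (spider, passive scan, active scan, alerts) over its REST API.

Added example, not ZAP project code. Assumes a ZAP instance listening on
ZAP_URL with the API key API_KEY; both values are placeholders for your setup.
"""
import json
import sys
import time
import urllib.parse
import urllib.request

ZAP_URL = "http://127.0.0.1:8080"  # assumption: ZAP desktop or daemon on its default port
API_KEY = "changeme"                # assumption: the key configured under ZAP's API options


class ZapApi:
    """Tiny JSON client: ZAP exposes /JSON/<component>/<view|action>/<name>/ endpoints."""

    def __init__(self, base_url=ZAP_URL, api_key=API_KEY):
        self.base_url = base_url.rstrip("/")
        self.api_key = api_key

    def call(self, component, kind, name, **params):
        params["apikey"] = self.api_key
        url = f"{self.base_url}/JSON/{component}/{kind}/{name}/?{urllib.parse.urlencode(params)}"
        with urllib.request.urlopen(url, timeout=30) as resp:  # local proxy, plain HTTP
            return json.load(resp)


class FakeZapApi:
    """Constructed stand-in so this file runs offline; replies mimic ZAP's JSON shapes."""

    def call(self, component, kind, name, **params):
        if kind == "action":               # spider/ascan start returns the new scan id
            return {"scan": "0"}
        if name == "status":               # spider/ascan progress, percent as a string
            return {"status": "100"}
        if name == "recordsToScan":        # passive-scan backlog
            return {"recordsToScan": "0"}
        if name == "alerts":               # constructed sample alerts (not a real scan)
            return {"alerts": [
                {"risk": "High", "confidence": "Medium", "name": "SQL Injection",
                 "url": "http://target.example/search?q=1", "param": "q"},
                {"risk": "Low", "confidence": "High", "name": "X-Content-Type-Options Header Missing",
                 "url": "http://target.example/", "param": "x-content-type-options"},
                {"risk": "Informational", "confidence": "Low", "name": "Suspicious Comments",
                 "url": "http://target.example/app.js", "param": ""},
            ]}
        raise ValueError(f"unexpected call {component}/{kind}/{name}")


def wait_until(poll, done, interval=2.0, timeout=900.0):
    """Poll until done(value) holds; return that value or raise TimeoutError."""
    deadline = time.monotonic() + timeout
    while True:
        value = poll()
        if done(value):
            return value
        if time.monotonic() > deadline:
            raise TimeoutError("ZAP phase did not finish in time")
        time.sleep(interval)


def run_phases(api, target, interval=2.0):
    """Spider -> let the passive scanner drain -> active scan -> return alerts for target."""
    sid = api.call("spider", "action", "scan", url=target)["scan"]
    wait_until(lambda: int(api.call("spider", "view", "status", scanId=sid)["status"]),
               lambda pct: pct >= 100, interval)
    # The passive scanner inspects every message the spider fetched; wait for its queue to empty
    wait_until(lambda: int(api.call("pscan", "view", "recordsToScan")["recordsToScan"]),
               lambda n: n == 0, interval)
    aid = api.call("ascan", "action", "scan", url=target)["scan"]
    wait_until(lambda: int(api.call("ascan", "view", "status", scanId=aid)["status"]),
               lambda pct: pct >= 100, interval)
    return api.call("core", "view", "alerts", baseurl=target)["alerts"]


def summarize(alerts):
    """Count alerts per risk level, using the level names ZAP's API returns."""
    counts = {"High": 0, "Medium": 0, "Low": 0, "Informational": 0}
    for alert in alerts:
        counts[alert["risk"]] = counts.get(alert["risk"], 0) + 1
    return counts


if __name__ == "__main__":
    # With a target URL on the command line, talk to the real ZAP; otherwise use the fake
    real = len(sys.argv) > 1
    api = ZapApi() if real else FakeZapApi()
    target = sys.argv[1] if real else "http://target.example"
    print(json.dumps(summarize(run_phases(api, target)), indent=2))
```

Only run the active-scan phase against applications you own or are authorised to test; the passive phase alone is safe for production traffic. Polling the status views is the reliable way to sequence the phases, since the spider and active scan actions return immediately with a scan id.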
Limitations
1. Steep Learning Curve for Advanced Features: While you can get basic scans up and running quickly, mastering ZAP’s more advanced capabilities – like scripting, context configuration, and authentication handling – requires a significant time investment. New users should be prepared to dive into tutorials to unlock the tool’s full potential for complex scenarios.
2. Potential for High False Positives: Like many automated scanners, ZAP can generate a high volume of false positives, especially when using its default policies. Your team will need to perform careful manual verification to distinguish actual vulnerabilities from benign findings, which can slow down remediation efforts if you don't have the expertise to triage alerts effectively.
3. Performance Intensive for Large Applications: A full active scan on a large, complex web application can be extremely resource-intensive. The process can consume considerable CPU and memory and may take a long time to complete, posing a challenge when you’re trying to integrate it into tight CI/CD pipeline schedules.
4. Complex Authentication and Session Management: Configuring ZAP to handle modern authentication mechanisms like OAuth, SAML, or MFA can be tricky. While it’s possible through extensive configuration and scripting, it’s not an out-of-the-box process and often requires deep knowledge of both ZAP and your application's authentication flow.
5. Limited Scope Beyond Web Applications: It's important to remember that ZAP is a highly specialized web application security scanner. It’s not designed to test other targets like thick-client applications, mobile app binaries (beyond their APIs), or network infrastructure. To achieve comprehensive security coverage, you’ll need to supplement ZAP with other specialized tools.
Getting Started:
Ready to get started with OWASP ZAP?
Step 1:
First, download the latest release for your platform from https://www.zaproxy.org/download/ and extract the archive. Make sure you have Java 8 or newer installed. To launch ZAP, just navigate to the extracted folder and run:
Linux/macOS:
./zap.sh
Windows:
zap.bat
Step 2:
Once ZAP starts, its GUI will open, and you can begin scanning your web applications. For detailed documentation, head over to https://www.zaproxy.org/docs/. If you're a Docker user, you can also run:
docker run -u zap -p 8080:8080 -i ghcr.io/zaproxy/zaproxy
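The Docker image above also packages ZAP's baseline scan script (`zap-baseline.py`), which spiders a target, runs the passive scanner and, with `-J`, writes a JSON report into the `/zap/wrk` mount. Turning that report into the pipeline security gate mentioned under "Common use cases" is the part teams usually write themselves. The following is an added example, not ZAP project code: it reads the traditional JSON report format (risk and confidence as digit strings), skips alerts ZAP marked as false positives, and fails the job when any alert at or above a chosen risk level remains. `SAMPLE_REPORT` is constructed and trimmed to the keys the gate uses; the threshold and `accepted_plugins` set are placeholders a team would tune.

```python
"""Fail a CI job on ZAP findings: read the JSON report zap-baseline.py writes with -J and
compare each alert against a risk threshold.

Added example, not ZAP project code. Report path, threshold and accepted plugin ids are
placeholders you would set per pipeline.
"""
import json
import os
import sys

# The traditional JSON report encodes risk and confidence as digit strings
RISK = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}
FALSE_POSITIVE = "0"  # confidence "0": the alert was marked a false positive inside ZAP

# Constructed sample in the shape of a zap-baseline.py -J report, trimmed to the keys used here
SAMPLE_REPORT = {
    "site": [{
        "@name": "http://target.example",
        "alerts": [
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "confidence": "3",
             "instances": [{"uri": "http://target.example/", "method": "GET"}]},
            {"pluginid": "40018", "alert": "SQL Injection",
             "riskcode": "3", "confidence": "2",
             "instances": [{"uri": "http://target.example/search?q=1", "method": "GET", "param": "q"}]},
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2",
             "instances": [{"uri": "http://target.example/", "method": "GET"}]},
            {"pluginid": "90022", "alert": "Application Error Disclosure",
             "riskcode": "2", "confidence": "0",  # marked false positive: must not block
             "instances": []},
        ],
    }],
}


def gate(report, fail_at="Medium", accepted_plugins=()):
    """Return (passed, counts, offenders).

    An alert blocks the build when its risk is at or above fail_at, ZAP did not flag it as a
    false positive, and its plugin id is not in the accepted (risk-accepted) set.
    """
    order = ["Informational", "Low", "Medium", "High"]
    threshold = order.index(fail_at)
    counts = {level: 0 for level in order}
    offenders = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            if alert.get("confidence") == FALSE_POSITIVE:
                continue
            level = RISK[alert["riskcode"]]
            counts[level] += 1
            if order.index(level) >= threshold and alert["pluginid"] not in accepted_plugins:
                offenders.append((level, alert["pluginid"], alert["alert"],
                                  len(alert.get("instances", []))))
    return not offenders, counts, offenders


def baseline_command(target, report_name="zap-report.json"):
    """argv for the packaged baseline scan (spider + passive scan), report written to the cwd mount."""
    return ["docker", "run", "--rm", "-u", "zap", "-v", f"{os.getcwd()}:/zap/wrk:rw",
            "ghcr.io/zaproxy/zaproxy", "zap-baseline.py", "-t", target, "-J", report_name]


if __name__ == "__main__":
    # Usage: python zap_gate.py zap-report.json   (no argument: gate the constructed sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    ok, counts, offenders = gate(report, fail_at="Medium")
    print("alerts by risk:", counts)
    for level, pid, name, n in offenders:
        print(f"BLOCKING {level:<13} {pid} {name} ({n} instance(s))")
    sys.exit(0 if ok else 1)
```

Gating on the report rather than on the scanner's own exit status keeps the policy in one reviewable place: a finding a team has consciously accepted goes into `accepted_plugins` with a ticket reference, while anything marked as a false positive in ZAP itself is already excluded.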
Alternatives
Feature | ZAP (formerly OWASP ZAP) | Burp Suite (Community/Professional) | Acunetix | Invicti (formerly Netsparker) |
---|---|---|---|---|
Primary Focus | Free and open-source DAST tool that empowers developers and security professionals to find web app vulnerabilities, backed by strong community support | Comprehensive platform for web security testing, offering both manual and automated capabilities; widely adopted by penetration testers and bug bounty hunters; commercial and free versions available | Commercial, automated web application security scanner known for speed, accuracy, and low false positives; designed for comprehensive vulnerability detection | Commercial DAST solution focused on automated, scalable, and accurate web application security testing, featuring unique Proof-Based Scanning™ to confirm vulnerabilities and reduce false positives; aimed at enterprise-level use |
Active/Passive Scanning | Supports both active (probing for vulnerabilities) and passive (traffic analysis, safe for production) scanning | Includes a powerful vulnerability scanner for active analysis; also functions as an intercepting proxy for passive observation and manual manipulation | Automated DAST with deep-scanning capabilities that actively probes for a wide range of vulnerabilities like SQL injection and XSS | Automated DAST with active scanning capabilities, including Proof-Based Scanning™ to exploit and confirm identified vulnerabilities, ensuring high accuracy |
Spidering | Features a traditional HTML spider, AJAX Spider, and Client Spider for comprehensive mapping of modern, JavaScript-rich web applications | Offers detailed site mapping and discovery capabilities to identify application structure and content | Employs a deep-scanning crawler that effectively navigates and maps complex modern web applications, including single-page applications (SPAs) and authenticated sections | Advanced crawling capabilities to discover all parts of web applications, including complex, authenticated, and JavaScript-heavy applications |
Fuzzing | Provides fuzzing capabilities with built-in and custom payloads to test input validation and error handling by injecting malformed data | Includes an 'Intruder' tool for automated customized attacks, which can be used for various fuzzing scenarios by injecting diverse payloads into requests | While primarily automated, it aims to uncover vulnerabilities related to input handling through its scanning engine, reducing the need for explicit fuzzing by the user for common attack vectors | Automatically identifies and exploits vulnerabilities related to input validation and error handling through its scanning process, including variations of malicious inputs without requiring manual fuzzing |
API Security Testing | Offers robust capabilities for testing the security of both REST and SOAP APIs, crucial for securing modern backend interfaces | Capable of testing APIs through its proxy and various tools (Repeater, Intruder) for manual and automated API vulnerability assessment | Supports scanning of REST and SOAP web services to identify vulnerabilities in API endpoints | Provides comprehensive security testing for REST and SOAP APIs, ensuring critical API endpoints are thoroughly scrutinized |
Automation & Integration | A powerful API enables extensive scripting and automation, making it ideal for integration into CI/CD pipelines for automated and repeatable security tests | Features an extensive API that allows for automation and integration into development workflows; the Professional edition offers more advanced integration options | Integrates with various development tools and issue tracking systems to streamline security testing within the software development life cycle (SDLC); offers automation capabilities | Designed for high automation and scalability, integrating with CI/CD pipelines and other security tools; features its own API for custom integrations and automating scans |