
OWASP Zap vs PortSwigger Burp Suite Professional comparison

Find out what your peers are saying about OWASP Zap vs. PortSwigger Burp Suite Professional and other solutions. Updated: January 2022.
564,599 professionals have used our research since 2012.
Quotes From Members
We asked business professionals to review the solutions they use.
Here are some excerpts of what they said:
Pros

OWASP Zap:
  • "Automatic scanning is a valuable feature and very easy to use."
  • "They offer free access to some other tools."
  • "Simple to use, good user interface."
  • "The interface is easy to use."
  • "Automatic updates and pull request analysis."
  • "The solution is good at reporting the vulnerabilities of the application."
  • "It has evolved over the years and recently in the last year they have added, HUD (Heads Up Display)."
  • "The stability of the solution is very good."

PortSwigger Burp Suite Professional:
  • "In my area of expertise, I feel like it has almost everything I could possibly require at this moment."
  • "The automated scan is what I find most useful because a lot of customers will need it. Not every domain will be looking for complete security, they just need a stamp on the security key. For these kinds of customers, the scan works really well."
  • "The most valuable feature is the application security. It also has a reasonable price."
  • "The reporting part is the most valuable. It also has very good features. We use almost all of the features for different kinds of customers and needs."
  • "The extension that it provides with the community version for the skills mapping is excellent."
  • "The solution has a great user interface."
  • "You can scan any number of applications and it updates its database."
  • "The active scanner, which does an automated search of any web vulnerabilities."

Cons

OWASP Zap:
  • "It would be ideal if I could try some pre-built deployment scenarios so that I don't have to worry about whether the configuration sector team is doing it right or wrong. That would be very helpful."
  • "Zap could improve by providing better reports for security and recommendations for the vulnerabilities."
  • "The documentation needs to be improved because I had to learn everything from watching YouTube videos."
  • "Too many false positives; test reports could be improved."
  • "It would be a great improvement if they could include a marketplace to add extra features to the tool."
  • "Reporting format has no output, is cluttered and very long."
  • "The forced browse has been incorporated into the program and it is resource-intensive."
  • "Deployment is somewhat complicated."

PortSwigger Burp Suite Professional:
  • "We wish that the Spider feature would appear in the same shape that it does in previous versions."
  • "The pricing of the solution is quite high."
  • "If we're running a huge number of scans regularly, it slows down the tool."
  • "A lot of our interns find it difficult to get used to PortSwigger Burp's environment."
  • "As with most automated security tools, too many false positives."
  • "The Burp Collaborator needs improvement. There also needs to be improved integration."
  • "There could be an improvement in the API security testing. There is another tool called Postman and if we had a built-in portal similar to Postman which captures the API, we would be able to generate the API traffic. Right now we need a Postman tool and the Burp Suite for performing API tests. It would be a huge benefit to be able to do it in a single UI."
  • "I am from Brazil. The currency exchange rate from a dollar to a Brazilian Real is quite steep. It is almost six to one. It would be good if it can be sold in the local currency, and its price is cheaper for us."

Pricing and Cost Advice

OWASP Zap:
  • "This is an open-source solution and can be used free of charge."
  • "This solution is open source and free."

PortSwigger Burp Suite Professional:
  • "There are different licenses available that include a free version."
  • "At $400 or $500 per license paid annually, it is a very cheap tool."
  • "PortSwigger is reasonably-priced. It's fair."
  • "It has a yearly license. I am satisfied with its price."
  • "We are using the community version, which is free."
  • "It is expensive for us in Brazil because the currency exchange rate from a dollar to a Brazilian Real is quite steep."
  • "The price for the solution is expensive and could be cheaper. We pay an annual license and our team has several of them."
  • "It's a lower priced tool that we can rely on with good standard mechanisms."

    Answers from the Community
    Anonymous User
    VishalDhamke
    Real User

    Yes, OWASP ZAP is a good option as it's open source, so always preferred, but Burp Suite Pro will give you more options; it's one of the best tools to have for pentesters, so defo worth it.

    Avinash-Kumar
    Real User

    First things first: both have their own merits. However, in my personal experience ZAP can replace your Burp Suite for sure, considering the license. Also, as the latest ZAP versions are covering more advanced techniques and spidering patterns with lots of options, it is worth considering ZAP. However, remember that with the latest versions of Burp Suite, with built-in Chromium and its emerging plugin support (installable JARs), you can use Burp to the fullest and you can keep it as a Swiss knife for your web and app pentesting. A couple of extensions in Burp Pro are interesting, especially the race condition one. I always prefer using Burp, and in some instances I go with ZAP.

    Questions from the Community
    Top Answer: 
    OWASP Zap and PortSwigger Burp Suite Pro have many similar features. OWASP Zap has web application scanning available with basic security vulnerabilities while Burp Suite Pro has it available with…
    Top Answer: 
    It has evolved over the years and recently in the last year they have added, HUD (Heads Up Display).
    Top Answer: 
    We use the solution for vulnerability assessment in respect of the application and the sites.
    Top Answer: 
    We wish that the Spider feature would appear in the same shape that it does in previous versions. I believe we have developmental tools such Accuratix. It would be nice if the report that was accepted…
    Ranking

    OWASP Zap:
      • Views: 31,876
      • Comparisons: 21,072
      • Reviews: 9
      • Average Words per Review: 471
      • Rating: 7.0

    PortSwigger Burp Suite Professional:
      • Views: 21,981
      • Comparisons: 18,295
      • Reviews: 21
      • Average Words per Review: 559
      • Rating: 8.4

    Also Known As
    PortSwigger Burp Suite Professional: Burp
    Overview

    Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool being maintained under the umbrella of the Open Web Application Security Project (OWASP). ZAP is designed specifically for testing web applications and is both flexible and extensible.

    Burp Suite Professional, by PortSwigger, is the world’s leading toolkit for web security testing. Over 52,000 users worldwide, across all industries and organization sizes, trust Burp Suite Professional to find more vulnerabilities, faster. With expertly-engineered manual and automated tooling, you're able to test smarter - not harder.

    PortSwigger is the web security company that is enabling the world to secure the web. Over 50,000 security engineers rely on our software and expertise to secure their world.

    Sample Customers
    OWASP Zap: Information Not Available
    PortSwigger Burp Suite Professional: Google, Amazon, NASA, FedEx, P&G, Salesforce
    Top Industries

    OWASP Zap, reviewers:
      • Computer Software Company: 27%
      • Financial Services Firm: 18%
      • Retailer: 9%
      • Manufacturing Company: 9%

    OWASP Zap, visitors reading reviews:
      • Computer Software Company: 30%
      • Comms Service Provider: 25%
      • Government: 6%
      • Financial Services Firm: 5%

    PortSwigger Burp Suite Professional, reviewers:
      • Manufacturing Company: 40%
      • Financial Services Firm: 33%
      • Insurance Company: 7%
      • University: 7%

    PortSwigger Burp Suite Professional, visitors reading reviews:
      • Computer Software Company: 29%
      • Comms Service Provider: 26%
      • Government: 7%
      • Media Company: 5%
    Company Size

    Reviewers:
      • Small Business: 18%
      • Midsize Enterprise: 32%
      • Large Enterprise: 50%

    Visitors reading reviews:
      • Small Business: 14%
      • Midsize Enterprise: 16%
      • Large Enterprise: 71%

    Reviewers:
      • Small Business: 21%
      • Midsize Enterprise: 21%
      • Large Enterprise: 58%

    OWASP Zap is ranked 6th in Application Security Testing (AST) with 9 reviews while PortSwigger Burp Suite Professional is ranked 3rd in Application Security Testing (AST) with 18 reviews. OWASP Zap is rated 7.0, while PortSwigger Burp Suite Professional is rated 8.4. The top reviewer of OWASP Zap writes "Great at reporting vulnerabilities, helps with security, and reveals development threats well". On the other hand, the top reviewer of PortSwigger Burp Suite Professional writes "Best for manual penetration testing, a great user interface, and offers good scanning capabilities". OWASP Zap is most compared with Veracode, Acunetix by Invicti, Qualys Web Application Scanning, Fortify WebInspect and Netsparker by Invicti, whereas PortSwigger Burp Suite Professional is most compared with Fortify WebInspect, Acunetix by Invicti, Tenable.io Web Application Scanning, HCL AppScan and Qualys Web Application Scanning.


    We monitor all Application Security Testing (AST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.