"Automatic scanning is a valuable feature and very easy to use."
"They offer free access to some other tools."
"Simple to use, good user interface."
"The interface is easy to use."
"Automatic updates and pull request analysis."
"The solution is good at reporting the vulnerabilities of the application."
"It has evolved over the years, and recently, in the last year, they have added HUD (Heads Up Display)."
"The stability of the solution is very good."
"In my area of expertise, I feel like it has almost everything I could possibly require at this moment."
"The automated scan is what I find most useful because a lot of customers will need it. Not every domain will be looking for complete security; they just need a stamp on the security key. For these kinds of customers, the scan works really well."
"The most valuable feature is the application security. It also has a reasonable price."
"The reporting part is the most valuable. It also has very good features. We use almost all of the features for different kinds of customers and needs."
"The extension that it provides with the community version for the skills mapping is excellent."
"The solution has a great user interface."
"You can scan any number of applications and it updates its database."
"The active scanner, which does an automated search of any web vulnerabilities."
"It would be ideal if I could try some pre-built deployment scenarios so that I don't have to worry about whether the configuration sector team is doing it right or wrong. That would be very helpful."
"Zap could improve by providing better reports for security and recommendations for the vulnerabilities."
"The documentation needs to be improved because I had to learn everything from watching YouTube videos."
"Too many false positives; test reports could be improved."
"It would be a great improvement if they could include a marketplace to add extra features to the tool."
"Reporting format has no output, is cluttered and very long."
"The forced browse has been incorporated into the program and it is resource-intensive."
"Deployment is somewhat complicated."
"We wish that the Spider feature would appear in the same shape that it does in previous versions."
"The pricing of the solution is quite high."
"If we're running a huge number of scans regularly, it slows down the tool."
"A lot of our interns find it difficult to get used to PortSwigger Burp's environment."
"As with most automated security tools, too many false positives."
"The Burp Collaborator needs improvement. There also needs to be improved integration."
"There could be an improvement in the API security testing. There is another tool called Postman and if we had a built-in portal similar to Postman which captures the API, we would be able to generate the API traffic. Right now we need a Postman tool and the Burp Suite for performing API tests. It would be a huge benefit to be able to do it in a single UI."
"I am from Brazil. The currency exchange rate from a dollar to a Brazilian Real is quite steep. It is almost six to one. It would be good if it can be sold in the local currency, and its price is cheaper for us."
Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool being maintained under the umbrella of the Open Web Application Security Project (OWASP). ZAP is designed specifically for testing web applications and is both flexible and extensible.
Burp Suite Professional, by PortSwigger, is the world’s leading toolkit for web security testing. Over 52,000 users worldwide, across all industries and organization sizes, trust Burp Suite Professional to find more vulnerabilities, faster. With expertly-engineered manual and automated tooling, you're able to test smarter - not harder.
PortSwigger is the web security company that is enabling the world to secure the web. Over 50,000 security engineers rely on our software and expertise to secure their world.
OWASP Zap is ranked 6th in Application Security Testing (AST) with 9 reviews while PortSwigger Burp Suite Professional is ranked 3rd in Application Security Testing (AST) with 18 reviews. OWASP Zap is rated 7.0, while PortSwigger Burp Suite Professional is rated 8.4. The top reviewer of OWASP Zap writes "Great at reporting vulnerabilities, helps with security, and reveals development threats well". On the other hand, the top reviewer of PortSwigger Burp Suite Professional writes "Best for manual penetration testing, a great user interface, and offers good scanning capabilities". OWASP Zap is most compared with Veracode, Acunetix by Invicti, Qualys Web Application Scanning, Fortify WebInspect and Netsparker by Invicti, whereas PortSwigger Burp Suite Professional is most compared with Fortify WebInspect, Acunetix by Invicti, Tenable.io Web Application Scanning, HCL AppScan and Qualys Web Application Scanning.
We monitor all Application Security Testing (AST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.