
ZAP by Checkmarx
Dynamic application security testing (DAST) software
Penetration testing tools
DevSecOps software
- Public sector and nonprofit organizations
- Arts, entertainment, and recreation
- Media and communications
What is ZAP by Checkmarx
ZAP (Zed Attack Proxy) is an open-source dynamic application security testing (DAST) and web application penetration testing tool used to find security issues in web applications and APIs. Security teams and developers use it for interactive testing via a proxy as well as automated scanning in CI/CD pipelines. It provides an intercepting proxy, active and passive scanners, and an extensible add-on marketplace, with options to run headless or in containers for automation.
Open-source and extensible
ZAP is open source and supports a large ecosystem of add-ons that extend scanners, authentication helpers, and reporting. Teams can tailor the tool to specific application stacks and testing workflows without being locked into a proprietary plugin model. The project also supports scripting to customize scans and test logic for complex applications.
Automation-friendly for CI/CD
ZAP supports headless execution and common automation patterns, including Docker images and a daemon mode suitable for pipelines. It offers APIs and packaged automation options (for example, baseline and full scan approaches) that make it practical to integrate into DevSecOps workflows. This helps teams run repeatable DAST checks alongside builds and deployments.
Strong interactive testing workflow
As an intercepting proxy, ZAP supports manual exploration, request/response inspection, and targeted testing during security reviews. Features such as spidering and active scanning help testers move from discovery to verification within the same tool. This makes it useful for both developer-led debugging and dedicated penetration testing activities.
Tuning required to reduce noise
DAST results often require configuration to fit an application’s authentication, session handling, and business logic. Without careful scope definition and scan policy tuning, ZAP can produce findings that need manual triage and validation. Teams typically invest time to calibrate rules, contexts, and exclusions for reliable pipeline use.
Limited for non-web targets
ZAP primarily focuses on web applications and HTTP(S)-based APIs. It is not designed as a general-purpose network vulnerability scanner or a comprehensive mobile application testing suite. Organizations with broader testing needs may require additional tools for other environments and protocols.
Enterprise governance features vary
Compared with many commercial platforms, ZAP’s built-in capabilities for centralized user management, role-based access control, and enterprise reporting workflows can be less turnkey. While integrations and add-ons exist, larger organizations may need to build supporting processes around it. This can increase operational effort for standardization across many teams.
Plan & Pricing
Pricing model: Open-source / permanently free.
Free tier/trial: ZAP is distributed under an open-source (Apache-2.0) license and is available to download and use at no cost. No paid tiers or pricing for "ZAP by Checkmarx" are listed on the vendor product page.
Notes: Checkmarx hosts a ZAP product page that describes ZAP as a free, open-source web application security scanner and links to the official download (zaproxy.org). Checkmarx also announced that the ZAP core team has joined Checkmarx to continue development while ZAP remains community-driven.
Seller details
ZAP (Zed Attack Proxy) Project (open-source; originally OWASP)
2010
Open Source
https://www.zaproxy.org/
https://x.com/zaproxy
https://www.linkedin.com/company/zaproxy/