Cyber Tool Stack
All tools
DASTOpen source · Apache-2.0

ZAP by Checkmarx

By Checkmarx

A free, widely used web application scanner that spent years as an OWASP flagship project before its core team left OWASP in 2023 and, after a brief Linux Foundation funding effort fell through, joined Checkmarx in September 2024 — the project is now branded ZAP by Checkmarx, though governance stays with the independent ZAP Core Team rather than Checkmarx itself.

Verified Source: 1

Product type
Software
Deployment
CLIOn-prem
Organization size
IndividualSMBMid-marketEnterprise
Pricing tier
Free

Capability checklist

DAST

How ZAP by Checkmarx measures up against the full Dynamic Application Security Testing taxonomy.

Black-box scanning — supported
Tests a running application from the outside, without access to source code.
Authenticated scanning — supported
Crawls and tests pages that require a logged-in session.
API scanning — supported
Tests REST and GraphQL APIs, not just traditional web pages.
CI/CD scan automation — not supported
Runs scans automatically as part of the build and deploy pipeline.
Automated finding verification — not supported
Confirms exploitability of findings to cut down false positives.
OWASP Top 10 coverage — supported
Tests for the industry-standard set of common web application vulnerability classes.

Alternatives

Other Dynamic Application Security Testing tools with overlapping capabilities, sized for similar teams.

Appears in stacks

Real-world stacks that include ZAP by Checkmarx.

Search Cyber Tool Stack

Jump to any tool, vendor, category, or glossary term.