DASTOpen source · Apache-2.0
ZAP by Checkmarx
By Checkmarx
A free, widely used web application scanner that spent years as an OWASP flagship project before its core team left OWASP in 2023 and, after a brief Linux Foundation funding effort fell through, joined Checkmarx in September 2024 — the project is now branded ZAP by Checkmarx, though governance stays with the independent ZAP Core Team rather than Checkmarx itself.
Verified Source: 1
- Product type
- Software
- Deployment
- CLIOn-prem
- Organization size
- IndividualSMBMid-marketEnterprise
- Pricing tier
- Free
Capability checklist
DASTHow ZAP by Checkmarx measures up against the full Dynamic Application Security Testing taxonomy.
- Black-box scanning — supported
- Tests a running application from the outside, without access to source code.
- Authenticated scanning — supported
- Crawls and tests pages that require a logged-in session.
- API scanning — supported
- Tests REST and GraphQL APIs, not just traditional web pages.
- CI/CD scan automation — not supported
- Runs scans automatically as part of the build and deploy pipeline.
- Automated finding verification — not supported
- Confirms exploitability of findings to cut down false positives.
- OWASP Top 10 coverage — supported
- Tests for the industry-standard set of common web application vulnerability classes.
Alternatives
Other Dynamic Application Security Testing tools with overlapping capabilities, sized for similar teams.
Appears in stacks
Real-world stacks that include ZAP by Checkmarx.