
OWASP Zap vs PortSwigger Burp Suite Professional comparison

Find out what your peers are saying about OWASP Zap vs. PortSwigger Burp Suite Professional and other solutions. Updated: January 2022.
564,599 professionals have used our research since 2012.
Quotes From Members
We asked business professionals to review the solutions they use.
Here are some excerpts of what they said:
Pros
OWASP Zap:
  • "The interface is easy to use."
  • "The solution is good at reporting the vulnerabilities of the application."
  • "Simple to use, good user interface."
  • "The solution is scalable."
  • "They offer free access to some other tools."
  • "Automatic scanning is a valuable feature and very easy to use."
  • "The stability of the solution is very good."
  • "It has evolved over the years and recently in the last year they have added, HUD (Heads Up Display)."

PortSwigger Burp Suite Professional:
  • "I have found this solution has more plugins than other competitors which is a benefit. You are able to attach different plugins to the security scan to add features. For example, you can check to see if there are any payment systems that exist on a server, or username and password brute force analysis."
  • "The solution has a great user interface."
  • "The active scanner, which does an automated search of any web vulnerabilities."
  • "The most valuable feature is the application security. It also has a reasonable price."
  • "With the Extender Tab, if you know how to code then you can create a plugin and add it to Burp."
  • "The reporting part is the most valuable. It also has very good features. We use almost all of the features for different kinds of customers and needs."
  • "The feature that we have found most valuable is that it comes with pre-set configurations. They have a set of predefined options where you can pick one and start scanning. We also have the option of creating our own configurations, like how often do the applications need to be scanned."
  • "The most valuable features are Burp Intruder and Burp Scanner."

Cons
OWASP Zap:
  • "The documentation needs to be improved because I had to learn everything from watching YouTube videos."
  • "Too many false positives; test reports could be improved."
  • "The forced browse has been incorporated into the program and it is resource-intensive."
  • "It would be a great improvement if they could include a marketplace to add extra features to the tool."
  • "It would be ideal if I could try some pre-built deployment scenarios so that I don't have to worry about whether the configuration sector team is doing it right or wrong. That would be very helpful."
  • "Deployment is somewhat complicated."
  • "Reporting format has no output, is cluttered and very long."
  • "Zap could improve by providing better reports for security and recommendations for the vulnerabilities."

PortSwigger Burp Suite Professional:
  • "The use of system memory is an area that can be improved because it uses a lot."
  • "The reporting needs to be improved; it is very bad."
  • "There is not much automation in the tool."
  • "There needs to be better documentation provided. Currently, we need to buy books, or we need to review online some use cases from other professionals who have been using the solution to find out their experience. It is not easy to find out how to properly do a security assessment."
  • "As with most automated security tools, too many false positives."
  • "We wish that the Spider feature would appear in the same shape that it does in previous versions."
  • "One thing that is not up to the mark in PortSwigger is web application testing. I found some issues with its performance and reporting. They should work on these and give us a better outcome."
  • "One area that can be improved, when compared to alternative tools, is that they could provide different reporting options and in different formats like PDF or something like that."

Pricing and Cost Advice
OWASP Zap:
  • "This is an open-source solution and can be used free of charge."
  • "This solution is open source and free."

PortSwigger Burp Suite Professional:
  • "There are different licenses available that include a free version."
  • "At $400 or $500 per license paid annually, it is a very cheap tool."
  • "PortSwigger is reasonably-priced. It's fair."
  • "It has a yearly license. I am satisfied with its price."
  • "We are using the community version, which is free."
  • "It is expensive for us in Brazil because the currency exchange rate from a dollar to a Brazilian Real is quite steep."
  • "The price for the solution is expensive and could be cheaper. We pay an annual license and our team has several of them."
  • "It's a lower priced tool that we can rely on with good standard mechanisms."

    Answers from the Community
    VishalDhamke
    Real User

    Yes, OWASP ZAP is a good option as it's open source, so always preferred, but Burp Suite Pro will give you more options. It's one of the best tools to have for pentesters, so defo worth it.

    Avinash-Kumar
    Real User

    First things first: both have their own merits. However, in my personal experience ZAP can replace your Burp Suite for sure, considering the license. Also, as the latest ZAP versions are covering more advanced techniques and spidering patterns with lots of options, it is worth considering ZAP. However, remember that with Burp Suite's latest versions, with inbuilt Chromium and its emerging plugin support (installable JARs), you can use Burp to the fullest and keep it as a Swiss knife for your web and app pentesting. A couple of extensions in Burp Pro are interesting, especially the race condition one. I always prefer using Burp, and in some instances I go with ZAP.

    Questions from the Community
    Top Answer: OWASP Zap and PortSwigger Burp Suite Pro have many similar features. OWASP Zap has web application scanning available with basic security vulnerabilities while Burp Suite Pro has it available with…
    Top Answer: It has evolved over the years and recently in the last year they have added, HUD (Heads Up Display).
    Top Answer: We use the solution for vulnerability assessment in respect of the application and the sites.
    Top Answer: We wish that the Spider feature would appear in the same shape that it does in previous versions. I believe we have developmental tools such Accuratix. It would be nice if the report that was accepted…
    Ranking

    OWASP Zap:
      • Views: 31,876
      • Comparisons: 21,072
      • Reviews: 9
      • Average Words per Review: 471
      • Rating: 7.0

    PortSwigger Burp Suite Professional:
      • Views: 21,981
      • Comparisons: 18,295
      • Reviews: 21
      • Average Words per Review: 559
      • Rating: 8.4
    Also Known As
    PortSwigger Burp Suite Professional: Burp
    Overview

    Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool being maintained under the umbrella of the Open Web Application Security Project (OWASP). ZAP is designed specifically for testing web applications and is both flexible and extensible.

    Burp Suite Professional, by PortSwigger, is the world’s leading toolkit for web security testing. Over 52,000 users worldwide, across all industries and organization sizes, trust Burp Suite Professional to find more vulnerabilities, faster. With expertly-engineered manual and automated tooling, you're able to test smarter - not harder.

    PortSwigger is the web security company that is enabling the world to secure the web. Over 50,000 security engineers rely on our software and expertise to secure their world.

    Sample Customers
    OWASP Zap: Information Not Available
    PortSwigger Burp Suite Professional: Google, Amazon, NASA, FedEx, P&G, Salesforce
    Top Industries

    OWASP Zap, reviewers:
      • Computer Software Company: 27%
      • Financial Services Firm: 18%
      • Retailer: 9%
      • Manufacturing Company: 9%

    OWASP Zap, visitors reading reviews:
      • Computer Software Company: 30%
      • Comms Service Provider: 25%
      • Government: 6%
      • Financial Services Firm: 5%

    PortSwigger Burp Suite Professional, reviewers:
      • Manufacturing Company: 40%
      • Financial Services Firm: 33%
      • Insurance Company: 7%
      • University: 7%

    PortSwigger Burp Suite Professional, visitors reading reviews:
      • Computer Software Company: 29%
      • Comms Service Provider: 26%
      • Government: 7%
      • Media Company: 5%
    Company Size

    OWASP Zap, reviewers:
      • Small Business: 18%
      • Midsize Enterprise: 32%
      • Large Enterprise: 50%

    OWASP Zap, visitors reading reviews:
      • Small Business: 14%
      • Midsize Enterprise: 16%
      • Large Enterprise: 71%

    PortSwigger Burp Suite Professional, reviewers:
      • Small Business: 21%
      • Midsize Enterprise: 21%
      • Large Enterprise: 58%

    OWASP Zap is ranked 6th in Application Security Testing (AST) with 9 reviews while PortSwigger Burp Suite Professional is ranked 3rd in Application Security Testing (AST) with 19 reviews. OWASP Zap is rated 7.0, while PortSwigger Burp Suite Professional is rated 8.4. The top reviewer of OWASP Zap writes "Great at reporting vulnerabilities, helps with security, and reveals development threats well". On the other hand, the top reviewer of PortSwigger Burp Suite Professional writes "Best for manual penetration testing, a great user interface, and offers good scanning capabilities". OWASP Zap is most compared with Veracode, Acunetix by Invicti, Qualys Web Application Scanning, Fortify WebInspect and Netsparker by Invicti, whereas PortSwigger Burp Suite Professional is most compared with Fortify WebInspect, Acunetix by Invicti, Tenable.io Web Application Scanning, HCL AppScan and Qualys Web Application Scanning.


    We monitor all Application Security Testing (AST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.