GuardLabs

OWASP ZAP

Free · From $0/mo · Founded 2010 · self-hosted / desktop

Most popular free open-source DAST scanner — active/passive web scanning, intercepting proxy, CI/CD integration.

Free tier: fully free, open-source (Apache 2.0)

What it does well

  • Completely free and open-source under the Apache 2.0 license with no feature restrictions.
  • Extensive functionality through a large marketplace of free add-ons for various scanning needs.
  • Offers multiple operational modes, including a desktop GUI, daemon mode, and CI/CD automation.

Where it falls short

  • Self-hosted only, requiring users to manage installation, updates, and system resources themselves.
  • Can generate a high number of false positives without careful tuning and context configuration.
  • Lacks dedicated enterprise support; relies on community forums and documentation for help.

Tags: web-app, api, dast, open-source, free-tier, solo, small-team, self-hosted

Alternatives to OWASP ZAP

Template-driven fast scanner — community templates cover thousands of CVEs. Free CLI, paid managed cloud.

Nikto

free

Long-running open-source web server scanner — checks 6,700+ dangerous files and outdated software.

Burp Suite

freemium

Industry-standard pentest proxy — free Community for manual work, Pro $449/yr per user, Enterprise from $6,995/yr.

Online toolkit of 25+ pentest scanners (web, network, recon) — paid plans from $93/mo with unlimited scans.