We performed a comparison between OWASP Zap and Acunetix based on our users’ reviews in four categories. After reading all of the collected data, you can find our conclusion below.
Comparison Result: Based on the parameters we compared, OWASP Zap comes out ahead of Acunetix. Both products have valuable features and straightforward deployments, but our reviewers found Acunetix's pricing high, and some users consider it expensive, especially for small organizations.
"It's very user-friendly for the testing teams. It's very easy for them to understand things and to fix vulnerabilities."
"Acunetix has an awesome crawler. It gives a referral site map of near targets and also goes really deep to find all the inputs without issues. This was valuable because it helped me find some files or directories, like web admin panels without authentication, which were hidden."
"Our developers can run the attacks directly from their environments, desktops."
"The most important feature is that it's a web-based graphical user interface. That is a great addition. Also, the ability to schedule scans is great."
"The vulnerability scanning option for analyzing the security loopholes on the websites is the most valuable feature of this solution."
"Overall, it's a very good tool and a very good engine."
"Their technical support has been very active. If I have an issue, I can reach out to them and get an answer pretty quick."
"One of the features that I feel is groundbreaking, that I would like to see expanded on, is the IAST feature: The Interactive Application Security Testing module that gets loaded onto an application on a server, for more in-depth, granular findings. I think that is really neat. I haven't seen a lot of competitors doing that."
"The stability of the solution is very good."
"It updates repositories and libraries quickly."
"The HUD is a good feature that provides on-site testing and saves a lot of time."
"The product helps users to scan and fix vulnerabilities in the pipeline."
"The most valuable feature is scanning the URL to drill down all the different sites."
"The solution is scalable."
"Two features are valuable. The first one is that the scan gets completed really quickly, and the second one is that even though it searches in a limited scope, what it does in that limited scope is very good. When you use Zap for testing, you're only using it for specific aspects or you're only looking for certain things. It works very well in that limited scope."
"The application scanning feature is the most valuable feature."
"I had some issues with the JSON parameters where it found some strange vulnerabilities, but it didn't alert the person using it or me about these vulnerabilities, e.g., an error for SQL injection."
"There are some versions of the solution that are not as stable as others."
"The solution limits the number of scans. It would be much better if we could have unlimited scans."
"While we do have it integrated with other solutions, it could still offer more integrations."
"The solution's pricing could be better."
"We want to see how much bandwidth usage it consumes. When we monitor traffic we have issues with the consumption and throttling of the traffic."
"There's a clear need for a reduction in pricing to make the service more accessible."
"You can't actually change your password after you've set it unless you go back into the administration account and you change it there. Thus, if you're locked out and don't remember your password, that's a thing."
"The automated vulnerability assessments that the application performs need to be simplified as well as diversified."
"It would be nice to have a solid SQL injection engine built into Zap."
"Deployment is somewhat complicated."
"There isn't too much information about it online."
"There are too many false positives."
"Zap could improve by providing better reports for security and recommendations for the vulnerabilities."
"It would be ideal if I could try some pre-built deployment scenarios so that I don't have to worry about whether the configuration sector team is doing it right or wrong. That would be very helpful."
"If there was an easier way to understand exactly what has been checked and what has not been checked, it would make this solution better. We have to trust that it has checked all known vulnerabilities but it's a bit hard to see after the scanning."
Acunetix is ranked 11th in Application Security Testing (AST) with 26 reviews while OWASP Zap is ranked 8th in Application Security Testing (AST) with 37 reviews. Acunetix is rated 7.6, while OWASP Zap is rated 7.6. The top reviewer of Acunetix writes "Fantastic reporting features hindered by slow scanning". On the other hand, the top reviewer of OWASP Zap writes "Great for automating and testing and has tightened our security". Acunetix is most compared with Tenable.io Web Application Scanning, PortSwigger Burp Suite Professional, HCL AppScan, Fortify WebInspect and Veracode, whereas OWASP Zap is most compared with SonarQube, PortSwigger Burp Suite Professional, Qualys Web Application Scanning, Veracode and Checkmarx One.
We monitor all Application Security Testing (AST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.