We performed a comparison between OWASP Zap and Acunetix based on our users’ reviews in four categories. After reading all of the collected data, you can find our conclusion below.
Comparison Result: Based on the parameters we compared, OWASP Zap comes out ahead of Acunetix. Although both products have valuable features and have straightforward deployments, our reviewers found that Acunetix has high pricing, which is considered expensive by some users, especially for small organizations.
"Picks up weaknesses in our app setups."
"Their technical support has been very active. If I have an issue, I can reach out to them and get an answer pretty quick."
"Overall, it's a very good tool and a very good engine."
"Acunetix has an awesome crawler. It gives a referral site map of near targets and also goes really deep to find all the inputs without issues. This was valuable because it helped me find some files or directories, like web admin panels without authentication, which were hidden."
"It comes equipped with an internal applicator, which automatically identifies and addresses vulnerabilities within the program."
"We are able to create a report which shows the PCI DSS scoring and share it with the application teams. Then, they can correlate and see exactly what they need to fix, and why."
"The solution is highly stable."
"I haven't seen reporting of that level in any other tool."
"The solution is scalable."
"Simple to use, good user interface."
"The scalability of this product is very good."
"Two features are valuable. The first one is that the scan gets completed really quickly, and the second one is that even though it searches in a limited scope, what it does in that limited scope is very good. When you use Zap for testing, you're only using it for specific aspects or you're only looking for certain things. It works very well in that limited scope."
"The API is exceptional."
"It has evolved over the years and recently in the last year they have added, HUD (Heads Up Display)."
"The vulnerabilities that it finds, because the primary goal is to secure applications and websites."
"You can run it against multiple targets."
"Tools that would allow us to work more efficiently with the mobile environment, with Android and iOS."
"I had some issues with the JSON parameters where it found some strange vulnerabilities, but it didn't alert the person using it or me about these vulnerabilities, e.g., an error for SQL injection."
"The solution's pricing could be better."
"Acunetix needs to include agent analysis."
"When monitoring the traffic we always have issues with the bandwidth consumption and the throttling of traffic."
"The vulnerability identification speed should be improved."
"You can't actually change your password after you've set it unless you go back into the administration account and you change it there. Thus, if you're locked out and don't remember your password, that's a thing."
"Integration into other tools is very limited for Acunetix. While we're trying to incorporate a CI/CD process where we're integrating with JIRA and we're integrating with Jenkins and Chef, it becomes problematic. Other tools give you a high integration capability to connect into different solutions that you may already have, like JIRA."
"Online documentation can be improved to utilize all features of ZAP and API methods to make use in automation."
"ZAP's integration with cloud-based CICD pipelines could be better. The scan should run through the entire pipeline."
"I prefer Burp Suite to SWASP Zap because of the extensive coverage it offers."
"The port scanner is a little too slow."
"If there was an easier to understand exactly what has been checked and what has not been checked, it would make this solution better. We have to trust that it has checked all known vulnerabilities but it's a bit hard to see after the scanning."
"The reporting feature could be more descriptive."
"I'd like to see a kind of feature where we can just track what our last vulnerability was and how it has improved or not. More reports that can have some kind of base-lining, I think that would be a good feature too. I'm not sure whether it can be achieved and implement but I think that would really help."
"Reporting format has no output, is cluttered and very long."
Acunetix is ranked 11th in Application Security Testing (AST) with 26 reviews while OWASP Zap is ranked 8th in Application Security Testing (AST) with 37 reviews. Acunetix is rated 7.6, while OWASP Zap is rated 7.6. The top reviewer of Acunetix writes "Fantastic reporting features hindered by slow scanning ". On the other hand, the top reviewer of OWASP Zap writes "Great for automating and testing and has tightened our security ". Acunetix is most compared with Tenable.io Web Application Scanning, PortSwigger Burp Suite Professional, HCL AppScan, Fortify WebInspect and Veracode, whereas OWASP Zap is most compared with SonarQube, PortSwigger Burp Suite Professional, Qualys Web Application Scanning, Veracode and Checkmarx One. See our Acunetix vs. OWASP Zap report.
See our list of best Application Security Testing (AST) vendors.
We monitor all Application Security Testing (AST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.