OWASP Zap Valuable Features

NS
Cyber Security Engineer at a transportation company with 10,001+ employees

We like the functionality.

It's great that we can use it with PortSwigger Burp.

There is a good community surrounding the solution. 

The initial setup is easy.

It's stable and reliable.

The solution can scale.

AnkithKumar - PeerSpot reviewer
Application Security Consultant at a tech services company with 10,001+ employees

The most beneficial thing is that the solution is open-source, so there is no cost involved. It's useful for beginners who are looking to learn about penetration testing.

PN
Researcher in Cyber Security at Sekolah Tinggi Ilmu Statistik BPS

The best part for me is that OWASP Zap provides several features, and it's absolutely free because it's open source. Unlike commercial web scanners that have strict feature limits in their free versions, OWASP Zap is open source, and we can scan freely. We can fuzz and do the scanning indefinitely. 

The best feature is the Zap HUD (Heads Up Display) because the customers can use the website normally. If we scan websites with automatic scanning, and the website has a web application firewall, it's very difficult. 

The automatic scan will get blocked, or the IP will be blocked. But with the Zap HUD, we can manually explore the website without being blocked by the web application firewall.

Buyer's Guide
OWASP Zap
April 2024
Learn what your peers think about OWASP Zap. Get advice and tips from experienced pros sharing their opinions. Updated: April 2024.
768,246 professionals have used our research since 2012.
NathanNV - PeerSpot reviewer
Elite Global CISO at Scybers

It is a good solution. We get good feedback about the product from our clients. The product helps users to scan and fix vulnerabilities in the pipeline.

DD
Cloud Solutions Architect at TANGENT SOLUTIONS

The ZAP scan and code crawler are valuable features. It is automated in the DevOps pipeline. The scans are run automatically if a new project is set up and merged into the development branch. It makes our detection process easier. There are long-term benefits because we are not fixing it after we've developed. We are fixing it while we develop.

AG
CEO at Virtual Security International

It has evolved over the years, and recently, in the last year, they have added the HUD (Heads Up Display).

It comes up in your browser and you have control of the program while you are on the website, in your browser. Everything that you can do in the program, you can do from your browser on the fly. It is similar to a targeted attack. You can see what you are doing.

It's a Java program installed on your computer.

Gebran Hadchity - PeerSpot reviewer
Head Of Development at VALOORES

The report design is very useful. The explanation is very clear. It also provides additional solutions and plugins. The product discovers more vulnerabilities compared to other tools. It might have additional plugins and features for testing.

YK
Security Officer at UnDisclosed

I think the automation feature is the one I used the most in the tool. For the crawling and enumeration one and the feature, we can manipulate the insides of the response. So, we can manipulate web responses and use them to test a certain website's security.

JoelGeorge - PeerSpot reviewer
Associate at Tata Consultancy

Two features are valuable. The first one is that the scan gets completed really quickly, and the second one is that even though it searches in a limited scope, what it does in that limited scope is very good. When you use Zap for testing, you're only using it for specific aspects or you're only looking for certain things. It works very well in that limited scope.

Saurabh_Srivastava - PeerSpot reviewer
Manager, Quality Assurance at Managed Markets Insight & Technology, LLC

ZAP is easy to use. The automated scan is a powerful feature. You can simulate attacks with various parameters. ZAP integrates well with SonarQube.

EricIgbinosun - PeerSpot reviewer
Information Security Professional at AEDC

There's a way to set up jobs where you can get it to run all the processes against the target to avoid doing so manually. You can run it against multiple targets. 

It is easy to set up.

The solution is stable. 

BS
Assistant Vice President at Hexaware Technologies Limited

The solution is good at reporting the vulnerabilities of the application. 

It can help us with security, SQL injection vulnerability, known vulnerabilities, et cetera. Any kind of threat that we get in the development cycle is what we will look for. This solution helps us find them.

EA
President & Owner at Aydayev's Investment Business Group

The solution enables a person to add the certificate and check the queries, to see if there are any that are undefined. This way, a person can have a list of the types of queries and can trace them. 

VN
Director - Head of Delivery Services at Ticking Minds Technology Solutions Pvt Ltd

The OWASP's tool is free of cost, which gives it a great advantage, especially for smaller companies to make use of the tool and at the same time give a comprehensive report with great confidence to the client for helping them in their go-live decision. In terms of technical supremacy, I would put PortSwigger's Burp Suite ahead in terms of the ease with which I can retry the request with different combinations or conduct different attacks.

OA
Consultant with 1,001-5,000 employees

The most valuable feature is scanning the URL to drill down all the different sites and features embedded within the URL, like the crawler and the Spy Dream.

Rooshan Naeem - PeerSpot reviewer
Security Engineer at Eon Health

The application scanning feature is the most valuable feature. 

it_user719781 - PeerSpot reviewer
Works at a retailer with 1,001-5,000 employees

The vulnerabilities that it finds, because the primary goal is to secure applications and websites.

it_user860865 - PeerSpot reviewer
Program Manager at a manufacturing company with 1,001-5,000 employees
  • Interception of proxy traffic
  • Session comparisons
  • Port scanner
  • Fuzzing
  • Brute force
  • Cookie management
PS
Technical Specialist (DevOps) at a tech services company with 1,001-5,000 employees

The automatic scanning is a valuable feature and very easy. The major advantage to this solution is the privacy it offers. We are able to achieve our objectives to some extent, but only for non-business critical applications.

VG
CEO and Founder at Indicrypt Systems

The most valuable feature is the spidering because, being a security person, it is very important for me to know each and every section of that application, so we cannot afford to miss any single web page or any single link on a particular website. The spidering mechanism is very good.

AP
Security Consultant

Zap is an open-source and sophisticated product. It not only saves us money but also provides us with a good amount of information. In terms of testing and attack simulations, it's pretty good. It updates its repositories and libraries pretty quickly. 

VF
Consultant at Harald A. Møller AS

Automatic scanning after a manual walkthrough is the most valuable feature. 

RK
Business Analyst at Experion Technologies

The valuable features are that it's very simple to use and the user interface is very good, particularly for beginners so they can start the application easily. It's enough to refer to an online tutorial to be able to start using this application. It's not very complex.

AM
Team Lead at a tech services company with 51-200 employees

Fuzzer and Java APIs help a lot with our custom needs.

AC
Senior Manager at a marketing services firm with 10,001+ employees

The reporting is quite intuitive, which gives you a clear indication of what kind of vulnerability you have that you can drill down on to gather more information.

RT
Deputy Director of Information Security and Infrastructure at a financial services firm with 201-500 employees

The solution is very easy to use.

The initial setup is straightforward.

The solution is free due to the fact that it is open-source.

The stability of the solution is very good.

The product has a strong community surrounding it to help with issues and troubleshooting.

KP
Works at a computer software company with 1,001-5,000 employees
  • Automatic scanner: It makes work easier. 
  • I like the new solution, ZAP Browser Launch. 
  • Automation script
it_user707190 - PeerSpot reviewer
Technologist at a tech services company

The API is exceptional.

RS
Software Engineer at a computer software company with 201-500 employees

They offer free access to some other tools.

SK
Automation Engineer at a tech services company with 1,001-5,000 employees

The HUD, Heads Up Display, is a good feature. It provides on-site testing and saves a lot of time.

JT
Embedded Software Engineer at Y Soft

I would say that the automatic update is a very valuable feature because we are able to update our internal database. The pull request analysis is also very good.

SB
Test Automation Project Lead at a tech services company with 1,001-5,000 employees
  • Very good open source security tool supporting the top 10 vulnerabilities (Injections, Session Management, XSS, Authentication, Authorization, etc.).
  • Simple and easy to learn and master.
  • Good online product documentation.
  • Built-in features include: Intercepting proxy, Plug and Hack support, Automated scanning, Passive scan, Fuzzer, Traditional and Ajax Crawling and WebSocket support and so on.
  • Detailed reporting mechanism.
  • The tool has been translated into 25 different languages.
  • Can be executed through GUI, command line and also in Daemon mode with the help of REST API.
  • Very good API support for automating security tests.
  • Supports multiple platforms like Mac, Linux and Windows.
  • It's easy to create add-ons and extensions to scale up the features of the tool.
EricIgbinosun - PeerSpot reviewer
Information Security Professional at AEDC

The interface is easy to use.

RR
Security Testing Engineer at a tech services company with 1,001-5,000 employees

The community support that ZAP provides me. As an open source, it provides me flexibility and is convenient to use.
