OWASP ZAP — Install, Use, Optimise (2026)

Manish Garg
Manish Garg Associate of (ISC)² · RingSafe
Apr 29, 2026
2 min read

The free, open-source Burp alternative — full proxy + scanner + automation framework, maintained by OWASP/Checkmarx.

Use case: Web ApplicationDifficulty: IntermediateHomepage: https://www.zaproxy.org

Installation

Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.

Linux (deb)

sudo snap install zaproxy --classic

macOS (brew)

brew install --cask zap

Docker (headless)

docker run -t softwaresecurityproject/zap-stable zap-baseline.py -t https://target.com

Core commands

The handful of invocations you’ll actually run on 90% of engagements:

Quick baseline scan (CI-friendly)

docker run -t softwaresecurityproject/zap-stable zap-baseline.py -t https://target.com -r report.html

Full scan (active)

docker run -t softwaresecurityproject/zap-stable zap-full-scan.py -t https://target.com

API-only scan

docker run -t softwaresecurityproject/zap-stable zap-api-scan.py -t https://target.com/openapi.json -f openapi

Performance optimisation

What separates a junior who runs the default invocation from a practitioner who knows the knobs:

  • Headless Docker is the right way to use ZAP in CI — GUI is slow.
  • Increase JVM heap: -Xmx2g in zap.sh. Default 512MB OOMs on large apps.
  • Spider Ajax mode covers SPA apps; pure spider misses React/Vue routing.
  • Use ZAP’s passive scan only mode in production — generates no destructive payloads.
  • Custom scan policies: disable noisy rules (10038, 10063) for cleaner reports.

Common pitfalls

Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.

  • False positive rate is HIGHER than Burp Pro out of the box. Tune scan policies before declaring findings.
  • Some active rules send password-spray-like traffic. Always check with the client before running zap-full-scan.
  • API key for ZAP API (-config api.key=...) — without it, the API is unauthenticated and dangerous to expose.

Modern alternatives in 2026

The ecosystem moves fast. These are tools you should at least be aware of:

  • Burp Pro — better UX, paid.
  • Nuclei — for known CVE templates rather than fuzzing.
  • w3af — older, abandoned-ish.

India context and engagement notes

For startups in India who can’t afford Burp Pro: ZAP + manual Burp Community is a viable kit. The OWASP brand carries weight in regulatory audits — ZAP output is accepted in DPDP impact assessments.


⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.

Want this for your team?

Custom team training + practitioner advisory

Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.

Book team training call Replies in 4 working hrs · India-only · Senior consultants