The free, open-source Burp alternative — full proxy + scanner + automation framework, maintained by OWASP/Checkmarx.
Installation
Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.
Linux (deb)
sudo snap install zaproxy --classic
macOS (brew)
brew install --cask zap
Docker (headless)
docker run -t softwaresecurityproject/zap-stable zap-baseline.py -t https://target.com
Core commands
The handful of invocations you’ll actually run on 90% of engagements:
Quick baseline scan (CI-friendly)
docker run -t softwaresecurityproject/zap-stable zap-baseline.py -t https://target.com -r report.html
Full scan (active)
docker run -t softwaresecurityproject/zap-stable zap-full-scan.py -t https://target.com
API-only scan
docker run -t softwaresecurityproject/zap-stable zap-api-scan.py -t https://target.com/openapi.json -f openapi
Performance optimisation
What separates a junior who runs the default invocation from a practitioner who knows the knobs:
- Headless Docker is the right way to use ZAP in CI — GUI is slow.
- Increase JVM heap:
-Xmx2gin zap.sh. Default 512MB OOMs on large apps. - Spider Ajax mode covers SPA apps; pure spider misses React/Vue routing.
- Use ZAP’s
passive scan onlymode in production — generates no destructive payloads. - Custom scan policies: disable noisy rules (10038, 10063) for cleaner reports.
Common pitfalls
Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.
- False positive rate is HIGHER than Burp Pro out of the box. Tune scan policies before declaring findings.
- Some active rules send password-spray-like traffic. Always check with the client before running zap-full-scan.
- API key for ZAP API (
-config api.key=...) — without it, the API is unauthenticated and dangerous to expose.
Modern alternatives in 2026
The ecosystem moves fast. These are tools you should at least be aware of:
- Burp Pro — better UX, paid.
- Nuclei — for known CVE templates rather than fuzzing.
- w3af — older, abandoned-ish.
India context and engagement notes
For startups in India who can’t afford Burp Pro: ZAP + manual Burp Community is a viable kit. The OWASP brand carries weight in regulatory audits — ZAP output is accepted in DPDP impact assessments.
⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.
Custom team training + practitioner advisory
Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.