ZAP by Checkmarx
@zaproxy.org
š¤ 1143
š„ 3
š 79
The Worlds Most Popular Web App Scanner.
Big announcement! We now recommend that you use the Client Spider for crawling modern web apps, instead of the AJAX Spider. More details in the blog post:
www.zaproxy.org/blog/2026-07...
#zaproxy
#appsec
loading . . .
Use the Client Spider for Modern Web Apps
We now recommend the Client Spider over the AJAX Spider for crawling modern web applications. It finds more endpoints, scales much better vs large apps, and unlocks PTKās passive coverage for free.
https://www.zaproxy.org/blog/2026-07-06-client-spider-now-recommended/
9 days ago
1
3
1
ZAP Blog: June Updates
www.zaproxy.org/blog/2026-07...
More PTK integration, lots of Client Spider improvements, and much more..
#zaproxy
#appsec
loading . . .
ZAP Updates - June 2026
In June the OWASP PTK add-on graduated to beta with its integration now properly matching ZAPās architecture, a security advisory was issued and patched for the Viewstate add-on, and the Client Spider...
https://www.zaproxy.org/blog/2026-07-01-zap-updates-june-2026/
14 days ago
0
5
4
Blog Post: Even More OWASP PTK Integration with ZAP. SAST and IAST passive scanning out of the box with the Client Spider, and the active rule is now enabled by default.
www.zaproxy.org/blog/2026-06...
#zaproxy
#owaspptk
#appsec
loading . . .
Even More OWASP PTK Integration with ZAP
The PTK add-on graduates to beta, the active scan rule is on by default, recommended rule defaults reduce noise by avoiding duplicate findings, and a new Engines tab gives you fine-grained control ove...
https://www.zaproxy.org/blog/2026-06-29-even-more-owasp-ptk-integration-with-zap/
16 days ago
1
4
1
An Insecure Java Deserialization vulnerability has been reported in a ZAP add-on via Neo by ProjectDiscovery. Update your ZAP add-ons now, and definitely update from older versions of ZAP. For more details see:
www.zaproxy.org/blog/2026-06...
loading . . .
Java Deserialization Vulnerability in ZAP Viewstate Add-on
A Java Deserialization Vulnerability has been found in the ZAP Viewstate Add-on. Update your ZAP add-ons now, and if you are on an older version of ZAP then update that ASAP.
https://www.zaproxy.org/blog/2026-06-24-java-deserialization-vulnerability-in-zap-viewstate-addon/
21 days ago
0
2
2
ZAP now has a dedicated PTK active scan rule, so you can run the PTK rules in the ZAP active scanner. Check out the dramatic improvement in the scores vs Google Firing Range!
www.zaproxy.org/blog/2026-06...
#zaproxy
#owaspptk
#appsec
loading . . .
Automating OWASP PTK with ZAP (Phase 2)
ZAP now has a dedicated PTK active scan rule, so you can run the PTK rules in the ZAP active scanner. And there are still more changes planned, but the results against Firing Range have been dramatic!
https://www.zaproxy.org/blog/2026-06-05-automating-owasp-ptk-with-zap-phase-2/
about 1 month ago
0
6
4
In May ZAP learned to scan MCP servers as a first-class target, OWASP PTK automation reached Phase 1, and the Params extension moved out of the core into its own add-on.
www.zaproxy.org/blog/2026-06...
#zaproxy
#appsec
loading . . .
ZAP Updates - May 2026
In May ZAP learned to scan MCP servers as a first-class target, OWASP PTK automation reached Phase 1, and the Params extension moved out of the core into its own add-on.
https://www.zaproxy.org/blog/2026-06-02-zap-updates-may-2026/
about 1 month ago
0
4
3
ZAP can now scan MCP Servers, in the Desktop, Automation Framework and in a new GitHub Action. Read all about it on the blog:
www.zaproxy.org/blog/2026-05...
#zaproxy
#appsec
#mcp
loading . . .
Scanning MCP Servers with ZAP
ZAP can now scan MCP (Model Context Protocol) servers as a first-class target. Import an MCP server from the ZAP desktop or the Automation Framework, or run the new action-mcp-scan GitHub Action to sc...
https://www.zaproxy.org/blog/2026-05-21-scanning-mcp-servers-with-zap/
about 2 months ago
0
2
1
Blog: Automating OWASP PTK with ZAP (Phase 1) You can now automate OWASP pentestkit using ZAP
www.zaproxy.org/blog/2026-05...
#zaproxy
#owasp-ptk
#appsec
loading . . .
Automating OWASP PTK with ZAP (Phase 1)
ZAPās Automation Framework can now drive OWASP PTK scans using the Client Spider. This is an early release - we want you to try it and give us feedback while we work toward deeper integration with ZAP...
https://www.zaproxy.org/blog/2026-05-06-automating-owasp-ptk-with-zap-phase-1/
2 months ago
0
7
4
Blog: Vibe coding security fixes.
www.zaproxy.org/blog/2026-04...
Learn how ZAP can help you make your vibe coded projects more secure.
#zaproxy
#vibecoding
#appsec
loading . . .
Vibe Coding Security Fixes
ZAP now has a āGenerate Fix Promptā option that copies everything an LLM needs to fix a vulnerability straight to your clipboard. Also: ZAP was run 9.5 million times in March. Vibe coding, anyone?
https://www.zaproxy.org/blog/2026-04-15-vibe-coding-security-fixes/
3 months ago
1
3
1
Guest Blog:
www.zaproxy.org/blog/2026-04...
Learn how to integrate ZAP with KRO in a Kubernetes cluster to scan the security of each new deployment. ā Trevor Mountney
#zaproxy
#kubernetes
#appsec
loading . . .
Use ZAP with KRO in Kubernetes
Learn how to integrate ZAP with KRO in a Kubernetes cluster to scan the security of each new deployment.
https://www.zaproxy.org/blog/2026-04-13-use-zap-with-kro-in-kubernetes/
3 months ago
0
1
1
Blog: ZAP Updates for March:
www.zaproxy.org/blog/2026-04...
ZAP was started 9.5 MILLION times .. and we announced significant collaborations with other open source projects
#zaproxy
#appsec
loading . . .
ZAP Updates - March 2026
ZAP was started nearly 9.5 million times in March, published integrations with 3 other open source projects, and released the first of many AI related features.
https://www.zaproxy.org/blog/2026-04-03-zap-updates-march-2026/
3 months ago
0
2
1
Introducing the ZAP MCP Server
www.zaproxy.org/blog/2026-04...
#zaproxy
#mcp
#ai
#appsec
loading . . .
The ZAP MCP Server
Connect AI assistants like Claude and ChatGPT to ZAP via the Model Context Protocol. Start scans, read alerts, and explore your applicationāall through natural conversation.
https://www.zaproxy.org/blog/2026-04-02-zap-mcp-server/
3 months ago
0
3
0
This is huge!
www.zaproxy.org/blog/2026-04...
OWASP PTK massively increases ZAPās browser side testing capabilities .. and automation is up next! Many thanks to Denis Podgurskii for this great integration.
#zaproxy
#owasp
#appsec
loading . . .
OWASP PTK Findings as ZAP Alerts (Juice Shop Walkthrough)
OWASP PTK 9.8.0 and the ZAP OWASP PTK add-on 0.3.0 now let ZAP display OWASP PTK findings directly as ZAP Alerts. This post shows how to install the add-on, choose which PTK rules to run (SAST / IAST ...
https://www.zaproxy.org/blog/2026-04-01-owasp-ptk-findings-to-zap-alerts/
3 months ago
0
6
2
New ZAP Blog Post:
www.zaproxy.org/blog/2026-03...
This post describes an approach that uses static analysis findings to guide ZAPās active scans toward the most relevant endpoints. The result is a faster scanning mode suited for CI/CD pipelines. Thanks to the Seqra Team!
#zaproxy
#appsec
loading . . .
Guided ZAP Scans: Faster CI/CD Feedback Using Static Analysis
This post describes an approach that uses static analysis findings to guide ZAPās active scans toward the most relevant endpoints. The result is a faster scanning mode suited for CI/CD pipelines, buil...
https://www.zaproxy.org/blog/2026-03-27-guided-zap-scans-faster-cicd-feedback-using-sast/
4 months ago
0
3
0
New ZAP Blog Post: Introducing DeepViolet: The Engine Behind ZAPās New TLS Analysis
www.zaproxy.org/blog/2026-03...
Thanks to Milton Smith
#zaproxy
#deepviolet
#appsec
loading . . .
Introducing DeepViolet
Introducing DeepViolet: The Engine Behind ZAPās New TLS Analysis
https://www.zaproxy.org/blog/2026-03-19-introducing-deepviolet/
4 months ago
0
7
4
New blog post: ZAP Updates - February 2026
www.zaproxy.org/blog/2026-03...
#zaproxy
#appsec
loading . . .
ZAP Updates - February 2026
February was another busy month for the ZAP project, with improvements across browser automation, GraphQL and the Encode/Decode/Hash add-on.
https://www.zaproxy.org/blog/2026-03-02-zap-updates-february-2026/
4 months ago
0
2
1
Do you need even more control over the browsers that you can launch from ZAP? Youāve got it!
www.zaproxy.org/blog/2026-02...
#zaproxy
#appsec
loading . . .
Custom Browsers and Preferences
You can now add custom browsers to ZAP and manage any browser preferences.
https://www.zaproxy.org/blog/2026-02-24-custom-browsers-and-preferences/
5 months ago
0
2
0
Combine the Encode/Decode/Hash add-on with CyberChef operations in ZAP Encode/Decode Scripts for flexible encoding, decoding, and hashing in your testing workflow.
www.zaproxy.org/blog/2026-02...
#zaproxy
#appsec
#cyberchef
loading . . .
Using ZAP's Encode/Decode/Hash Add-on with CyberChef via Encode/Decode Scripts
Combine the Encode/Decode/Hash add-on with CyberChef operations in ZAP Encode/Decode Scripts for flexible encoding, decoding, and hashing in your testing workflow.
https://www.zaproxy.org/blog/2026-02-17-encoder-cyberchef-via-scripts/
5 months ago
0
4
3
New Blog Post: Detecting Circular Type References in GraphQL Schemas
www.zaproxy.org/blog/2026-02...
#zaproxy
#appsec
#graphql
loading . . .
Detecting Circular Type References in GraphQL Schemas
ZAP can now detect cycles in GraphQL schemas that could lead to denial of service attacks.
https://www.zaproxy.org/blog/2026-02-06-detecting-graphql-cycles/
5 months ago
0
4
1
New blog post:
www.zaproxy.org/blog/2026-02...
Highlights of 2025 and our initial plans for 2026, including more 3rd Party tool integrations, enhanced exploring and, yes, AI integration!
#zaproxy
#appsec
#ai
loading . . .
ZAP Updates - 2025 Highlights and Plans for 2026
Highlights of 2025 and our initial plans for 2026, including more 3rd Party tool integrations, enhanced exploring and, yes, AI integration!
https://www.zaproxy.org/blog/2026-02-02-zap-updates-2025-highlights-2026-plans/
5 months ago
0
4
3
www.zaproxy.org/blog/2026-01...
#zaproxy
#owasp
#appsec
loading . . .
OWASP PTK Integration with ZAP
OWASP PTK is now pre-installed in the browsers launched by ZAP (Chrome, Edge and Firefox). This post shows how to run PTKās DAST, IAST, SAST, and SCA inside the same authenticated session youāre testi...
https://www.zaproxy.org/blog/2026-01-19-owasp-ptk-add-on/
6 months ago
0
5
4
New āGetting Further with ZAP Scriptingā pages:
www.zaproxy.org/docs/getting...
Looking for something more? Let
@psiinon.bsky.social
know!
loading . . .
ZAP ā Getting Further with ZAP Scripting
The worldās most widely used web app scanner. Free and open source. ZAP is a community project actively maintained by a dedicated international team, and a GitHub Top 1000 project.
https://www.zaproxy.org/docs/getting-further/scripting/
6 months ago
0
2
1
ZAP 2.17.0 is now available! It includes performance improvements, a significant reduction in āduplicateā alerts reported, and new Insights which give you key information about scans.
www.zaproxy.org/blog/2025-12...
#zaproxy
#appsec
loading . . .
ZAP 2.17.0
ZAP 2.17.0 has just been released. The release includes core performance improvements and will significantly reduce the number of āduplicateā alerts reported.
https://www.zaproxy.org/blog/2025-12-15-zap-2-17-0/
7 months ago
0
5
2
New blog post:
#React2Shell
Detection with ZAP
www.zaproxy.org/blog/2025-12...
#zaproxy
#appsec
loading . . .
React2Shell Detection with ZAP
React2Shell is the latest big ānamedā vulnerability - heres how you can detect it with ZAP.
https://www.zaproxy.org/blog/2025-12-05-react2shell-detection-with-zap/
7 months ago
0
8
4
The latest version of the retirejs add-on includes a test for CVE-2025-66478 which is marked as "critical" so update now to detect this vulnerability.
7 months ago
0
4
2
ZAP Updates for November 2025:
www.zaproxy.org/blog/2025-12...
2.17.0 is coming soon, along with Insights and fixes for some issues that caused ZAP to log 50 million errors in one day!
#zaproxy
#appsec
loading . . .
ZAP Updates - November 2025
2.17.0 is coming soon, along with Insights and fixes for some issues that caused ZAP to log 50 million errors in one day!
https://www.zaproxy.org/blog/2025-12-03-zap-updates-november-2025/
7 months ago
0
2
1
New ZAP blog post - read how Telmon Maluleka is enhancing ZAP with AI for Bug Bounty Hunting
www.zaproxy.org/blog/2025-11...
loading . . .
Enhancing ZAP with AI for Bug Bounty Hunting
Building an intelligent security testing system that leverages ZAPās automation capabilities and machine learning to improve vulnerability detection
https://www.zaproxy.org/blog/2025-11-28-enhancing-zap-with-ai-for-bug-bounty-hunting/
8 months ago
0
3
1
ZAP logged 50 MILLION errors yesterday š® Read the blog for more details!
www.zaproxy.org/blog/2025-11...
#zaproxy
#appsec
loading . . .
50 Million Errors in One Day?!
ZAP logged a LOT of errors yesterday - heres why, and what we have already done to address the underlying problems
https://www.zaproxy.org/blog/2025-11-25-50-million-errors-in-one-day/
8 months ago
0
6
1
Todayās weekly is the 2.17 Release Candidate!
github.com/zaproxy/zapr...
Feedback appreciated
loading . . .
Release w2025-11-24 Ā· zaproxy/zaproxy
File Checksum (SHA-256) ZAP_WEEKLY_D-2025-11-24.zip 6a0bab4207bdd498c24fd0edc6eddfa0789cf80510a8290ba3481d573458ccf2
https://github.com/zaproxy/zaproxy/releases/tag/w2025-11-24
8 months ago
0
2
2
The ZAP services may well be unavailable due to the ongoing Cloudflare problems. See
www.cloudflarestatus.com
for more information.
loading . . .
Cloudflare Status
Welcome to Cloudflare's home for real-time and historical data on system performance.
https://www.cloudflarestatus.com/
8 months ago
0
2
1
ZAP Updates for October:
www.zaproxy.org/blog/2025-11...
#zaproxy
#appsec
loading . . .
ZAP Updates - October 2025
Systemic alerts, check for updates bug, auth improvements, project pulse, etc See what the ZAP team has been up to.
https://www.zaproxy.org/blog/2025-11-06-zap-updates-october-2025/
8 months ago
0
4
1
We have just published a new ZAP weekly release, to fix a bug which could cause invalid JSON reports to be generated. If you are using the most recent weekly we recommend you update ASAP.
9 months ago
0
1
1
Sorry, we messed up! A new scan rule triggered the ZAP Check for Updates call even if you used the "silent" mode. For more details see
www.zaproxy.org/blog/2025-10...
loading . . .
SHH! ZAP Was Not So Silent
A new ZAP scan rule unintentionally caused a Check for Updates call even when āsilentā mode was used.
https://www.zaproxy.org/blog/2025-10-21-zap-was-not-so-silent/
9 months ago
0
3
2
ZAP Blog: How to solve the Caido Labs using ZAP
www.zaproxy.org/blog/2025-10...
c/o 5ubterranean_
loading . . .
Solving Caido Labs
In this blog we show how to solve Caido labs using ZAP.
https://www.zaproxy.org/blog/2025-10-15-solving-caido-labs/
9 months ago
0
1
1
ZAP updates for September:
www.zaproxy.org/blog/2025-10...
#zaproxy
#appsec
loading . . .
ZAP Updates - September 2025
Configuring scan policies with alert tags, WAVSEP adoption, alert de-duplication and a new add-on publishing guide.
https://www.zaproxy.org/blog/2025-10-01-zap-updates-september-2025/
10 months ago
0
3
2
New blog post: Alert De-Duplification
www.zaproxy.org/blog/2025-09...
#zaproxy
#appsec
loading . . .
Alert De-Duplication
How and why we will be reporting fewer āduplicateā alerts in ZAP.
https://www.zaproxy.org/blog/2025-09-30-alert-de-duplication/
10 months ago
0
3
3
The ZAP team has forked and will maintain WAVSEP going forwards. This blog post explains why.
www.zaproxy.org/blog/2025-09...
#zaproxy
#appsec
#wavsep
loading . . .
ZAP is Adopting WAVSEP
The ZAP team has forked and will maintain WAVSEP going forwards. This blog post explains why.
https://www.zaproxy.org/blog/2025-09-08-zap-is-adopting-wavsep/
10 months ago
0
1
1
You can now configure ZAP Scan Policies using Alert Tags:
www.zaproxy.org/blog/2025-09...
#zaproxy
#appsec
loading . . .
Configuring Scan Policies with Alert Tags
A new feature in ZAPās automation framework allows you to configure scan policies using alert tags, making it easier to target specific types of vulnerabilities without manually managing individual sc...
https://www.zaproxy.org/blog/2025-09-03-configuring-scan-policies-with-alert-tags/
10 months ago
0
4
2
ZAP Updates - August 2025:
www.zaproxy.org/blog/2025-09...
Microsoft Online Login Support, forking wavsep and much, much more!
#zaproxy
#appsec
loading . . .
ZAP Updates - August 2025
Microsoft Online Login Support, forking wavsep and much, much more!
https://www.zaproxy.org/blog/2025-09-02-zap-updates-august-2025/
11 months ago
0
2
1
All of the translated ZAP help files on the Marketplace have been updated. Thanks to the Crowdin translators for their hard work!
crowdin.com/project/zap-...
loading . . .
ZAP Help ā Translation Project on Crowdin
Help us translate ZAP Help and bring it to the world!
https://crowdin.com/project/zap-help
11 months ago
0
3
1
We have a new
#evangelists
channel on the ZAP Slack:
www.zaproxy.org/slack/
For an invite go to
www.zaproxy.org/slack/invite
Join up and help spread the word about
#zaproxy
!
loading . . .
Slack
https://www.zaproxy.org/slack/
11 months ago
0
2
2
All of the ZAP Docker images in the Software Security Project Docker Hub org have now been deleted. If you were pulling from this org then please switch to the zaproxy org or use GHCR as per
www.zaproxy.org/download/#do...
#zaproxy
#appsec
loading . . .
ZAP ā Download
The worldās most widely used web app scanner. Free and open source. ZAP is a community project actively maintained by a dedicated international team, and a GitHub Top 1000 project.
https://www.zaproxy.org/download/#docker
11 months ago
0
5
2
ZAP Updates - July 2025 Authentication improvements, Edge support, timing rule changes, Docker news, and a new scan rule.
www.zaproxy.org/blog/2025-08...
#zaproxy
#appsec
loading . . .
ZAP Updates - July 2025
Authentication improvements, Edge support, timing rule changes, Docker news, and a new scan rule.
https://www.zaproxy.org/blog/2025-08-01-zap-updates-july-2025/
12 months ago
0
3
2
Yesterday there were more than 25K ZAP scans run using old versions of ZAP. These are no longer being maintained. Update your ZAP installs now!
#zaproxy
#appsec
12 months ago
0
8
3
We will be deleting all of the ZAP Docker images from the Software Security Project Docker Hub within the next 2 weeks. If you are still pulling images from there then please switch to one of the maintained options:
www.zaproxy.org/download/#do...
loading . . .
ZAP ā Download
The worldās most widely used web app scanner. Free and open source. ZAP is a community project actively maintained by a dedicated international team, and a GitHub Top 1000 project.
https://www.zaproxy.org/download/#docker
12 months ago
1
5
2
There is a new "ZAP is Out of Date" scan rule - learn more about it via this blog post
www.zaproxy.org/blog/2025-07...
#zaproxy
#appsec
loading . . .
The New 'ZAP is Out of Date' Rule
If you are using an old version of ZAP then you might start seeing a new alertā¦
https://www.zaproxy.org/blog/2025-07-25-the-new-zap-is-out-of-date-rule/
12 months ago
0
3
2
We've recently made some requested changes to the naming and implementation of scan rules which used Time Based attacks.
@kingthorin.bsky.social
has written about it here:
www.zaproxy.org/blog/2025-07...
#zaproxy
#appsec
loading . . .
Timing Related Scan Rule Changes
Scan rules related to time based attacks have been split or renamed.
https://www.zaproxy.org/blog/2025-07-22-timing-rule-changes/
12 months ago
0
2
2
None of the major browsers are currently flagging the latest ZAP downloads as suspiciousš Thank you to whoever sorted that out!
about 1 year ago
0
3
1
ZAP now has full support for Microsoft Edge š
www.zaproxy.org/blog/2025-07...
#zaproxy
#appsec
loading . . .
Edge Support
ZAP now has ātier 1ā support for Microsoft Edge, including exploring, crawling, and attacking.
https://www.zaproxy.org/blog/2025-07-10-edge-support/
about 1 year ago
0
6
3
As promised, here is the first set of documentation for all of the authentication improvements the team has been working on
www.zaproxy.org/blog/2025-07...
#zaproxy
#appsec
loading . . .
Authentication Improvements
Weāve made a lot of improvements in ZAPās handling of authentication - hereās a summary of the most significant changes weāve made.
https://www.zaproxy.org/blog/2025-07-03-authentication-improvements/
about 1 year ago
0
6
3
Load more
feeds!
log in