I’ve stated that ZAP is the world’s most popular free and open source web application scanner on stage at security conferences around the world for many years. No one has ever contradicted me so it must be true :)
However I’ve started to wonder if ZAP is actually more popular than most if not all of the commercial scanners as well?
That is actually pretty hard to tell - ZAP is a free tool that anyone can download, so determining how many users we really have is difficult. I’ve also not been able to find any figures published by our commercial competitors.
However we do have some statistics for ZAP.
ZAP also by default performs up to one check-for-updates request per day and checks for news every time it starts. All of the ‘calls home’ are documented and can be disabled via the
-silent command line option.
We record these figures every month, and it is clear that ZAP usage has been increasing ever since it was launched in 2010. In fact its use appears to be accelerating.
Last month, March 2020:
- ZAP was directly downloaded more than 85,000 times
- ZAP Docker images were pulled more than 220,000 times
- ZAP was started more than 1 million times!
Does this make ZAP the world’s most popular web security scanner?
I don’t know, but we’re happy to update this post to link to any similar stats that other web scanners publish.
We don't get much other information, but we can see that around two thirds of the time the ZAP desktop is started while one third of the time the ZAP daemon is used.
The top 3 countries that use the ZAP desktop are:
The top 3 countries that use the ZAP daemon are:
One thing is clear.
If you want to have an impact in the web security field then you should seriously consider contributing to ZAP. Any improvements you make, any new or improved scan rules you add will be heavily used and will help to make the online world safer.
ZAP is, of course, completely open source and highly extensible. If you want to learn more about contributing to or extending ZAP then see the Contributing Guide.