The OWASP PTK Options dialog has three tabs: Engines, Scan Rules, and Active Scan.
The Engines tab controls where each PTK engine runs during a scan. Each engine (SAST, IAST, DAST) has an independent Run Location drop-down with three options: CLIENT_SPIDER, ACTIVE_SCAN_RULE, and MANUAL (the same values accepted by the ptk.engine.ENGINE.runLocation configuration key described below).
The scan rules tree lists all available PTK rules grouped by engine (SAST, IAST, DAST) and module. Any rule that is enabled here will be available to PTK when it runs in the browser. Rules that are disabled will be ignored by PTK entirely.
Hover over any node in the tree to see its internal ID, which is the value used in command-line configuration keys.
The Use recommended defaults checkbox at the top of the tab applies a curated set of rules suited to security testing of web applications in a developer or CI context. When checked, the checkboxes in the tree are greyed out to show the recommended state — you can still expand and collapse the tree to see which rules are included — but the individual rules cannot be changed while this mode is active.
Some rules are excluded from the recommended set because they overlap with existing ZAP rules, or because they are more relevant to penetration testers than to developers.
If you uncheck Use recommended defaults, the tree becomes fully editable starting from the recommended state. Any changes you make and save become your custom configuration. Rechecking the option reapplies the recommended state.
This option is enabled by default for new installations.
Enable Active Scan Rule controls whether the PTK active scan rule runs during ZAP active scans.
Enable automated scanning (deprecated) controls the older in-browser automated mode exposed via the PTK API (mode:auto). It is disabled while the active scan rule is enabled.
When unchecked, PTK will still be active in the browser but no automated scanning will take place.
Browser, Action Wait Time (seconds), and Number of Browser Windows to Open apply to the PTK active scan rule. The default thread count is half the number of available processor cores.
PTK scan-rule state can be set directly from the ZAP command line using the -config flag, without opening the Options dialog. This is useful for headless or automated runs where you want to enable or disable specific engines, modules, or rules.
This is a temporary solution - we plan to add support for configuring the PTK rules in a similar way to other ZAP rules in due course.
ptk.useRecommendedDefaults — true to use the recommended rule set (default); false to use custom per-rule flags
ptk.scanrules.ENGINE.enabled — enable or disable an entire engine (only applied when ptk.useRecommendedDefaults=false)
ptk.scanrules.ENGINE.moduleId.enabled — enable or disable a module within an engine
ptk.scanrules.ENGINE.moduleId.ruleId.enabled — enable or disable a single rule
ptk.engine.ENGINE.runLocation — run location for an engine: CLIENT_SPIDER, ACTIVE_SCAN_RULE, or MANUAL
ptk.activescan.rule.enabled — enable or disable the PTK active scan rule
ptk.automatedScanning.enabled — enable or disable automated scanning (deprecated; use the active scan rule instead)
ptk.activescan.browserId — browser ID for the PTK active scan rule (see the Selenium documentation for valid IDs)
ptk.activescan.actionWaitTime — action wait time in seconds for the PTK active scan rule
ptk.activescan.threadCount — number of browser windows (threads) for the PTK active scan rule
Engine names are SAST, IAST, and DAST. Module and rule IDs can be found by hovering over a node in the Options dialog tree; the tooltip shows the internal ID used in configuration keys.
Scan-rule settings are inherited from parent to child: a rule-level key overrides its module key, which overrides the engine key, which overrides the default of true (enabled). This means you can disable an entire engine with a single key and then selectively re-enable individual rules or modules.
Use the recommended rule set (the default):
zap.sh -config ptk.useRecommendedDefaults=true
Disable recommended defaults and use fully custom per-rule flags:
zap.sh -config ptk.useRecommendedDefaults=false
Disable all IAST and DAST rules, leaving only SAST active (custom mode):
zap.sh -config ptk.useRecommendedDefaults=false \
-config ptk.scanrules.IAST.enabled=false \
-config ptk.scanrules.DAST.enabled=false
Disable a specific SAST module (custom mode):
zap.sh -config ptk.useRecommendedDefaults=false \
-config ptk.scanrules.SAST.dom-xss.enabled=false
Disable a single rule within a module (custom mode):
zap.sh -config ptk.useRecommendedDefaults=false \
-config ptk.scanrules.SAST.dom-xss.no-inner-outer-html.enabled=false
Disable all SAST rules except one (custom mode):
zap.sh -config ptk.useRecommendedDefaults=false \
-config ptk.scanrules.SAST.enabled=false \
-config ptk.scanrules.SAST.dom-xss.no-inner-outer-html.enabled=true
Run DAST in the Client Spider instead of the active scan rule:
zap.sh -config ptk.engine.DAST.runLocation=CLIENT_SPIDER
Enable the PTK active scan rule:
zap.sh -config ptk.activescan.rule.enabled=true
Enable automated scanning (deprecated):
zap.sh -config ptk.automatedScanning.enabled=true
Configure the PTK active scan rule browser, action wait time, and thread count:
zap.sh -config ptk.activescan.browserId=firefox-headless \
-config ptk.activescan.actionWaitTime=2 \
-config ptk.activescan.threadCount=4
When setting many options, put them in a properties file and pass it with -configfile:
ptk.useRecommendedDefaults=false
ptk.scanrules.IAST.enabled=false
ptk.scanrules.DAST.enabled=false
ptk.scanrules.SAST.dom-xss.no-inner-outer-html.enabled=false
zap.sh -configfile my-ptk-config.properties
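Because the engine, module and rule keys inherit from one another and are all ignored while ptk.useRecommendedDefaults is true, it is easy to ship a properties file in CI that does not do what you expect. The following resolver is an added example (not part of ZAP or the PTK add-on) that applies the documented precedence to a properties file and reports the effective state of a given rule; the sample properties are constructed from the examples above, and the RECOMMENDED sentinel is this script's own convention.

```python
"""Resolve the effective PTK scan-rule state from ZAP -config keys.

Added example, not part of the ZAP or PTK code base. It applies the
precedence the documentation describes: rule key overrides module key,
which overrides engine key, which overrides the default of true, and
all per-rule keys are ignored while ptk.useRecommendedDefaults is true.
"""

# Constructed sample input, matching the -configfile example above.
SAMPLE_PROPERTIES = """\
ptk.useRecommendedDefaults=false
ptk.scanrules.IAST.enabled=false
ptk.scanrules.DAST.enabled=false
ptk.scanrules.SAST.dom-xss.no-inner-outer-html.enabled=false
"""

# Sentinel (this script's own convention): the curated recommended set
# applies, so individual rule flags are not consulted at all.
RECOMMENDED = "recommended"


def parse_properties(text):
    """Parse key=value lines in the format used with zap.sh -configfile."""
    config = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        config[key.strip()] = value.strip()
    return config


def _flag(config, key):
    """Return True/False for a boolean key, or None when the key is absent."""
    value = config.get(key)
    return None if value is None else value.lower() == "true"


def rule_enabled(config, engine, module_id, rule_id):
    """Effective state of one rule, or RECOMMENDED when defaults are in use."""
    if _flag(config, "ptk.useRecommendedDefaults") in (None, True):
        return RECOMMENDED  # key defaults to true; custom flags not applied
    # Most specific key wins; an absent key falls through to its parent.
    for key in (
        f"ptk.scanrules.{engine}.{module_id}.{rule_id}.enabled",
        f"ptk.scanrules.{engine}.{module_id}.enabled",
        f"ptk.scanrules.{engine}.enabled",
    ):
        state = _flag(config, key)
        if state is not None:
            return state
    return True  # documented default: enabled
```

Run it against the file you intend to pass to -configfile before the headless scan; a rule that resolves to RECOMMENDED despite your explicit flags means the ptk.useRecommendedDefaults=false line is missing.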
PTK will raise ZAP alerts for any issues it finds. The full list of alerts raised by PTK is available at https://www.zaproxy.org/alerttags/tool_ptk/.
See also: OWASP PTK