ZAP has a ‘mode’ which can be:
It is recommended that you use the Protected mode to ensure that you only attack sites that you mean to.
The mode can be changed via the toolbar (or the ZAP API) and is persisted between sessions.
Examples of the things that will not be possible in either Safe mode or in Protected mode when not acting on URLs in the Scope:
You can define the Scan Policy to be used for the Attack mode the Options Active Scan screen.
|UI Overview||for an overview of the user interface|
|Features||provided by ZAP|