Passive Scan

ZAP by default passively scans all HTTP messages (requests and responses) sent to the web application being tested.
Passive scanning does not change the requests nor the responses in any way and is therefore safe to use.
Scanning is performed in a background thread to ensure that it does not slow down the exploration of an application.

The (main) behaviour of the passive scanner can be configured using the Options Passive Scanner Screen.

Passive scanning can also be used for automatically adding tags and raising alerts for potential issues.
A set of rules for automatic tagging are provided by default. These can be changed, deleted or added to via the Options Passive Scan Tags screen.

The alerts raised by passive scanners can be configured using the Options Passive Scan Rules screen.

See also

UI Overview for an overview of the user interface
Features provided by ZAP
Active scanning
Scanner Rules supported by default