🧠 Humans of Cyber | Simon Bennetts
Founded in 2010 by Simon Bennetts, ZAP became ZAP by Checkmarx, uniting open source DAST with sustainable enterprise backing.
The evolution of modern web application security testing is closely aligned with the trajectory of OWASP ZAP, now widely recognized as ZAP by Checkmarx. At the center of this progression is Simon Bennetts, whose leadership shaped ZAP into one of the most widely adopted dynamic application security testing tools globally.
ZAP represents more than a scanner. It is a case study in sustainable open source governance, technical transparency, and the long-term viability of community-driven security tooling.
Foundational Origins: From Paros to ZAP
ZAP originated in 2010 when Simon Bennetts forked the Paros Proxy, which had ceased active maintenance in 2006. The functional vacuum left by Paros created a gap in accessible, developer-friendly web security tooling.
Bennetts’ objective was practical: enable developers to run repeatable security regression testing without reliance on costly commercial platforms. The tool was designed to expose HTTP traffic directly, ensuring that vulnerability discovery was transparent and educational rather than opaque.
By July 2011, ZAP was designated a flagship project under the OWASP Foundation, reflecting its maturity and adoption within the security community.
Governance Evolution and Sustainability
OWASP Stewardship (2010–2023)
For thirteen years, ZAP operated under OWASP, benefiting from its nonprofit umbrella and community reach. However, as ZAP scaled in usage and complexity, sustaining development through a volunteer-driven model became increasingly challenging.
The project required consistent engineering capacity, infrastructure support, and enterprise-grade refinement that exceeded what a purely volunteer model could reliably provide.
Transition to the Software Security Project
In August 2023, ZAP departed OWASP and joined the Software Security Project under the Linux Foundation. The move was intended to secure a governance model capable of supporting full-time contributors and long-term funding stability.
The tool was rebranded simply as ZAP during this transition.
Partnership with Checkmarx (2024–Present)
In September 2024, ZAP entered a commercial partnership with Checkmarx. This agreement preserved ZAP’s Apache v2 open source license while enabling the three core leaders, including Bennetts, to become full-time employees focused on ZAP development.
This partnership resolved several structural constraints:
Dedicated full-time development capacity
Direct access to enterprise-scale deployment feedback
Improved operational infrastructure
The result was the formal emergence of ZAP by Checkmarx, combining community transparency with commercial stability.
Technical Architecture and Core Functionality
ZAP functions as an intercepting proxy positioned between a browser and a target application. This architecture allows comprehensive inspection of request and response traffic while enabling both manual and automated testing workflows.
Passive and Active Scanning
ZAP distinguishes between two primary scanning methodologies:
Passive scanning analyses the requests and responses that already pass through the proxy, without sending or modifying any traffic, and identifies misconfigurations such as insecure cookie flags or missing security headers.
Active scanning sends additional requests carrying crafted payloads to provoke responses indicative of vulnerabilities such as SQL injection or cross-site scripting.
By 2026, the active scanner includes enhanced support for asynchronous frameworks, WebSockets, and single-page applications.
Automation Framework
The ZAP Automation Framework introduced YAML-based configuration plans designed for headless execution within CI/CD pipelines. This development aligned ZAP with DevSecOps practices, allowing repeatable, scalable testing without GUI dependency.
GitHub Actions and Docker-based package scans further reduced friction for integration into development workflows.
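As an added example that is not the article's or the ZAP project's own code, here is a minimal Automation Framework plan that chains the passive and active scanning steps described above into a single headless CI run; the target URL, context name and report directory are assumed placeholders.

```yaml
# Added example of a ZAP Automation Framework plan (not from the article or the
# ZAP project). The target URL and report directory are assumed placeholders.
env:
  contexts:
    - name: "target"
      urls:
        - "https://app.example.test"   # assumed: the application under test
  parameters:
    failOnError: true       # fail the pipeline if any job errors out
    failOnWarning: false
    progressToStdout: true  # headless runs log progress to the CI console

jobs:
  # Passive rules only examine traffic that already passes through the proxy;
  # capping alerts per rule keeps large scans readable.
  - type: passiveScan-config
    parameters:
      maxAlertsPerRule: 10

  # Crawl the application so the passive rules have responses to inspect.
  - type: spider
    parameters:
      context: "target"
      maxDuration: 5   # minutes

  # Let the passive scanner drain its queue before reporting.
  - type: passiveScan-wait
    parameters:
      maxDuration: 5

  # Active scanning sends crafted payloads; it is bound to the context so
  # only in-scope URLs are probed, with a time cap to bound CI duration.
  - type: activeScan
    parameters:
      context: "target"
      maxScanDurationInMins: 10

  # Emit a machine-readable report that the pipeline can archive or gate on.
  - type: report
    parameters:
      template: "traditional-json"
      reportDir: "/zap/wrk"     # assumed: workspace directory mounted into the container
      reportFile: "zap-report"
```

Run it headless from the official container with `docker run --rm -v "$PWD":/zap/wrk/:rw ghcr.io/zaproxy/zaproxy:stable zap.sh -cmd -autorun /zap/wrk/plan.yaml`; `-cmd` starts ZAP without the GUI and exits once the plan completes, so the exit code can gate the pipeline.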
Educational Philosophy and Transparency
ZAP’s design philosophy emphasizes visibility into vulnerability mechanics. Unlike purely automated scanners that abstract testing logic, ZAP presents raw HTTP exchanges, enabling practitioners to observe payload behavior and server responses directly.
This transparency has made ZAP a foundational tool in academic programs and professional training environments. When paired with benchmark applications, it provides measurable evaluation of vulnerability detection capabilities.
Community initiatives, including student recognition programs and structured contribution pathways, have reinforced its educational mission.
Advanced Extensibility and Zest
ZAP supports scripting for complex scenarios, particularly authentication workflows.
Zest, a domain-specific scripting language originally developed by the Mozilla Security Team, enables structured recording and replay of authentication sequences. Through assertions and conditional logic, Zest scripts maintain authenticated scanning states in environments involving CSRF tokens or multi-step flows.
Recent enhancements include Client Script Authentication integrated into the Automation Framework, reducing operational overhead for modern authentication testing.
Performance and Scale
As of September 2024:
Over 353 million recorded starts since December 2021
Approximately 922,000 monthly active scans
More than 30 billion alerts identified
These metrics reflect sustained global adoption. Performance tuning recommendations, particularly within containerized environments, mitigate resource constraints during high-volume scanning.
Continuous benchmarking against standardized vulnerability datasets has demonstrated iterative improvements in detection accuracy across recent versions.
Competitive Positioning
ZAP is frequently compared to Burp Suite. While Burp Suite Pro maintains strong positioning in manual penetration testing workflows, ZAP provides fully open automation capabilities without licensing restrictions.
Commercial DAST platforms such as StackHawk and Beagle Security emphasize streamlined developer experience. ZAP remains differentiated through granular control, extensibility, and community-driven transparency.
Professional Services and Sustainability Model
Following its departure from OWASP, ZAP introduced structured professional services through ZAProxy Ltd. Revenue generated through support packages and sponsored development is reinvested into the project.
This hybrid sustainability model combines:
Corporate sponsorship
Professional service revenue
Community contributions
It represents a mature approach to funding open source security tooling at enterprise scale.
Strategic Direction: AI and Browser-Native Testing
The 2.17.0 release introduced advanced alert de-duplication, reducing signal noise within large-scale scan results.
Planned initiatives for 2026 include:
Integration with browser-native testing workflows
Expanded support for DOM-based vulnerability detection
Optional AI-assisted capabilities for payload generation and result summarization
AI features remain opt-in, ensuring practitioner control over integration decisions.
Strategic Significance
ZAP’s progression from a 2010 Paros fork to a commercially supported open source DAST engine demonstrates that hybrid governance models can sustain mission-critical tooling without compromising transparency.
Simon Bennetts’ leadership maintained a consistent technical philosophy centered on practicality and education. This continuity ensured that ZAP evolved in capability without abandoning its foundational principles.
In 2026, ZAP by Checkmarx stands as a structured example of how open source security software can achieve scale, enterprise integration, and long-term sustainability while remaining accessible to the global security community.
Copyright © 2026 911Cyber. All Rights Reserved.