"Which vulnerability-scanning tool should I use, in the end?" To answer in one phrase: "one isn't enough; combine tools with different roles in layers." A tool that hunts SQL injection, a tool that hunts CVEs in dependency libraries, and a tool that hunts broken authorization are looking at completely different things.
The typical failure in tool selection is "introduce one famous tool and be satisfied." Burp Suite and ZAP are both excellent DAST, but with those alone you see neither the code's contents (SAST), nor dependency vulnerabilities (SCA), nor leaked secrets (secrets). This article first shows a map of types, then compares the staples of each category, and lands on how to choose by scale/budget/setup.
Here's the conclusion map up front.
| Layer | Type | What it sees | Free staple | Commercial/SaaS staple |
|---|---|---|---|---|
| Code | SAST | Data flow in the source | Semgrep, CodeQL | Snyk Code, Checkmarx |
| Behavior | DAST | The running app | OWASP ZAP, Nuclei | Burp Suite, Acunetix, Invicti |
| Dependencies | SCA | lockfile / dependency tree | npm audit, Dependabot, OSV-Scanner | Snyk Open Source |
| Secrets | Secret scan | Repository, diffs | Gitleaks, GitHub Secret Scanning | GitGuardian |
| Integrated SaaS | Automated assessment | The above bundled into SaaS | — | AeyeScan / VAddy / Securify (Japanese) |
Below, layer by layer, I make concrete "which to choose, and when."
1. First understand the "types" — SAST / DAST / SCA / secrets
Tools organize at once when classified by what they observe.
- SAST (static analysis): trace data flow without running the code. Can run at an early stage (commit/PR), and the fix location is easy to pin. On the flip side, weak at problems only visible at runtime.
- DAST (dynamic analysis): send requests to the running app and judge by externally visible behavior. Strong at real-environment problems (config, headers, reflected XSS), but requires deployment and doesn't tell the location in code.
- SCA (dependency analysis): see the known CVEs inside node_modules, not your code. The cheapest and most effective layer.
- Secret scan: see API keys and tokens that have been mixed into the repository.
These four are complementary, not competing. SAST and DAST differ by "seeing from inside or outside," and doing both makes detection overlap while complementing each other. The implementation procedure of each layer is covered in detail in the hands-on OWASP-official-methodology article. This article concentrates on "which tool to choose."
2. DAST showdown: OWASP ZAP vs Burp Suite Professional
The two giants of dynamic assessment. Many teams agonize over this choice first. To say it from the conclusion: "ZAP if you want to automate in CI, Burp for skilled manual scrutiny."
| Comparison item | OWASP ZAP | Burp Suite Professional |
|---|---|---|
| Price | Completely free (Apache-2.0) | $475 / user / year (2026) |
| Operation | Under Checkmarx (formerly under OWASP; remains free and maintained) | PortSwigger |
| License unit | No limit | Per user (for individual testers) |
| Automation / CI | YAML (Automation Framework) + GitHub Action is powerful | DAST (formerly Enterprise) is a separate product, contact required |
| Manual testing | Possible (proxy, various tools) | Industry standard (Repeater/Intruder/extensions) |
| Breadth of detection | Plenty practical. "Good enough" or beyond for many teams | Tends to have more detection types in benchmarks |
| Learning curve | Mid (automation is easy to learn) | Mid-to-high (given the manual freedom) |
| AI assist | — | Burp AI included |
(Sources: PortSwigger official pricing / ZAP official)
Which to choose
- Individual development / startup / CI in-house is the goal → ZAP, the only choice. Completely free, and you can set up GitHub Actions integration via zaproxy/action-baseline the same day. It delivers value beyond "good enough" at zero cost.
- A dedicated security engineer attacks deeply by hand → Burp Professional. The operability of Repeater/Intruder and the extension ecosystem (BApp Store) are a head above on manual-scrutiny productivity. $475/year is a cheap investment against a pro's effort value.
- Using both is normal too. Many teams split roles — ZAP in CI, Burp for manual deep dives. They're not exclusive.
A note (the free-version pitfall): Burp Suite Community (the free version) has no scanner, and Intruder is throttled. For "want to automate DAST for free," the right answer is ZAP, not Community.
3. SAST: start from Semgrep
For static code analysis, Semgrep is a practical starting point you can begin free.
- OWASP Top 10 rules (p/owasp-top-ten) are officially provided, so you can report detections mapped to the Top 10 categories.
- SARIF output can be aggregated into GitHub Code Scanning, so a fixed finding that comes back is caught on the next scan.
- The rules are readable (YAML), so it's easy to add your own forbidden patterns (easy to change).
```bash
# Scan with the OWASP Top 10 + TypeScript/React rule packs and write SARIF output
npx semgrep scan \
  --config=p/owasp-top-ten --config=p/typescript --config=p/react \
  --sarif --output=semgrep.sarif
```
For a GitHub-centric organization, CodeQL (GitHub-native, free for public repos) is a powerful option too. Commercially, Snyk Code / Checkmarx differentiate on IDE integration, large-scale operations, and support. Start with Semgrep, and consider commercial as operations scale — that's the reasonable order.
4. SCA & secrets: all free here
The dependency and secrets layers are well covered by free ecosystem standards. There's hardly any need to pay for this layer.
| Use | Tool | One line |
|---|---|---|
| Dependency CVE detection | npm audit | One command. --audit-level=moderate in CI |
| Auto fix-PR for dependencies | Dependabot | Just place .github/dependabot.yml |
| Cross-cutting dependency matching | OSV-Scanner (Google) | OSV.dev-based, multilingual |
| Secret detection | Gitleaks | Scans full history, SARIF-capable |
| Block secret pushes | GitHub Secret Scanning (Push Protection) | Blocks the push if a secret mixes into a commit |
Commercial Snyk and GitGuardian deliver value with dashboards, prioritization, and cross-org visibility, but first solidifying the foundation for free is the iron rule.
5. Japanese SaaS-type automated assessment: AeyeScan / VAddy / Securify
"Can't spare the operational effort for OSS," "need Japanese-language support and reports," "want even a team without expertise to run it" — for these requirements, Japanese SaaS-type automated-assessment tools are a fit. They are an option that trades the freedom of OSS for operational ease and support.
- AeyeScan (AI Security Lab): a cloud DAST that covers SPAs and complex screen transitions with AI auto-crawling. ITR Market View lists it as #1 by vendor share (FY2024 actual) in its market category.
- VAddy (Bitforest): a cloud type designed on the premise of integration into CI/CD. Suited to DevSecOps use that runs automated assessment on every deploy.
- Securify (Three-shake): a Japanese integrated platform bundling vulnerability assessment, cloud monitoring, and asset management.
These can be the best fit for the need to "run automated assessment (= horizontal holes) in-house, continuously, with Japanese-language support." However, the limit described in section 7 applies equally to SaaS and OSS.
6. Commercial integrated DAST: the enterprise option
For organizations that are large-scale, have many apps, or have compliance requirements, integrated commercial DAST enters the options. Acunetix, Invicti (formerly Netsparker), Burp Suite DAST (formerly Enterprise) and the like sell scheduled execution, team management, centralized management of many apps, and few false positives (proof-based detection). Pricing is basically "contact us," on the scale of several hundred thousand to several million yen per year. It's a category where cost-effectiveness emerges only at the stage of "there are dozens to hundreds of apps, and humans can't keep up."
7. The area no amount of tools can close
This is the line this article most wants to convey. ZAP, Burp, Semgrep, and Japanese SaaS are all looking at "horizontal holes." No matter how many tool types you add, the following "vertical risks" can't in principle be detected.
| What tools can close (horizontal) | What tools can't close (vertical) |
|---|---|
| Injection, misconfiguration, known CVEs, secret leakage | Authorization/IDOR (others' data is visible) |
| Reflected XSS, missing headers, vulnerable dependencies | Business-logic abuse (quantity, price, state transitions) |
| Structural flaws of known patterns | Tenant separation, privilege escalation, design validity |
The reason is clear. "Who may see this invoice" depends on the 'meaning' of your business rules, and a tool doesn't know your data model. So no matter how expensive the scanner, it can't judge a missing authorization as "missing." Broken authorization (IDOR/BOLA), the representative of this vertical risk, has been #1 in the OWASP API Security Top 10 since its first edition — "the most common leak." The specifics of detection and defense in depth are summarized in the IDOR / broken-authorization detection article, and the boundary between tools and humans in what does a security audit look at.
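To make the horizontal/vertical distinction concrete, here is an added illustration that is not from the article: a hypothetical invoice endpoint in a vulnerable and a fixed version, the status codes a black-box scanner gets back from each, and the ownership-matrix check a human who knows the business rule would write. All names, types and sample data are constructed for the example.

```typescript
// Added example, not from the article: a hypothetical invoice endpoint in a
// vulnerable and a fixed version, and why only a rule-aware check separates them.
type Invoice = { id: number; ownerId: number; amount: number };
type Session = { userId: number };
type Reply = { status: number; body?: Invoice };
type Handler = (session: Session, invoiceId: number) => Reply;

// Constructed sample data: two tenants, one invoice each.
const INVOICES: Invoice[] = [
  { id: 1, ownerId: 100, amount: 4200 },
  { id: 2, ownerId: 200, amount: 9900 },
];

// Vulnerable version: looks up by id only (IDOR/BOLA). No injection, no
// missing header, no known-pattern flaw; nothing a rule or crawler can object to.
export const getInvoiceVulnerable: Handler = (_session, invoiceId) => {
  const inv = INVOICES.find((i) => i.id === invoiceId);
  return inv ? { status: 200, body: inv } : { status: 404 };
};

// Fixed version: the business rule "who may see this invoice" is enforced.
// A 404 instead of a 403 avoids confirming that the id exists.
export const getInvoiceFixed: Handler = (session, invoiceId) => {
  const inv = INVOICES.find((i) => i.id === invoiceId);
  return inv !== undefined && inv.ownerId === session.userId
    ? { status: 200, body: inv }
    : { status: 404 };
};

// What a black-box scanner observes: logged in as one user, it requests every
// id and records the status. Each answer is a well-formed 200 or 404, and
// nothing in the response marks the second 200 of the vulnerable version as a leak.
export function scannerView(handler: Handler, session: Session): number[] {
  return INVOICES.map((i) => handler(session, i.id).status);
}

// What finds the vertical hole: a check that encodes the ownership rule and
// walks every (user, invoice) pair. Returns [userId, invoiceId] pairs where a
// user could read an invoice that is not theirs.
export function authorizationMatrix(handler: Handler): Array<[number, number]> {
  const users = Array.from(new Set(INVOICES.map((i) => i.ownerId)));
  const leaks: Array<[number, number]> = [];
  for (const userId of users) {
    for (const inv of INVOICES) {
      const reply = handler({ userId }, inv.id);
      if (reply.status === 200 && inv.ownerId !== userId) leaks.push([userId, inv.id]);
    }
  }
  return leaks;
}
```

The matrix check is the shape of test a scanner cannot generate on its own, because the "expected" column comes from your data model, not from the HTTP responses.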
8. Selection flowchart — by scale, budget, setup
Finally, a practical guide when you're unsure.
- First the free foundation (common to all scales): SCA (npm audit + Dependabot) → secrets (Gitleaks + Push Protection) → SAST (Semgrep) → DAST (ZAP baseline). Up to here is zero-budget, same-day.
- Want to automate in CI → ZAP (Automation Framework + GitHub Action) + Semgrep (SARIF). CI-integration procedure here.
- Want to attack deeply by hand / have a dedicated person → add Burp Suite Professional ($475/year).
- Can't spare in-house operational effort / need Japanese support → Japanese SaaS-type (AeyeScan / VAddy / Securify).
- Many apps / compliance requirements → commercial integrated DAST (Acunetix / Invicti / Burp DAST).
- Want to guarantee the validity of authorization/business logic → impossible with any tool. To manual assessment / audit.
The iron rule is "sweep horizontal for free → pay only where it's lacking → vertical by hand." Rather than buying an expensive tool from the start, solidify the foundation for free and invest once the bottleneck is visible — the most cost-efficient order.
Summary — choose tools by "layer" and know the limits correctly
- Vulnerability-scanning tools can't do everything with one. Build SAST/DAST/SCA/secrets in layers.
- DAST is ZAP (free, CI automation) or Burp ($475/year, manual scrutiny). Role division, not exclusive.
- SAST = Semgrep, SCA = npm audit + Dependabot, secrets = Gitleaks. The foundation is all free.
- Japanese SaaS (AeyeScan/VAddy/Securify) is an option to buy out operational effort and support.
- No matter how much you add, authorization/IDOR and business logic can't be closed. Vertical is the human domain.
Tool selection is decided not by a product's popularity but by "which layer, with which setup, you protect." First build the free foundation, and route investment only to where it fits your scale and setup — I can help from that design. Starting by visualizing the current state with my own free OSS Aegis is also recommended.