# Web-app vulnerability-scanner comparison [2026 edition] — how to choose among OWASP ZAP / Burp Suite / Semgrep / commercial & Japanese SaaS

> A comparison guide for correctly choosing web-app vulnerability-scanning tools by type (SAST/DAST/SCA/secrets) and role. The difference between free ZAP (Apache-2.0) and the $475/year Burp Suite Professional, SAST like Semgrep, dependency assessment with npm audit/Dependabot, Japanese SaaS-type tools (AeyeScan/VAddy/Securify), and commercial integrated DAST — with a selection flow by scale/budget/setup, and honestly showing the area tools can't close.

- Published: 2026-06-28
- Author: 友田 陽大
- Tags: セキュリティ, 脆弱性診断, OWASP, DevSecOps
- URL: https://tomodahinata.com/en/blog/web-application-vulnerability-scanner-tools-comparison-zap-burp-semgrep-guide
- Category: Application-layer security
- Pillar guide: https://tomodahinata.com/en/blog/nextjs-supabase-application-security-guide

## Key points

- There's no 'one tool for everything' in vulnerability scanning. Combine layers with different roles — SAST (code), DAST (behavior), SCA (dependencies), secret scanning. Understanding the types first is the starting point of selection.
- DAST headliner comparison: OWASP ZAP is completely free (Apache-2.0, maintained even under Checkmarx) and strong at YAML automation and GitHub Actions integration. Burp Suite Professional is $475/user/year, strong in the breadth of detection types, UI, and manual-testing features. ZAP for CI in-house, Burp for manual scrutiny.
- For SAST, Semgrep (OSS + OWASP rules + SARIF) is the most cost-effective starting point. For SCA, npm audit + Dependabot is enough. For secrets, Gitleaks + GitHub Push Protection. All of these are available for free.
- Japanese SaaS-type tools (AeyeScan/VAddy/Securify) are strong at 'in-house automated assessment without expertise' via AI auto-crawling, Japanese-language support, and CI integration. An option to buy out the operational effort of OSS.
- Every tool stops at 'horizontal holes.' Authorization/IDOR, business logic, and tenant separation (vertical risks) can't be closed by adding more tool types — beyond here is the domain of manual assessment and audit.

---

"Which vulnerability-scanning tool should I use, in the end?" — to answer in one phrase, **"one isn't enough; combine tools with different roles in layers."** A tool that hunts SQL injection, a tool that hunts CVEs in dependency libraries, and a tool that hunts broken authorization are looking at completely different things.

The typical failure in tool selection is **"introduce one famous tool and be satisfied."** Burp Suite and ZAP are both excellent DAST, but with those alone you see **neither the code's contents (SAST), nor dependency vulnerabilities (SCA), nor leaked secrets (secrets).** This article first shows a **map of types**, then compares the staples of each category, and lands on **how to choose by scale/budget/setup.**

Here's the conclusion map up front.

| Layer | Type | What it sees | Free staple | Commercial/SaaS staple |
|---|---|---|---|---|
| Code | **SAST** | Data flow in the source | **Semgrep**, CodeQL | Snyk Code, Checkmarx |
| Behavior | **DAST** | The running app | **OWASP ZAP**, Nuclei | **Burp Suite**, Acunetix, Invicti |
| Dependencies | **SCA** | lockfile / dependency tree | **npm audit**, Dependabot, OSV-Scanner | Snyk Open Source |
| Secrets | **Secret scan** | Repository, diffs | **Gitleaks**, GitHub Secret Scanning | GitGuardian |
| Integrated SaaS | **Automated assessment** | The above bundled into SaaS | — | **AeyeScan / VAddy / Securify** (Japanese) |

Below, layer by layer, I make concrete "which to choose, and when."

---

## 1. First understand the "types" — SAST / DAST / SCA / secrets

Tools organize at once when classified by **what they observe.**

- **SAST (static analysis)**: trace data flow **without running** the code. It can run early (at commit/PR time), and the fix location is easy to pinpoint. On the flip side, it's weak at problems only visible at runtime.
- **DAST (dynamic analysis)**: send requests to **the running app** and judge by externally visible behavior. Strong at real-environment problems (config, headers, reflected XSS), but it requires a deployment and doesn't tell you the location in code.
- **SCA (dependency analysis)**: looks at **the known CVEs inside `node_modules`**, not your code. The cheapest and most effective layer.
- **Secret scan**: looks for API keys and tokens that have **slipped into commits** (in the working tree, diffs, or history).

These four are **complementary, not competing.** SAST and DAST differ by "seeing from inside or outside," and **doing both makes detection overlap while complementing each other.** The implementation procedure of each layer is covered in detail in the [hands-on OWASP-official-methodology article](/blog/web-application-vulnerability-assessment-owasp-zap-sast-dast-guide). This article concentrates on "which tool to choose."

---

## 2. DAST showdown: OWASP ZAP vs Burp Suite Professional

The two giants of dynamic assessment. **Many teams agonize over this choice first.** Conclusion first: **"ZAP if you want to automate in CI, Burp for skilled manual scrutiny."**

| Comparison item | **OWASP ZAP** | **Burp Suite Professional** |
|---|---|---|
| Price | **Completely free** (Apache-2.0) | **$475 / user / year** (2026) |
| Operation | Under Checkmarx (formerly OWASP; free is maintained) | PortSwigger |
| License unit | No limit | **Per user** (for individual testers) |
| Automation / CI | **YAML (Automation Framework) + GitHub Action** is powerful | DAST (formerly Enterprise) is a separate product, contact required |
| Manual testing | Possible (proxy, various tools) | **Industry standard** (Repeater/Intruder/extensions) |
| Breadth of detection | Practical enough. "Good enough" or beyond for many teams | Tends to have more detection types in benchmarks |
| Learning curve | Mid (automation is easy to learn) | Mid-to-high (given the manual freedom) |
| AI assist | — | Burp AI included |

(Sources: [PortSwigger official pricing](https://portswigger.net/buy/pro) / [ZAP official](https://www.zaproxy.org/))

### Which to choose

- **Individual development / startup / CI in-house is the goal** → **ZAP, the only choice.** Completely free, and you can set up GitHub Actions integration via `zaproxy/action-baseline` the same day. It delivers value beyond "good enough" at zero cost.
- **A dedicated security engineer attacks deeply by hand** → **Burp Professional.** The operability of Repeater/Intruder and the extension ecosystem (BApp Store) are a cut above on manual-scrutiny productivity. $475/year is a cheap investment against the value of a pro's time.
- **Using both** is normal too. Many teams split roles — ZAP in CI, Burp for manual deep dives. **They're not exclusive.**

> **A note (the free-version pitfall):** Burp Suite **Community** (the free version) has no scanner, and Intruder is throttled. **For "want to automate DAST for free," the right answer is ZAP, not Community.**

---

## 3. SAST: start from Semgrep

For static code analysis, **[Semgrep](https://semgrep.dev/)** is a practical starting point you can begin free.

- **OWASP Top 10 rules** (`p/owasp-top-ten`) are officially provided, so you can **report detections mapped to the Top 10 categories.**
- **SARIF output** can be aggregated into GitHub Code Scanning, so fixed findings can't silently regress.
- The rules are readable (YAML), so it's easy to **add your own forbidden-pattern rules** (ETC: Easier To Change).

```bash
# Scan with the OWASP Top 10 + TypeScript/React rulesets and write SARIF output
npx semgrep scan \
  --config=p/owasp-top-ten --config=p/typescript --config=p/react \
  --sarif --output=semgrep.sarif
```

For a GitHub-centric organization, **CodeQL** (GitHub-native, free for public repos) is a powerful option too. Commercially, Snyk Code / Checkmarx differentiate on IDE integration, large-scale operations, and support. **Start with Semgrep, and consider commercial as operations scale** — that's the reasonable order.

---

## 4. SCA & secrets: all free here

The dependency and secrets layers are **well covered by free ecosystem standards.** There's hardly any need to include this layer in a paid tool.

| Use | Tool | One line |
|---|---|---|
| Dependency CVE detection | **`npm audit`** | One command. `--audit-level=moderate` in CI |
| Auto fix-PR for dependencies | **Dependabot** | Just place `.github/dependabot.yml` |
| Cross-cutting dependency matching | **OSV-Scanner** (Google) | OSV.dev-based, multilingual |
| Secret detection | **Gitleaks** | Scans full history, SARIF-capable |
| Block secret pushes | **GitHub Secret Scanning (Push Protection)** | Blocks the push if a secret mixes into a commit |

Commercial **Snyk** and **GitGuardian** deliver value with dashboards, prioritization, and cross-org visibility, but **first solidifying the foundation for free** is the iron rule.

---

## 5. Japanese SaaS-type automated assessment: AeyeScan / VAddy / Securify

"Can't spare the operational effort for OSS," "need Japanese-language support and reports," "want even a team without expertise to run it" — for these requirements, **Japanese SaaS-type automated-assessment tools** are a fit. An option that **trades** the freedom of OSS for operational ease and support.

- **[AeyeScan](https://www.aeyescan.jp/)** (AI Security Lab): a cloud DAST that covers SPAs and complex screen transitions with **AI auto-crawling.** It's published as **#1 by vendor share** (FY2024 actual) in the relevant market of ITR Market View.
- **VAddy** (Bitforest): a cloud type designed on the premise of **integration into CI/CD.** Suited to DevSecOps use that runs automated assessment on every deploy.
- **Securify** (Three-shake): a **Japanese integrated platform** bundling vulnerability assessment, cloud monitoring, and asset management.

These can be the optimum for the need to "**run automated assessment (= horizontal holes) in-house, continuously, with Japanese-language support.**" However — the limit in the next section doesn't change for SaaS or OSS.

---

## 6. Commercial integrated DAST: the enterprise option

For organizations that are large-scale, have many apps, or have compliance requirements, **integrated commercial DAST** enters the options. **Acunetix** / **Invicti** (formerly Netsparker) / **Burp Suite DAST** (formerly Enterprise), etc., selling scheduled execution, team management, centralized management of many apps, and few false positives (proof-based detection). Pricing is basically "contact us," on the scale of several hundred thousand to several million yen per year. It's a category where cost-effectiveness emerges only at the stage of "there are dozens to hundreds of apps, and humans can't keep up."

---

## 7. The area no amount of tools can close

This is the line this article most wants to convey. **ZAP, Burp, Semgrep, and Japanese SaaS are all looking at "horizontal holes."** No matter how many tool types you add, the following **"vertical risks"** can't in principle be detected.

| What tools can close (horizontal) | What tools can't close (vertical) |
|---|---|
| Injection, misconfiguration, known CVEs, secret leakage | **Authorization/IDOR** (others' data is visible) |
| Reflected XSS, missing headers, vulnerable dependencies | **Business-logic abuse** (quantity, price, state transitions) |
| Structural flaws of known patterns | **Tenant separation, privilege escalation, design validity** |

The reason is clear. "Who may see this invoice" depends on **the 'meaning' of your business rules**, and a tool doesn't know your data model. So no matter how expensive the scanner, it can't judge a missing authorization as "missing." Broken authorization (IDOR/BOLA), the representative of this vertical risk, has been [#1 in the OWASP API Security Top 10 since its first edition](https://owasp.org/API-Security/editions/2023/en/0xa1-broken-object-level-authorization/) — "the most common leak." The specifics of detection and defense in depth are summarized in the [IDOR / broken-authorization detection article](/blog/nextjs-supabase-idor-broken-authorization-rls-detection-guide), and the boundary between tools and humans in [what does a security audit look at](/blog/nextjs-supabase-security-audit-scope-when-needed-guide).

---

## 8. Selection flowchart — by scale, budget, setup

Finally, a practical guide when you're unsure.

1. **First the free foundation (common to all scales)**: SCA (`npm audit` + Dependabot) → secrets (Gitleaks + Push Protection) → SAST (Semgrep) → DAST (ZAP baseline). **Up to here is zero-budget, same-day.**
2. **Want to automate in CI** → ZAP (Automation Framework + GitHub Action) + Semgrep (SARIF). [CI-integration procedure here](/blog/nextjs-supabase-security-ci-sarif-github-actions-guide).
3. **Want to attack deeply by hand / have a dedicated person** → add Burp Suite Professional ($475/year).
4. **Can't spare in-house operational effort / need Japanese support** → Japanese SaaS-type (AeyeScan / VAddy / Securify).
5. **Many apps / compliance requirements** → commercial integrated DAST (Acunetix / Invicti / Burp DAST).
6. **Want to guarantee the validity of authorization/business logic** → **impossible with any tool.** To manual assessment / audit.
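The SARIF aggregation from section 3 and the "ZAP + Semgrep (SARIF)" CI step in item 2 above end in the same place: one gate that reads every layer's SARIF and decides whether the build passes. As an added example (not from the article or from any of the tools named), the Python below merges SARIF 2.1.0 documents of the kind Semgrep, ZAP and Gitleaks emit, keeps each finding's OWASP Top 10 tag where the rule carries one (Semgrep's tag style), and fails when any finding is at or above a chosen level; the SARIF documents and rule ids inside are constructed, not real tool output.

```python
import json
from collections import Counter, namedtuple
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}  # SARIF result levels, ascending
Finding = namedtuple("Finding", "tool rule_id level uri line owasp")

def _owasp_tag(rule: dict) -> str:
    # Semgrep tags rules like "OWASP-A03:2021 - Injection"; keep the id, else "unmapped".
    for tag in rule.get("properties", {}).get("tags", []):
        if tag.upper().startswith("OWASP-A"):
            return tag.split(" - ")[0]
    return "unmapped"

def load_findings(sarif_text: str) -> list:
    """Flatten one SARIF 2.1.0 document from any tool into Finding records."""
    out = []
    for run in json.loads(sarif_text)["runs"]:
        driver = run["tool"]["driver"]
        rules = {r["id"]: r for r in driver.get("rules", [])}
        for res in run.get("results", []):
            rule = rules.get(res.get("ruleId", ""), {})
            # Per SARIF, a result without "level" inherits the rule's default, else "warning".
            level = res.get("level") or rule.get("defaultConfiguration", {}).get("level", "warning")
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            out.append(Finding(driver["name"], res.get("ruleId", "?"), level,
                               loc.get("artifactLocation", {}).get("uri", "?"),
                               loc.get("region", {}).get("startLine", 0), _owasp_tag(rule)))
    return out

def gate(findings: list, fail_on: str = "error") -> tuple:
    # Returns (passes, blocking findings counted per OWASP category) for levels >= fail_on.
    blocking = [f for f in findings if LEVEL_RANK.get(f.level, 0) >= LEVEL_RANK[fail_on]]
    return not blocking, Counter(f.owasp for f in blocking)

# Constructed sample: a Semgrep run (rules carry OWASP tags) and a Gitleaks-style run (no tags).
SAMPLE_SARIF = [json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "Semgrep", "rules": [
        {"id": "sqli-raw-query", "defaultConfiguration": {"level": "error"},
         "properties": {"tags": ["security", "OWASP-A03:2021 - Injection"]}},
        {"id": "missing-csp", "defaultConfiguration": {"level": "warning"},
         "properties": {"tags": ["OWASP-A05:2021 - Security Misconfiguration"]}}]}},
    "results": [  # the first result omits "level" on purpose: it must inherit the rule default
        {"ruleId": "sqli-raw-query", "message": {"text": "raw SQL from request input"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/db.ts"},
                                             "region": {"startLine": 42}}}]},
        {"ruleId": "missing-csp", "level": "warning", "message": {"text": "no CSP header"}}]}]}),
    json.dumps({"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "gitleaks"}}, "results": [
        {"ruleId": "generic-api-key", "level": "error", "message": {"text": "key committed"}}]}]})]

def run_gate(fail_on: str = "error") -> tuple:  # merge every layer's SARIF under one threshold
    return gate([f for doc in SAMPLE_SARIF for f in load_findings(doc)], fail_on)
```

In a real pipeline the SARIF files would be read from disk after each scanner step, and the same files uploaded to Code Scanning so the per-category counts here and the findings in the GitHub UI stay in sync.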

**The iron rule is "sweep horizontal for free → pay only where it's lacking → vertical by hand."** Rather than buying an expensive tool from the start, solidify the foundation for free and invest once the bottleneck is visible — the most cost-efficient order.

---

## Summary — choose tools by "layer" and know the limits correctly

- Vulnerability-scanning tools **can't do everything with one.** Build SAST/DAST/SCA/secrets **in layers.**
- **DAST is ZAP (free, CI automation) or Burp ($475/year, manual scrutiny).** Role division, not exclusive.
- **SAST = Semgrep, SCA = npm audit + Dependabot, secrets = Gitleaks.** The foundation is all free.
- **Japanese SaaS (AeyeScan/VAddy/Securify)** is an option to buy out operational effort and support.
- No matter how much you add, **authorization/IDOR and business logic can't be closed.** Vertical is the human domain.

Tool selection is decided not by a product's popularity but by **"which layer, with which setup, you protect."** First build the free foundation, and route investment only to where it fits your scale and setup — I can help from that design. Starting by visualizing the current state with my own free OSS [Aegis](/aegis) is also recommended.
