Listing Thumbnail

    OWASP ZAP | Support by cloudimg

     Info
    Sold by: cloudimg 
    Deployed on AWS
    Free Trial
    AWS Free Tier
    This product has charges associated with it for seller support. OWASP ZAP (Zed Attack Proxy), the world's most popular open source web-application security scanner, preinstalled and running as a headless daemon with its authenticated REST API enabled on loopback. A fresh API key is generated on first boot. Drive spiders, active and passive scans, and read findings over the API within minutes of launch. Backed by 24/7 cloudimg support.

    Overview

    Open image

    This is a repackaged open source software product wherein additional charges apply for cloudimg support services.

    Overview OWASP ZAP (the Zed Attack Proxy) is the world's most widely used open source web-application security scanner. It finds vulnerabilities in web applications and APIs through automated spidering, passive scanning and active attack rules, and is a staple of DAST pipelines and penetration testing. This image delivers ZAP fully installed and running as a headless daemon with its REST API enabled, so a scanning appliance is ready to drive within minutes of launch.

    Headless Scanner Service ZAP runs in daemon mode under the bundled systemd service, started on boot and restarted on failure. There is no desktop GUI to manage: you drive every capability, spiders, the AJAX spider, passive scanning, active scanning, alerts and reporting, through the authenticated REST API. A bundled OpenJDK 17 headless runtime means no extra setup. The session database and scan state live on a dedicated, independently resizable data disk.

    Per-Instance API Key A random ZAP API key is generated fresh on the first boot of every instance and recorded for the administrator, so no shared or build-time secret ever ships in the image. The REST API is bound to loopback and, by default, only accepts connections from the instance itself, so the scanner is private until you choose to expose it (for example by tunnelling the API port over SSH). Every API call is authenticated with the per-instance key.

    Automate Your Scans The REST API exposes the full ZAP feature set: define contexts and scopes, run the traditional and AJAX spiders, let the passive scanner flag issues as traffic flows, launch active scans with tunable attack strength and alert thresholds, then pull the alerts and generate HTML, JSON or Markdown reports. Wire ZAP into CI/CD for DAST, or proxy a manual or automated test suite through it to surface findings.

    Ready To Use Connect over SSH and the daemon is already running. Read the welcome notes for the per-instance API key and example calls, confirm the version over the API, then point ZAP at your targets. The ZAP home directory, session database and results live on a dedicated, independently resizable data disk.

    cloudimg Support 24/7 technical support by email and chat. Help with daemon configuration, the REST API, scan policies and attack strength, contexts and authentication handling, CI/CD integration for DAST, reporting and upgrade planning.

    Use Cases Automated DAST scanning of web applications and APIs in a CI/CD pipeline. A scanning proxy for manual and automated penetration testing. A scheduled vulnerability scanner for staging and production web estates. A self-hosted, API-driven alternative to commercial web-app scanners.

    All product and company names are trademarks or registered trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

    Highlights

    • OWASP ZAP, the world's most popular Apache-2.0 open source web-application security scanner, preinstalled and running as a headless daemon with the authenticated REST API enabled, no manual setup required
    • A random ZAP API key is generated fresh on the first boot of every instance (no shared or build-time secret ships in the image) and the REST API is bound to loopback, private until you choose to expose it
    • Drive the full ZAP feature set over the REST API (spiders, passive and active scanning, alerts and reporting) with a bundled OpenJDK runtime and the session database on a dedicated, resizable data disk, plus 24/7 cloudimg support

    Details

    Sold by

    Delivery method

    Delivery option
    64-bit (x86) Amazon Machine Image (AMI)

    Latest version

    Operating system
    Ubuntu 24.04

    Deployed on AWS
    New

    Introducing multi-product solutions

    You can now purchase comprehensive solutions tailored to use cases and industries.

    Multi-product solutions

    Features and programs

    Financing for AWS Marketplace purchases

    AWS Marketplace now accepts line of credit payments through the PNC Vendor Finance program. This program is available to select AWS customers in the US, excluding NV, NC, ND, TN, & VT.
    Financing for AWS Marketplace purchases

    Pricing

    Free trial

    Try this product free for 7 days according to the free trial terms set by the vendor. Usage-based pricing is in effect for usage beyond the free trial terms. Your free trial gets automatically converted to a paid subscription when the trial ends, but may be canceled any time before that.

    OWASP ZAP | Support by cloudimg

     Info
    Pricing is based on actual usage, with charges varying according to how much you consume. Subscriptions have no end date and may be canceled any time. Alternatively, you can pay upfront for a contract, which typically covers your anticipated usage for the contract duration. Any usage beyond contract will incur additional usage-based costs.
    Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator  to estimate your infrastructure costs.
    If you are an AWS Free Tier customer with a free plan, you are eligible to subscribe to this offer. You can use free credits to cover the cost of eligible AWS infrastructure. See AWS Free Tier  for more details. If you created an AWS account before July 15th, 2025, and qualify for the Legacy AWS Free Tier, Amazon EC2 charges for Micro instances are free for up to 750 hours per month. See Legacy AWS Free Tier  for more details.

    Usage costs (800)

     Info
    • ...
    Dimension
    Description
    Cost/hour
    t3.medium
    Recommended
    t3.medium
    $0.08
    t2.micro
    t2.micro instance type
    $0.04
    t3.micro
    t3.micro instance type
    $0.04
    c5a.12xlarge
    c5a.12xlarge instance type
    $0.24
    c5a.16xlarge
    c5a.16xlarge instance type
    $0.24
    c5a.24xlarge
    c5a.24xlarge instance type
    $0.24
    c5a.2xlarge
    c5a.2xlarge instance type
    $0.24
    c5a.4xlarge
    c5a.4xlarge instance type
    $0.24
    c5a.8xlarge
    c5a.8xlarge instance type
    $0.24
    c5a.large
    c5a.large instance type
    $0.08

    Vendor refund policy

    Refunds available on request.

    How can we make this page better?

    Tell us how we can improve this page, or report an issue with this product.
    Tell us how we can improve this page, or report an issue with this product.

    Legal

    Vendor terms and conditions

    Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA) .

    Content disclaimer

    Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.

    Usage information

     Info

    Delivery details

    64-bit (x86) Amazon Machine Image (AMI)

    Amazon Machine Image (AMI)

    An AMI is a virtual image that provides the information required to launch an instance. Amazon EC2 (Elastic Compute Cloud) instances are virtual servers on which you can run your applications and workloads, offering varying combinations of CPU, memory, storage, and networking resources. You can launch as many instances from as many different AMIs as you need.

    Version release notes

    Initial release of OWASP ZAP 2.17.0, the Zed Attack Proxy web-application security scanner, as a ready-to-use headless daemon with the authenticated REST API enabled and a per-instance API key generated on first boot.

    Additional details

    Usage instructions

    Connect via SSH on port 22 as the default login user for your operating system variant (the user guide lists it per variant). This is a headless scanner service: there is no desktop GUI. Read the welcome notes, including the per-instance ZAP API key, with: sudo cat /root/owasp-zap-info.txt. Confirm the daemon is running with: systemctl status zap. The ZAP REST API is bound to loopback on port 8080 and is authenticated with the per-instance key: KEY=$(sudo grep '^zap.api.key=' /root/owasp-zap-info.txt | cut -d= -f2-); curl "http://127.0.0.1:8080/JSON/core/view/version/?apikey=${KEY} ". Drive spiders, passive and active scans, alerts and reporting over the API (see the user guide). The ZAP home directory, session database and scan results live on a dedicated data disk mounted at /var/lib/zaproxy. The API only accepts loopback connections by default; to reach it from your workstation, tunnel the port over SSH (ssh -L 8080:127.0.0.1:8080). Open whatever ports your scan targets require in the instance security group.

    Resources

    Vendor resources

    Support

    Vendor support

    cloudimg provides 24/7 technical support for this product by email and live chat. Our engineers help with deployment, configuration, updates, performance tuning and troubleshooting; critical issues receive a one hour average response. Contact support@cloudimg.co.uk .

    AWS infrastructure support

    AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.

    Similar products

    Customer reviews

    Ratings and reviews

     Info
    0 ratings
    5 star
    4 star
    3 star
    2 star
    1 star
    0%
    0%
    0%
    0%
    0%
    0 reviews
    No customer reviews yet
    Be the first to review this product . We've partnered with PeerSpot to gather customer feedback. You can share your experience by writing or recording a review, or scheduling a call with a PeerSpot analyst.