Best ZAP MCP Servers

Zap (OWASP ZAP) is an open-source web application security scanner that helps find vulnerabilities in web applications during development and testing.

View all ZAP MCP Servers

Why this server?
Offers full integration with OWASP ZAP proxy for processing requests, conducting spider scans, performing active security scanning, and managing vulnerability alerts.
VulneraMCP
Penetration Testing Security Testing & QA Tools
telmon95
A
license
B
quality
D
maintenance
AI-powered bug bounty hunting platform that integrates security tools (OWASP ZAP, Caido, Burp Suite) for automated reconnaissance, vulnerability testing, JavaScript analysis, and finding management with PostgreSQL storage.
Last updated 2025-11-28
47
31
MIT
Why this server?
Enables creation and validation of workflow diagrams using FlowZap's visual diagramming tool and FlowZap Code DSL, generating shareable playground URLs for workflow visualizations.
FlowZap MCP Server
Software Architecture CI/CD & DevOps Developer Tools
flowzap-xyz
A
license
A
quality
C
maintenance
Enables AI assistants to create and validate workflow diagrams using FlowZap's text-based DSL. Generates shareable playground URLs for visualizing flowcharts, process diagrams, and CI/CD pipelines through natural language descriptions.
Last updated 2026-04-09
7
29
3
MIT
Why this server?
Provides tools for dynamic application security testing (DAST) using OWASP ZAP to identify vulnerabilities in running web applications.
DevSecOps MCP Server
Testing & QA Tools Security Developer Tools
JesusDavidQuarksoft
A
license
B
quality
C
maintenance
An MCP server that integrates SAST, DAST, and SCA security tools to enable AI-driven vulnerability scanning and automated security reporting. It allows AI assistants to execute and analyze results from tools like Semgrep, OWASP ZAP, and Trivy within a DevSecOps workflow.
Last updated 2026-02-04
6
MIT
Why this server?
Leverages OWASP ZAP for web application penetration testing including SQL injection, XSS, and CSRF vulnerability detection
MCP Shamash
Security Penetration Testing Testing & QA Tools
NeoTecDigital
F
license
B
quality
C
maintenance
Enables security auditing, penetration testing, and compliance validation with tools like Semgrep, Trivy, Gitleaks, and OWASP ZAP. Features strict project boundary enforcement and supports OWASP, CIS, and NIST compliance frameworks.
Last updated 2026-02-28
7
Why this server?
Provides tools for managing and executing web security scans using OWASP ZAP, including spidering, active scanning, passive scanning, API imports, findings, and reports.
MCP ZAP Server
Penetration Testing Security Hybrid
dtkmn
A
license
-
quality
A
maintenance
Safe, self-hosted OWASP ZAP operator for guided AI security scans, findings, and reports. Requires a separately running OWASP ZAP daemon.
Last updated 2026-05-22
54
Apache 2.0
Why this server?
Integrates with OWASP ZAP to perform dynamic application security testing (DAST) against running web components to identify potential security exposures.
VibeShift
Testing & QA Tools Security Autonomous Agents
GroundNG
A
license
-
quality
D
maintenance
An automated security engineer that integrates with AI coding assistants to perform vulnerability scanning, static analysis, and AI-driven remediation. It also provides tools for recording and executing self-healing web tests using Playwright, including visual regression and test discovery.
Last updated 2025-11-29
67
Apache 2.0
Why this server?
Integrates with OWASP ZAP (Zed Attack Proxy) to provide AI-powered security testing capabilities including active scans, passive analysis, AJAX spider scans, vulnerability reporting, and session management for web application security assessment.
ZAP MCP Server
Penetration Testing Testing & QA Tools Security
LisBerndt
A
license
-
quality
C
maintenance
Integrates OWASP ZAP security testing with AI assistants through MCP, enabling automated vulnerability scanning and AI-powered security analysis during development. Supports multiple scan types including active, passive, and AJAX spider scans with real-time status updates.
Last updated 2025-12-22
5
MIT
Why this server?
Conducts Dynamic Application Security Testing (DAST) to identify security vulnerabilities in running web applications through automated scanning.
Security MCP Server
Security Code Analysis Testing & QA Tools
michoo
A
license
-
quality
C
maintenance
Enables security scanning of codebases through integrated tools for secret detection, SCA, SAST, and DAST vulnerabilities, with AI-powered remediation suggestions based on findings.
Last updated 2025-09-30
MIT
Why this server?
Integrates OWASP ZAP for automated web application security scanning and vulnerability detection.
Bug Bounty Hunter MCP
Penetration Testing API Testing Web Scraping
MauricioDuarte100
A
license
-
quality
C
maintenance
Professional security testing server with 50+ integrated tools for web application vulnerability scanning, reconnaissance, fuzzing, and API testing. Enables comprehensive bug bounty hunting workflows including subdomain enumeration, XSS/SQLi detection, and automated security assessments.
Last updated 2026-01-29
MIT