ZeroThreat is an AI-powered DAST tool that combines dynamic application security testing with automated penetration testing for web apps and APIs. It scans for over 40,000 vulnerabilities including OWASP Top 10 and CWE Top 25.
The platform tests REST, SOAP, GraphQL, and gRPC endpoints from a single interface. Founded in 2023 and headquartered in Carol Stream, Illinois, ZeroThreat launched publicly at Web Summit 2024 in Lisbon.

What is ZeroThreat?
ZeroThreat is a cloud-based DAST scanner that uses AI to find and validate vulnerabilities in running web applications. Instead of relying only on pattern matching, the platform attempts to validate whether detected issues are actually exploitable. ZeroThreat claims 98.9% detection accuracy with near-zero false positives.
You enter a URL and ZeroThreat handles the rest. No agents to install, no complex configuration. The platform crawls your application, discovers endpoints, and runs attack simulations against them.
| Feature | Details |
|---|---|
| Vulnerability checks | 40,000+ including OWASP Top 10, CWE Top 25 |
| API protocols | REST, SOAP, GraphQL, gRPC |
| Authentication | Login recording via Chrome extension, MFA support |
| Business logic | BOLA, IDOR, access control testing |
| Scan speed | 13,942 URLs scanned in 9 minutes (vendor benchmark) |
| Compliance | GDPR, ISO 27001, PCI-DSS, HIPAA reporting |
| Deployment | Cloud SaaS + on-premises proxy for internal targets |
| Certifications | ISO certified, SOC 2 certified |
Key Features
Web Application Scanning
ZeroThreat crawls web applications and runs attack simulations covering SQL injection, XSS, SSRF, IDOR, authentication flaws, and misconfigurations. These vulnerability classes align with the OWASP Top 10, which the platform uses as a baseline for its scanning coverage. Playwright-based SPA scanning for JavaScript-heavy applications is listed as coming soon.

The dashboard shows results as they come in. Each finding includes the request/response evidence and a severity rating. You can re-scan individual issues instantly after applying fixes, without running a full scan again.
API Security Testing
ZeroThreat tests API endpoints across four protocols: REST, SOAP, GraphQL, and gRPC. It discovers API routes during crawling and tests them for injection, broken authentication, excessive data exposure, and business logic flaws.
The platform supports internal API scanning through an on-premises proxy option, configured via the ON_PREM_PROXY_API_URL parameter in CI/CD integrations.
Authenticated Scanning
For applications behind login pages, ZeroThreat provides a Chrome extension called ZeroThreat AI Recorder. Record your login flow in the browser, and the platform replays it during scans to test authenticated areas.
The scanner goes beyond authentication into authorization testing. It checks roles, permissions, and session behavior to find access control issues like BOLA and IDOR. According to the OWASP Top 10 (2021), Broken Access Control moved to the number one position, making this type of testing particularly relevant.
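To make the BOLA/IDOR check concrete, here is an added example that is not ZeroThreat's code: it models in plain Python what an authenticated scan looks for when it replays one user's session against objects that belong to another user. The invoice store, the `Session` class, the two handlers and the `idor_probe` function are all hypothetical names constructed for this illustration; the point is the difference between a handler that only authenticates and one that also authorizes.

```python
"""
Added example (not ZeroThreat's code): a minimal model of the BOLA/IDOR check
an authenticated scanner performs. Two hypothetical request handlers expose an
invoice by id: one requires a login but never checks ownership, the other
enforces it. The probe fetches each object as its owner, then as a different
logged-in user, and flags objects the second user can read unchanged.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data: two users, each owning one invoice.
INVOICES: Dict[int, dict] = {
    101: {"id": 101, "owner": "alice", "total": "1250.00"},
    102: {"id": 102, "owner": "bob", "total": "480.00"},
}


@dataclass(frozen=True)
class Session:
    """Stands in for the recorded login the scanner replays."""
    user: str


Response = Tuple[int, Optional[dict]]


def get_invoice_vulnerable(session: Optional[Session], invoice_id: int) -> Response:
    """Authenticates (a session is required) but never authorizes: any
    logged-in user can read any invoice by guessing its id (IDOR)."""
    if session is None:
        return 401, None
    inv = INVOICES.get(invoice_id)
    return (200, inv) if inv is not None else (404, None)


def get_invoice_fixed(session: Optional[Session], invoice_id: int) -> Response:
    """Same endpoint with the object-level ownership check in place."""
    if session is None:
        return 401, None
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != session.user:
        # Answer 404 for both missing and foreign objects so the response
        # does not confirm that an id belonging to someone else exists.
        return 404, None
    return 200, inv


def idor_probe(
    handler: Callable[[Optional[Session], int], Response],
    owned: List[Tuple[int, Session]],
    other: Session,
) -> List[int]:
    """Return the ids that `other` can read with exactly the body the owner
    sees. This mirrors what an authenticated scan reports as BOLA/IDOR: the
    request succeeds and the evidence is the identical response."""
    findings: List[int] = []
    for object_id, owner in owned:
        if other == owner:
            continue  # same principal, no cross-user access to test
        owner_status, owner_body = handler(owner, object_id)
        if owner_status != 200:
            continue  # the owner cannot read it either; nothing to compare
        status, body = handler(other, object_id)
        if status == 200 and body == owner_body:
            findings.append(object_id)
    return findings


if __name__ == "__main__":
    owned = [(101, Session("alice")), (102, Session("bob"))]
    print("vulnerable:", idor_probe(get_invoice_vulnerable, owned, Session("bob")))
    print("fixed:     ", idor_probe(get_invoice_fixed, owned, Session("bob")))
```

The probe deliberately compares the full response body rather than just the status code: a 200 that returns an empty or redacted object is not the same finding as a 200 that returns another user's data, and the request/response pair is what a reviewer needs as evidence when triaging the report.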
AI-Powered Remediation
When the scanner finds a vulnerability, it generates code-level fix suggestions. The remediation reports include the affected request, the evidence of the vulnerability, and specific guidance on how to fix it.

Compliance Reporting
ZeroThreat generates compliance reports aligned with GDPR, ISO 27001, PCI-DSS, and HIPAA. Findings map to the relevant compliance requirements, which makes audit preparation more straightforward.
Integrations
All integrations are available on every plan, including the free tier. Connections use encrypted channels (HTTPS/TLS). A REST API and CLI are also available for custom workflows.
Pricing
ZeroThreat publishes pricing on its website. All plans include the full feature set.
| Plan | Price | What You Get |
|---|---|---|
| Free | $0 | 1 scan credit/month, 1 target, OWASP Top 10 coverage, high-level overview |
| Professional | $100/month per target | Unlimited scans, AI remediation, business logic testing, API pentesting, compliance reports. Additional targets $75 each |
| Pay Per Scan | $25/credit | Unlimited targets, 7-day retest window, volume discounts from 5% (10+ credits) to 20% (250+ credits) |
New accounts get 5 free scan credits on signup (valid 15 days, no credit card required). The Professional plan offers a 20% discount on annual billing.
Getting Started

When to Use ZeroThreat
ZeroThreat fits teams that want DAST with API testing at a lower price point than enterprise platforms like Invicti or Acunetix. The free tier and pay-per-scan model make it accessible for smaller teams or one-off assessments.
Strengths:
- Affordable entry point ($100/month or $25/scan vs. enterprise pricing)
- Free tier with actual scanning capability
- Broad API protocol support (REST, SOAP, GraphQL, gRPC in one tool)
- Business logic testing for BOLA, IDOR, access control
- CI/CD integrations included on all plans
- Zero-config onboarding
Limitations:
- Young product (founded 2023, public since late 2024) with limited track record
- Small community and low GitHub star counts on integration repos
- No mobile application scanning
- Several features still marked “Coming Soon” (Playwright SPA scanning, Agentic AI pentesting, Nuclei template support)
- 98.9% accuracy claim is vendor-reported, not independently verified
- On-premises deployment is proxy-only, not a full self-hosted option
For established enterprise DAST, see Invicti or Acunetix. For free and open-source alternatives, consider ZAP or Nuclei — we cover more options in our free DAST tools guide. For API-focused security testing, see 42Crunch.
