File: roadmap.md | Updated: 11/18/2025
No target dates are given as much of the work on ZAP is done by volunteers. We also aim to react very quickly to urgent issues which inevitably delays other planned work.
For details of how to sponsor ZAP developments see the Support page.
These are the major items on ZAP’s roadmap for the next few years:
| Year | Status <br> Show Archived | Sponsor | Item | | --- | --- | --- | --- | | 2025 | ⌚ Planned | Checkmarx Ltd. | Release 2.18 | | 2025 | ⌚ Planned | Checkmarx Ltd. | Release 2.17 | | 2025 | ⌚ Planned | Checkmarx Ltd. | Expand Custom Payloads support to additional rules | | 2025 | ⌚ Planned | | Expand PCAP import support | | 2025 | ⌚ Planned | | Expand gRPC support | | 2025 | ⚡ In progress | Checkmarx Ltd. | Improved Authentication Handling | | 2025 | ⚡ In progress | Checkmarx Ltd. | Continue to improve modern web app handling | | 2025 | ⚡ In progress | Checkmarx Ltd. | Automation Framework enhancements | | 2025 | ⚡ In progress | | Move Break Functionality to an add-on | | 2025 | ⚡ In progress | | OpenSSF Best Practices: Silver Currently 54 of 55 criteria met | | 2025 | ⚡ In progress | | Ensure alert details and examples are complete and up to date | | n/a | ♻ Ongoing | | Continue working on issues | | n/a | ♻ Ongoing | | Continue improving scan rules | | n/a | ♻ Ongoing | | Move core functionality to add-ons | | 2025 | 🎉 Finished | Checkmarx Ltd. | Release 2.16 | | 2025 | 🎉 Finished | Checkmarx Ltd. | Move Passive Scanner to an add-on | | 2025 | 🎉 Finished | Checkmarx Ltd. | Promote the Custom Payloads add-on to Release | | 2024 | 🎉 Finished | Checkmarx Ltd. | Improve sequence scanning functionality | | 2024 | 🎉 Finished | | Initial PCAP import support | | 2024 | 🎉 Finished | ZAProxy Ltd | Initial gRPC Support | | 2024 | 🎉 Finished | Checkmarx Ltd. | Improve modern web app handling | | 2024 | 🎉 Finished | CrashOverride | Secure Funding for ZAP Development | | 2024 | 🎉 Finished | | Automation Framework GitHub Action | | 2024 | 🎉 Finished | | Scripts as First Class Scan Rules | | 2024 | 🎉 Finished | | Release 2.15 | | 2024 | 🎉 Finished | NightVision | Document Target Scanning Issues | | 2024 | 🎉 Finished | NightVision | OpenAPI Authenticated Import | | 2024 | 🎉 Finished | NightVision | OAST API | | 2023 | 🎉 Finished | Google Summer of Code | Browser Recorder | | 2023 | 🎉 Finished | Google Summer of Code | Import Postman API Definitions into ZAP | | 2023 | 🎉 Finished | | Rebrand | | 2023 | 🎉 Finished | | Release 2.14 | | 2023 | 🎉 Finished | | Release 2.13 | | 2023 | 🎉 Finished | NightVision | AJAX Spider Element Exclusion | | 2023 | 🎉 Finished | Jit | Authentication handling improvements | | 2022 | 🎉 Finished | | Networking overhaul | | 2022 | 🎉 Finished | | Migrate manual request editor out of core | | 2022 | 🎉 Finished | | Migrate Spider out of core | | 2022 | 🎉 Finished | | Update minimum Java version to 11 | | 2022 | 🎉 Finished | | Add permanent DB support | | 2022 | 🎉 Finished | | Release 2.12 |