diff --git a/src/registrar/models/domain_application.py b/src/registrar/models/domain_application.py
index 67f1ee5d9..a335688f4 100644
--- a/src/registrar/models/domain_application.py
+++ b/src/registrar/models/domain_application.py
@@ -590,6 +590,11 @@ class DomainApplication(TimeStampedModel):
@transition(field="status", source=[SUBMITTED, IN_REVIEW], target=WITHDRAWN)
def withdraw(self):
"""Withdraw an application that has been submitted."""
+ self._send_status_update_email(
+ "action needed",
+ "emails/domain_request_withdrawn.txt",
+ "emails/domain_request_withdrawn_subject.txt",
+ )
@transition(field="status", source=[IN_REVIEW, APPROVED], target=REJECTED)
def reject(self):
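Review bot: The first argument passed in `withdraw()` is the literal `"action needed"`, which looks copied from another transition. If `_send_status_update_email` uses that value as the status label in its log or skip messages (its definition is outside this hunk), withdrawn requests would be recorded as action-needed notices; `"withdraw"` would be the matching label. It is also worth confirming that a delivery error raised inside the helper cannot abort the status transition itself. A test asserting that withdrawing sends exactly one message to the submitter would pin both behaviours.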
diff --git a/src/registrar/templates/emails/domain_request_withdrawn.txt b/src/registrar/templates/emails/domain_request_withdrawn.txt
new file mode 100644
index 000000000..6c671394b
--- /dev/null
+++ b/src/registrar/templates/emails/domain_request_withdrawn.txt
@@ -0,0 +1,69 @@
+{% autoescape off %}{# In a text file, we don't want to have HTML entities escaped #}
+Hi {{ application.submitter.first_name }}.
+
+Your .gov domain request has been withdrawn.
+DOMAIN REQUESTED: {{ application.requested_domain.name }}
+REQUEST #: {{ application.id }}
+STATUS: Withdrawn
+
+
+YOU CAN EDIT YOUR WITHDRAWN REQUEST
+The details of your withdrawn request are included below. You can edit and resubmit this application by logging into the registrar. .
+THANK YOU
+.Gov helps the public identify official, trusted information. Thank you for requesting a .gov domain.
+
+----------------------------------------------------------------
+SUMMARY OF YOUR DOMAIN REQUEST
+Type of organization:
+
+Organization name and mailing address:
+{{ application.organization_name }}
+{{ application.address_line1 }}
+{{ application.address_line2 }}
+{{ application.city }}
+{{ application.state_territory }}
+{{ application.zipcode }}
+
+Type of work:
+{{ application.type_of_work }}
+
+Authorizing official:
+{{ application.authorizing_official }}
+
+Current website for your organization:
+just current_websites
+{{ application.current_websites }}
+all
+{{ application.current_websites.all }}
+
+
+.gov domain:
+{{ application.requested_domain.name }}
+
+Purpose of your domain:
+{{ application.purpose }}
+
+Your contact information:
+{{ application.submitter.title }}
+{{ application.submitter }}
+{{ application.submitter.email }}
+{{ application.submitter.phone }}
+
+Other employees from your organization:
+all
+{{ application.other_contacts.all }}
+name
+{{ application.other_contacts.name }}
+
+Anything else we should know?:
+{{ application.anything_else }}
+
+Requirements for operating .gov domains:
+{{ application.more_organization_information }}
+
+----------------------------------------------------------------
+
+The .gov team
+Contact us:
+Visit
+{% endautoescape %}
\ No newline at end of file
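Review bot: The lines labelled `just current_websites`, `all` and `name` look like debugging leftovers. `{{ application.current_websites }}` and `{{ application.other_contacts.all }}` appear to be related managers, so they would print a manager or QuerySet representation into a message sent to the applicant, exposing internal object output and other contacts' details in raw form. Iterating instead, e.g. `{% for contact in application.other_contacts.all %}{{ contact }}{% endfor %}`, and dropping the label lines would avoid that. Because the whole body sits under `{% autoescape off %}`, applicant-supplied free text (`purpose`, `anything_else`, `organization_name`) is emitted verbatim, which is only safe while the message is sent as text/plain; the template comment should state that constraint. The `Type of organization:`, `Contact us:` and `Visit` lines have no value after them, and the sentence ending `registrar. .` has a stray period.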
diff --git a/src/registrar/templates/emails/domain_request_withdrawn_subject.txt b/src/registrar/templates/emails/domain_request_withdrawn_subject.txt
new file mode 100644
index 000000000..ab935fb1d
--- /dev/null
+++ b/src/registrar/templates/emails/domain_request_withdrawn_subject.txt
@@ -0,0 +1 @@
+Your .gov domain request has been withdrawn
\ No newline at end of file
diff --git a/src/zap.conf b/src/zap.conf
index bdd6b017d..b4e037ae4 100644
--- a/src/zap.conf
+++ b/src/zap.conf
@@ -31,7 +31,7 @@
10027 OUTOFSCOPE http://app:8080/public/js/uswds-init.min.js
# get-gov.js contains suspicious word "from" as in `Array.from()`
10027 OUTOFSCOPE http://app:8080/public/js/get-gov.js
-# Ignore wording of "TODO"
+# Ignores suspicious word "TODO"
10027 OUTOFSCOPE http://app:8080.*$
10028 FAIL (Open Redirect - Passive/beta)
10029 FAIL (Cookie Poisoning - Passive/beta)
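Review bot: The reworded comment still understates the rule below it: `10027 OUTOFSCOPE http://app:8080.*$` matches every URL on the app, so check 10027 is switched off site-wide rather than only for "TODO" hits. That also makes the per-file 10027 entries above it redundant. A comment such as `# Takes every URL out of scope for 10027 (suspicious comments); the per-file entries above are kept for reference` would record the real scope. If the intent is only to silence "TODO" matches, narrowing the pattern to the affected paths would keep the check active elsewhere.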