Burp Suite

Category: DAST
License: Freemium
Suphi Cankurt
AppSec Enthusiast
Updated February 7, 2026

Burp Suite is a widely used toolkit for web application security testing, popular among penetration testers and security researchers.

[Figure: Burp Suite dashboard showing scan overview and target information]

Burp Suite is developed by PortSwigger, comes pre-installed in Kali Linux, and is backed by over two decades of web security research. It is available in three editions: Community (free), Professional ($499/year), and Burp Suite DAST (formerly Enterprise) for automated CI/CD scanning.

Key Features

  • Editions: Community (free), Professional ($499/yr), DAST (enterprise)
  • Proxy: Intercepting proxy for HTTP/HTTPS/WebSocket
  • Scanner: Active and passive vulnerability scanning (Pro/DAST)
  • Extensions: 500+ BApps in the BApp Store
  • Attack tools: Intruder (Sniper, Battering Ram, Pitchfork, Cluster Bomb)
  • AI: Burp AI for scan analysis and attack suggestions
  • CI/CD: Docker-based scanning for the DAST edition
  • Vuln coverage: XSS, SQLi, CSRF, XXE, SSRF, directory traversal, and more

Intercepting Proxy

The core of Burp Suite. It sits between your browser and the target, capturing every HTTP/HTTPS request and response. Inspect, modify, and replay traffic in real time. Handles TLS interception, WebSocket messages, and match-and-replace rules.

Scanner (Pro/DAST)

Automated vulnerability detection with active probing and passive analysis. Covers the OWASP Top 10 and beyond. Configurable scan profiles let you tune speed vs. thoroughness. The DAST edition runs from a Docker container for CI/CD integration.

BApp Store

Hundreds of community and PortSwigger extensions: Active Scan++ for deeper scanning, Autorize for access control testing, JWT Editor for token manipulation, Logger++ for traffic analysis. Write your own in Java or Python.

[Figure: Burp Suite scan results showing vulnerability findings categorized by severity]

Manual Testing Tools

The manual testing tools are what separate Burp from automated-only DAST scanners:

  • Repeater — Send individual requests and iterate. Modify parameters, headers, and payloads to probe application behavior one request at a time.
  • Intruder — Automated attack tool for fuzzing and brute-forcing. Four attack types: Sniper (single position), Battering Ram (same payload everywhere), Pitchfork (parallel payloads), Cluster Bomb (all combinations).
  • Comparer — Diff two responses to spot subtle differences in application behavior.
  • Decoder — Encode and decode data in various formats (Base64, URL, hex, HTML).
  • Sequencer — Analyze the quality of randomness in tokens and session IDs.
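To make the four Intruder attack types concrete, here is an added Python example (not Burp's own code) that enumerates the request variants each mode would produce from a template marked with Burp-style § position markers. The template and payload sets are constructed sample values, and `request_count` gives the volume a mode would generate, which is worth knowing before pointing a scan at a rate-limited application.

```python
import itertools
import re
from typing import Iterator, List, Sequence

# Burp marks payload positions in a request template with section signs: §base§.
MARKER = re.compile("§([^§]*)§")


def _fill(template: str, values: Sequence[str]) -> str:
    """Substitute one value per marked position, left to right."""
    it = iter(values)
    return MARKER.sub(lambda _m: next(it), template)


def intruder_requests(template: str, attack_type: str,
                      payload_sets: Sequence[Sequence[str]]) -> Iterator[str]:
    """Yield the request variants Intruder would send for the given attack type."""
    bases: List[str] = MARKER.findall(template)  # original value at each position
    n = len(bases)
    if attack_type == "sniper":
        # One payload set, one position at a time; untouched positions keep their base value.
        for pos in range(n):
            for p in payload_sets[0]:
                vals = list(bases)
                vals[pos] = p
                yield _fill(template, vals)
    elif attack_type == "battering_ram":
        # The same payload is placed into every position at once.
        for p in payload_sets[0]:
            yield _fill(template, [p] * n)
    elif attack_type == "pitchfork":
        # One payload set per position, advanced in parallel; stops at the shortest set.
        for combo in zip(*payload_sets[:n]):
            yield _fill(template, combo)
    elif attack_type == "cluster_bomb":
        # Cartesian product of all sets: every combination, hence the largest request count.
        for combo in itertools.product(*payload_sets[:n]):
            yield _fill(template, combo)
    else:
        raise ValueError(f"unknown attack type: {attack_type}")


def request_count(template: str, attack_type: str,
                  payload_sets: Sequence[Sequence[str]]) -> int:
    """Number of requests a mode would send; useful for estimating scan volume."""
    return sum(1 for _ in intruder_requests(template, attack_type, payload_sets))


if __name__ == "__main__":
    # Constructed sample: two marked positions, two payload sets.
    tmpl = "GET /items?id=§1§&page=§1§ HTTP/1.1"
    sets = [["a", "b"], ["x", "y", "z"]]
    for mode in ("sniper", "battering_ram", "pitchfork", "cluster_bomb"):
        print(mode, request_count(tmpl, mode, sets), list(intruder_requests(tmpl, mode, sets)))
```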
Burp AI

PortSwigger added Burp AI to help testers understand application behavior, suggest attack vectors, and explain vulnerability findings. It is integrated into the Professional and DAST editions.

Editions Compared

Community Edition — Free. Manual testing tools with throttled scanning. Good for learning and basic assessments. No automated scanner.

Professional — $499/year. Full automated scanner, unthrottled Intruder, all manual tools, BApp Store access, Burp AI. The go-to for individual pentesters and security researchers.

Burp Suite DAST — Formerly Enterprise Edition, renamed April 2025. Designed for teams and CI/CD. Runs from Docker containers. Supports Jenkins, GitHub Actions, GitLab CI, Azure DevOps, and TeamCity. Cloud-hosted or self-hosted options.

Integrations

CI/CD (DAST Edition)
  • Jenkins
  • GitHub Actions
  • GitLab CI
  • Azure DevOps
  • TeamCity

Issue Tracking & Reporting
  • GitLab
  • Jira
  • Trello
  • Slack
  • Splunk

The DAST edition supports custom extensions, BChecks, and BApps in CI-driven scans.

Getting Started

1. Download and install — Get Community or Professional from portswigger.net. Runs on Windows, macOS, and Linux. Pre-installed in Kali Linux.
2. Configure your browser — Burp listens on 127.0.0.1:8080 by default. Set your browser to use this proxy, or use Burp’s built-in Chromium browser with the CA certificate pre-installed.
3. Browse and capture — Navigate your target application. Burp captures all traffic in the HTTP history. Use scope settings to filter out irrelevant domains.
4. Test and scan — Send interesting requests to Repeater for manual testing or Intruder for automated attacks. Run active scans (Pro/DAST) against specific endpoints or the entire target.
5. Report — Export findings as HTML, XML, or push to issue trackers. The DAST edition generates JUnit and Burp XML for CI/CD integration.

Best For

Professional penetration testers and security researchers who need manual control over web traffic. Nothing else gives you the same combination of proxy, scanner, and extensibility. For teams that only need automated CI/CD scanning, the DAST edition runs Burp’s scanner engine without requiring manual interaction.

Limitations

The Community Edition is severely limited for real-world work. Scan speeds are throttled, and you cannot save projects. If you are serious about web security testing, you need at least Professional.

Burp Suite is focused on web applications. It does not scan infrastructure, APIs defined only by specifications (without a running server), or mobile application binaries. For developer-friendly automated DAST without manual testing, consider Bright Security or StackHawk. For open-source alternatives, see ZAP.

Burp Suite is a DAST tool. It does not replace SAST for source code analysis, though it pairs well with static tools for full coverage.

Note: Enterprise Edition renamed to Burp Suite DAST in April 2025. Available as cloud-hosted or self-hosted.

Frequently Asked Questions

What does Burp Suite do?
Burp Suite is a web application security testing platform from PortSwigger. It acts as an intercepting proxy between your browser and the target application, letting you inspect, modify, and replay HTTP requests to find vulnerabilities like SQL injection and XSS.
Is Burp Suite free?
The Community Edition is free but limited to manual testing with throttled scan speeds. Professional costs $499/year and unlocks the full automated scanner. Burp Suite DAST (formerly Enterprise) has separate pricing for automated CI/CD scanning.
How does Burp Suite compare to OWASP ZAP?
Burp Suite Pro has a more polished interface and generally catches more vulnerability types in head-to-head tests. ZAP is fully free and open-source, making it the better choice for teams on a budget or those who want full customization without license restrictions.
Can Burp Suite run in CI/CD pipelines?
Burp Suite DAST is built for CI/CD integration. It runs from a Docker container and supports Jenkins, GitHub Actions, GitLab CI, and Azure DevOps. The Professional edition is a desktop tool for manual testers, not built for pipeline automation.
What are BApps?
BApps are extensions from the BApp Store, PortSwigger’s extension directory. There are hundreds available, covering everything from active scanning enhancements to JWT manipulation and access control testing. You can also write custom extensions in Java or Python.
