PortSwigger Burp Suite Professional Overview

PortSwigger Burp Suite Professional is the #1 ranked solution in top Fuzz Testing Tools, the #3 ranked solution in AST tools, and the #6 ranked solution in application security tools. PeerSpot users give PortSwigger Burp Suite Professional an average rating of 8 out of 10. PortSwigger Burp Suite Professional is most commonly compared to OWASP Zap. PortSwigger Burp Suite Professional is popular among the large enterprise segment, accounting for 62% of users researching this solution on PeerSpot. Professionals from computer software companies are the top industry group researching this solution, accounting for 26% of all views.
PortSwigger Burp Suite Professional Buyer's Guide

Download the PortSwigger Burp Suite Professional Buyer's Guide including reviews and more. Updated: June 2022

What is PortSwigger Burp Suite Professional?

Burp Suite Professional, by PortSwigger, is the world’s leading toolkit for web security testing. Over 52,000 users worldwide, across all industries and organization sizes, trust Burp Suite Professional to find more vulnerabilities, faster. With expertly-engineered manual and automated tooling, you're able to test smarter - not harder.

PortSwigger is the web security company that is enabling the world to secure the web. Over 50,000 security engineers rely on our software and expertise to secure their world.

PortSwigger Burp Suite Professional was previously known as Burp.

PortSwigger Burp Suite Professional Customers

Google, Amazon, NASA, FedEx, P&G, Salesforce

PortSwigger Burp Suite Professional Pricing Advice

What users are saying about PortSwigger Burp Suite Professional pricing:
  • "The solution used to be expensive. However, they have reduced the price to approximately $400.00 which is reasonable."
  • "There are multiple versions available of PortSwigger Burp Suite, such as enterprise, commercial, professional, and beginners."
  • "At $400 or $500 per license paid annually, it is a very cheap tool."
PortSwigger Burp Suite Professional Reviews

    Lead Security Architect at a comms service provider with 1,001-5,000 employees
    Real User
    Top 5 Leaderboard
    Best for manual penetration testing, a great user interface, and offers good scanning capabilities
    Pros and Cons
    • "The solution has a great user interface."
    • "It should provide a better way to integrate with Jenkins so that DAST (dynamic application security testing) can be automated."

    What is our primary use case?

    It's an individual tool that security professionals use for their manual pen-testing. We use it for capturing the traffic, intercepting the traffic between the browser and the application. We try to manipulate the applications, the traffic so that whatever input that is accepted by the application is sanitized and validated. We try to analyze the application for input validation. All inputs are handled correctly.

    Another use case is having a scanner module built-in where you can browse the entire application. The scanner can continuously scan the application for vulnerabilities based on OWASP Top 10 standards. Likewise, you can come to know what vulnerabilities are in the application. Later, you can go through the vulnerabilities one by one and triage them.

    There are many different modules in Burp Suite. We have a comparator module where you can compare the request and response. You have the Repeater module where you can repeat the sequences. They can be used for other test use cases such as doing disciplinary attacks or brute force attacks on the applications.

    Basically, there are a wide variety of use cases and applications.

    How has it helped my organization?

    Request handling capacity: it does not handle a huge chunk of requests, as it freezes. And obviously, as all tools do, Burp also gives some false positive results; vetting has to be done thoroughly.

    What is most valuable?

    The most valuable feature of Burp Suite is probably how we can intercept the request and response. We can manipulate a request and send it back to the server. Intercepting is one of the best features for sure. The scanner is excellent. The scanner is one of the good features. If you compare it to more expensive tools like WebInspect or IBM AppScan, you'll realize that, at a very low cost, Burp Suite can provide good results. There is a good amount of documentation available online. The solution is stable. The initial setup isn't too complex. The solution offers some great extensions through a BApp store. Users can implement extensions and upload them to the BApp store. The solution has a great user interface. Its strong user community is always helpful when it comes to any problem regarding the tool.

    What needs improvement?

    Although it provides great writeups for the identified vulnerabilities, reporting needs to improve with various reporting templates based on standards like OWASP, SANS Top 25, etc. The tool needs to expand its scope for mobile application security testing, where native mobile apps can be tested, and provide an interface to integrate with mobile device platforms or mobile simulators. Burp Suite has great ability to integrate with Jenkins, Jira, and TeamCity into a CI/CD pipeline and should provide better ways of integration with other similar platforms.

    For how long have I used the solution?

    I've been using the solution for more than eight years now - right from their open-source free version through to their professional version.

    What do I think about the stability of the solution?

    The stability is quite good. We have no complaints. There are no bugs or glitches. It doesn't crash or freeze. It's reliable.

    What do I think about the scalability of the solution?

    Obviously, Burp Suite is a DAST tool and a good asset for pentesters. However, we need to see how best it can be utilized for automation so that DAST can be automated. Dynamic application testing can be automated and we can integrate Burp into a CI/CD pipeline using Jenkins. That said, we need to use it in a more efficient way. There should be some methods or some guidance from Burp on how best we can use it for automation.

    How are customer service and support?

    We've never interacted with tech support. That's mostly due to the fact that there is already a lot of material that is available online. With all of the details readily available, we don't need to interact with tech support.

    How was the initial setup?

    The initial setup isn't too difficult. It's JAR based. I would say it's an analog file. It just requires minimum requirements like Java and a license. After that, you are good to go.

    What's my experience with pricing, setup cost, and licensing?

    Burp Suite provides different licenses. They have open-source free-to-use licenses, which can be used by anyone. Then, they have a standalone license that, as a security professional, you can use. They have their Enterprise version as well. I use the professional version. Initially, when we were using Burp Suite, I hardly remember the version we started at. The actual costs vary from country to country; however, I would say it's cheaper if you compare it to other DAST solutions and tools. Compared to other web application assessment tools, Burp Suite is a solid tool for web-based penetration testing for a reasonable price.

    What other advice do I have?

    We are just customers and end-users. I'd advise other organizations that this solution is a pretty good tool for manual penetration testing. It has good features like the Scanner and Sequencer, Repeater, and there are extensions. Burp extensions are available where they can customize Burp behavior using their own or third-party code. Those features will be really useful for Burp users. It's also obviously a very cost-effective option. I would rate the solution at a nine out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Cyber Security Analyst at a comms service provider with 10,001+ employees
    Consultant
    Excellent Intruder, Repeater, and Proxy features
    Pros and Cons
    • "The initial setup is simple."
    • "We'd like to have more integration potential across all versions of the product."

    What is our primary use case?

    Mainly, the solution is a proxy. It also contains different tools, including intruder tools for customized automated attacks and tools for repeating requests, or decoding, et cetera. Many tools are there that can perform different tasks for different use cases. Apart from that, we have the BApp Store which contains a lot of tools as well. This Burp Suite is an application where we have all the tools.

    It is mainly used for pen testing.

    How has it helped my organization?

    Features such as the Intruder, Repeater, and Proxy have helped our organization a lot.

    What is most valuable?

    The Intruder, Repeater, and Proxy features have been great.

    The initial setup is simple.

    It is an easily scalable product.

    The solution is very stable. 

    What needs improvement?

    In some cases, we got a few file postings while doing it by the automatic scan. If that could be better, that would be ideal. The scanner could just be updated a bit more. 

    We'd like to have more integration potential across all versions of the product. The enterprise version seems to have better integration services than others. 

    For how long have I used the solution?

    I've been working with the solution for six years. 

    What do I think about the stability of the solution?

    The solution is quite stable. There are no bugs or glitches and it doesn't crash or freeze. It is reliable. 

    What do I think about the scalability of the solution?

    The solution scales well. It's not an issue.

    How are customer service and support?

    I have also had some queries and I have used their support services. It was like all solutions out there. They are quite good in general.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    I have used many other tools. This is one of the best tools that I'm using. I found this one much better. 

    How was the initial setup?

    We have found the initial setup to be very simple and straightforward. It's not overly complex or difficult. 

    For any configuration for deployment in our project, we assign two people. We have a small team of two aligned with our project. They will handle everything related to implementation. The setup doesn't take longer than one day.

    In terms of maintenance, for the customers, what we are doing is we have an internal cyber security team, in which there are people doing the pen test. There are people who are doing the vulnerability assessment for the WASP scan, SaaS. For each, we have a separate team, and based on that, most of the deployments are done by these pen testers only. We do not provide maintenance for customers, however, we do provide reporting and technical support.

    What about the implementation team?

    Before Burp Suite, we had our own technical team there for everything, including deployment. We have a separate network team and they will manage everything - including installation. It is very simple. You can download that directly. It's all very easy to do in-house.

    What's my experience with pricing, setup cost, and licensing?

    I don't deal with any aspect of the licensing at this time. I can't speak to the exact pricing. 

    What other advice do I have?

    I'm just a customer and an end-user.

    We're using the latest version of the solution. We usually give an auto-update functionality. All the updates came automatically. We are updating it automatically.

    We actually have an .EXE file in our system. We have the professional version. We've downloaded and given out the access key. It's on-premises, not the cloud. 

    Overall, I've been very happy with the solution. I'd rate it nine out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Founder and Director at a financial services firm with 1-10 employees
    Real User
    Top 20
    Great reporting with good crawling capability and offers a simple setup
    Pros and Cons
    • "The solution has a pretty simple setup."
    • "The pricing of the solution is quite high."

    What is our primary use case?

    We primarily use the solution for security testing - specifically for web-application security. 

    What is most valuable?

    The crawling capability is excellent.

    The product has very good reporting capabilities. They give you multiple reporting options.

    The solution has a variety of different extensions that you can use.

    The solution has a pretty simple setup.

    What needs improvement?

    The pricing of the solution is quite high. It would be ideal for the customers if they could lower the costs involved in their subscription.

    We have new tools in R language programming platforms that are coming up. The solution needs to ensure it's compatible with that language.

    For how long have I used the solution?

    I've been using the solution for about two years at this point.

    What do I think about the stability of the solution?

    We use this solution every day. I don't have any issues with the solution. There aren't bugs or glitches. It doesn't crash or freeze. It's reliable.

    What do I think about the scalability of the solution?

    I'm a consultant. I tend to use the tool for my clients. I only have one license on my computer. I don't need to scale the product.

    The solution is scalable, however. There's a different version for that aspect. You have Community, Professional, and Enterprise editions. Each has different capabilities.

    How are customer service and technical support?

    The solution offers good support services. There's also the product team that can assist. Overall, I've been happy with the level of service I've received.

    Which solution did I use previously and why did I switch?

    I've worked with other solutions, such as Acunetix. As a consultant, I always have two to three tools for running and validating for testing. There is no plus or minus to each tool, really. The process itself would be more like using multiple tools to find out whether it appears in all the tools or not.

    How was the initial setup?

    The initial setup is not overly complex. It's easy and straightforward. A company shouldn't have any issues with the implementation process.

    The deployment takes a maximum of an hour, actually. If you have to configure some prerequisites, it is one hour tops. There are advanced setups; however, how advanced the implementation is depends on the client environment. If a company has an advanced setup, it could take some time.

    Ultimately, the solution is installed directly onto my laptop.

    The maintenance process is pretty minimal. The yearly subscription keeps everything updated. They will notify you if there is an upgrade that needs to be addressed.

    What's my experience with pricing, setup cost, and licensing?

    The pricing of the solution is quite high. Costs are based on their subscription model. The pricing affects whether a client will engage with me and the solution or not. It could be a deal-breaker. Budgets are often tight.

    What other advice do I have?

    The solution has an annual subscription model, and therefore you'll have to keep updating the new version. It's part of the package. They release a new version and that is covered under your subscription.

    I'm a consultant. I buy tools from multiple vendors. I provide development assessment services for my clients.

    This is one more product in the suite of tools or applications, which are used for testing. Anyone at any sized company could use this solution.

    I'd recommend this solution. It's one more tool to have in your bag.

    I would rate the solution at a ten out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company has a business relationship with this vendor other than being a customer: Consultant
    VinothKumar5 - PeerSpot reviewer
    Senior Technical Architect at Hexaware Technologies Limited
    Real User
    Effective automatic scanning, Academy portal for learning, and reliable
    Pros and Cons
    • "The automated scan is what I find most useful because a lot of customers will need it. Not every domain will be looking for complete security, they just need a stamp on the security key. For these kinds of customers, the scan works really well."
    • "There could be an improvement in the API security testing. There is another tool called Postman and if we had a built-in portal similar to Postman which captures the API, we would be able to generate the API traffic. Right now we need a Postman tool and the Burp Suite for performing API tests. It would be a huge benefit to be able to do it in a single UI."

    What is our primary use case?

    The solution is for web security testing and the primary use is to eliminate the false positives.

    How has it helped my organization?

    This solution has helped our company in many ways. PortSwigger Academy has given us the knowledge to be able to do deeper tests. The effectiveness of the tests is directly proportional to your knowledge about security testing. Even if you do not have this knowledge at the beginning, you can still perform some kind of testing. If you do not know how to choose your payload then it is going to suggest the built-in payloads to which you can perform those test attacks.

    You do not need to be an expert to use the solution, an intermediate skilled person can use it and over time they can become an expert. Sometimes it is difficult to find skilled employees to start working in this field for your company but with PortSwigger the new employee does not have to be an expert because they are able to grow quite quickly in their knowledge.

    What is most valuable?

    The automated scan is what I find most useful because a lot of customers will need it. Not every domain will be looking for complete security, they just need a stamp on the security key. For these kinds of customers, the scan works really well.

    What needs improvement?

    There could be an improvement in the API security testing. There is another tool called Postman and if we had a built-in portal similar to Postman which captures the API, we would be able to generate the API traffic. Right now we need a Postman tool and the Burp Suite for performing API tests. It would be a huge benefit to be able to do it in a single UI.

    In a future release, if there could be some kind of autonomous function, or user behavior prediction that would be beneficial.

    For how long have I used the solution?

    I have been using this solution for approximately three years.

    What do I think about the stability of the solution?

    The solution has not had any crashes or any problems. It is reliable.

    What do I think about the scalability of the solution?

    The solution is scalable. There are types of operations we can do and it has good peak performance.

    How are customer service and technical support?

    PortSwigger has something called Academy where you can go to learn about many things related to security testing.

    How was the initial setup?

    The installation is very easy.

    What's my experience with pricing, setup cost, and licensing?

    The solution used to be expensive. However, they have reduced the price to approximately $400.00 which is reasonable.

    Which other solutions did I evaluate?

    I have evaluated Zap.

    What other advice do I have?

    My advice to others just starting out with security testing is to evaluate Zap, which is open-source, to allow them to get an understanding of the processes. Then once they have an understanding they should look into PortSwigger Burp Suite Professional. This solution would win in comparison with its features and would be a very good choice after they have some experience.

    I rate PortSwigger Burp Suite Professional an eight out of ten.

    Which deployment model are you using for this solution?

    Hybrid Cloud
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Saminda Jayawardene - PeerSpot reviewer
    Compliance Manager at a tech services company with 201-500 employees
    Real User
    Top 5 Leaderboard
    Evaluate and ensure the security of web-based applications
    Pros and Cons
    • "In my area of expertise, I feel like it has almost everything I could possibly require at this moment."
    • "A lot of our interns find it difficult to get used to PortSwigger Burp's environment."

    What is our primary use case?

    We're a software development company. We specialize in ensuring application security for our customers. For each and every application we release, we issue a certificate explaining that the application is up to date and that all security testing has been successfully completed. In that certificate, we also mention that PortSwigger is one of the tools that we used to test the application.

    Presently, we have three users. In the future, regarding product testing, I am thinking of hiring another two people, which will make us a team of five. Currently, we're releasing a lot of applications. 

    Primarily we have three users, but keep in mind, we only have a single environment, which we need to improve and expand. 

    What is most valuable?

    The traffic interception capabilities are great. Spidering also produced some good results for us.

    What needs improvement?

    A lot of our interns find it difficult to get used to PortSwigger Burp's environment. The environment should be improved a little bit. Once you get used to it, it's fine, but it should be more simplified for newcomers. This would save us from constantly having to brief our interns. 

    What do I think about the stability of the solution?

    The stability is good; so far, we haven't come across any bugs.

    What do I think about the scalability of the solution?

    We use some different tools for web application testing, like Nmap and others. If PortSwigger Burp could actually scale up for web application scanning, that would be really good. This way, instead of using different tools, we could easily rely on one tool for all testing.

    How are customer service and technical support?

    We haven't had any reason yet to contact technical support. Aside from support, they should hold consistent webinars and offer updates, briefings, and panel discussions. This would greatly enhance our knowledge.

    Otherwise, the technical support is good enough. We haven't required their assistance yet, but soon we'll be needing assistance and information surrounding the latest improvements and updates.

    How was the initial setup?

    The initial setup can be complex. It needs to be deployed in between the traffic. They should include some case-scenarios to help, like a scenario-based briefing, that would really help and add a lot of value for the initial application tester. 

    What's my experience with pricing, setup cost, and licensing?

    It's a very unique way of pricing. It varies depending on the type of testing you are performing. Manual testing is expensive, but as we don't have another option, it seems to be fair.

    What other advice do I have?

    I would definitely recommend PortSwigger Burp. I've actually recommended it to some of my colleagues, students, and interns. I'm really comfortable and happy with it; besides, there are no other products to compare it to. 

    On a scale from one to ten, I would give this solution a rating of eight.

    If they included example scenarios and hosted educational webinars, I would give this solution a rating of ten.

    In my area of expertise, I feel like it has almost everything I could possibly require at this moment. Generally, I don't come across situations like that, so I am very happy with it.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    SivaPrakash - PeerSpot reviewer
    Senior Test Engineer II at a financial services firm with 201-500 employees
    Real User
    Top 5 Leaderboard
    Finds vulnerabilities but is not always cost effective
    Pros and Cons
    • "The feature that we have found most valuable is that it comes with pre-set configurations. They have a set of predefined options where you can pick one and start scanning. We also have the option of creating our own configurations, like how often do the applications need to be scanned."
    • "One area that can be improved, when compared to alternative tools, is that they could provide different reporting options and in different formats like PDF or something like that."

    What is our primary use case?

    Our use cases are to identify the vulnerabilities of OAST and the other applications we are using. 

    What is most valuable?

    The feature that we have found most valuable is that it comes with pre-set configurations. They have a set of predefined options where you can pick one and start scanning. We also have the option of creating our own configurations, like how often do the applications need to be scanned.

    Additionally, it has good reporting and dashboards and also integrates well with other task management applications that we're using.

    What needs improvement?

    One area that can be improved, when compared to alternative tools, is that they could provide different reporting options and in different formats like PDF or something like that.

    One more thing they can improve is that despite having a good architecture, it needs a lot of specification. So when you start a project, because it requires a high configuration, the instructor costs more than the project. So it's not cost efficient if it's a big project.

    For how long have I used the solution?

    We have different versions of PortSwigger Burp Suite. For the past few years we have been using a professional edition, which is a desktop application. Now we are moving to the Cloud so we explored the enterprise edition. Although we haven't implemented it yet we're already using it. Now we have a better idea how their scanners and spiders actually work.

    We've had a license for the professional version for the past two years.

    What do I think about the scalability of the solution?

    In terms of scalability, I think they can increase the number of regions. And more importantly, it doesn't restrict based on the domains you are scanning. So even if tomorrow you suggest some working space, you can still scan the domains for the regions that you have. If you want to increase the number that you scan, you can buy some more. So scalability is not a big problem, but I think if you are scanning from your side, you have to get the license for some of those activities. That's domain based licensing.

    Right now we have two or three people using it.

    How are customer service and technical support?

    PortSwigger Burp's technical support is all right. The issues are resolved very quickly so we don't have to wait for long. They also provide you with documentation. Just by going through the documentation we can solve many of our problems.

    How was the initial setup?

    The initial setup was straightforward. We can install it on a Linux machine. It was fast to set up.

    What's my experience with pricing, setup cost, and licensing?

    PortSwigger Burp costs around $7,000 and around $2,309 for licensing.

    What other advice do I have?

    On a scale of one to ten I would rate PortSwigger Burp a seven.

    For it to be a 10 it would need to implement the above mentioned different formats for reporting and the interactive security testing.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    AnkithKumar - PeerSpot reviewer
    Application Security Consultant at a tech services company with 10,001+ employees
    Real User
    Useful advanced tools, integrates well, and quick implementation
    Pros and Cons
    • "The most valuable feature of PortSwigger Burp Suite Professional is the advanced features, user-friendly interface, and integration with other tools."
    • "PortSwigger Burp Suite Professional can improve by having more features in the free version for beginners to try."

    What is our primary use case?

    We use PortSwigger Burp Suite Professional for security. I'm a security tester and I need it for my daily activities, I require it.

    How has it helped my organization?

    PortSwigger Burp Suite Professional has improved the organization by providing the security standards of the applications across the organization.

    We can test the weakness or loopholes in the application an attacker can use. We have an internal team that conducts the pen-testing from a hacker's point of view and tries to close the issue before it is opened to the internet.

    What is most valuable?

    The most valuable feature of PortSwigger Burp Suite Professional is the advanced features, user-friendly interface, and integration with other tools.

    What needs improvement?

    PortSwigger Burp Suite Professional can improve by having more features in the free version for beginners to try.

    For how long have I used the solution?

    I have been using PortSwigger Burp Suite Professional for approximately two years.

    What do I think about the stability of the solution?

    The reliability of PortSwigger Burp Suite Professional is good. It doesn't hang very much, and it doesn't get stuck anywhere, it is reliable.

    What do I think about the scalability of the solution?

    PortSwigger Burp Suite Professional is scalable. You can add in-scope items, and remove any items that are not on the scope.

    We have approximately 30 people using the solution in my organization. We have managers, consultants, and senior consultants using it. If our testers increase the number of users will increase and then we will increase our usage of this solution.

    How are customer service and support?

    I have not needed to use the support from PortSwigger Burp Suite Professional.

    Which solution did I use previously and why did I switch?

    I was previously using OWASP Zap.

    How was the initial setup?

    The initial setup of PortSwigger Burp Suite Professional was simple. It can be done in approximately three minutes.

    I rate the initial setup of PortSwigger Burp Suite Professional a five out of five.

    What about the implementation team?

    I did the implementation of PortSwigger Burp Suite Professional myself.

    If there is a software update it is fairly simple to upgrade. There is a lot of reference material online. 

    What's my experience with pricing, setup cost, and licensing?

    There are multiple versions available of PortSwigger Burp Suite, such as enterprise, commercial, professional, and beginners.

    Which other solutions did I evaluate?

    My company has paid for the license for the solution. The price of the solution could be less expensive.

    What other advice do I have?

    This is one of the best solutions in the market. I would advise others to try this solution out.

    I rate PortSwigger Burp Suite Professional a nine out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Shrey Sethi - PeerSpot reviewer
    Penetration Tester at a tech services company with 1,001-5,000 employees
    Real User
    Top 20 Leaderboard
    Good interface, feature-rich, and consistently being updated
    Pros and Cons
    • "With the Extender Tab, if you know how to code then you can create a plugin and add it to Burp."
    • "There is not much automation in the tool."

    What is our primary use case?

    I am a penetration tester at my company and PortSwigger Burp is one of the products that I use in this capacity. It is a manual testing penetration tool.

    What is most valuable?

    There are a lot of good features and the most valuable one varies depending on what test you are performing. They are also consistently improving and releasing new features.

    Two of the most valuable features are the Extender Tab and Repeater.

    With the Extender Tab, if you know how to code then you can create a plugin and add it to Burp. It's not limited to their features because we can always add or do some customization of the features.

    Even if you don't know how to code, there are hundreds of third-party plugins that are available to extend the features of the product. Some of them are open-source and there are some that are provided by Burp.

    The user interface is good, having been changed within the past two years.

    What needs improvement?

    There is not much automation in the tool.

    For how long have I used the solution?

    I have been using Burp Suite for between four and five years.

    What do I think about the stability of the solution?

    This is a very stable product. The tool is 15 years old and very mature.

    What do I think about the scalability of the solution?

    Scalability is not an issue because it is not centrally connected. Rather, it is a per-license, user-based tool. We have more than 20 users in the company.

    How are customer service and technical support?

    The documentation is very good, so I have never needed to contact technical support.

    How was the initial setup?

    The initial setup is very straightforward and simple.

    What about the implementation team?

    No staff is required for maintenance.

    What's my experience with pricing, setup cost, and licensing?

    At $400 or $500 per license paid annually, it is a very cheap tool.

    Which other solutions did I evaluate?

    In comparing features, there is no real competition for this solution. There are a couple of open-source products, but there is no real competitor for the Burp Suite.

    What other advice do I have?

    This is a standard tool in this industry and anybody who is doing application security testing should be aware of it. My advice for anybody who is considering it is that it is very easy to install and configure, and there is lots of documentation available.

    I would rate this solution a nine out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Buyer's Guide
    Download our free PortSwigger Burp Suite Professional Report and get advice and tips from experienced pros sharing their opinions.
    Updated: June 2022