Lead Security Architect at a comms service provider with 1,001-5,000 employees
Real User
Best for manual penetration testing, a great user interface, and offers good scanning capabilities
Pros and Cons
  • "The solution has a great user interface."
  • "It should provide a better way to integrate with Jenkins so that DAST (dynamic application security testing) can be automated."

What is our primary use case?

It's an individual tool that security professionals use for their manual pen-testing. We use it for capturing the traffic, intercepting the traffic between the browser and the application. We try to manipulate the application's traffic so that whatever input is accepted by the application is sanitized and validated. We try to analyze the application for input validation. All inputs are handled correctly.

Another use case is having a scanner module built-in where you can browse the entire application. The scanner can continuously scan the application for vulnerabilities based on OWASP Top 10 standards. Likewise, you can come to know what vulnerabilities are in the application. Later, you can go through the vulnerabilities one by one and triage them.  

There are many different modules in Burp Suite. We have a Comparer module where you can compare the request and response. You have the Repeater module where you can repeat the sequences. They can be used for other test use cases such as doing dictionary attacks or brute force attacks on the applications.

Basically, there are a wide variety of use cases and applications.

How has it helped my organization?

Request handling capacity: it does not handle a huge chunk of requests, as it freezes.

And obviously, as all tools do, Burp also gives some false positive results; vetting has to be done thoroughly.

What is most valuable?

The most valuable feature of Burp Suite is probably how we can intercept the request and response. We can manipulate a request and send it back to the server. Intercepting is one of the best features for sure. 

The scanner is excellent. The scanner is one of the good features. If you compare it to more expensive tools like WebInspect or IBM AppScan, you'll realize that, at a very low cost, Burp Suite can provide good results.

There is a good amount of documentation available online. The solution is stable.

The initial setup isn't too complex.

The solution offers some great extensions through a BApp store. Users can implement extensions and upload them to the BApp store.

The solution has a great user interface.

Its strong user community is always helpful when it comes to any problem regarding the tool.

What needs improvement?

Although it provides great write-ups for the identified vulnerabilities, reporting needs to improve with various reporting templates based on standards like OWASP, SANS Top 25, etc. The tool needs to expand its scope for mobile application security testing, where native mobile apps can be tested, and provide an interface to integrate with mobile device platforms or mobile simulators. Burp Suite has a great ability to integrate with Jenkins, Jira, and TeamCity in a CI/CD pipeline and should provide better ways of integration with other similar platforms.

Buyer's Guide
PortSwigger Burp Suite Professional
April 2024
Learn what your peers think about PortSwigger Burp Suite Professional. Get advice and tips from experienced pros sharing their opinions. Updated: April 2024.
769,334 professionals have used our research since 2012.

For how long have I used the solution?

I've been using the solution for more than eight years now - right from their open-source free version through to their professional version.

What do I think about the stability of the solution?

The stability is quite good. We have no complaints. There are no bugs or glitches. It doesn't crash or freeze. It's reliable.

What do I think about the scalability of the solution?

Obviously, Burp Suite is a DAST tool and a good asset for pentesters. However, we need to see how best it can be utilized for automation so that DAST can be automated. Dynamic application testing can be automated, and Burp can be integrated into a CI/CD pipeline using Jenkins. That said, we need to use it in a more efficient way. There should be some methods or some guidance from Burp on how best we can use it for automation.

How are customer service and support?

We've never interacted with tech support. That's mostly due to the fact that there is already a lot of material that is available online. With all of the details readily available, we don't need to interact with tech support.

How was the initial setup?

The initial setup isn't too difficult. It's JAR based. I would say it's an analog file. It just has minimum requirements like Java and a license. After that, you are good to go.

What's my experience with pricing, setup cost, and licensing?

Burp Suite provides different licenses. They have open-source free-to-use licenses, which can be used by anyone. Then, they have a standalone license that, as a security professional, you can use. They have their Enterprise version as well. I use the professional version.

Initially, when we were using Burp Suite, I hardly remember the version we started at. 

The actual costs vary from country to country, however, I would say it's cheaper if you compare it to other DAST solutions and tools.

Compared to other web application assessment tools, Burp Suite is a solid tool for web-based penetration testing at a reasonable price.

What other advice do I have?

We are just customers and end-users.

I'd advise other organizations that this solution is a pretty good tool for manual penetration testing. It has good features like the Scanner and Sequencer, Repeater, and there are extensions. Burp extensions are available where they can customize Burp behavior using their own or third-party code. Those features will be really useful for Burp users. It's also obviously a very cost-effective option.

I would rate the solution at a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
RaviKumar21 - PeerSpot reviewer
Software Engineer at RadiSys
Real User
Top 20
Helps to scan APIs, set the response, and request errors
Pros and Cons
  • "PortSwigger Burp Suite Professional has an intercept tab that helps us to scan our APIs, set the response, and request errors."
  • "Scanning APIs using PortSwigger Burp Suite Professional takes a lot of time."

What is most valuable?

PortSwigger Burp Suite Professional has an intercept tab that helps us to scan our APIs, set the response, and request errors.

What needs improvement?

Scanning APIs using PortSwigger Burp Suite Professional takes a lot of time.

For how long have I used the solution?

I have been using PortSwigger Burp Suite Professional for the last six months.

What do I think about the stability of the solution?

PortSwigger Burp Suite Professional is a stable solution.

What other advice do I have?

PortSwigger Burp Suite Professional is a very good product. My experience with the solution has been very good.

Overall, I rate PortSwigger Burp Suite Professional an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Lead Cyber Security engineer at a manufacturing company with 10,001+ employees
Real User
Is fast, stable, and budget-friendly, but the dashboard needs improvement
Pros and Cons
  • "PortSwigger Burp Suite does not hamper the node of the server, and it does not shut down the server if it is running."
  • "The reporting needs to be improved; it is very bad."

What is our primary use case?

We use PortSwigger Burp Suite Professional for security testing and for doing vulnerability scanning mechanisms.

How has it helped my organization?

It has partially improved the organization's requirements; however, the scanning mechanism is pretty slow and takes a long time to scan. Moreover, the server hangs up while scanning.

What is most valuable?

This solution provides a very good mechanism for fixing interval time. For example, we can create a schedule, and the schedule runs on time. PortSwigger Burp Suite does not hamper the node of the server, and it does not shut down the server if it is running.

It is quite fast and easy to install as well.

It is also a budget-friendly tool.

What needs improvement?

The reporting needs to be improved; it is very bad.

The dashboard feature or the front-end of the tool does not look good and is not very creative or user-friendly. It looks complicated when we log in to the tool. It looks boring and outdated.

For how long have I used the solution?

I've been using this solution within the last 12 months.

What do I think about the stability of the solution?

Stability-wise, improvements have been made, and it is reliable.

How are customer service and technical support?

Technical support is not so easy to get a hold of. We had to learn most of the things through the documentation. However, the documentation is not readily available online. We have to create new calls for it, and we have to email them. So, if you have a problem, then it can take some time to resolve it.

Which solution did I use previously and why did I switch?

No, I didn't use one.

How was the initial setup?

The initial setup was straightforward and took about one to two weeks.

What's my experience with pricing, setup cost, and licensing?

It's a budget-based tool, and it's a pretty decent budget tool for the mid-version of the application. It's a lower priced tool that we can rely on with good standard mechanisms. We have a yearly license.

Which other solutions did I evaluate?

Client provided product

What other advice do I have?

If you're looking for a budget-friendly tool, I would recommend PortSwigger Burp Suite Professional.

On a scale from one to ten, I would rate this tool at seven.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Senior Test Engineer II at a financial services firm with 201-500 employees
Real User
Finds vulnerabilities but is not always cost effective
Pros and Cons
  • "The feature that we have found most valuable is that it comes with pre-set configurations. They have a set of predefined options where you can pick one and start scanning. We also have the option of creating our own configurations, like how often do the applications need to be scanned."
  • "One area that can be improved, when compared to alternative tools, is that they could provide different reporting options and in different formats like PDF or something like that."

What is our primary use case?

Our use cases are to identify the vulnerabilities of OAST and the other applications we are using. 

What is most valuable?

The feature that we have found most valuable is that it comes with pre-set configurations. They have a set of predefined options where you can pick one and start scanning. We also have the option of creating our own configurations, like how often do the applications need to be scanned.

Additionally, it has good reporting and dashboards and also integrates well with other task management applications that we're using.

What needs improvement?

One area that can be improved, when compared to alternative tools, is that they could provide different reporting options and in different formats like PDF or something like that.

One more thing they can improve is that despite having a good architecture, it needs a lot of specification. So when you start a project, because it requires a high configuration, the instructor costs more than the project. So it's not cost efficient if it's a big project.

For how long have I used the solution?

We have different versions of PortSwigger Burp Suite. For the past few years we have been using a professional edition, which is a desktop application. Now we are moving to the Cloud so we explored the enterprise edition. Although we haven't implemented it yet we're already using it. Now we have a better idea how their scanners and spiders actually work.

We've had a license for the professional version for the past two years.

What do I think about the scalability of the solution?

In terms of scalability, I think they can increase the number of regions. And more importantly, it doesn't restrict based on the domains you are scanning. So even if tomorrow you suggest some working space, you can still scan the domains for the regions that you have. If you want to increase the number that you scan, you can buy some more. So scalability is not a big problem, but I think if you are scanning from your side, you have to get the license for some of those activities. That's domain based licensing.

Right now we have two or three people using it.

How are customer service and technical support?

PortSwigger Burp's technical support is all right. The issues are resolved very quickly so we don't have to wait for long. They also provide you with documentation. Just by going through the documentation we can solve many of our problems.

How was the initial setup?

The initial setup was straightforward. We can install it on a Linux machine. It was fast to set up.

What's my experience with pricing, setup cost, and licensing?

PortSwigger Burp costs around $7,000 and around $2,309 for licensing.

What other advice do I have?

On a scale of one to ten I would rate PortSwigger Burp a seven.

For it to be a 10 it would need to implement the above mentioned different formats for reporting and the interactive security testing.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user787785 - PeerSpot reviewer
Senior Security Engineer at an insurance company with 10,001+ employees
Real User
More accurate than other solutions we are using but can sometimes be slow to perform
Pros and Cons
  • "This tool is more accurate than the other solutions that we use, and reports fewer false positives."
  • "There is a lot to this product, and it would be good if when you purchase the tool, they can provide us with a more extensive user manual."

What is our primary use case?

Our primary use case for this solution is to perform application security testing.

How has it helped my organization?

I don't have specific metrics but I can say that using this tool adds value.

What is most valuable?

There are several features that I like about this solution. The most valuable feature is that it has support for add-ons where we can add extra little scripts to the tool to perform more automated testing.

I like using the Repeater feature to perform proxy testing, and the Repeaters have dashboards now. The add-ons are compatible with the dashboards, as well. 

What needs improvement?

There is a lot to this product, and it would be good if when you purchase the tool, they can provide us with a more extensive user manual. This would help us to better understand the product, and we would not need to buy a separate book.

In the next release, I want to see it more interactive and have more multitasking with some faster features. Sometimes scanning takes a long time, so they need to add more tricks to reduce the time spent in security testing.

For how long have I used the solution?

More than one year.

What do I think about the stability of the solution?

Stability-wise it is good.

What do I think about the scalability of the solution?

It is possible to work on multiple projects at the same time. I have tried five or six, and it is working fine. I would agree that the scalability is very good, and we have not found a limit yet.

We have approximately thirty users for this solution and they are the testers. As our team grows, we'll need to buy more licenses.

How are customer service and technical support?

We have used technical support three times, and each time received an email within twenty-four hours. They first try to understand the problem, and then after this, they provide step by step instructions for what to do. It's pretty easy.

Which solution did I use previously and why did I switch?

We have always used Burp Suite because it is a well-known tool.

How was the initial setup?

This solution is very easy to install and understand.

For a single user, it will take thirty to forty-five minutes. For our organization, it took between eight and nine hours.

What about the implementation team?

We handled the implementation and deployment ourselves.

What was our ROI?

We have seen ROI with this product.

What's my experience with pricing, setup cost, and licensing?

The cost is approximately $500 for a single license, and there are no additional costs beyond the standard licensing fees.

Which other solutions did I evaluate?

We considered using OWASP Zed Attack Proxy, which is open source. We decided to use this alongside the current solution, and also with IBM Security AppScan.

This tool is more accurate than the other solutions that we use and reports fewer false positives.

What other advice do I have?

They are steadily improving things and adding features to this product. It was only three months ago when they added the dashboard support. Before that, they only had passive and active scanning to perform the testing part. It now has a complete website of scanning features which were previously not there.

I would rate this solution a seven out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Cyber Security Analyst at a tech vendor with 1,001-5,000 employees
Real User
A low cost security solution that identifies issues quickly but could offer better integration
Pros and Cons
  • "The Spider is the most useful feature. It helps to analyze the entire web application, and it finds all the passes and offers an automated identification of security issues."
  • "The number of false positives need to be reduced on the solution."

What is our primary use case?

The primary use case is security for the development lifecycle. We use the application for security testing.

How has it helped my organization?

The solution helps to identify security issues quickly.

What is most valuable?

The Spider is the most useful feature. It helps to analyze the entire web application and it finds all the passes and offers an automated identification of security issues.

What needs improvement?

The number of false positives needs to be reduced on the solution.

I'm not sure whether some features need to be added because the product has a specific toolset, and if I do need some additional features, currently I get them in different security products. The solution, however, could better integrate with various other tools.

For how long have I used the solution?

I've been using the solution for three years.

What do I think about the stability of the solution?

The solution is very stable.

What do I think about the scalability of the solution?

The solution is not designed to be scalable. You have an individual license, and I use it individually.

How are customer service and technical support?

I have not needed to use the solution's technical support.

Which solution did I use previously and why did I switch?

Before Burp I was manually proxying the data myself. I have experience making my own tools for security assessment. Burp is pretty convenient, and it's one of the most popular tools, which is why I began using it.

I also use Wireshark, which is pretty effective too.

How was the initial setup?

The initial setup was straightforward.

What about the implementation team?

We implemented the solution ourselves.

What's my experience with pricing, setup cost, and licensing?

Licensing is paid on a yearly basis. The yearly cost is about $300.

What other advice do I have?

For application security testing, I would suggest Burp. It's probably the leader in this area. It's just like analog tools such as OWASP ZAP, which is open-source. OWASP ZAP is still not as effective as Burp is.

The solution helps to find different security issues, and it helps identify many, many security issues quickly, and that's what makes it such a useful tool.

I would rate the solution seven out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Cyber Security Specialist at a university with 10,001+ employees
Real User
Top 20
Simple to use, informative centralized dashboard, and responsive support
Pros and Cons
  • "The most valuable feature of PortSwigger Burp Suite Professional is the dashboard. It is very informative and you can receive all the information you need in one place. It's clear, well-defined, and organized. Anybody without any cybersecurity can use it."
  • "PortSwigger Burp Suite Professional could improve the static code review."

What is our primary use case?

PortSwigger Burp Suite Professional can be used on the cloud or on-premise.

What is most valuable?

The most valuable feature of PortSwigger Burp Suite Professional is the dashboard. It is very informative and you can receive all the information you need in one place. It's clear, well-defined, and organized. Anybody without any cybersecurity can use it.

What needs improvement?

PortSwigger Burp Suite Professional could improve the static code review.

In an upcoming release, PortSwigger Burp Suite Professional can give some possible remedies for any issues it has discovered after a scan of an application. At this time it provides vulnerabilities, having the possible remedies would be a benefit. It would be useful for the developers, to fix the issue immediately.

For how long have I used the solution?

I have been using PortSwigger Burp Suite Professional for approximately five years.

What do I think about the stability of the solution?

The stability of PortSwigger Burp Suite Professional is good.

What do I think about the scalability of the solution?

The scalability of PortSwigger Burp Suite Professional is good, it can integrate with other platforms.

In the previous company I worked for, we had 50 people using this solution, and in my current company we have approximately 500 people using it.

How are customer service and support?

We can easily reach out to PortSwigger Burp Suite Professional support by phone, email, chat option, and a ticketing option, which is very good.

I rate the support from PortSwigger Burp Suite Professional a five out of five.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial setup of PortSwigger Burp Suite Professional is very simple.

Which other solutions did I evaluate?

Before choosing PortSwigger Burp Suite Professional I compared other tools, such as IBM AppScan. I found that PortSwigger Burp Suite Professional was more into web application security. The solution is very helpful, easy to use, and easy to install. They have a free version and anybody can start within minutes.

What solution is best depends on the client size and their requirements. If the client has a large enough budget, or if they're looking for an overall feature, I would recommend PortSwigger Burp Suite Professional as the primary go-to tool. However, if they're having any specific requirements, then they will have to think about using IBM AppScan.

What other advice do I have?

I would recommend the solution to technical professionals and non-technical persons. It is easy to use.

I rate PortSwigger Burp Suite Professional a nine out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Cyber Security Analyst at a comms service provider with 10,001+ employees
Consultant
Top 20
Excellent Intruder, Repeater, and Proxy features
Pros and Cons
  • "The initial setup is simple."
  • "We'd like to have more integration potential across all versions of the product."

What is our primary use case?

Mainly, the solution is a proxy. It also contains different tools, including Intruder tools for customized automated attacks and tools for repeating requests, decoding, et cetera. Many tools are there that can perform different tasks for different use cases. Apart from that, we have the BApp Store, which contains a lot of tools as well. Burp Suite is an application where we have all the tools.

It is mainly used for pen testing.

How has it helped my organization?

Features such as the Intruder, Repeater, and Proxy have helped our organization a lot.

What is most valuable?

The Intruder, Repeater, and Proxy features have been great.

The initial setup is simple.

It is an easily scalable product.

The solution is very stable. 

What needs improvement?

In some cases, we got a few false positives while doing it by the automatic scan. If that could be better, that would be ideal. The scanner could just be updated a bit more.

We'd like to have more integration potential across all versions of the product. The enterprise version seems to have better integration services than others. 

For how long have I used the solution?

I've been working with the solution for six years. 

What do I think about the stability of the solution?

The solution is quite stable. There are no bugs or glitches and it doesn't crash or freeze. It is reliable. 

What do I think about the scalability of the solution?

The solution scales well. It's not an issue.

How are customer service and support?

I have also had some queries and I have used their support services. It was like all solutions out there. They are quite good in general.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I have used many other tools. This is one of the best tools that I'm using. I found this one much better. 

How was the initial setup?

We have found the initial setup to be very simple and straightforward. It's not overly complex or difficult. 

For any configuration for deployment in our project, we assign two people. We have a small team of two aligned with our project. They will handle everything related to implementation. The setup doesn't take longer than one day.

In terms of maintenance, for the customers, what we are doing is we have an internal cyber security team, in which there are people doing the pen test. There are people who are doing the vulnerability assessment for the WASP scan, SaaS. For each, we have a separate team, and based on that, most of the deployments are done by these pen testers only. We do not provide maintenance for customers, however, we do provide reporting and technical support.

What about the implementation team?

Before Burp Suite, we had our own technical team there for everything, including deployment. We have a separate network team and they will manage everything, including installation. It is very simple. You can download that directly. It's all very easy to do in-house.

What's my experience with pricing, setup cost, and licensing?

I don't deal with any aspect of the licensing at this time. I can't speak to the exact pricing. 

What other advice do I have?

I'm just a customer and an end-user.

We're using the latest version of the solution. We usually give an auto-update functionality. All the updates came automatically. We are updating it automatically.

We actually have an .EXE file in our system. We have the professional version. We've downloaded and given out the access key. It's on-premises, not the cloud. 

Overall, I've been very happy with the solution. I'd rate it nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user