We use the solution for scanning our in-house external facing website.
IT Manager at a manufacturing company with 10,001+ employees
A very user-friendly solution with good technical support, but it needs more advanced reporting.
Pros and Cons
- "The way they do the research and they keep their profile up to date is great. They identify vulnerabilities and update them immediately."
- "The biggest drawback is reporting. It's not so good. I can download them, but they're not so informative."
What is our primary use case?
How has it helped my organization?
It has provided users direct access to scan their websites and find vulnerabilities at a good price. Burp is one of the most extensively used tools in the org for other security-based investigations. We are trying to mitigate risk using vulnerabilities identified by Burp.
What is most valuable?
The solution is very user-friendly.
The way they do the research and they keep their profile up to date is great. They identify vulnerabilities and update them immediately.
What needs improvement?
The biggest drawback is reporting. It's not so good. I can download reports, but they're not so informative.
For example, they are providing very good information about vulnerabilities, but when you are scanning the whole pathway, we want to see information like percentages, how much is finishing, and how much it is not, etc. If the scan fails, they should tell us when or how it stopped, if it failed, why it has failed, and how to avoid something like this from happening again. They need something more in-depth and more technical.
I would like to have some more features, which I can play around with. It's not so flexible.
Buyer's Guide
PortSwigger Burp Suite Professional
May 2025

Learn what your peers think about PortSwigger Burp Suite Professional. Get advice and tips from experienced pros sharing their opinions. Updated: May 2025.
857,028 professionals have used our research since 2012.
For how long have I used the solution?
I've been using the solution for more than 1 year.
What do I think about the stability of the solution?
The solution sometimes has stability problems when they have fixed or released some new package. Instability has happened to us two or three times. It was difficult because we had to implement this disaster recovery plan at that point in time. It wasn't a disaster, but the whole system does stop because of that.
What do I think about the scalability of the solution?
Easily scalable when it comes to the Enterprise version, but the Enterprise version itself is not as effective as Pro.
How are customer service and support?
The technical support team is very good. They are quick at responding and they help us to resolve issues within the organization.
In the past, we had issues around connectivity while we were doing some scanning. The scanning kept getting killed somehow. The quality of the job was poor. The scan was not completed successfully, so we needed technical support to assist. It was hard to identify what the issue was and how to fix it, but they did.
Which solution did I use previously and why did I switch?
How was the initial setup?
The installation is not difficult. We only needed one person to handle the implementation. Setting up the agents may be tricky, but if a person is knowledgeable, it shouldn't be an issue.
What about the implementation team?
In-house one
Which other solutions did I evaluate?
When we had an issue with scanning, we did look into exploring other options like OWASP ZAP, Acunetix, etc. We stayed with Burp because we had it set up in our system, and then they had our scanning issue fixed.
What other advice do I have?
We use the on-premises deployment model.
I would rate the solution seven out of ten.
Which deployment model are you using for this solution?
Private Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
AVP - Software Quality Assurance at a tech services company with 201-500 employees
Very secure with excellent suite testing models and an easy initial setup
Pros and Cons
- "The suite testing models are very good. It's very secure."
- "The solution doesn't offer very good scalability."
What is our primary use case?
Currently, we're trying to import the solution to implement it to other applications for our website. So far, it's been fantastic.
What is most valuable?
The suite testing models are very good. It's very secure.
What needs improvement?
The solution isn't too stable. The fundamentals of it make it difficult to use. Sometimes it takes me to other applications that are being run.
The scalability capabilities of the solution could be improved.
For how long have I used the solution?
I've been using the solution for three years.
What do I think about the stability of the solution?
The stability is okay, but we are finding issues.
What do I think about the scalability of the solution?
The solution doesn't offer very good scalability.
How are customer service and technical support?
We haven't had to contact technical support.
Which solution did I use previously and why did I switch?
We didn't previously use a different solution.
How was the initial setup?
The initial setup is straightforward. Deployment doesn't take more than two to three hours.
What about the implementation team?
We handled the implementation ourselves.
What other advice do I have?
We use the on-premises deployment model.
I'd rate the solution nine out of ten. I haven't compared it with other vendors, but it is a best-seller currently.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Works
Proactively assess our in-house software for vulnerabilities in advance of public release
Pros and Cons
- "BurpSuite helps us to identify and fix silly mistakes that are sometimes introduced by our developers in their coding."
- "The Auto Scanning features should be updated more frequently and should include the latest attack vectors."
What is our primary use case?
We use this solution for the security assessment of web applications before their release to the internet. The security assessment team uses this product to identify vulnerabilities and vulnerable code that developers may introduce. We host all of the beta applications in our internal web servers and then the security team starts assessments when the development freezes.
How has it helped my organization?
In the early years, we did not check our web applications for security vulnerabilities before releasing them to customers. Since we began this practice for every application, our clients are really happy and value our work.
BurpSuite helps us to identify and fix silly mistakes that are sometimes introduced by our developers in their coding.
What is most valuable?
The auto scanning feature provides really good details about issues that it finds.
Crawling web applications using Burp Spider, Target Site Map, automating customized attack with Burp Intruder, and manipulating parameters with Burp Repeater are the most useful and used features.
What needs improvement?
The Auto Scanning features should be updated more frequently and should include the latest attack vectors.
It would be really helpful if the issue details contained example recommendations on how to fix the issues identified, or perhaps point to external recommendations for reference.
For how long have I used the solution?
I have been using this solution for more than five years.
What do I think about the stability of the solution?
I have never had issues running this application, so I would say it is stable.
What do I think about the scalability of the solution?
Scalability is very simple and easy.
How are customer service and technical support?
We have not needed to contact technical support, although there is a very big community of users.
Which solution did I use previously and why did I switch?
Prior to this solution, we used various open-source or free applications. We wanted to streamline and improve productivity by standardizing the products that we use.
How was the initial setup?
The initial setup of this solution is very straightforward and easy.
What about the implementation team?
We performed the deployment in-house. There were no complicated steps.
What was our ROI?
Our ROI is above two hundred percent.
What's my experience with pricing, setup cost, and licensing?
There is no setup cost and the cost of licensing is affordable.
Which other solutions did I evaluate?
We tested all of the free apps and could not find a stable all-in-one solution other than BurpSuite.
What other advice do I have?
All application development organizations should purchase BurpSuite and train their developers on how to use this solution to identify security flaws. This will help to ensure that the applications released to the public internet will have better protection from malicious attackers.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Cyber Security Analyst at a tech vendor with 1,001-5,000 employees
A low cost security solution that identifies issues quickly but could offer better integration
Pros and Cons
- "The Spider is the most useful feature. It helps to analyze the entire web application, and it finds all the passes and offers an automated identification of security issues."
- "The number of false positives needs to be reduced on the solution."
What is our primary use case?
The primary use case is security for the development lifecycle. We use the application for security testing.
How has it helped my organization?
The solution helps to identify security issues quickly.
What is most valuable?
The Spider is the most useful feature. It helps to analyze the entire web application and it finds all the passes and offers an automated identification of security issues.
What needs improvement?
The number of false positives needs to be reduced on the solution.
I'm not sure whether some features need to be added because the product has a specific toolset, and if I do need some additional features, currently I get them in different security products. The solution, however, could better integrate with various other tools.
For how long have I used the solution?
I've been using the solution for three years.
What do I think about the stability of the solution?
The solution is very stable.
What do I think about the scalability of the solution?
The solution is not designed to be scalable. You have an individual license, and I use it individually.
How are customer service and technical support?
I have not needed to use the solution's technical support.
Which solution did I use previously and why did I switch?
Before Burp I was manually proxying the data myself. I have experience making my own tools for security assessment. Burp is pretty convenient, and it's one of the most popular tools, which is why I began using it.
I also use Wireshark, which is pretty effective too.
How was the initial setup?
The initial setup was straightforward.
What about the implementation team?
We implemented the solution ourselves.
What's my experience with pricing, setup cost, and licensing?
Licensing is paid on a yearly basis. The yearly cost is about $300.
What other advice do I have?
For application security testing, I would suggest Burp. It's probably the leader in this area. It's just like analog tools such as OWASP ZAP, which is open-source. OWASP ZAP is still not as effective as Burp is.
The solution helps to find different security issues, and it helps identify many, many security issues quickly, and that's what makes it such a useful tool.
I would rate the solution seven out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
IT Auditor & Compliance Officer at a tech vendor with 51-200 employees
Proactively finds and solves issues before our external auditors do
Pros and Cons
- "Some of the extensions, available using Burp Extender, are also very good and we have found issues by using them."
- "I would like to see a more optimized solution, as it currently uses a lot of CPU power and memory."
What is our primary use case?
Our primary use for this solution is to perform vulnerability scanning before we deploy software in production.
How has it helped my organization?
This solution has done a lot to improve our organization. It allows us to be proactive and solve issues before our external auditors find them.
What is most valuable?
The most valuable feature of this solution is the scanning functionality. Some of the extensions, available using Burp Extender, are also very good and we have found issues by using them.
Burp Intruder is another very good feature in this solution.
What needs improvement?
I would like to see a more optimized solution, as it currently uses a lot of CPU power and memory. Sometimes, the application is blocking.
The reporting also needs improvement. Specifically, if there is an issue that exists on many pages, then I do not want to see the same thing repeated many times throughout the report. Rather, it should be pointed out as a global error, and only shown the one time.
In the next version, I would like an option to scan the environment where the application is installed. I would also like a better cryptographic study, with more controls.
For how long have I used the solution?
Between two and three years.
What do I think about the stability of the solution?
This solution is very stable.
What do I think about the scalability of the solution?
I would say that this is a very scalable solution.
We do plan to increase our usage, but not beyond the Professional version. It is not our intention to move to the Enterprise version right now.
How are customer service and technical support?
I would rate their technical support a five out of five.
How was the initial setup?
The initial setup and deployment are straightforward and take very little time.
Only one person from the IT department is required for deployment and maintenance.
What about the implementation team?
We handled the implementation internally.
What's my experience with pricing, setup cost, and licensing?
Our licensing cost is approximately $400 USD per year. There are no costs in addition to the standard licensing fees.
Which other solutions did I evaluate?
We did evaluate other options before choosing this solution.
What other advice do I have?
I would recommend this product to others. It is very straightforward and it is oriented to the application, which is why we chose it. I would also recommend reviewing and using the extensions that are available.
I would rate this solution a nine out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
Security Specialist at Alfa-A IT
Built-in manual tools help with finding bugs and vulnerabilities
Pros and Cons
- "This solution has helped a lot in finding bugs and vulnerabilities, and the scanner is good enough for simple web apps."
- "The scanner and crawler need to be improved."
What is our primary use case?
I use this primarily for intercepting mobile HTTP and HTTPS requests with SSL pinning bypass. It's a better tool for manual tasks.
How has it helped my organization?
This solution has helped a lot in finding bugs and vulnerabilities, and the scanner is good enough for simple web apps.
What is most valuable?
The best feature that I've found is the built-in manual tools.
What needs improvement?
The scanner and crawler need to be improved.
For how long have I used the solution?
More than three years.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Senior Security Engineer at an insurance company with 10,001+ employees
More accurate than other solutions we are using but can sometimes be slow to perform
Pros and Cons
- "This tool is more accurate than the other solutions that we use, and reports fewer false positives."
- "There is a lot to this product, and it would be good if when you purchase the tool, they can provide us with a more extensive user manual."
What is our primary use case?
Our primary use case for this solution is to perform application security testing.
How has it helped my organization?
I don't have specific metrics but I can say that using this tool adds value.
What is most valuable?
There are several features that I like about this solution. The most valuable feature is that it has support for add-ons where we can add extra little scripts to the tool to perform more automated testing.
I like using the Repeater feature to perform proxy testing, and the Repeaters have dashboards now. The add-ons are compatible with the dashboards, as well.
What needs improvement?
There is a lot to this product, and it would be good if when you purchase the tool, they can provide us with a more extensive user manual. This would help us to better understand the product, and we would not need to buy a separate book.
In the next release, I want to see it more interactive and have more multitasking with some faster features. Sometimes scanning takes a long time, so they need to add more tricks to reduce the time spent in security testing.
For how long have I used the solution?
More than one year.
What do I think about the stability of the solution?
Stability-wise it is good.
What do I think about the scalability of the solution?
It is possible to work on multiple projects at the same time. I have tried five or six, and it is working fine. I would agree that the scalability is very good, and we have not found a limit yet.
We have approximately thirty users for this solution and they are the testers. As our team grows, we'll need to buy more licenses.
How are customer service and technical support?
We have used technical support three times, and each time received an email within twenty-four hours. They first try to understand the problem, and then after this, they provide step by step instructions for what to do. It's pretty easy.
Which solution did I use previously and why did I switch?
We have always used Burp Suite because it is a well-known tool.
How was the initial setup?
This solution is very easy to install and understand.
For a single user, it will take thirty to forty-five minutes. For our organization, it took between eight and nine hours.
What about the implementation team?
We handled the implementation and deployment ourselves.
What was our ROI?
We have seen ROI with this product.
What's my experience with pricing, setup cost, and licensing?
The cost is approximately $500 for a single license, and there are no additional costs beyond the standard licensing fees.
Which other solutions did I evaluate?
We considered using OWASP Zed Attack Proxy, which is open source. We decided to use this alongside the current solution, and also with IBM Security AppScan.
This tool is more accurate than the other solutions that we use and reports fewer false positives.
What other advice do I have?
They are steadily improving things and adding features to this product. It was only three months ago when they added the dashboard support. Before that, they only had passive and active scanning to perform the testing part. It now has a complete website of scanning features which were previously not there.
I would rate this solution a seven out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Security Analyst at a tech services company with 201-500 employees
Very Well Suited for Personal Use
Pros and Cons
- "The product is very good just the way it is; it has everything already well established and functions great. I can't see any way for this current version to be improved."
- "The initial setup is a bit complex."
What is our primary use case?
My primary use case for this solution is designed around my own personal use. Burp Suite is a graphical tool for testing Web application security. The tool is written in Java.
How has it helped my organization?
I use Burp Suite on my laptop in my room for my personal research study. Since I don't use it for corporate work or company research purposes I can't comment on how it has improved my organization.
What is most valuable?
In my opinion, all of the features seem to be of equal value really. I'm currently using the latest version.
What needs improvement?
The product is very good just the way it is; it has everything already well established and functions great. I can't see any way for this current version to be improved.
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
My impressions of the stability of the solution are quite good.
What do I think about the scalability of the solution?
My impressions of the scalability of the solution are good.
Which solution did I use previously and why did I switch?
At work, I use an open source SAP solution. It's a free tool. It's a fully automated tool and it's fully furnished. Currently, I'm the only user and it's my job to analyze this product.
How was the initial setup?
The initial setup was somewhat complex, to be honest.
What's my experience with pricing, setup cost, and licensing?
My only advice for anyone looking for a personal use case for testing Web application security is this is a good option.
Which other solutions did I evaluate?
Before choosing this tool, no, I didn't evaluate any other options. I know what I wanted and I'm very happy with it.
What other advice do I have?
It's actually a very good product. It's pretty automated and it's easy to work with. No additional features need to be added because it's already an extraordinary tool. So there's no need for additional improvement.
Great product. I rate this product a 9 out of 10 for its total package of value-added features.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
