Amelia Coen |
13 February 2025 at 13:52 UTC
Our commitment to innovation
At PortSwigger, we’re always striving to push the boundaries of what’s possible in application security, with a world-leading Research team dedicated to pioneering new hacking techniques.
Burp Suite has long been the go-to tool for pentesters, known for its extensibility, enabling security professionals to customize and enhance their workflows with powerful integrations and automation.
As part of this commitment, we’ve been exploring how artificial intelligence can further support your work. Today, we’re excited to announce that we’ve taken extensibility to the next level—introducing AI-powered extensions within Burp Suite Professional!
Extensibility with AI
AI-powered extensibility opens up new possibilities for solving challenges that were previously difficult or even impossible with traditional code alone. Now, you can leverage AI to enhance security testing, automate tedious tasks, and gain deeper insights into web application vulnerabilities.
By using our purpose-built Montoya API, you can seamlessly integrate AI capabilities with minimal overhead. When you integrate via the Montoya API, all of your interactions with AI are securely managed by Burp’s purpose-built, trusted platform, and all remain within PortSwigger’s trust boundary. This allows you to focus on developing your own tailored testing solution rather than managing complex AI infrastructures, while having confidence that none of your data is being used for training purposes.
Why use the Montoya API instead of wiring into AI directly?
- Purpose-built for security professionals.
- Seamless integration into Burp Suite with minimal setup.
- Allows you to focus on your solution, not the underlying AI infrastructure.
- Share your innovation with a community of 80,000+ testers via the BApp Store.
- Users of Burp Suite Professional will initially have access to a bundle of 10,000 free AI credits, so your extension can be used immediately, without cost concerns.
- You can create and use your AI-enhanced extension without having to set up your own account with an AI provider.
AI in Hackvertor
Gareth Heyes has been experimenting with AI extensibility, and now he has enhanced his Hackvertor extension with AI-powered functionality. These new capabilities showcase what’s possible when AI is seamlessly integrated into Burp Suite.
Gareth has enhanced Hackvertor with powerful new AI features that let you create custom tags for performing advanced transformations on a given input, all without writing a single line of code:
- Create custom tags that use AI to convert a given input based on instructions you provide as a natural language prompt.
- Use AI to automatically generate the code for a custom tag in your preferred language (JavaScript, Python, Java, Groovy) based on a given input and expected output. The AI also generates a natural language description of how the code works.
- Use AI to automatically generate pairs of tags for encoding/decoding strings based on encoded values it observes in Repeater requests.
To see Hackvertor’s AI-powered enhancements in action, watch Gareth’s video demonstration.
If you’re an extension developer, take inspiration from Gareth’s updates to Hackvertor and start enhancing your own extension with AI.
Experiment with AI in your extensions for free
To help you get started, all users of Burp Suite Professional have been awarded a set of 10,000 free AI credits. This means you can experiment, build, and deploy AI-powered extensions without incurring any costs – we encourage you to take advantage of this and start experimenting as soon as possible!
If you’re curious about how the credit system works, check out our documentation for a detailed explanation.
Trust & Security
We understand that AI in security tools raises important questions. As a long-standing and trusted vendor in the application security industry, we take your security and data seriously. Our goal is to empower you with AI-driven tools while maintaining the highest standards of trust and transparency.
For a more technical breakdown of how we ensure security and reliability, read more about how your data is handled in our documentation.
We’re committed to building trust through transparency, ensuring that AI in Burp Suite meets the highest security standards. To learn more about how we’re approaching AI integration at PortSwigger, and why we feel the AppSec industry should reconsider its natural skepticism, check out the following blog post from Burp Suite creator and PortSwigger’s Chief Swig, Dafydd Stuttard: Why it’s time for AppSec to embrace AI: How PortSwigger is leading the charge.
If you have any additional concerns, please reach out to us here.
Start building your own AI-powered extension
If you’re looking to learn more about AI-powered extensibility in action watch Gareth Heyes’ Hackvertor demo here.
We also have an example AI-powered extension to demonstrate using AI functionality with the Montoya API. This extension demonstrates using Burp’s built-in functionality to issue requests to an LLM and process the responses. It also uses an LLM to analyze in-scope requests and determine whether they are related to authentication.
Check out this example extension.
Ready to jump right in?
Experiment by building your own AI-powered extension using the Montoya API with your free credits. You can also submit it to the BApp store to allow thousands of security testers to benefit from your extension.
We’d love to hear how you’re getting on with this new AI functionality. Join the conversation on the PortSwigger Discord, and let the community know how you’re innovating with AI in Burp Suite in the dedicated Burp AI channel.
The future of security testing is here—supercharge your extensions with AI today!