We just raised a $30M Series A: Read our story

PortSwigger Burp Suite Professional OverviewUNIXBusinessApplication

PortSwigger Burp Suite Professional is #1 ranked solution in top Fuzz Testing Tools, #3 ranked solution in AST tools, and #5 ranked solution in application security tools. IT Central Station users give PortSwigger Burp Suite Professional an average rating of 8 out of 10. PortSwigger Burp Suite Professional is most commonly compared to OWASP Zap:PortSwigger Burp Suite Professional vs OWASP Zap. The top industry researching this solution are professionals from a computer software company, accounting for 28% of all views.
What is PortSwigger Burp Suite Professional?

Burp Suite Professional, by PortSwigger, is the world’s leading toolkit for web security testing. Over 52,000 users worldwide, across all industries and organization sizes, trust Burp Suite Professional to find more vulnerabilities, faster. With expertly-engineered manual and automated tooling, you're able to test smarter - not harder.

PortSwigger is the web security company that is enabling the world to secure the web. Over 50,000 security engineers rely on our software and expertise to secure their world.

PortSwigger Burp Suite Professional is also known as Burp.

PortSwigger Burp Suite Professional Buyer's Guide

Download the PortSwigger Burp Suite Professional Buyer's Guide including reviews and more. Updated: November 2021

PortSwigger Burp Suite Professional Customers

Google, Amazon, NASA, FedEx, P&G, Salesforce

PortSwigger Burp Suite Professional Video

Pricing Advice

What users are saying about PortSwigger Burp Suite Professional pricing:
  • "Licensing costs are about $450/year for one use. For larger organizations, they're able to test against multiple applications while simultaneously others might have multiple versions of applications which needs to be tested which is why we have the enterprise edition."
  • "The solution used to be expensive. However, they have reduced the price to approximately $400.00 which is reasonable."
  • "There are different licenses available that include a free version."

PortSwigger Burp Suite Professional Reviews

Filter by:
Filter Reviews
Industry
Loading...
Filter Unavailable
Company Size
Loading...
Filter Unavailable
Job Level
Loading...
Filter Unavailable
Rating
Loading...
Filter Unavailable
Considered
Loading...
Filter Unavailable
Order by:
Loading...
  • Date
  • Highest Rating
  • Lowest Rating
  • Review Length
Search:
Showingreviews based on the current filters. Reset all filters
Vijayanathan Naganathan
Director - Head of Delivery Services at Ticking Minds Technology Solutions Pvt Ltd
Real User
Great design, excellent features like Intruder, Repeater, Decoder with plenty of plug-ins from community forums.

Pros and Cons

  • "Once I capture the proxy, I'm able to transfer across. All the requested information is there. I can send across the request to what we call a repeater, where I get to ready the payload that I send to the application. Put in malicious content and then see if it's responding to it."
  • "The biggest improvement that I would like to see from PortSwigger that today many people see as an issue in their testing. There might be a feature which might be desired."

What is our primary use case?

Clients come to me for an assessment of their web applications to see the risks that they are facing with their applications. They want to ensure that their application is free of being manipulated and also secure, so they reach out to us to do vulnerability assessment and application penetration testing. We make use of PortSwigger's BurpSuite tool carry this out. We look at it more from an application standpoint, what common vulnerabilities there are like the top 10 OWASP vulnerabilities like Injection(OS/SQL/CMD), broken authentication, session management, cross site request forgery, unvalidated redirects/forwards, etc. Those are the primary uses we make use for this tool.

How has it helped my organization?

We're an independent IT organization that specializes in vulnerability assessment and penetration testing, and we focus here on application security. This tool really helps me unearth security issues and vulnerabilities that are on the applications shared by my clients. Unearthing these issues really helps me build confidence and relationships with clients on two counts. First part is that, they want a reliable and robust tool with which we are able to unearth security issues in there. The second part of it is, I give them more confidence in their application securedness before they make a decision on going live.

I can't name customers, but I've been working with a US university education platform providing client for the last three years. Earlier we tried different tools but in the last couple of years, we stuck to the Burp Suite tool and year after year, we've been periodically doing the application security for them. The confidence has really leveraged the relationship to build the pipeline of business that I have. At the same time, the confidence that the customer in their platform going live has remained intact. That really helps me build accountability and it helps me put forward my organization as a strong security testing organization space.

What is most valuable?

I like the way the tool has been designed. Once I capture the proxy, I'm able to transfer across, all the requested information that is there. I can send across the request to the 'Repeater' feature. I put in malicious payloads and then see how the application responds to it.

More than that, the Repeater and Intruder are really awesome features on BurpSuite. For example, if I'm going to test for a SQL injection, I have certain payloads that are trying to break into the application. I make use of these predefined payloads which come as part of the tool are really useful for us to use and see how the application behaves. With the help of the BurpSuite tool, we are very well ahead to see if the application is going to break at any point in time.

So the Repeater and the Intruder, are great features that are there. More than that I think the entire community support is really fabulous. As well as of the number of plug-ins that people have written for the tool. Those have been standouts. Community support is really strong. We see a lot of plug-ins that are made available that work along with the tool.

What needs improvement?

In the earlier versions what we saw was that the REST API was something that needed to be improved upon but I think that has come in the new edition when I was reading through the release offset available. 

There is a certain amount of lead time for the tickets to get resolved. The biggest improvement that I would like to see from PortSwigger is what many people see as a need in their security testing that coudl be priortized and developed as a feature which can be useful. For example, if they're able to take these kinds of requests, group them, prioritize and show this is how the correct code path is going to be in the future, this is what we're going to focus around in building in the next six months or so. That could be something that will be really valuable for testers to have.

For how long have I used the solution?

I've been using the solution for about three years.

What do I think about the stability of the solution?

Burp Suite is quite robust. The good part is that it also comes with an automatic back-up feature in it which automatically saves all the request-responses, alerts, attacks in the systems periodically.In the event of your laptop crashing/going down on power, you still have last saved application state which has saved the recording. Once you power up again, you can launch Burp Suite and go back the last point of save of the complete recording /requests/tests in the system.

What do I think about the scalability of the solution?

With the open edition, it's not a problem to install on any number of machines. When it comes to the professional edition, you need a license and you have to pick a license type. I have to use it against a particular machine on which I would run. From there I would run my scans. Let's say I don't find my laptop or my computer fast enough, and I decide to move my license across to a higher processor, higher memory laptop or computer, I can easily move the license across to the new machine.

As long as I am on that particular license use, I have one license that I'm able to move across to one instance at any given point of time. That is quite stable. I think even more than that, for a top-priced edition you can take multiple contract licenses. Something like a license server where you might have five licenses. You might have 10 installations and you can have different people working on various routes use the tool. Only those five licenses will be needed. In that instance, scalability is definitely a great point for most uses.

Currently, if you look at the users that are linked to roles that we have, one is the security test engineer and one is the security test analyst. At any given point in time, only one person uses the tool for engagement in the professional edition. We have about two to three people working with us on these projects.

How are customer service and technical support?

I found technical support to be quite responsive. I usually get an email response within three or four hours which is very good. There's plenty of documentation that has relatively good pointers as to the documentation's impact. Also, documentation is a good part of the knowledge base. They have started something that's very awesome by implementing that. They point us to areas in our tickets that have answers within the available knowledge base documentation, which is shared as part of the whole response. It's definitely a good thing.

Which solution did I use previously and why did I switch?

I've used different tools like Acunetix. 

The first tool that we started with was Acunetix. Acunetix as quite expensive, first and foremost. It's more suitable for web application scanning and penetration. PortSwigger's has a larger play beyond applications, it supports REST API and all that stuff, that kind of support is great with PortSwigger.

The kind of mechanism that's there is you can just capture the flow if the application. They usually have what is called as a flow sequence in proxy history with which all the user actions are captured. That's all that is done by the tool completely. Once that information is there, much you can control exploit requests with the tool. Whatever the tool shows, I have the opportunity to throttle and change payloads and see how the application behaves.

We used the online web scanners with Acunetix. We found it a little difficult and that was one reason why. In fact, when we got the contract with the client and we evaluated multiple tools, that's why we chose PortSwigger's BurpSuite.

How was the initial setup?

The initial setup was straightforward. It's not complex at all. Today it comes along with a job size which makes it much more affordable and easy. I don't think the installation is ever a challenge here. 

In some setups, all I do is this: if I'm setting it up for Windows, I cannot get my path through which I want to set this up. A few clicks and I'll be able to get the entire tool set up. I would say it requires some amount of knowledge to do testing. So also we are able to set up the tool against an application. Let's say there is an application that comes through for testing. Until I get to know the way I have to configure the target URLs and capture the entire traffic flow. That is easy. Now there are jar files also being made available for easier instantiation of the tool.

It is not a challenge in setting up the tool at all because there's plenty of videos and documentation available around in both the PortSwigger website as well as in open forums like YouTube and all that. It's quite easy to set it up. Personally, I haven't had trouble. We haven't had any major challenges in terms of setting up the tool. Not just purely from an installation standpoint, but also from a perspective of beginning to capture traffic across the different applications that we serve. 

The installation takes about less than four to five minutes. It doesn't take more than that.

In terms of security implementation strategy, when we take control of any tests that we do, we set the proxies in place based on the settings that are there on the tool and then set up the same proxy across on a browser for which we will capture the traffic. Once we do that, our implementation strategy is to capture the entire traffic in terms of specifying a target URL, the application or the website and the test. We do a proper login and ensure that all the data captures are there. Then we see that all the requested sponsors are getting logged in properly inside the tool and we are able to capture that. So once we do that, we try to simulate all user flows that would be there on the tool. 

Based on the different tools that are there, we capture the flow and enter a fake login and then we do a scan. The scan helps to unlock issues that are there. That kind of test is to identify all the actions that we do. We particularly do what is called an active scan which is like after you use the browser, make all the user clicks, events, and all that, the tool is able to capture it in the background. It does an active scan, and it gives what are potential issues that are there. So once we are done with that, we look at all the issues that are there, and then we make it run through a boot scan based on the requests that we have captured. Typically this takes a final good amount of time which depends on the amount of traffic that you have captured through the tool.

The one good thing that I would like to highlight is that irrespective of how much traffic is captured from my application flow, the tool is quite robust. I have seen other tools that sometimes the application, or rather the tool, becomes non-responsive. I haven't seen those kinds of issues here.

Then, once we are done with the scan, we pick and choose what are the issues that are there. We look for what are the trouble spots, and what issues are being highlighted. Then we check each of those specific requests, sending them over to another team member, and try them with different payloads, putting them across in the intruder and unearthing issues. So that helps me really test the application using PortSwigger comprehensively, and, more importantly, at the end of the test, it makes it quite easy for me to generate a report which is quite nice and simple which I can forward across to the client. That is essentially the way I go about in my implementation of security testing.

What about the implementation team?

We did the implementation in-house.

What was our ROI?

In terms of ROI, I'd say it helps with client engagement. The tools in relation to ROI allow me to win back-to-back contracts for application security testing with the customers. I would even say I'd be able to break in on a first engagement itself. 

What's my experience with pricing, setup cost, and licensing?

Licensing costs are about $450/year for one use. For larger organizations, they would be able to test against multiple applications simultaneously while others might have multiple versions of applications which needs to be tested which is why there is an enterprise edition. We might have more than five to six people in the organizations doing security testing. You can give full-base access to them and control who uses your licenses.

It depends on the stream of projects, business pipeline that I get, but security is not something that done all throughout the year. We get it in cycles. We pace it in such a way that from our different customers that we work with, we actually have one project running throughout the year. I might do a project for Client X during the month of let's say January to February. Then for another client, I might have something lined up for April to May. So with a single license, I am able to maximize the usage very well.

What other advice do I have?

The tool comes in three type. First, there is the  Open Community Edition, which is meant for people who use it to learn the tool or use it to secure their system. This edition does not have scanning features enabled to source scan the against application URLs or websites. From the standpoint of learning about security tests or assessing the security of application without scanning, the community edition really helps.

Then you also have a Professional edition which is more meant for doing comprehensive vulnerability assessment and penetration application which is very important. Especially for independent teams like ours who make use of tools based on tech, etc. The good part about the professional edition is that it comes with a term license which is cost-effective. You pay for an annual charge and use it for a year's time and then you can extend it on an as-needed basis.

Apart from these, we also have an Enterprise Edition which has features like scan schedulers unlimited scalability to test across multiple websites in parallel, supporting multiple user access with role based access control and easy integration with CI tools.

The very best way this tool can be used through is to understand the application, identify the various roles that are there in the application. Then capture the user flows, with Port Swigger's BurpSuite, and understand what the requests are making use of the different features in BurpSuite. 

Post this the teams look at and analyze all the requests being sent. Observe the requests, use various roles with the tool using a repeater and intruder, analyze what's breaking through in the application. As you can quickly analyze with the intruder out here how the application's really behaving, how the payload is being sent across the tool. Then you get a quick sense of what's available which could be checked through for false positives and then arrive at the final output along with it.

This is how I would like to handle the implementation of the solution.

I would rate this solution 10 out of 10.

Which deployment model are you using for this solution?

On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Disclosure: I am a real user, and this review is based on my own experience and opinions.
VishalDhamke
Lead Security Architect at SITA
Real User
Top 5Leaderboard
Best for manual penetration testing, a great user interface, and offers good scanning capabilities

Pros and Cons

  • "The solution has a great user interface."
  • "It should provide a better way to integrate with Jenkins so that DAST (dynamic application security testing) can be automated."

What is our primary use case?

It's an individual tool that security professionals use for their manual pen-testing. We use it for capturing the traffic, intercepting the traffic between the browser and the application. We try to manipulate the applications, the traffic so that whatever input that is accepted by the application is sanitized and validated. We try to analyze the application for input validation. All inputs are handled correctly.

Another use case is having a scanner module built-in where you can browse the entire application. The scanner can continuously scan the application for vulnerabilities based on OWASP Top 10 standards. Likewise, you can come to know what vulnerabilities are in the application. Later, you can go through the vulnerabilities one by one and triage them.  

There are many different modules in Burp Suite. We have a comparator module where you can compare the request and response. You have the Repeater module where you can repeat the sequences. They can be used for other test use cases such as doing disciplinary attacks or brute force attacks on the applications. 

Basically, there are a wide variety of use cases and applications.

How has it helped my organization?

Request handling capacity, it do not handle huge chuck of requests as it freezes.

And obviously as all tool does Burp also gives some false positive results, vetting has to be done thoroughly.

What is most valuable?

The most valuable feature of Burp Suite is probably how we can intercept the request and response. We can manipulate a request and send it back to the server. Intercepting is one of the best features for sure. 

The scanner is excellent. The scanner is one of the good features. If you compare it to more expensive tools like WebInspect or IBM AppScan, you'll realize that, at a very low cost, Burp Suite can provide good results.

The is a good amount of documentation available online. The solution is stable.

The initial setup isn't too complex.

The solution offers some great extensions through a BApp store. Users can implement extensions and upload them to the BApp store.

The solution has a great user interface.

Its strong user community is always helpful when it comes to any problem regarding the tool.

What needs improvement?

Although it provides great writeup for the identified vulnerabilities but reporting needs to improve with various reporting templates based on standards like OWASP, SANS Top 25, etc. The tools needs to expand its scope for mobile application security testing, where native mobile apps can be tested and can provide interface to integrate with mobile device platform or mobile simulator's. Burp suite has great ability to integrate with Jenkins, Jira, Teamcity into CI/CD pipeline and should provide better ways of integration with other such similar platforms.

For how long have I used the solution?

I've been using the solution for more than eight years now - right from their open-source free version through to their professional version.

What do I think about the stability of the solution?

The stability is quite good. We have no complaints. There are no bugs or glitches. It doesn't crash or freeze. It's reliable.

What do I think about the scalability of the solution?

Obviously, Burp Suite is a DAST tool and good asset for pentester's. However, we need to see how best it can be utilized for automation so that DAST can be automated. Dynamic application testing can be automated and can integrate Burp into CI/CD pipeline using Jenkins. That said, we need to make it use it in a more efficient way. There should be some methods or some guidance from Burp on how best we can use it for automation.

How are customer service and technical support?

We've never interacted with tech support. That's mostly due to the fact that there is already a lot of material that is available online. With all of the details readily available, we don't need to interact with tech support.

How was the initial setup?

The initial setup isn't too difficult. It's JAR based. I would say it's an analog file. It just requires minimum requirements like Java and a license. After that, you are good to go.

What's my experience with pricing, setup cost, and licensing?

Burp Suite provides different licenses. They have open-source free-to-use licenses, which can be used by anyone. Then, they have a standalone license that, as a security professional, you can use. They have their Enterprise version as well. I use the professional version.

Initially, when we were using Burp Suite, I hardly remember the version we started at. 

The actual costs vary from country to country, however, I would say it's cheaper if you compare it to other DAST solutions and tools.

Compared to other web applications assessment tools Burp suite is a solid tool for web based penetration testing for a reasonable price.

What other advice do I have?

We are just customers and end-users.

I'd advise other organizations that this solution is a pretty good tool for manual penetration testing. It has good features like the Scanner and Sequencer, Repeater, and there are extensions. Burp extensions are available where they can customize Burp behavior using their own or third-party code. Those features will be really useful for Burp users. It's also obviously a very cost-effective option.

I would rate the solution at a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
Learn what your peers think about PortSwigger Burp Suite Professional. Get advice and tips from experienced pros sharing their opinions. Updated: November 2021.
552,695 professionals have used our research since 2012.
AA
Founder and Director at a financial services firm with 1-10 employees
Real User
Top 20
Great reporting with good crawling capability and offers a simple setup

Pros and Cons

  • "The solution has a pretty simple setup."
  • "The pricing of the solution is quite high."

What is our primary use case?

We primarily use the solution for security testing - specifically for web-application security. 

What is most valuable?

The crawling capability is excellent.

The product has very good reporting capabilities. They give you multiple reporting options.

The solution has a variety of different extensions that you can use.

The solution has a pretty simple setup.

What needs improvement?

The pricing of the solution is quite high. It would be ideal for the customers if they could lower the costs involved in their subscription.

We have new tools in R language programming platforms that are coming up. The solution needs to ensure its compatible with that language.

For how long have I used the solution?

I've been using the solution for about two years at this point.

What do I think about the stability of the solution?

We use this solution every day. I don't have any issues with the solution. There aren't bugs or glitches. It doesn't crash or freeze. It's reliable.

What do I think about the scalability of the solution?

I'm a consultant. I tend to use the tool for my clients. I only have one license on my computer. I don't need to scale the product.

The solution is scalable, however. There's a different version for that aspect. You have Community, Professional, and Enterprise editions. Each has different capabilities.

How are customer service and technical support?

The solution offers good support services. There's also the product team that can assist. Overall, I've been happy with the level of service I've received.

Which solution did I use previously and why did I switch?

I've worked with other solutions, such as Acutenix. As a consultant, I always have two to three tools for running and validating for testing. There is no plus or minus to each tool, really. The process itself would be more like using multiple tools to find out whether it appears in all the tools or not.

How was the initial setup?

The initial setup is not overly complex. It's easy and straightforward. A company shouldn't have any issues with the implementation process.

The deployment takes a maximum of an hour, actually. If you have to configure some prerequisites, it is one hour tops. There are advanced setups, however, how advanced the implementation depends on the client environment. If a company has an advanced setup, it could take some time. 

Ultimately, the solution is installed directly onto my laptop.

The maintenance process is pretty minimal. The yearly subscription keeps everything updated. They will notify you if there is an upgrade that needs to be addressed.

What's my experience with pricing, setup cost, and licensing?

The pricing of the solution is quite high. Costs are based on their subscription model. The pricing affects whether a client will engage with me and the solution or not. It could be a deal-breaker. Budgets are often tight.

What other advice do I have?

The solution has an annual subscription model, and therefore you'll have to keep updating the new version. It's part of the package. They release a new version and that is covered under your subscription.

I'm a consultant. I buy tools from multiple vendors. I provide development assessment services for my clients.

This is one more product in the suite of tools or applications, which are used for testing. Anyone at any sized company could use this solution.

I'd recommend this solution. It's one more tool to have in your bag.

I would rate the solution at a ten out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Consultant
NC
IT Manager at a manufacturing company with 10,001+ employees
Real User
Top 5Leaderboard
A very user-friendly solution with good technical support, but it needs more advanced reporting.

Pros and Cons

  • "The way they do the research and they keep their profile up to date is great. They identify vulnerabilities and update them immediately."
  • "The biggest drawback is reporting. It's not so good. I can download them, but they're not so informative."

What is our primary use case?

We use the solution for scanning our in-house external facing website.

How has it helped my organization?

It has been provide user direct access to users scan their websites and find vulnerability in good price. Burp is one of the most extensively used tool in org to do other security based investigations. We are trying to mitigate risk using vulnerabilities identified by Burp.

What is most valuable?

The solution is very user-friendly.

The way they do the research and they keep their profile up to date is great. They identify vulnerabilities and update them immediately. 

What needs improvement?

The biggest drawback is reporting. It's not so good. I can download reports, but they're not so informative. 

For example, they are providing very good information about vulnerabilities, but when you are scanning the whole pathway, we want to see information like percentages, how much is finishing, and how much it is not, etc. If the scan fails, they should tell us when or how it stopped, if it failed, why it has failed, and how to avoid something like this from happening again. They need something more in-depth and more technical. 

I would like to have some more features, which I can play around with. It's not so flexible.

For how long have I used the solution?

I've been using the solution for more than 1 year.

What do I think about the stability of the solution?

The solution sometimes has stability problems when they have fixed or released some new package. Instability has happened to us two or three times. It was difficult because we had to implement this disaster recovery plan at that point in time. It wasn't a disaster, but the whole system does stop because of that.

What do I think about the scalability of the solution?

Easily scalable when it comes to Enterprise version. but Enterprise version itself is not as effective as pro.

How are customer service and technical support?

The technical support team is very good. They are quick at responding and they help us to resolve issues within the organization.

In the past, we had issues around connectivity while we were doing some scanning. The scanning kept getting killed somehow. The quality of the job was poor. The scan was not completed successfully, so we needed technical support to assist. It was hard to identify what the issue was and how to fix it, but they did.

Which solution did I use previously and why did I switch?


How was the initial setup?

The installation is not difficult. We only needed one person to handle the implementation. Setting up the agents may be tricky, but if a person is knowledgable, it shouldn't be an issue.

What about the implementation team?

Inhouse one

Which other solutions did I evaluate?

When we had an issue with scanning, we did look into exploring other options like OWASP Zap, Acunetix, etc. We stayed with Burp because we had it set up in our system, and then they had our scanning issue fixed.

What other advice do I have?

We use the on-premises deployment model.

I would rate the solution seven out of ten.

Which deployment model are you using for this solution?

Private Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Disclosure: I am a real user, and this review is based on my own experience and opinions.
VinothKumar5
Senior Technical Architect at Hexaware Technologies Limited
Real User
Effective automatic scanning, Academy portal for learning, and reliable

Pros and Cons

  • "The automated scan is what I find most useful because a lot of customers will need it. Not every domain will be looking for complete security, they just need a stamp on the security key. For these kinds of customers, the scan works really well."
  • "There could be an improvement in the API security testing. There is another tool called Postman and if we had a built-in portal similar to Postman which captures the API, we would be able to generate the API traffic. Right now we need a Postman tool and the Burp Suite for performing API tests. It would be a huge benefit to be able to do it in a single UI."

What is our primary use case?

The solution is for web security testing and the primary use is to eliminate the false positives.

How has it helped my organization?

This solution has helped our company in many ways. PortSwigger Acadamy has given us the knowledge to be able to do deeper tests. The effectiveness of the tests is directly proportional to your knowledge about security testing. Even if you do not have this knowledge at the beginning you still you can perform some kind of testing. If you do not know how to choose your payload then it is going to suggest the built-in payloads to which you can perform those test attacks.

You do not need to be an expert to use the solution, an intermediate skilled person can use it and over time they can become an expert. Sometimes it is difficult to find skilled employees to start working in this field for your company but with PortSwigger the new employee does not have to be an expert because they are able to grow quite quickly in their knowledge.

What is most valuable?

The automated scan is what I find most useful because a lot of customers will need it. Not every domain will be looking for complete security, they just need a stamp on the security key. For these kinds of customers, the scan works really well.

What needs improvement?

There could be an improvement in the API security testing. There is another tool called Postman and if we had a built-in portal similar to Postman which captures the API, we would be able to generate the API traffic. Right now we need a Postman tool and the Burp Suite for performing API tests. It would be a huge benefit to be able to do it in a single UI.

In a future release, if there could be some kind of autonomous function, or user behavior prediction that would be beneficial.

For how long have I used the solution?

I have been using this solution for approximately three years.

What do I think about the stability of the solution?

The solution has not had any crashes or any problems. It is reliable.

What do I think about the scalability of the solution?

The solution is scalable. There are types of operations we can do and it has good peak performance.

How are customer service and technical support?

PortSwigger has something called Academy where you can go to learn about many things related to security testing.

How was the initial setup?

The installation is very easy.

What's my experience with pricing, setup cost, and licensing?

The solution used to be expensive. However, they have reduced the price to approximately $400.00 which is reasonable.

Which other solutions did I evaluate?

I have evaluated Zap.

What other advice do I have?

My advice to others just starting out with security testing is to evaluate Zap, which is open-source, to allow them to get an understanding of the processes. Then once they have an understanding they should look into PortSwigger Burp Suite Professional. This solution would win in comparison with its features and would be a very good choice after they have some experience.

I rate PortSwigger Burp Suite Professional an eight out of ten.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
Saminda Jayawardene
Compliance Manager at a tech services company with 201-500 employees
Real User
Top 5Leaderboard
Evaluate and ensure the security of web-based applications

Pros and Cons

  • "In my area of expertise, I feel like it has almost everything I could possibly require at this moment."
  • "A lot of our interns find it difficult to get used to PortSwigger Burp's environment."

What is our primary use case?

We're a software development company. We specialize in ensuring application security for our customers. For each and every application we release, we issue a certificate explaining that the application is up to date and that all security testing has been successfully completed. In that certificate, we also mention that PortSwigger is one of the tools that we used to test the application.

Presently, we have three users. In the future, regarding product testing, I am thinking of hiring another two people, which will make us a team of five. Currently, we're releasing a lot of applications. 

Primarily we have three users, but keep in mind, we only have a single environment, which we need to improve and expand. 

What is most valuable?

The traffic interception capabilities are great. Spidering also produced some good results for us.

What needs improvement?

A lot of our interns find it difficult to get used to PortSwigger Burp's environment. The environment should be improved a little bit. Once you get used to it, it's fine, but it should be more simplified for newcomers. This would save us from constantly having to brief our interns. 

What do I think about the stability of the solution?

The stability is good; so far, we haven't come across any bugs.

What do I think about the scalability of the solution?

We use some different tools for web application testing, like Nmap and others. If PortSwigger Burp could actually scale up for web application scanning, that would be really good. This way, instead of using different tools, we could easily rely on one tool for all testing.

How are customer service and technical support?

We haven't had any reason yet to contact technical support. Aside from support, they should hold consistent webinars and offer updates, briefings, and panel discussions. This would greatly enhance our knowledge.

Otherwise, the technical support is good enough. We haven't required their assistance yet, but soon we'll be needing assistance and information surrounding the latest improvements and updates.

How was the initial setup?

The initial setup can be complex. It needs to be deployed in between the traffic. They should include some case-scenarios to help, like a scenario-based briefing, that would really help and add a lot of value for the initial application tester. 

What's my experience with pricing, setup cost, and licensing?

It's a very unique way of pricing. It varies depending on the type of testing you are performing. Manual testing is expensive, but as we don't have another option, it seems to be fair.

What other advice do I have?

I would definitely recommend PortSwigger Burp. I've actually recommended it to some of my colleagues, students, and interns. I'm really comfortable and happy with it; besides, there are no other products to compare it to. 

On a scale from one to ten, I would give this solution a rating of eight.

If they included example scenarios and hosted educational webinars, I would give this solution a rating of ten.

In my area of expertise, I feel like it has almost everything I could possibly require at this moment. Generally, I don't come across situations like that, so I am very happy with it.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
SivaPrakash
Senior Test Engineer II at a financial services firm with 201-500 employees
Real User
Top 5Leaderboard
Finds vulnerabilities but is not always cost effective

Pros and Cons

  • "The feature that we have found most valuable is that it comes with pre-set configurations. They have a set of predefined options where you can pick one and start scanning. We also have the option of creating our own configurations, like how often do the applications need to be scanned."
  • "One area that can be improved, when compared to alternative tools, is that they could provide different reporting options and in different formats like PDF or something like that."

What is our primary use case?

Our use cases are to identify the vulnerabilities of OAST and the other applications we are using. 

What is most valuable?

The feature that we have found most valuable is that it comes with pre-set configurations. They have a set of predefined options where you can pick one and start scanning. We also have the option of creating our own configurations, like how often do the applications need to be scanned.

Additionally, it has good reporting and dashboards and also integrates well with other task management applications that we're using.

What needs improvement?

One area that can be improved, when compared to alternative tools, is that they could provide different reporting options and in different formats like PDF or something like that.

One more thing they can improve is that despite having a good architecture, it needs a lot of specification. So when you start a project, because it requires a high configuration, the instructor costs more than the project. So it's not cost efficient if it's a big project.

For how long have I used the solution?

We have different versions of PortSwigger Burp Suite. For the past few years we have been using a professional edition, which is a desktop application. Now we are moving to the Cloud so we explored the enterprise edition. Although we haven't implemented it yet we're already using it. Now we have a better idea how their scanners and spiders actually work.

We've had a license for the professional version for the past two years.

What do I think about the scalability of the solution?

In terms of scalability, I think they can increase the number of regions. And more importantly, it doesn't restrict based on the domains you are scanning. So even if tomorrow you suggest some working space, you can still scan the domains for the regions that you have. If you want to increase the number that you scan, you can buy some more. So scalability is not a big problem, but I think if you are scanning from your side, you have to get the license for some of those activities. That's domain based licensing.

Right now we have two or three people using it.

How are customer service and technical support?

PortSwigger Burp's technical support is all right. The issues are resolved very quickly so we don't have to wait for long. They also provide you with documentation. Just by going through the documentation we can solve many of our problems.

How was the initial setup?

The initial setup was straightforward. We can install it on a Linux machine. It was fast to set up.

What's my experience with pricing, setup cost, and licensing?

PortSwigger Burp costs around $7,000 and around $2,309 for licensing.

What other advice do I have?

On a scale of one to ten I would rate PortSwigger Burp a seven.

For it to be a 10 it would need to implement the above mentioned different formats for reporting and the interactive security testing.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
MM
Cyber Security Specialist at a university with 10,001+ employees
Real User
Top 10Leaderboard
Intruder and automatic scanning features help secure our internal applications pre-production

Pros and Cons

  • "The most valuable features are Burp Intruder and Burp Scanner."
  • "There should be a heads up display like the one available in OWASP Zap."

What is our primary use case?

This is a solution for which I provide services to our customers and I also use it personally.

As part of our organization, we build internal applications. Before they are put into production, we run a suite of security tests to ensure that our applications are not vulnerable to any known issues. We use PortSwigger Burp for testing, as well as OSASP Zap. We do similar tests in multiple tools to make sure that we cover the entire set of use cases.

I have this solution deployed as one user on a single machine, which is used by a designated security tester.

What is most valuable?

The most valuable features are Burp Intruder and Burp Scanner.

The automatic scanning feature is helpful.

What needs improvement?

The interface for the automatic scan can be improved because it is easy for technical users, but the business users have trouble with it. There is documentation but the interface should be more user-friendly.

There should be a heads up display like the one available in OWASP Zap. I think that it would be a very good addition.

For how long have I used the solution?

I have worked with PortSwigger Burp for about ten years.

What do I think about the stability of the solution?

This solution is stable and we have had no major problems.

What do I think about the scalability of the solution?

We have had no issues with scalability, although we are using a standalone installation with only a single user. We may expand usage in the future.

Which solution did I use previously and why did I switch?

We also have OWASP Zap and we continue to use these two tools.

Zap has a heads up display within its own browser, which is a very good feature. Zap is also completely free, whereas Burp has a free version but it also has licenses available.

For the most part, we use open-source solutions, which are free of charge.

How was the initial setup?

The initial setup is simple and very straightforward. We were not setting up a server, so it took perhaps five minutes to get up to speed and begin using it.

What's my experience with pricing, setup cost, and licensing?

There are different licenses available that include a free version.

What other advice do I have?

We do have problems with some of the add-ons that we install from the marketplace. They may not be available or out of support, so when you want to install them, they are not there.

This is a very nice tool and anybody can use it, from beginner to expert level. There are some simple and straightforward settings with documentation that is very clear. If you follow the steps you can easily get up to speed within five minutes for a single user.

I would rate this solution an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
Download our free PortSwigger Burp Suite Professional Report and get advice and tips from experienced pros sharing their opinions.