Welcome to the next generation of Burp Suite: elevate your testing with Burp AI
PortSwigger has launched Burp AI, which increases the efficiency and depth of penetration testing. The new features include automated vulnerability analysis, AI explanations of web technologies, generated login sequences, fewer false positives, and an AI extension API. Users receive 10,000 free AI credits and can choose to enable or disable the AI features. 2025-03-31 12:26 Author: portswigger.net

Amelia Coen | 31 March 2025 at 12:26 UTC


At PortSwigger, we believe AI has the power to transform penetration testing - not by replacing human testers, but by augmenting them.

With the release of Burp Suite Professional 2025.2, we’re introducing Burp AI - a suite of powerful new features designed to enhance your testing workflow, reduce noise, and give you deeper insight into vulnerabilities.

Burp AI is now built into Burp Suite Professional and includes five brand new features…

  • Explore Issue: Use AI to automate follow-up analysis of vulnerabilities identified by Burp Scanner, just like a pentester would.
  • Explainer: Get instant, security-focused insights into unfamiliar web technologies.
  • AI-generated recorded login sequences: reduce the tedious setup time of manually recording a login sequence.
  • False Positive Reduction - Access Control: smarter Scanning and fewer false positives, starting with access control vulnerabilities.
  • AI-powered extensions with the Montoya API: enhance your existing extensions with AI, or build a brand-new extension optimised with AI.

To help you get started, we’re giving all Burp Suite Professional users 10,000 free AI credits.

Now, let’s take a look at what each of these new features can do for your workflow.


Explore Issue

Turn Burp AI into your personal assistant that doesn’t just stop at identifying a vulnerability – it digs deeper.

Explore Issue picks up where the scanner leaves off, automatically following up on findings to validate issues, demonstrate impact, and uncover hidden attack vectors. It’s like having an extra set of eyes on every alert – working tirelessly in the background.



  • Automate follow-up analysis of scanner-identified issues – let Burp handle repetitive tasks so you can focus on complex analysis.
  • Generate PoCs instantly – Burp will attempt real-world exploitation to save you time and boost reporting impact.
  • Uncover deeper insights – discover exposed data, alternate paths, and escalation opportunities.
  • Learn as you go – guided insights help junior testers ramp up quickly.
  • Stay in control – full transparency into the process, complete with step-by-step logs and executive summaries.

AI-Generated Recorded Login Sequences

No more fiddling around with browser recordings. Burp AI can now generate login sequences with a single click, reducing configuration time and ensuring better scan coverage - especially for complex authentication flows.



  • Save setup time – skip the browser dance. Generate login sequences instantly.
  • Reduce errors – let Burp handle edge cases and hard-to-capture interactions.
  • Get full coverage – this reliable login means fewer blind spots in sensitive areas.

Explainer

Confused by an unfamiliar cookie? Unsure what a strange header means? Just highlight it in Repeater and let Burp AI explain it from a security perspective.

This feature removes the friction of switching tabs and searching docs. It’s like having a security-savvy co-pilot in your tab bar.

  • Stay focused – no more jumping out of Burp to Google obscure web tech.
  • Understand new tech – keep up with ever-changing web stacks.
  • Bridge knowledge gaps – whether you're still learning or just hate reading JavaScript, Explainer helps you spot clues.
  • See what matters – Burp highlights security-relevant implications so you know what to dig into.



Reduced False Positives - Access Control

False positives drain time and energy. With Burp AI, we’ve started cutting down on the noise - starting with one of the hardest vulnerability classes to detect through automation: Broken Access Control.

Burp Scanner now uses AI to intelligently filter out irrelevant findings, boosting accuracy and freeing you up to focus on real threats.

  • Smarter automation – Burp brings accuracy to a vulnerability class that’s tough to automate.
  • Fewer distractions – spend less time validating dead ends.
  • Improved efficiency – let the scanner do more of the heavy lifting.
  • Ongoing improvements – this is just the start; we're continuing to explore ways to reduce false positives, with or without AI.

Build AI Extensions with the Montoya API

Want to create your own AI-enhanced Burp tools? Now you can. The Montoya API lets you build extensions that tap directly into Burp AI, with no need to integrate external APIs or manage your own AI account.


  • Easy AI integration – focus on what your tool does - not on how it talks to an AI service.
  • No extra setup – credits and access are built in, making it easier to share with your team.
  • Data stays private – your data stays within Burp’s secure environment, and within the PortSwigger trust boundary.
  • Empower the community – share your creations with a community of 80,000+ web security testers across the globe.

Want to plug AI extensions into your workflow?

The Burp community has already been very busy creating AI extensions with the Montoya API. You can get started by downloading these community-created extensions in the BApp Store.

This includes:


How do I get started with Burp AI?

Getting started with Burp AI is simple:


  1. Update to Burp Suite Professional 2025.2
  2. Enjoy 10,000 free AI credits on us

Not a Burp Suite Pro user yet? Request a free trial.


Trust & Security

We understand that AI in security tools raises important questions. As a long-standing and trusted vendor in the application security industry, we take your security and data seriously.

For a more technical breakdown of how we ensure security and reliability, read more about how your data is handled in our documentation.

We’re committed to building trust through transparency, ensuring that AI in Burp Suite meets the highest security standards.

To learn more about how we're approaching AI integration at PortSwigger, and why we feel the AppSec industry should reconsider its natural skepticism, check out Why it's time for AppSec to embrace AI: How PortSwigger is leading the charge from Burp Suite creator Dafydd Stuttard.

If you have any additional concerns, please reach out to us via this survey.


Don’t want to use AI in Burp? No Problem.

All AI features in Burp are fully optional and can be toggled off at any time:


  1. Go to Settings > AI
  2. Tick the Disable AI features checkbox

When disabled, AI features will be grayed out and Burp won’t connect to PortSwigger’s AI infrastructure.


Join our exclusive launch events

We’re celebrating the launch of Burp AI with a series of exclusive live events on the PortSwigger Discord - featuring AppSec legends, Burp devs, and a thriving community of security professionals.


Upcoming Events:


  • ‘Why AppSec Should Embrace AI’ with Burp Suite creator Dafydd Stuttard - April 2, 4pm BST / 11am EDT
  • ‘Introducing Burp AI’ with Burp Suite developers Pete and Jay - April 8, 4pm BST / 11am EDT
  • ‘AI & Security Research: Ask Me Anything’ with James Kettle - April 10, 4pm BST / 11am EDT
  • ‘What I’ve Learned Creating AI Extensions’ with Gareth Heyes - April 17, 4pm BST / 11am EDT

Join the PortSwigger Discord to attend, hang out with Burp Suite devs and PortSwigger researchers, and help shape the future of AppSec.


The next generation of Burp Suite

AI is changing the game - and with Burp AI, the power of cutting-edge security testing is now in your hands.

Whether you’re hunting bugs manually, building custom tools, or scaling your assessments, Burp AI is here to help you move faster, go deeper, and test smarter. Start using Burp AI in your testing workflow today.

Don’t forget to let us know how you’re getting on with these new features by using #BurpAI or tagging @Burp_Suite on X or @PortSwigger on LinkedIn. We can’t wait to see what you do with it!


Source: https://portswigger.net/blog/welcome-to-the-next-generation-of-burp-suite-elevate-your-testing-with-burp-ai