Jennifer manages an eight-strong security team, working within a major financial services organisation. The team's skills are generalist in nature, and they perform a variety of audit-based work within the company. They do a small amount of hands-on web application testing, but Jennifer outsources most of this work to technical specialist consultants.
The team has recently found that Burp Scanner strongly complements their own basic testing skills. Using Burp Scanner, the team are able to take on more of the hands-on testing themselves. They can now find and fix a lot of common vulnerabilities earlier in the development lifecycle. Jennifer still uses external specialists for more difficult tests, but the scope of the outsourced work is smaller than it was previously.
Within a few weeks of using Burp Scanner, Jennifer's consulting costs have fallen by around 15%. Her team is happy to be doing more hands-on testing, and developing their technical capabilities.
The security consultancy
Martin heads up an independent consultancy employing 15 penetration testers. Around half their work involves web application testing.
The consultants employ manual testing techniques, supported by an automated scanner to give them some back-up, especially on larger applications. Previously, the company had licensed a major commercial scanner, which met their needs adequately.
Martin and two of his team tried out Burp Scanner, and found that it is actually more effective at finding bugs than the other scanner. They also found it easier to use, and much more tailored to penetration testers, giving them direct control over, and feedback about, the scanning process.
Now the entire team is using Burp all the time. Martin didn't renew the license for the other scanner, saving the company tens of thousands of dollars per year.
The freelance pen-tester
Robert is a highly experienced penetration tester, who has worked in the industry for nearly a decade. In the last few years, he has performed contract work for numerous companies, as well as working full-time for a couple of periods.
Robert prefers to maintain his own set of testing tools, mostly free and open source ones. He regards the big commercial products as too expensive and untrustworthy.
Following a friend's recommendation, Robert gave Burp a try, and found that it provides a very effective back-up to his manual methodology. He frequently uses Burp Intruder for automating custom attacks, such as fuzzing unusual input validation and exploiting vulnerabilities to harvest useful data from an application. He has recently found that Burp Scanner is able to identify numerous input-based bugs faster than he can find them manually, leaving him to focus his efforts on issues that require human intelligence to discover.
Robert thinks Burp is cheap, and he is happy to pay the subscription himself. He always recommends Burp to colleagues who haven't yet discovered its benefits.
Copyright (c) 2010 PortSwigger Ltd. All rights reserved.