Behind the Scenes of Burp AI: How we built it, and what's next

Why now?

Artificial intelligence is rapidly transforming industries, and security testing is no exception. At PortSwigger, we’ve always been driven by innovation, but we don’t chase trends for the sake of it. Instead, we focus on delivering real value to security professionals. AI represents a massive opportunity to enhance the way our users work, so we set out to meaningfully integrate it into Burp Suite.

For more details on how we're approaching AI assistance and why we believe now is the time for the AppSec industry to challenge its natural hesitancy towards AI, check out the following blog post from Burp Suite creator and PortSwigger CEO, Dafydd Stuttard: Why it's time for AppSec to embrace AI: How PortSwigger is leading the charge.

A Year in the Making

Our journey toward Burp AI didn’t start overnight. We laid the groundwork with extensive research, iterative development, and a strong focus on understanding how AI could truly benefit penetration testers.

• December 2023: We got a small team together to investigate how we could focus on AI-driven improvements, exploring how this technology could enhance security workflows.
• January 2024: Teams across PortSwigger tried internal AI weeks, dedicated research periods aimed at pushing forward new ideas. At the same time we started to focus on building AI infrastructure. This included:
  • Developing systems to manage AI models effectively
  • Establishing scalable credit-based infrastructure for AI usage
  • Ensuring our AI solutions could integrate seamlessly into Burp Suite
• Throughout 2024: We continuously refined our AI-powered features, focusing on workflow enhancements, automation, and efficiency gains. Our aim was never to build gimmicks but to create tools that genuinely help security professionals do their jobs better and faster.

Taking Burp AI to Trial

In November 2024, we launched a private trial with 30 testers across multiple segments. This was a significant milestone—not just for our users but for us as well. We set out to validate key assumptions, including:

• Real Value: Were the AI-powered features we built genuinely helping users?
• Risk Perception: What concerns did users have about integrating AI into their workflow?
• Scalability: How could we optimize Burp AI for broader adoption while ensuring reliability?

The feedback was invaluable. We learned what worked, where improvements were needed, and how we could further refine our approach.

From Trial to Production

The transition from trial to production wasn’t just about finalizing features—it was about incorporating everything we had learned to ensure Burp AI met the high standards our users expect.

• December 2024 – January 2025: We took the feedback, iterated on our features, and made critical refinements before rolling out AI-powered capabilities more broadly.
• We focused on ensuring trust remains at the core of what we built. Security professionals rely on Burp Suite, and we had to ensure our AI-powered features reinforce that trust rather than undermined it.
• Data privacy was another key consideration, and we’ve documented our approach transparently.
• No gimmicks, real value: Our features needed to solve real problems, and early testers confirmed that what we built significantly improved efficiency.
• Ease of use matters: Time savings and simplicity were two of the most consistent themes in the feedback, reinforcing our commitment to intuitive design.

What's Next?

We’re just getting started. We have already announced AI-Powered Extensibility, allowing security professionals to seamlessly integrate AI into their workflows using the Montoya API. This enables automation of tedious tasks, enhances security testing, and provides deeper insights into web application vulnerabilities.

Update 31 March 2025: We've now released a number of built-in AI-powered features. For details, see Welcome to the next generation of Burp Suite: elevate your testing with Burp AI.

By leveraging PortSwigger’s trusted platform, users can focus on developing innovative solutions without managing complex AI infrastructures. Additionally, Gareth Heyes’ Hackvertor & Shadow Repeater extensions demonstrates the power of AI-driven extensibility, offering new ways to create and apply transformations within Burp Suite.

• Our goal is to expand AI capabilities across all Burp Suite products, ensuring that both Burp Suite Professional and Burp Suite Enterprise Edition users can benefit from the same enhancements.
• We’re keen to continue learning from our users. If you’re interested in shaping the future of AI in Burp Suite, we’d love to hear from you. Reach out to trials@portswigger.net to join future trials and discussions.

Burp AI is the result of months of dedicated work, and we can’t wait to see how it helps security professionals.

Stay tuned for more updates on the dedicated #burp-ai channel on the PortSwigger Discord - join here.

As always, we welcome your feedback!

Katie Warren