Burp Suite Enterprise Edition configuration tips for scanning success

Burp Suite Enterprise Edition is the dynamic web vulnerability scanner that can help you to secure your whole portfolio. To help you achieve that, this article contains some advice on how to optimize your dynamic scanning for a range of requirements.

Increase scanning performance

Ensure Burp Scanner has access to the resources it needs

By its nature, dynamic (DAST) scanning can be resource-intensive. Sometimes, new users mistakenly try to run scans on under-specced machines - or with the wrong setup - which can impede, or even halt, Burp Scanner's progress. To avoid this, we recommend that you:

Tip: Burp Suite Enterprise Edition's built-in scan configurations can also help to reduce scan durations. Try adjusting these if you're seeing longer-than-expected scan times.

Optimize signal-to-noise ratio

Minimize false positives by adjusting your scan configurations

While dynamic (DAST) scanning generally produces few false positives, Burp Scanner can (as with any automated tool) occasionally flag issues that turn out to be false. If you want to further improve your signal-to-noise ratio, you may find the following useful:

Extend scan coverage

Fine-tune Burp Scanner for its target application

Web applications vary greatly in their design and complexity. Fortunately, Burp Scanner includes a range of settings allowing you to prepare it for almost any situation - including complex login sequences and heavily stateful functionality. To extend Burp Scanner's coverage, you may find the following useful:

We're here to help

We hope that this article has been useful. Of course, if you're experiencing a problem that can't be solved using any of the suggestions here, then we'll be happy to help. Please contact PortSwigger Technical Support and, if possible, include copies of the logs mentioned in our troubleshooting guide to help us support you.