Professional

AI security, privacy and data handling

  • Last updated: March 31, 2025

  • Read time: 4 Minutes

AI features in Burp Suite extensions are disabled by default, giving you complete control over whether an extension can access AI. This page explains how we protect your data and ensure AI-powered interactions remain secure.

Note

For more information on Burp's AI features and how they work, see Burp AI.

Data security and access

How is my data secured, and who can access it?

All AI-related data is handled in accordance with PortSwigger's Security & Compliance framework, which includes:

  • ISO 27001 certification - Rigorous information security management.

  • Robust encryption - Data is encrypted in transit and at rest using industry-standard cryptographic methods.

  • Access controls - AI request and response data is stored in a restricted audit trail, accessible only by authorized PortSwigger personnel for security and compliance purposes.

Is my data used to train AI models?

No. Data processed through Burp's AI infrastructure is not used to train AI models.

Do AI providers store or retain my data?

No. Burp's AI providers do not store any of the data they process. Requests are handled in real time and immediately returned to Burp. There is no risk that this information could be surfaced to a third party.

Does PortSwigger store or retain my data?

AI request data is processed securely and stored by PortSwigger as part of an encrypted audit trail. No unauthorized personnel can access this stored data.

How is my data processed when I make AI requests in Burp?

Burp uses a secure process to communicate with AI services:

  • Burp securely transmits the request data to PortSwigger's AI infrastructure.

  • PortSwigger's AI infrastructure makes a request to a trusted AI provider. The data remains within our trust boundary and is not stored by the provider.

  • The AI provider processes the request and returns a response to the AI infrastructure, where it is securely stored in an encrypted audit trail.

  • PortSwigger's AI infrastructure passes the response back for Burp to use.

Can I review or delete AI data processed by Burp?

Currently, this option is not available. However, all stored data is encrypted and access-controlled to ensure security. We continuously review our policies to align with user needs.

More information

For full details on our security policies, compliance certifications, and how we protect customer data, see the PortSwigger Trust Center.

AI configuration

Can I fully disable Burp's AI features?

Yes. To disable all AI features in Burp:

  1. Go to Settings > AI.

  2. Select the Disable AI features checkbox.

When this checkbox is selected, Burp cannot access PortSwigger's secure AI infrastructure. Any AI-related features are grayed out and cannot be selected.

Does Burp automatically communicate with AI providers?

No. Burp does not communicate with any AI provider or system until you actively use one of its AI features, such as generating explanations or exploring vulnerabilities. AI interactions are entirely user-initiated and controlled.

Which AI provider or model is used in Burp's AI features?

Currently, we use models from OpenAI and Anthropic in our features. We are actively testing our service with these models and may explore additional options in the future.

Where are Burp's AI providers hosted?

All of the AI models that Burp Suite can communicate with are hosted in the USA.

Can I choose a specific AI provider or model to use?

Currently, this option is unavailable.

Do I need a specific network configuration to use Burp's AI features?

To use AI features in Burp Suite, your network must allow HTTPS traffic on port 443 to https://ai.portswigger.net. If your organization has strict firewall rules, ensure this domain is allowlisted to enable AI functionality.
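The following script is an added example, not PortSwigger's code, for checking that the egress described above is actually open from a given workstation. It parses the required endpoint from the URL and then probes DNS, TCP and TLS in order, stopping at the first failure so that a blocked port or an intercepting proxy with an untrusted CA can be told apart. The function names and the timeout are assumptions; the endpoint and port come from the page.

```python
"""Added example (not PortSwigger's code): verify that HTTPS egress to
ai.portswigger.net:443 is permitted, reporting which stage fails."""
import socket
import ssl
from urllib.parse import urlsplit

# Endpoint named on the page; the only thing that needs allowlisting.
BURP_AI_ENDPOINT = "https://ai.portswigger.net"


def egress_requirement(url: str) -> tuple[str, int]:
    """Return the (host, port) pair that must be reachable for `url`.

    The port defaults to 443 for https, matching the page's requirement.
    Plain http is rejected because Burp only uses HTTPS to this endpoint.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("Burp AI endpoint must be an https:// URL")
    return parts.hostname, parts.port or 443


def diagnose_egress(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Probe DNS, then TCP, then TLS; stop at the first failure.

    Returns a dict with a boolean per stage and an `error` string that
    points at the likely cause (resolver, firewall, or TLS interception).
    Certificate chain and hostname are verified with the system trust store,
    so a corporate proxy re-signing traffic with an unknown CA shows up as
    a TLS failure rather than a false "open" result.
    """
    result = {"dns": False, "tcp": False, "tls": False, "error": None}

    try:
        addr = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0][4]
        result["dns"] = True
    except OSError as e:  # socket.gaierror is a subclass of OSError
        result["error"] = f"DNS resolution failed for {host}: {e}"
        return result

    try:
        sock = socket.create_connection(addr[:2], timeout=timeout)
        result["tcp"] = True
    except OSError as e:
        result["error"] = f"TCP connect to {addr[0]}:{port} failed (firewall?): {e}"
        return result

    try:
        ctx = ssl.create_default_context()  # verifies chain and hostname
        with ctx.wrap_socket(sock, server_hostname=host):
            result["tls"] = True
    except (ssl.SSLError, OSError) as e:
        result["error"] = f"TLS handshake failed (intercepting proxy / untrusted CA?): {e}"
    finally:
        sock.close()
    return result


if __name__ == "__main__":
    host, port = egress_requirement(BURP_AI_ENDPOINT)
    print(diagnose_egress(host, port))
```

Run it from the machine that hosts Burp; a result with `dns` true but `tcp` false is the typical signature of a firewall that has not yet allowlisted the domain, while `tcp` true and `tls` false usually means TLS inspection is re-signing the connection and the proxy CA is not trusted by Python's default store.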

Can AI output be configured to align with company or client-specific compliance needs?

Currently, this option is unavailable.

Security and privacy in AI-powered extensions

Can I disable AI features for an individual extension?

Yes. AI features are disabled by default for all extensions, and you can disable AI for an extension at any time.

To disable AI for an extension:

  1. Go to Extensions > Installed.

  2. Uncheck Enable AI for the relevant extension.

How can I tell if an extension uses AI?

AI-powered extensions display a checkbox in the Enable AI column on the Extensions > Installed page. This checkbox is not displayed for non-AI extensions.

What data does PortSwigger collect when I use an AI-powered extension?

PortSwigger does not collect data from AI-powered extensions by default. Any data processed depends entirely on the extension's implementation.

We recommend reviewing the extension's code and documentation to understand:

  • What data is sent externally (for example, full HTTP requests, specific payloads, or extracted content).

  • How the extension handles sensitive information (for example, whether it masks or filters data).

If you are working with sensitive data, make sure that any extension aligns with your security and compliance requirements before use.
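As an added example of the "masks or filters data" behaviour the checklist above asks you to look for (this is not code from PortSwigger or from any BApp), the filter below redacts credential-bearing headers, sensitive query or form parameters, JSON secret fields and JWT-shaped blobs from raw HTTP request text before it would be placed in a prompt. The header and parameter names, the sample request and the function names are assumptions; an extension author could apply such a filter before calling any AI API, and a reviewer can run it over a capture to see what would have left the trust boundary without it.

```python
"""Added example (not PortSwigger's or any extension's code): redact
secrets from raw HTTP request text before it is included in an AI prompt."""
import re

MASK = "[REDACTED]"
# Header names (case-insensitive) whose whole value is replaced. Assumed list.
SENSITIVE_HEADERS = {
    "authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key",
}
# name=value pairs in query strings or form bodies. Assumed parameter names.
SENSITIVE_PARAMS = re.compile(
    r"\b(password|passwd|token|secret|api_?key|session)=([^&\s]+)", re.IGNORECASE
)
# "name": "value" pairs in JSON bodies.
JSON_FIELDS = re.compile(
    r'"(password|passwd|token|secret|api_?key|session)"\s*:\s*"[^"]*"', re.IGNORECASE
)
# Three base64url segments: the shape of a JWT appearing anywhere in a body.
JWT = re.compile(r"\b[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b")


def _mask_values(text: str, findings: list[str]) -> str:
    """Mask parameter, JSON and JWT secrets in `text`, recording what was hit."""
    def param(m):
        findings.append(f"param:{m.group(1)}")
        return f"{m.group(1)}={MASK}"

    def field(m):
        findings.append(f"json:{m.group(1)}")
        return f'"{m.group(1)}": "{MASK}"'

    def jwt(m):
        findings.append("jwt")
        return MASK

    text = SENSITIVE_PARAMS.sub(param, text)
    text = JSON_FIELDS.sub(field, text)
    return JWT.sub(jwt, text)


def redact_request(raw: str) -> tuple[str, list[str]]:
    """Return (redacted request text, list of what was masked).

    Accepts CRLF or LF line endings; the first blank line separates headers
    from the body. The request line keeps its method, path and parameter
    names so the model still sees the request structure, not the secrets.
    """
    nl = "\r\n" if "\r\n" in raw else "\n"
    head, sep, body = raw.partition(nl * 2)
    findings: list[str] = []
    out = []
    for i, line in enumerate(head.split(nl)):
        if i == 0:  # request line: only the query-string values are masked
            out.append(_mask_values(line, findings))
            continue
        name, colon, _value = line.partition(":")
        if colon and name.strip().lower() in SENSITIVE_HEADERS:
            findings.append(f"header:{name.strip()}")
            out.append(f"{name}: {MASK}")
        else:
            out.append(line)
    if sep:
        body = _mask_values(body, findings)
    return nl.join(out) + sep + body, findings


# Constructed sample request (not a real capture) used for the demonstration.
RAW_REQUEST = (
    "POST /api/login?debug=1&session=abc123xyz HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "Cookie: sid=9f8e7d6c5b4a; theme=dark\r\n"
    "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyMSJ9.s1gn4tur3v4lu3h3r3\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "username=alice&password=Sup3rS3cret!&remember=1"
)

if __name__ == "__main__":
    text, found = redact_request(RAW_REQUEST)
    print(text)
    print("masked:", found)
```

The returned `findings` list is worth logging locally (never sending it onward): it gives you an audit record of which secrets an extension would otherwise have forwarded, which is the evidence you need when deciding whether an AI-powered extension meets your compliance requirements.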

Does PortSwigger guarantee the behavior of AI-powered extensions?

We review extensions in the BApp Store to ensure they meet our quality and compatibility standards, but we cannot guarantee their behavior.

The decisions made by an AI model depend on how the extension author has implemented it, including:

  • What data is sent.

  • How prompts are structured.

  • How responses are used.

We strongly recommend that you review the extension's functionality to understand the data it processes and make sure that it aligns with your security and compliance requirements.

If you are testing in regulated or legally sensitive environments, consider additional safeguards to verify the AI's output before acting.
