Reporting in Burp Suite Enterprise Edition

From time to time, you might want to report the results of a particular scan, or even report on the overall progress towards improving your security posture. Burp Suite Enterprise Edition provides several options to help you generate offline reports so that you can share scan data with other members of your organization, even if they do not have access to the application itself.

Downloading scan reports

You can download scan reports in HTML format for any scan that has either been completed, or was started and subsequently failed. To download a scan report, go to the relevant scan, click the "More Actions" button, and select "Download report".

You then have the following options for controlling what information is contained in the report.

Report type

You can select either a Summary or Detailed report. Both report types contain an overview of the scan details, such as the included URLs, scan configurations used, the duration of the scan, and so on. They also provide the following statistics:

Both reports also contain a list of issue types, along with the corresponding URLs where these issues were identified. Burp Scanner's confidence and estimated severity level are indicated for each issue.

The detailed report contains all of the same information as the summary report. However, it includes an additional section that provides more information about each issue. This includes a brief description of what the issue type means, as well as background information and some high-level remediation advice. There are also links to additional resources so that you can learn more about the issue type.

Finally, the detailed report provides evidence of where the issue was detected. For example, this could be a series of HTTP requests and responses. For DOM-based issues, the results of Burp Scanner's dynamic JavaScript analysis will also be provided.

Included severities

Regardless of whether you select a summary or detailed report, you can choose which issue severities you want to include. By default, all severities are included. However, if a large number of issues was identified, you might want to limit the report to high-severity ones, for example.

False positives

By default, issues that have been marked as false positives are excluded from scan reports. However, you can choose to include them if you want.

Automatically sending scan summary reports

As well as being able to generate scan reports on demand, you can also configure Burp Suite Enterprise Edition to automatically send scan summary reports. When creating a new site, you can add a list of email addresses to which a summary report will be sent whenever a scan finishes for that site. Alternatively, you can add recipients to an existing site from the site details page.

Adding recipients for scan summary reports

Note: To use this feature, your administrator must have configured the integration with your SMTP server.

Downloading charts

Throughout Burp Suite Enterprise Edition, there are several charts that provide an overview of various metrics related to your sites and scans. Although you can view these directly in the application, you also have the option to download them in either PNG or JPG format. This can be useful for sharing the chart in a report or presentation, for example.

Simply click on the three vertical dots in the upper-right corner of the chart that you want to download, then select your preferred image format.

Downloading a chart

Downloading the event log

For each scan, you can also download an event log in CSV format. From the relevant scan, go to "More actions" > "Download event log". This contains details of basic events that occurred during the scan and can be useful for debugging purposes.