Product roadmap

HTTP/2-specific vulnerability reporting

New feature

Burp Scanner will report some new classes of HTTP/2-specific vulnerabilities.

Burp extensions

New feature

By popular demand, customize Burp Suite Enterprise Edition using your own extensions or those from the BApp Store.

Bulk operations

New feature

Import sites from CSV files, apply scan configurations and application logins across a group of sites, and cancel/delete selected scans - all through the UI.

Dashboard improvements

Feature enhancement

We will add new dashboard widgets providing additional data and views. We will provide new ways of configuring and sharing dashboards.

Server-side template injection

Feature enhancement

Burp Scanner will detect injection into a wider range of templating engines, and will employ OAST techniques to detect blind SSTI.

Browser-powered scanning by default

New feature

Best-in-class coverage and scanning performance for challenging targets like AJAX-heavy single page apps, with browser-driven (Chromium) scanning. Enabled by default.

Single sign-on via SCIM

Feature enhancement

We will provide support for user management via SCIM (System for Cross-domain Identity Management), for integration with Okta and Azure Active Directory. SSO already available via Active Directory using SAML, and LDAP.

Issue-tracking integrations

Feature enhancement

Work is progressing on integrating additional systems for issue tracking, including GitHub and Azure DevOps.

Payloads within data formats

Feature enhancement

We will improve the placement and encoding of scan payloads within JSON and XML data structures.

Audit of asynchronous traffic

New feature

Burp Scanner will automatically audit in-scope API requests that are issued from client-side JavaScript using XHR and Fetch.

Compliance reporting

New feature

We will support reporting of scan results against compliance frameworks - such as HIPAA, PCI, etc.

Increased cloud friendly capabilities

Feature enhancement

Further developed features to allow for a fully-flexible cloud-based scanning service. This will include automatic scaling of scanning resources (agents) and hourly metered billing.

Improved scan speed

Feature enhancement

We will further optimize performance in default settings, to enable faster scans without compromising coverage.

Improved navigational coverage

Done

Burp Scanner now detects and interacts with more DOM elements that can cause JavaScript-triggered navigation, in addition to conventional links and forms.

Extended agent capabilities

Done

Ensure scans are carried out using the most suitable agents - based on network location, system resources, or other factors.

API scanning: first phase

Done

Enumerate API endpoints to scan APIs across your application portfolio; process OpenAPI (Swagger) definitions.

Cloud functionality

Done

Burp Suite Enterprise Edition now has cloud functionality available, via native deployment on both AWS and Azure platforms.

Single sign-on

Done

Configure an LDAP connection between Burp Suite Enterprise Edition and your Active Directory. Use single sign-on to remove the need to create and manage users.

Improved user experience

Done

Display scanned URLs as a tree, to make site structure easier to see. We've also improved navigation through the UI, as well as product look and feel.

Read all release notes

Integrated SCA capabilities

Done

Perform software composition analysis (SCA) of client-visible code, and report JavaScript libraries in use containing known vulnerabilities.

Recorded login sequences

Done

Authenticate to any application by recording complex login sequences with a browser plugin. Enable authenticated access for almost any target site, such as those using JavaScript-heavy logins or single sign-on.

Scan configuration libraries

Done

View and manage configurations, extend crawl and audit settings, view individual URL details, and view aggregated issue reporting.

GraphQL-based API

Done

Expose much of Burp Suite Enterprise Edition's core functionality for extensive improvements to site editing, scan settings, reporting, and agent management.

Improved SPA scanning

Done

Burp Scanner now handles navigational actions that cause DOM updates without a synchronous request to the server, allowing better handling of single-page applications.

Improved CI/CD integrations

Done

Support for site-driven scans within CI/CD plug-ins - and the ability to download end of scan reports. Set parameters for determining when a build fails.

Improved SSO functionality

Done

Enable single sign-on via Active Directory using SAML, in addition to the previously existing single sign-on functionality using LDAP.

Workflow improvements

Done

Streamline post-scan tasks by downloading detailed scan reports, automating email function for end-of-scan summary reports, and automating Jira ticket creation.

Improved user interface

Done

Extensive UI upgrades have been introduced, including navigation changes, overall look-and-feel, and more intuitive in-product workflows.

Browser-powered scanning enhancements

Done

Significant improvements to Burp Scanner - enabling enhanced performance and coverage of modern navigational patterns.