This release introduces the beta of Burp's new agentic pentesting solution: an AI-driven capability for Burp Suite Professional that pursues the testing goals you set using Burp's own tools.
Introducing the agentic beta
Our new agentic beta enables you to embrace agentic AI without giving up control over your work. With direct access to Burp's trusted tooling and skills from PortSwigger's Research team, it pursues the testing goals you set, choosing the right actions for each step and adapting as it learns about your target.
Rather than working out an approach and building its own tooling from scratch, it uses the same proven Burp tools every time it runs. This produces consistent, repeatable results, and saves the time and tokens it would otherwise spend figuring out how to test.
To access it, click Agentic Beta in the top-right corner of Burp.
Signing in
The first time you open the agentic beta, you're prompted to sign in to your PortSwigger account. This is required. Signing in verifies your account and access to the beta, helps us to securely route your requests to PortSwigger's AI service, and keeps your usage tied to your account.
Make sure you sign in with the PortSwigger account that your Burp Suite Professional license is registered to. If you sign in with a different account, the agentic beta won't be available.
Controlling autonomy
You have control of the agentic beta's autonomy level at all times, from checking with you before every action to running autonomously. Each task runs in one of three modes that determine how much it can do without asking you first:
- Manual mode follows autonomy permissions that you set for each individual tool.
- Smart mode works independently but pauses for your approval on actions it deems to be potentially high-impact or risky.
- Autonomous mode runs without asking, with the exception of a few high-impact actions that always require approval.
Testing you can trust
You set the boundaries the agentic beta works within: its scope, and the permissions for each tool. These are enforced by Burp's tooling rather than left to the AI's discretion, so the agentic beta can't give itself access you haven't granted. In Smart mode it also uses its own judgment to decide when to pause and check with you, but it still can't act beyond the permissions you've set.
You can follow and verify everything it does. As it works, it explains each step and the reasoning behind it in the conversation, and requests and responses it sends are captured in Burp's Logger. Together these give you a complete record you can review as you go, or use to demonstrate exactly what happened in a report or to a third party.
Working in tasks
When using the agentic beta, your work is organized into tasks. A task is a conversation focused on one area of testing, which can split into parallel sub-tasks if needed. You can run more than one task at a time, send follow-up prompts to dig into a result or point it at something new, and stop a task at any point. As it works, its activity appears in the Burp tools you already use: traffic in the Logger, scans on the Dashboard, and confirmed vulnerabilities in the Issues panel and site map.
Skills from PortSwigger Research
The agentic beta can draw on skills, which are focused testing techniques written by PortSwigger's Research team that extend what it knows how to do. It invokes them automatically when it decides they're relevant to the situation. Skills are published and updated automatically, so you don't need to update Burp to take advantage of new techniques. Skills are enabled by default, but you can disable them if you need to.
Reviewing findings
Potential vulnerabilities that the agentic beta finds are recorded as issues in Burp, and work the same way as those raised by Burp Scanner or during your manual testing. Each issue includes the requests and responses used to find it, so you can reproduce it, confirm it's exploitable, and report it with confidence.
More information
For more information on using the agentic beta, click Agentic Beta in Burp and select Settings > Documentation.
Share your feedback
We'd really value your feedback on the agentic beta. Click here to share your thoughts on what's working, what isn't, and what you'd want to see next.
Burp's embedded browser is now Burp Browser
Burp's embedded browser previously presented as "Chromium" on your system. It's now branded as Burp Browser, to make it more identifiable. If you've previously added the browser to an allow list, for example in your endpoint security, antivirus, or firewall configuration, you may need to update the entry to reflect the new name.