Community

Burp in the Community.

Twenty years of pentesters opening Burp. Twenty years of meeting at Black Hat, arguing on Discord, writing BApps, dropping research. The tool is ours. The community is yours.

  • 85,000+ pentesters using Burp
  • 250+ free Academy labs
  • 17,000+ on Discord
  • 100+ community events a year
In person

Where the community gathers.

Black Hat. DEF CON. OWASP AppSec. RomHack. EkoParty. The big stages where the research lands. BSides Leeds, BSides Exeter, SteelCon, HackGlasgow, StudentHack: the grassroots where the next generation of bug hunters meet Burp for the first time. HAC NYC, HAC LDN, FOST Paris: the API and AI conversations.

Wherever the AppSec community gathers, Burp is in the room. Sometimes with us on a booth, sometimes on a laptop someone else brought.

BLACK HAT USA · AUGUST 2025

HTTP/1.1 Must Die.

Backing James Kettle's eleventh Black Hat paper with a community call-to-arms. The campaign, the shirts, the room.

The Pros vs Joes CTF at BSidesLV — community at laptops in a hotel ballroom, PortSwigger sponsor sign visible // CTF · Pros vs Joes

Two HAC NYC attendees holding up the custom King-Kong-on-Statue-of-Liberty HAC NYC t-shirt design // HAC NYC · custom merch

A Burp-Suite-branded yerba mate cup with stainless steel bombilla, beside a Burp-Suite-branded suede pouch at EkoParty Buenos Aires // EKOPARTY · mate in Buenos Aires

A Security Fest crew member proudly showing his Burp Suite 2025 t-shirt and Security Fest crew badge // SECURITY FEST · crew

2025 in review · 2026 ahead

// burp on tour
  • Black Hat USA · Las Vegas · Aug 2026
  • Meta BBR Conference · Taipei · May 2026
  • Black Hat Europe · London · Dec 2025 · 2026
  • FOST Paris · Paris · Dec 2025
  • OWASP Global AppSec USA · Washington DC · Nov 2025
  • EkoParty · Buenos Aires · Oct 2025
  • HAC LDN · London · Sep 2025
  • RomHack · Rome · Sep 2025
  • DEF CON · Las Vegas · Aug 2025 · 2026
  • BSides LV · Las Vegas · Aug 2025 · 2026
  • SteelCon · Sheffield · Jul 2025
  • BSides Leeds · Leeds · Jun 2025
  • HAC NYC · New York · May 2025
  • BSides Exeter · Exeter · Apr 2025
  • StudentHack (UoM) · Manchester · Apr 2025
  • HackGlasgow · Glasgow · 2025

"The way that Burp has developed, how you listen to the community, and create free learning material, it's absolutely amazing."

Andres Rauschecker

Ambassadors

Introducing our Burp Ambassadors.

Five people from five countries who teach Burp, speak about Burp, build BApps, run training, run podcasts and run live-hacking events. None of them work for PortSwigger. All of them are trusted by the community already. That's why they're here.

The inaugural Burp Ambassador cohort at PortSwigger HQ, Knutsford, April 2026
KNUTSFORD · APRIL 2026

Five Ambassadors. Five countries. One Burp.

Alan Levy · Corey Ball · Federico Dotta · Rana Khalil · Tib3rius.

Alan Levy
// @soyelmago · Argentina · bug hunter

Pentester and bug hunter, on Burp since 2011. Speaks at conferences and brings the Argentine AppSec scene with him.

Corey Ball
// @hapi_hacker · USA · API expert

Author of Hacking APIs and writer of the hAPI Blog. If you've learned API security in the last five years, chances are some of it came from him.

Federico Dotta
// @apps3c · Italy · extensibility

Pentester on Burp since 2010. Built Brida and the tools the rest of the extender community quietly depends on.

Rana Khalil
// @rana__khalil · Qatar · educator

One of the most-watched AppSec teachers on YouTube. Her Burp Suite walkthroughs are the on-ramp for thousands of new pentesters every year.

Tib3rius
// @0xTib3rius · USA · bug hunter

Pentester and content creator, on Burp since 2011. Brings advanced web-application testing to wide audiences through livestreams and Twitch sessions.

Burp Champions

Champions doing the work, in public.

A growing global network of Champions: ethical hackers, CISOs, researchers, educators. They teach Burp, run workshops, host CTFs, write the labs people learn from. Selected by application, supported by us. Here are a few of them, in their own words.

The 'I'm a Burp Champion!' announcement graphic that new Champions share when they accept the programme

"I won't hide it — Burp Suite has been my daily companion during penetration tests and CTFs, and now I can officially represent this community in Poland and beyond."

Michał Błaszczak · CISO, Vercom S.A. · Poland

"Burp Suite has genuinely been one of the most constant tools in my workflow… It's hard to think of a point in my security journey where it wasn't open on my screen."

Otsmane Ahmed · Cybersecurity Researcher

"Being part of this program is a fantastic opportunity to give back to the community, provide direct feedback to the PortSwigger team, and help others sharpen their pentesting skills."

John P. · Penetration Tester · Truist / Synack
// What Champions do
  • Workshops in the wild · Godwine Houngavou hosted an OS command injection workshop at HTB Meetup Bénin.
  • Content + writeups · Juan Felipe O. (KPMG, NASA HoF) shares technical writeups and research.
  • CTFs + internal demos · Kat Belle Alejandro hosts CTFs and demos Burp to her workplace's Security Champions programme.
  • Local communities · Ansh Padam delivers workshops through the National Cyber & Forensics Alliance.

Become a Burp Champion.

30-second application. Contribute in your own way, when it works for you.

PortSwigger Research

The research everyone reads.

PortSwigger Research has published eleven Black Hat papers in a row. The Top 10 Web Hacking Techniques, started by Jeremiah Grossman back in 2006 and picked up by us in 2017, sets the tempo for everyone else's research year. Open nominations, community vote, awarded on stage.

// PortSwigger Research

Eleven consecutive Black Hat papers. And counting.

James Kettle on the DEF CON main stage in a PortSwigger Research t-shirt, podium with the DEF CON smiley-skull logo to his left // DEF CON main stage · 2025

Cutting-edge research is what keeps Burp ahead. Every disclosure becomes a technique you can run today, on a tool your peers have been auditing in public for two decades.

  • 2025 · HTTP/1.1 Must Die · Single-packet attack at scale, the desync endgame
  • 2024 · HTTP/2 request smuggling · An entire vulnerability class hiding in plain sight
  • 2023 · Single-packet attack · Race conditions resolved in a single TCP packet
  • 2022 · Browser-powered desync attacks · Turning the browser into the desync weapon
  • 2019 · HTTP request smuggling, reborn · The technique that opened the modern desync era

James Kettle · Gareth Heyes · Zakhar Fedotkin

// Top 10 web hacking techniques

The community-voted annual.

Nineteen editions in. Every January, the security community nominates the year's best web hacking research; a community vote shortlists fifteen. This year's panel was Soroush Dalili, STÖK, LiveOverflow, Nicolas Grégoire and James Kettle. They picked and ordered the final ten. Award ceremony at DEF CON.

19 editions since 2006

// 2025 — top three

#1 · Successful Errors: new code injection and SSTI techniques
Vladislav Korchagin · error-based blind SSTI plus a polyglot detection toolkit

#2 · ORM Leaking More Than You Joined For
Alex Brown, elttam · ORM leaks as a generic methodology for dumping the database

#3 · Novel SSRF via HTTP Redirect Loops
@shubs · “that's magic.” Making blind SSRF visible.
Learn · Certify

Learn here. Be recognised here.

The Web Security Academy has been free since 2019, and it's where most people learn web security for the first time. Hundreds of thousands of them, every year. The Burp Suite Certified Practitioner credential turns up on AppSec resumes from Bishop Fox to Microsoft to the engineer three desks down.

Web Security Academy

The free training the AppSec world trains on.

Over 250 labs across XSS, SQLi, SSRF, authentication, access control, request smuggling, prototype pollution, race conditions, GraphQL and JWT. All built by the same Research team that publishes the Black Hat papers. Free. No login required to read. The lab platform is the only thing behind sign-in, because the labs are interactive.

  • 250+ free labs
  • Free since 2019
BSCP merchandise — embroidered cap, branded t-shirt, and badge sticker

Earn the badge. Carry it on LinkedIn.

The Burp Suite Certified Practitioner exam tests real Burp workflow under a clock. Hands-on labs, not multiple choice. People fail it. Then come back. That's the point. The exam doesn't let through people who can't actually use the tool.

  • Hands-on · lab-based, not multiple choice
  • On the clock · workflow under time pressure
  • Re-takeable · fail-then-return culture
"To find a place that had all of that information in one location, with a consistently high quality of labs, especially being free, it's a no-brainer. Why wouldn't you dive right into it?!" // Johnny Villarreal · Academy alumnus
"I find that having Burp Suite Pro is really helpful for some of the Academy labs, so as I'm learning more skills by doing the labs I'm also learning how to use Burp Suite better as well." // Kamil Vavra · Academy alumnus
// Burp in the Community

Find your people.

Whether that's the Discord on a Tuesday night, the Black Hat floor in August, the lab you finish at 2am, or the BApp you publish next year. Burp is the tool. The community is the room. Pick a door.