PortSwigger Burp Review

Finds vulnerabilities but is not always cost effective

What is our primary use case?

Our use cases are to identify the vulnerabilities of OAST and the other applications we are using. 

What is most valuable?

The feature that we have found most valuable is that it comes with pre-set configurations. They have a set of predefined options where you can pick one and start scanning. We also have the option of creating our own configurations, like how often do the applications need to be scanned.

Additionally, it has good reporting and dashboards and also integrates well with other task management applications that we're using.

What needs improvement?

One area that can be improved, when compared to alternative tools, is that they could provide different reporting options and in different formats like PDF or something like that.

One more thing they can improve is that despite having a good architecture, it needs a lot of specification. So when you start a project, because it requires a high configuration, the instructor costs more than the project. So it's not cost efficient if it's a big project.

For how long have I used the solution?

We have different versions of PortSwigger Burp Suite. For the past few years we have been using a professional edition, which is a desktop application. Now we are moving to the Cloud so we explored the enterprise edition. Although we haven't implemented it yet we're already using it. Now we have a better idea how their scanners and spiders actually work.

We've had a license for the professional version for the past two years.

What do I think about the scalability of the solution?

In terms of scalability, I think they can increase the number of regions. And more importantly, it doesn't restrict based on the domains you are scanning. So even if tomorrow you suggest some working space, you can still scan the domains for the regions that you have. If you want to increase the number that you scan, you can buy some more. So scalability is not a big problem, but I think if you are scanning from your side, you have to get the license for some of those activities. That's domain based licensing.

Right now we have two or three people using it.

How are customer service and technical support?

PortSwigger Burp's technical support is all right. The issues are resolved very quickly so we don't have to wait for long. They also provide you with documentation. Just by going through the documentation we can solve many of our problems.

How was the initial setup?

The initial setup was straightforward. We can install it on a Linux machine. It was fast to set up.

What's my experience with pricing, setup cost, and licensing?

PortSwigger Burp costs around $7,000 and around $2,309 for licensing.

What other advice do I have?

On a scale of one to ten I would rate PortSwigger Burp a seven.

For it to be a 10 it would need to implement the above mentioned different formats for reporting and the interactive security testing.

Which deployment model are you using for this solution?

**Disclosure: I am a real user, and this review is based on my own experience and opinions.
More PortSwigger Burp reviews from users
...who work at a Financial Services Firm
...who compared it with OWASP Zap
Learn what your peers think about PortSwigger Burp. Get advice and tips from experienced pros sharing their opinions. Updated: January 2021.
456,966 professionals have used our research since 2012.
Add a Comment