We just raised a $30M Series A: Read our story
Shrey Sethi
Penetration Tester at a tech services company with 1,001-5,000 employees
Real User
Top 10
Good interface, feature-rich, and consistently being updated

Pros and Cons

  • "With the Extender Tab, if you know how to code then you can create a plugin and add it to Burp."
  • "There is not much automation in the tool."

What is our primary use case?

I am a penetration tester at my company and PortSwigger Burp is one of the products that I use in this capacity. It is a manual testing penetration tool.

What is most valuable?

There are a lot of good features and the most valuable one varies depending on what test you are performing. They are also consistently improving and releasing new features.

Two of the most valuable features are the Extender Tab and Repeater.

With the Extender Tab, if you know how to code then you can create a plugin and add it to Burp. It's not limited to their features because we can always add or do some customization of the features.

Even if you don't know how to code, there are hundreds of third-party plugins that are available to extend the features of the product. Some of them are open-source and there are some that are provided by Burp.

The user interface is good, having been changed within the past two years.

What needs improvement?

There is not much automation in the tool.

For how long have I used the solution?

I have been using Burp Suite for between four and five years.

What do I think about the stability of the solution?

This is a very stable product. The tool is 15 years old and very mature.

What do I think about the scalability of the solution?

Scalability is not an issue because it is not centrally connected. Rather, it is a per-license, user-based tool. We have more than 20 users in the company.

How are customer service and technical support?

The documentation is very good, so I have never needed to contact technical support.

How was the initial setup?

The initial setup is very straightforward and simple.

What about the implementation team?

No staff is required for maintenance.

What's my experience with pricing, setup cost, and licensing?

At $400 or $500 per license paid annually, it is a very cheap tool.

Which other solutions did I evaluate?

In comparing features, there is no real competition for this solution. There are a couple of open-source products, but there is no real competitor for the Burp Suite.

What other advice do I have?

This is a standard tool in this industry and anybody who is doing application security testing should be aware of it. My advice for anybody who is considering it is that it is very easy to install and configure, and there is lots of documentation available.

I would rate this solution a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
KM
IT Security Analyst at a tech services company with 11-50 employees
Real User
Top 20
Stable, easy to set up, and speeds up our vulnerability assessment and penetration testing

Pros and Cons

  • "I find the attack model quite amazing, where I can write my scripts and load my scripts as well, which helps quite a bit. All the active scanning that it can do is also quite a lot helpful. It speeds up our vulnerability assessment and penetration testing. Right now, I am enjoying its in-browser, which also helps quite a bit. I'm always confused about setting up some proxy, but it really is the big solution we all want."
  • "I am from Brazil. The currency exchange rate from a dollar to a Brazilian Real is quite steep. It is almost six to one. It would be good if it can be sold in the local currency, and its price is cheaper for us."

What is our primary use case?

I'm a junior cybersecurity analyst, and I'm helping the seniors to do some testing. Meanwhile, I'm also getting trained with the tool. I mostly use it for vulnerable apps assessment and some auditing. Other analysts use it for penetration testing.

We are using the latest version. We downloaded it three days ago.

What is most valuable?

I find the attack model quite amazing, where I can write my scripts and load my scripts as well, which helps quite a bit. All the active scanning that it can do is also quite a lot helpful. It speeds up our vulnerability assessment and penetration testing. Right now, I am enjoying its in-browser, which also helps quite a bit. I'm always confused about setting up some proxy, but it really is the big solution we all want.

What needs improvement?

I am from Brazil. The currency exchange rate from a dollar to a Brazilian Real is quite steep. It is almost six to one. It would be good if it can be sold in the local currency, and its price is cheaper for us. 

For how long have I used the solution?

I have been using PortSwigger Burp for six months now.

What do I think about the stability of the solution?

I have found no issues so far with its stability. I can't complain anything about it.

What do I think about the scalability of the solution?

I can't say much about that because we are going to transition to cloud management. I don't know for sure how it is going to scale up. We are still in the testing and planning stages. We currently have approximately five users, and our team is still growing.

How are customer service and technical support?

I haven't yet used their technical support.

How was the initial setup?

The initial setup is completely easy. It took a day to deploy.

What's my experience with pricing, setup cost, and licensing?

It is expensive for us in Brazil because the currency exchange rate from a dollar to a Brazilian Real is quite steep.

What other advice do I have?

It is a really big solution. There are so many modules. You got to have some training to do it properly and go through a lot of documentation.

I would rate PortSwigger Burp a nine out of ten. I haven't found anything to complain about, but there is always some room for improvement.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Learn what your peers think about PortSwigger Burp Suite Professional. Get advice and tips from experienced pros sharing their opinions. Updated: October 2021.
542,267 professionals have used our research since 2012.
YC
Security consultant at a manufacturing company with 10,001+ employees
Consultant
Top 20
The active scanner provides a very accurate security audit

Pros and Cons

  • "The active scanner, which does an automated search of any web vulnerabilities."
  • "As with most automated security tools, too many false positives."

What is our primary use case?

The primary use case is generally for security compliance on web applications. We provide services to our customers with Burp both on-prem and on cloud. I'm a solutions consultant and we are customers of PortSwigger Burp. 

What is most valuable?

Their flagship feature would be the active scanner, which carries out an automated look up of any web vulnerabilities reflecting over to one of the main compliance standards, like OWASP. This provides an accurate security audit for their web applications.

What needs improvement?

One downside of the solution would be their false positive checks. As with most automated security tools, there is still a high false positive issue. Hopefully they will be able to improve on that in the future. It would also be helpful if the solution had the capability of handling larger reports. Another area of improvement would be to have a customizable dashboard. It's currently restricted now to their own interface. If you want to utilize the other features available in their API documentation, then you have to write some code yourself. It would be great if their interface could be somewhat customizable.

For how long have I used the solution?

I've been using this solution for two years. 

What do I think about the stability of the solution?

The stability of the solution is generally fine.

What do I think about the scalability of the solution?

The solution is easily scalable, depending on licensing of course. For example, on the cloud set up, you can easily scale the agents and such. But in terms of bandwidth, maybe when it comes to their reporting feature, there are some limitations with the detail that can be downloaded from the report. I've found that the system can crash if you try to download a report with many details.

How was the initial setup?

In my opinion the initial setup is pretty straightforward. The workflow is easy to understand and they have a lot of documentation on how to perform many of the key tasks.

What's my experience with pricing, setup cost, and licensing?

I believe the price is good where it's at right now. They have a very competitive price point although recently they've been incrementally increasing in price. It's still competitive. 

What other advice do I have?

I would definitely recommend PortSwigger as a primary tool for auditing any open vulnerabilities of anything related to web applications. 

I would rate this product an eight out of 10. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Nagaraj Sheshachalam
Lead Cyber Security engineer at a manufacturing company with 10,001+ employees
Real User
Top 5Leaderboard
Is fast, stable, and budget-friendly, but the dashboard needs improvement

Pros and Cons

  • "PortSwigger Burp Suite does not hamper the node of the server, and it does not shut down the server if it is running."
  • "The reporting needs to be improved; it is very bad."

What is our primary use case?

We use PortSwigger Burp Suite Professional for security testing and for doing vulnerability scanning mechanisms.

How has it helped my organization?

It has partially improved the organization requirement however, The scanning mechanism is pretty slow and takes long duration to scan. Moreover, The server hangs up while scanning. 

What is most valuable?

This solution provides a very good mechanism for fixing interval time. For example, we can create a schedule, and the schedule runs on time. PortSwigger Burp Suite does not hamper the node of the server, and it does not shut down the server if it is running.

It is quite fast and easy to install as well.

It is also a budget-friendly tool.

What needs improvement?

The reporting needs to be improved; it is very bad.

The dashboard feature or the front-end of the tool does not look good and is not very creative or user-friendly. It looks complicated when we log in to the tool. It looks boring and outdated.

For how long have I used the solution?

I've been using this solution within the last 12 months.

What do I think about the stability of the solution?

Stability-wise, improvements have been made, and it is reliable.

How are customer service and technical support?

Technical support is not so easy to get a hold of. We had to learn most of the things through the documentation. However, the documentation is not readily available online. We have to create new calls for it, and we have to email them. So, if you have a problem, then it can take some time to resolve it.

Which solution did I use previously and why did I switch?

No dint use. 

How was the initial setup?

The initial setup was straightforward and took about one to two weeks.

What's my experience with pricing, setup cost, and licensing?

It's a budget-based tool, and it's a pretty decent budget tool for the mid-version of the application. It's a lower priced tool that we can rely on with good standard mechanisms. We have a yearly license.

Which other solutions did I evaluate?

Client provided product

What other advice do I have?

If you're looking for a budget-friendly tool, I would recommend PortSwigger Burp Suite Professional.

On a scale from one to ten, I would rate this tool at seven.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
NC
IT Manager at a manufacturing company with 10,001+ employees
Real User
Top 5Leaderboard
Scans any number of apps, database updates automatically; issues with high volume of scanning

Pros and Cons

  • "You can scan any number of applications and it updates its database."
  • "If we're running a huge number of scans regularly, it slows down the tool."

What is our primary use case?

There are three versions and we are using all three - community, professional and enterprise. We use the community and professional versions on premises and the enterprise version is on cloud. I'm an IT Manager. 

What is most valuable?

Burp has several good features; it's cheaper than other solutions and you can scan any number of applications and it updates its database. With the professional version, it creates a lot of applications which you can incorporate with your scanning and enable deep diving in the specific section. 

What needs improvement?

We've faced lots of challenges, including slowing down of the tool, and a lot of error messages, sometimes because of the interface. If we're running a huge number of scans regularly, I think that also slows down the tool so I'm not sure if it is good for lots of scans. I hope they will work on the amount of scans they can handle. There have been improvements in the interface and the reporting structure, but they need to do more. They have a long way to go. For now, if we use the interface directly, we need to use an integration with our web application. We're after value for money. 

For how long have I used the solution?

I've been using this solution for about 18 months. 

What do I think about the stability of the solution?

Stability depends upon the amount of scans you are running. Sometimes there are problems with the stability and it could be improved. 

What do I think about the scalability of the solution?

Scalability depends upon which of the Burp versions you're using. If you're using Pro it's not scalable because it's dedicated to one person. But when it comes to Enterprise, yes it is scalable, it's easy. 

How are customer service and technical support?

Support depends on how much you're paying. We get good support from them which we need because there are lots of issues occurring frequently. The pro version has less problems but it only takes one scan at a time, so it's good but restricting. The technical support is trying to solve the issues of stability we are having right now.

What other advice do I have?

I would recommend this solution depending on the requirements of the company. 

I would rate this solution a seven out of 10. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Eldar Aydayev
President & Owner at Aydayev's Investment Business Group
Real User
Top 5Leaderboard
Plenty of plugins, effective deep package analyzing, and reliable

Pros and Cons

  • "I have found this solution has more plugins than other competitors which is a benefit. You are able to attach different plugins to the security scan to add features. For example, you can check to see if there are any payment systems that exist on a server, or username and password brute force analysis."
  • "There needs to be better documentation provided. Currently, we need to buy books, or we need to review online some use cases from other professionals who have been using the solution to find out their experience. It is not easy to find out how to properly do a security assessment."

What is our primary use case?

I was working in internet banking in the Middle East and we used Zap for light testing and we used Burp Suite for more deep protocol and package review of the security.

What is most valuable?

I have found this solution has more plugins than other competitors which is a benefit. You are able to attach different plugins to the security scan to add features. For example, you can check to see if there are any payment systems that exist on a server, or username and password brute force analysis. You are able to do many different types of scans, such as SQL injection. There are a lot of deep packages analyzing functions that make this solution have more usability.

What needs improvement?

There needs to be better documentation provided. Currently, we need to buy books, or we need to review online some use cases from other professionals who have been using the solution to find out their experience. It is not easy to find out how to properly do a security assessment. The user interface is pretty basic and if you want to do more advanced operations you need to know more technical details, which are not publicly available. You need to get in touch with different engineers or somebody that publishes their experience in a book to be able to get the knowledge in how to use this solution to its fullest.

For how long have I used the solution?

I have been using this solution for approximately four years.

What do I think about the stability of the solution?

This is a stable solution when comparing it to competitors.

Which solution did I use previously and why did I switch?

I have used Zap and it is lightweight compare to this solution's functions. 

How was the initial setup?

The setup is a bit complex.

What's my experience with pricing, setup cost, and licensing?

This solution requires a license. It is expensive but you receive a lot of functionality for the price.

What other advice do I have?

My advice to others is if you have one small web server and static pages, you can easily use Zap. However, if it is a more complex environment, with a payment system, with a lot of content, and has many defined user rules, it is better to use Burp Suite.

I rate PortSwigger Burp Suite Professional a nine out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
AG
Cyber Security Analyst at a tech services company with 11-50 employees
Real User
Top 20
Good reporting, useful features, and great scalability

Pros and Cons

  • "The reporting part is the most valuable. It also has very good features. We use almost all of the features for different kinds of customers and needs."
  • "One thing that is not up to the mark in PortSwigger is web application testing. I found some issues with its performance and reporting. They should work on these and give us a better outcome."

What is our primary use case?

We are an auditing company. We use this solution for auditing purposes for the infrastructure of our customers.

What is most valuable?

The reporting part is the most valuable. It also has very good features. We use almost all of the features for different kinds of customers and needs. 

What needs improvement?

One thing that is not up to the mark in PortSwigger is web application testing. I found some issues with its performance and reporting. They should work on these and give us a better outcome.

For how long have I used the solution?

I have been using this solution for more than a year.

What do I think about the stability of the solution?

It is stable. We didn't have any issues.

What do I think about the scalability of the solution?

Its scalability is great. We have almost five users who are using the product, and they're happy with this product. 

How are customer service and technical support?

We've got very good support from their team.

Which solution did I use previously and why did I switch?

We previously used some open-source applications, but later on, we found out that, unfortunately, they are not good products. We had to use the applications of all other products separately in our environment, but PortSwigger can do all things itself. That's why we switched to PortSwigger.

How was the initial setup?

The initial setup was very simple.

What about the implementation team?

I implemented it on my own.

What's my experience with pricing, setup cost, and licensing?

It has a yearly license. I am satisfied with its price.

Which other solutions did I evaluate?

We did consider one more product and had a discussion about the product features. We found PortSwigger to be the best match for our business.

What other advice do I have?

It is a very good product. You must try it once.

I would rate PortSwigger Burp a nine out of ten. I am satisfied with this product. It is a great experience.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
NA
Chief Info Sec Engineer at Sri Lanka CERT
Real User
Top 20
An easy to install solution for vulnerability assessment

Pros and Cons

  • "We use the solution for vulnerability assessment in respect of the application and the sites."
  • "We wish that the Spider feature would appear in the same shape that it does in previous versions."

What is our primary use case?

We are using the latest version and are in the process of upgrading it. 

What is most valuable?

We use the solution for vulnerability assessment in respect of the application and the sites. We use the intruder part, which is essentially the Proxy part, to check whether any brute-force attacks can be undertaken. 

What needs improvement?

We wish that the Spider feature would appear in the same shape that it does in previous versions. 

I believe we have developmental tools such Accuratix. It would be nice if the report that was accepted upon scanning would highlight all the weaknesses from the perspective of my application. 

For how long have I used the solution?

We have been using PortSwigger Burp Suite Professional for the last three years.

What do I think about the stability of the solution?

We have had no issues with the stability. 

What do I think about the scalability of the solution?

As we only have a couple of licenses, we have not encountered any issues concerning the scalability. 

How are customer service and technical support?

The technical support is all right. 

This said, we have requested support on a couple of occasions, specifically one concerning training relating to the new features and add-ons coming onto the application, and this is still outstanding. 

How was the initial setup?

The initial setup is not very complex. Rather, it is easy and straightforward. 

What's my experience with pricing, setup cost, and licensing?

For a country such as Sri Lanka, the pricing is not reasonable. 

What other advice do I have?

There are around 10 people using the solution in our organization.

I don't have any advice off the cuff. When it comes to the web crawling features, it does not need to be in the same shape as before, but it would be nice if it allowed us to index associated things in the manner that we did so in the past. 

I rate PortSwigger Burp Suite Professional as a nine out of ten. 

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
Buyer's Guide
Download our free PortSwigger Burp Suite Professional Report and get advice and tips from experienced pros sharing their opinions.