PortSwigger Burp Suite Professional Overview

PortSwigger Burp Suite Professional is the #1 ranked solution in our list of top Fuzz Testing Tools. It is most often compared to OWASP ZAP.

What is PortSwigger Burp Suite Professional?

Burp Suite Professional, by PortSwigger, is the world’s leading toolkit for web security testing. Over 52,000 users worldwide, across all industries and organization sizes, trust Burp Suite Professional to find more vulnerabilities, faster. With expertly-engineered manual and automated tooling, you're able to test smarter - not harder.

PortSwigger is the web security company that is enabling the world to secure the web. Over 50,000 security engineers rely on our software and expertise to secure their world.

PortSwigger Burp Suite Professional is also known as Burp.

PortSwigger Burp Suite Professional Buyer's Guide

Download the PortSwigger Burp Suite Professional Buyer's Guide including reviews and more. Updated: July 2021

PortSwigger Burp Suite Professional Customers

Google, Amazon, NASA, FedEx, P&G, Salesforce

Pricing Advice

What users are saying about PortSwigger Burp Suite Professional pricing:
  • "Licensing costs are about $450/year for one user. For larger organizations, they're able to test against multiple applications while simultaneously others might have multiple versions of applications which need to be tested, which is why we have the enterprise edition."
  • "The solution used to be expensive. However, they have reduced the price to approximately $400.00 which is reasonable."
  • "There are different licenses available that include a free version."

Vijayanathan Naganathan
Director - Head of Delivery Services at Ticking Minds Technology Solutions Pvt Ltd
Real User
Top 20
Great design, excellent features like Intruder, Repeater, Decoder with plenty of plug-ins from community forums.

What is our primary use case?

Clients come to me for an assessment of their web applications to see the risks that they are facing with their applications. They want to ensure that their application is free of being manipulated and also secure, so they reach out to us to do vulnerability assessment and application penetration testing. We make use of PortSwigger's Burp Suite tool to carry this out. We look at it more from an application standpoint, what common vulnerabilities there are like the top 10 OWASP vulnerabilities like Injection (OS/SQL/CMD), broken authentication, session management, cross-site request forgery…

Pros and Cons

  • "Once I capture the proxy, I'm able to transfer across. All the requested information is there. I can send across the request to what we call a repeater, where I get to ready the payload that I send to the application. Put in malicious content and then see if it's responding to it."
  • "The biggest improvement that I would like to see from PortSwigger that today many people see as an issue in their testing. There might be a feature which might be desired."

What other advice do I have?

The tool comes in three types. First, there is the open Community Edition, which is meant for people who use it to learn the tool or use it to secure their system. This edition does not have scanning features enabled to scan against application URLs or websites. From the standpoint of learning about security tests or assessing the security of an application without scanning, the Community Edition really helps. Then you also have a Professional edition which is more meant for doing comprehensive vulnerability assessment and application penetration testing, which is very important. Especially for…
VishalDhamke
Lead Security Architect at SITA
Real User
Top 5 Leaderboard
Best for manual penetration testing, a great user interface, and offers good scanning capabilities

What is our primary use case?

It's an individual tool that security professionals use for their manual pen-testing. We use it for capturing the traffic, intercepting the traffic between the browser and the application. We try to manipulate the application's traffic so that whatever input is accepted by the application is sanitized and validated. We try to analyze the application for input validation, that all inputs are handled correctly. Another use case is having a scanner module built in where you can browse the entire application. The scanner can continuously scan the application for vulnerabilities based on OWASP…

Pros and Cons

  • "The solution has a great user interface."
  • "It should provide a better way to integrate with Jenkins so that DAST (dynamic application security testing) can be automated."

What other advice do I have?

We are just customers and end-users. I'd advise other organizations that this solution is a pretty good tool for manual penetration testing. It has good features like the Scanner and Sequencer, Repeater, and there are extensions. Burp extensions are available where they can customize Burp behavior using their own or third-party code. Those features will be really useful for Burp users. It's also obviously a very cost-effective option. I would rate the solution at a nine out of ten.
AA
Founder and Director at a financial services firm with 1-10 employees
Real User
Top 20
Great reporting with good crawling capability and offers a simple setup

What is our primary use case?

We primarily use the solution for security testing - specifically for web-application security.

Pros and Cons

  • "The solution has a pretty simple setup."
  • "The pricing of the solution is quite high."

What other advice do I have?

The solution has an annual subscription model, and therefore you'll have to keep updating the new version. It's part of the package. They release a new version and that is covered under your subscription. I'm a consultant. I buy tools from multiple vendors. I provide development assessment services for my clients. This is one more product in the suite of tools or applications, which are used for testing. Anyone at any sized company could use this solution. I'd recommend this solution. It's one more tool to have in your bag. I would rate the solution at a ten out of ten.
NC
IT Manager at a manufacturing company with 10,001+ employees
Real User
Top 5 Leaderboard
A very user-friendly solution with good technical support, but it needs more advanced reporting.

What is our primary use case?

We use the solution for scanning our in-house external facing website.

Pros and Cons

  • "The way they do the research and they keep their profile up to date is great. They identify vulnerabilities and update them immediately."
  • "The biggest drawback is reporting. It's not so good. I can download them, but they're not so informative."

What other advice do I have?

We use the on-premises deployment model. I would rate the solution seven out of ten.
VinothKumar5
Senior Technical Architect at Hexaware Technologies Limited
Real User
Top 20
Effective automatic scanning, Academy portal for learning, and reliable

What is our primary use case?

The solution is for web security testing and the primary use is to eliminate the false positives.

Pros and Cons

  • "The automated scan is what I find most useful because a lot of customers will need it. Not every domain will be looking for complete security, they just need a stamp on the security key. For these kinds of customers, the scan works really well."
  • "There could be an improvement in the API security testing. There is another tool called Postman and if we had a built-in portal similar to Postman which captures the API, we would be able to generate the API traffic. Right now we need a Postman tool and the Burp Suite for performing API tests. It would be a huge benefit to be able to do it in a single UI."

What other advice do I have?

My advice to others just starting out with security testing is to evaluate Zap, which is open-source, to allow them to get an understanding of the processes. Then once they have an understanding they should look into PortSwigger Burp Suite Professional. This solution would win in comparison with its features and would be a very good choice after they have some experience. I rate PortSwigger Burp Suite Professional an eight out of ten.
Saminda Jayawardene
Compliance Manager at a tech services company with 201-500 employees
Real User
Top 5 Leaderboard
Evaluate and ensure the security of web-based applications

What is our primary use case?

We're a software development company. We specialize in ensuring application security for our customers. For each and every application we release, we issue a certificate explaining that the application is up to date and that all security testing has been successfully completed. In that certificate, we also mention that PortSwigger is one of the tools that we used to test the application. Presently, we have three users. In the future, regarding product testing, I am thinking of hiring another two people, which will make us a team of five. Currently, we're releasing a lot of applications…

Pros and Cons

  • "In my area of expertise, I feel like it has almost everything I could possibly require at this moment."
  • "A lot of our interns find it difficult to get used to PortSwigger Burp's environment."

What other advice do I have?

I would definitely recommend PortSwigger Burp. I've actually recommended it to some of my colleagues, students, and interns. I'm really comfortable and happy with it; besides, there are no other products to compare it to. On a scale from one to ten, I would give this solution a rating of eight. If they included example scenarios and hosted educational webinars, I would give this solution a rating of ten. In my area of expertise, I feel like it has almost everything I could possibly require at this moment. Generally, I don't come across situations like that, so I am very happy with it.
SivaPrakash
Senior Test Engineer II at a financial services firm with 201-500 employees
Real User
Top 5 Leaderboard
Finds vulnerabilities but is not always cost effective

What is our primary use case?

Our use cases are to identify the vulnerabilities of OAST and the other applications we are using.

Pros and Cons

  • "The feature that we have found most valuable is that it comes with pre-set configurations. They have a set of predefined options where you can pick one and start scanning. We also have the option of creating our own configurations, like how often do the applications need to be scanned."
  • "One area that can be improved, when compared to alternative tools, is that they could provide different reporting options and in different formats like PDF or something like that."

What other advice do I have?

On a scale of one to ten I would rate PortSwigger Burp a seven. For it to be a ten it would need to implement the above-mentioned different formats for reporting and the interactive security testing.
MM
Cyber Security Specialist at a university with 10,001+ employees
Real User
Intruder and automatic scanning features help secure our internal applications pre-production

What is our primary use case?

This is a solution for which I provide services to our customers and I also use it personally. As part of our organization, we build internal applications. Before they are put into production, we run a suite of security tests to ensure that our applications are not vulnerable to any known issues. We use PortSwigger Burp for testing, as well as OWASP ZAP. We do similar tests in multiple tools to make sure that we cover the entire set of use cases. I have this solution deployed as one user on a single machine, which is used by a designated security tester.

Pros and Cons

  • "The most valuable features are Burp Intruder and Burp Scanner."
  • "There should be a heads up display like the one available in OWASP Zap."

What other advice do I have?

We do have problems with some of the add-ons that we install from the marketplace. They may not be available or out of support, so when you want to install them, they are not there. This is a very nice tool and anybody can use it, from beginner to expert level. There are some simple and straightforward settings with documentation that is very clear. If you follow the steps you can easily get up to speed within five minutes for a single user. I would rate this solution an eight out of ten.