# Overview

{% embed url="https://github.com/six2dez/burp-ai-agent" %}

**AI integration for Burp Suite.**

Custom AI Agent is an extension for Burp Suite that integrates AI capabilities into your security workflow. It offers:

* **Pluggable Backends**: Use the built-in Burp AI backend (Burp Pro with *Use AI for extensions* enabled), local models (Ollama, LM Studio), NVIDIA NIM, generic OpenAI-compatible providers, or cloud CLI providers (Gemini, Claude, Codex, Copilot, OpenCode). Add custom backends via drop-in JARs.
* **Privacy-First Design**: Configurable redaction modes (Strict/Balanced/Off) default to **Balanced**; cookies, auth headers, inline Bearer/Basic/JWT tokens, and sensitive URL query parameters are stripped before data leaves Burp. A preview dialog shows the exact payload before any auto-captured context is sent.
* **MCP Server**: An embedded Model Context Protocol (MCP) server with 53+ tools for Burp history, Repeater, Scanner, scope, and issue workflows.
* **AI Scanners**: Passive and Active scanners that analyze traffic automatically across 62 vulnerability classes.
* **Curated BountyPrompt Actions**: Optional, tag-aware context menu actions loaded from JSON prompt files.
* **Custom Prompt Library**: Save free-form prompts tagged per context (HTTP request or scanner issue), managed from Settings, surfaced in a right-click **Custom prompts** submenu, with an ad-hoc editor for one-offs.
* **Audit Logging**: JSONL-based logging with per-event SHA-256 payload hashes for compliance and reproducibility.
* **AI Request Logger**: Real-time activity log with trace ID correlation, preset filters, rolling JSONL persistence, and full metadata for prompts, responses, MCP calls, retries, and scanner operations.
* **Auto Tool Chaining**: Automatic multi-step MCP tool execution where the AI autonomously chains up to 8 tool calls to complete complex tasks.

<figure><img src="https://741304880-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FaQ3pR328GUzNEoYZ2fgc%2Fuploads%2FKpBjrbXN3FAPd3YaDV3x%2Fimage.png?alt=media&token=fd3a146d-d85e-4dd3-97f5-58a6cd31333b" alt="Custom AI Agent main tab with chat and settings"><figcaption>Custom AI Agent main tab with chat and settings</figcaption></figure>

## Key Features

| Feature                            | Description                                                                                                                                 |
| ---------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- |
| **10 Built-in Backends**           | Burp AI (built-in), Ollama, LM Studio, NVIDIA NIM, Generic OpenAI-compatible, Gemini CLI, Claude CLI, Codex CLI, Copilot CLI, OpenCode CLI. |
| **53+ MCP Tools**                  | History, Repeater, Intruder, Scanner, Scope, Site Map, Collaborator, Utilities, and more.                                                   |
| **Auto Tool Chaining**             | AI autonomously chains up to 8 MCP tool calls per interaction to complete multi-step tasks.                                                 |
| **AI Request Logger**              | Real-time activity log with trace ID correlation, preset filters, and optional rolling JSONL persistence.                                   |
| **62 Vulnerability Classes**       | From SQLi and XSS to cache poisoning, JWT attacks, and API security issues.                                                                 |
| **3 Scan Modes**                   | `BUG_BOUNTY`, `PENTEST`, and `FULL` for different engagement styles.                                                                        |
| **3 Privacy Modes**                | `STRICT` (maximum redaction), `BALANCED` (pragmatic, default), and `OFF` (no redaction; intended only for local backends).                 |
| **9 Prompt Templates**             | Editable templates for request and issue context menu actions.                                                                              |
| **Custom Prompt Library**          | User-defined free-form prompts per context (HTTP request / scanner issue), with ordered menu and audit-tracked launch metadata.             |
| **8 Curated BountyPrompt Actions** | Detection, recon, and advisory prompts with selective context tags.                                                                         |
| **Token-Aware Controls**           | Passive scanner and manual context caps, dedup windows, and prompt-result caching to reduce model spend.                                    |
| **Burp Pro Integration**           | Native `ScanCheck`, Collaborator OAST, and scanner issue actions.                                                                           |
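To make the privacy modes concrete, here is an added Python example (not code from the extension) of what "stripped before data leaves Burp" means for a raw HTTP request. The header and query-parameter lists, the `STRICT` allowlist, and the exact per-mode behaviour are assumptions for this illustration; the extension's own redaction tables are not reproduced here. The sample request and its secrets are constructed.

```python
from __future__ import annotations

import re
from enum import Enum
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


class PrivacyMode(Enum):
    STRICT = "STRICT"      # redact everything that is not structural
    BALANCED = "BALANCED"  # strip credentials and known-sensitive fields (default)
    OFF = "OFF"            # raw data; only defensible with a local backend


REDACTED = "[REDACTED]"

# Assumed lists for this example; the extension's own tables are not reproduced here.
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie",
                      "x-api-key", "x-auth-token"}
SENSITIVE_PARAMS = {"token", "access_token", "refresh_token", "api_key", "apikey",
                    "key", "password", "session", "sid", "code"}
# Headers STRICT keeps so the request stays parseable (assumed allowlist).
STRICT_KEEP = {"host", "content-type", "content-length", "accept"}

# Inline credential patterns: "Bearer <token>" / "Basic <b64>" and bare JWTs.
SCHEME_TOKEN_RE = re.compile(r"\b(Bearer|Basic)\s+[A-Za-z0-9._~+/=-]+", re.IGNORECASE)
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")


def redact_inline(text: str) -> str:
    """Replace credential material embedded in free text (header values, bodies)."""
    text = SCHEME_TOKEN_RE.sub(lambda m: f"{m.group(1)} {REDACTED}", text)
    return JWT_RE.sub(REDACTED, text)


def redact_query(target: str, mode: PrivacyMode) -> str:
    """Redact query values: known-sensitive names in BALANCED, every value in STRICT."""
    parts = urlsplit(target)
    if not parts.query:
        return target
    pairs = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if mode is PrivacyMode.STRICT or name.lower() in SENSITIVE_PARAMS:
            value = REDACTED
        pairs.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(pairs, safe="[]")))


def redact_request(raw: str, mode: PrivacyMode) -> str:
    """Apply a privacy mode to a raw HTTP request before it is handed to a model."""
    if mode is PrivacyMode.OFF:
        return raw
    pieces = re.split(r"\r?\n\r?\n", raw, maxsplit=1)
    head = pieces[0]
    body = pieces[1] if len(pieces) > 1 else ""
    lines = head.splitlines()
    method, target, version = lines[0].split(" ", 2)
    out = [f"{method} {redact_query(target, mode)} {version}"]
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        lname = name.lower()
        if lname in CREDENTIAL_HEADERS or (mode is PrivacyMode.STRICT and lname not in STRICT_KEEP):
            value = REDACTED
        else:
            value = redact_inline(value)  # catch tokens in non-credential headers too
        out.append(f"{name}: {value}")
    # Bodies get inline token redaction in both STRICT and BALANCED (assumed simplification).
    return "\r\n".join(out) + "\r\n\r\n" + redact_inline(body)


def leaked_secrets(text: str, secrets: list[str]) -> list[str]:
    """Preview check: return every known secret that still appears verbatim."""
    return [s for s in secrets if s in text]


# Constructed sample request; none of these values are real credentials.
SAMPLE_REQUEST = (
    "POST /api/v1/session/refresh?client=web&access_token=sk-live-ABC123 HTTP/1.1\r\n"
    "Host: app.example.com\r\n"
    "Cookie: session=9f8e7d6c5b4a; theme=dark\r\n"
    "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.c2lnbmF0dXJl\r\n"
    "X-Api-Key: k-0123456789\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"refresh":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.c2lnbmF0dXJl","user":42}'
)
SAMPLE_SECRETS = ["sk-live-ABC123", "9f8e7d6c5b4a",
                  "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.c2lnbmF0dXJl", "k-0123456789"]

if __name__ == "__main__":
    for mode in PrivacyMode:
        print(f"--- {mode.value} ---")
        print(redact_request(SAMPLE_REQUEST, mode))
```

Running the block prints the same request under all three modes: `BALANCED` keeps `client=web`, the JSON structure and the `Host`, while the cookie, `Authorization`, API key and both JWT copies are gone; `STRICT` additionally blanks every query value and every non-structural header; `OFF` is a no-op, which is why it should only be paired with a backend that never leaves the host. `leaked_secrets` is the kind of check to run against the preview payload before approving a send.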

## Use Cases

1. **AI-Assisted Analysis**: Analyze requests, explain JS, draft PoCs, and generate issue narratives directly from Burp context.
2. **Local Privacy**: Run local models for low-leakage workflows and keep strict redaction controls when using cloud providers.
3. **MCP Workflows**: Connect external MCP clients to Burp and run supervised tool-driven workflows.
4. **Automated Scanning**: Keep passive and active AI scanners running while you focus on manual testing.
5. **Defensible Operations**: Preserve auditable, reproducible prompt bundles with deterministic redaction options.
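The "supervised tool-driven workflows" above rest on the gating the page describes elsewhere: a safe/unsafe switch, per-tool toggles, and a ceiling of 8 chained MCP calls per interaction. The following Python sketch is an added example of that control pattern, not the extension's own code. The four tool names, their safe/unsafe classification, the canned executors, and the `run_plan` driver (a scripted stand-in for the model's tool choices) are all assumptions made for the illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable


@dataclass(frozen=True)
class ToolSpec:
    name: str
    unsafe: bool  # True for tools that change Burp state or touch the target


# Illustrative catalogue; the real server exposes 53+ tools, these four stand in for them.
CATALOG = {
    "get_proxy_history": ToolSpec("get_proxy_history", unsafe=False),
    "get_scope": ToolSpec("get_scope", unsafe=False),
    "send_to_repeater": ToolSpec("send_to_repeater", unsafe=True),
    "start_active_scan": ToolSpec("start_active_scan", unsafe=True),
}


@dataclass
class ToolPolicy:
    allow_unsafe: bool = False                       # global safe/unsafe switch
    disabled: set[str] = field(default_factory=set)  # per-tool toggles
    max_chain: int = 8                               # hop budget per interaction


class PolicyDenied(Exception):
    pass


class ToolChain:
    """Gate every tool call an agent requests during one interaction."""

    def __init__(self, policy: ToolPolicy, executors: dict[str, Callable[..., object]]):
        self.policy = policy
        self.executors = executors
        self.calls_made = 0

    def call(self, name: str, **args):
        # Budget is checked before anything runs, so the 9th call never executes.
        if self.calls_made >= self.policy.max_chain:
            raise PolicyDenied(f"chain budget of {self.policy.max_chain} exhausted")
        spec = CATALOG.get(name)
        if spec is None:
            raise PolicyDenied(f"unknown tool {name!r}")  # fail closed on unlisted tools
        if name in self.policy.disabled:
            raise PolicyDenied(f"tool {name!r} is disabled")
        if spec.unsafe and not self.policy.allow_unsafe:
            raise PolicyDenied(f"tool {name!r} is unsafe and unsafe tools are off")
        self.calls_made += 1
        return self.executors[name](**args)


def run_plan(plan: list[tuple[str, dict]], policy: ToolPolicy) -> tuple[list[object], str | None]:
    """Execute a scripted sequence of tool calls (stand-in for model decisions).

    Returns the results collected and the reason the chain stopped, or None if it
    ran to completion.
    """
    # Constructed executors returning canned data; no Burp instance is involved.
    executors = {
        "get_proxy_history": lambda limit=10: [f"GET /item?id={i}" for i in range(limit)],
        "get_scope": lambda: ["https://app.example.com"],
        "send_to_repeater": lambda request: f"queued:{request}",
        "start_active_scan": lambda url: f"scan:{url}",
    }
    chain = ToolChain(policy, executors)
    results: list[object] = []
    for name, args in plan:
        try:
            results.append(chain.call(name, **args))
        except PolicyDenied as exc:
            return results, str(exc)
    return results, None


if __name__ == "__main__":
    greedy = [("get_proxy_history", {"limit": 3})] * 9
    done, why = run_plan(greedy, ToolPolicy())
    print(len(done), "calls ran;", why)
    done, why = run_plan([("send_to_repeater", {"request": "GET / HTTP/1.1"})], ToolPolicy())
    print(done, why)
```

The point of the structure is that the policy decision is taken in one place, before dispatch, and that every denial is a distinct, loggable reason. With the default policy a plan of nine read-only calls stops after eight, and an unsafe tool is refused even when it is the first thing the model asks for; enabling `allow_unsafe` but leaving a tool in `disabled` still blocks that one tool.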

## Getting Started

* [**Installation**](https://burp-ai-agent.six2dez.com/getting-started/installation): Set up the extension JAR.
* [**Quick Start**](https://burp-ai-agent.six2dez.com/getting-started/quick-start): Run your first AI analysis.
* [**First Run Checklist**](https://burp-ai-agent.six2dez.com/getting-started/first-run-checklist): Validate environment and backend health.
* [**Backends**](https://burp-ai-agent.six2dez.com/backends/overview): Configure Ollama, Gemini, Claude, Codex, and OpenCode.

## Documentation

* [**User Guide**](https://burp-ai-agent.six2dez.com/user-guide/ui-tour): UI areas, context menus, sessions, and templates.
* [**BountyPrompt Actions**](https://burp-ai-agent.six2dez.com/user-guide/bountyprompt-actions): Configure and use curated BountyPrompt submenu actions.
* [**Scanners**](https://burp-ai-agent.six2dez.com/scanners/passive): Passive and Active AI scanning.
* [**MCP Reference**](https://burp-ai-agent.six2dez.com/mcp-server/overview): Connect external agents safely.
* [**Privacy**](https://burp-ai-agent.six2dez.com/privacy-and-logging/privacy-modes): Redaction behavior and data protection boundaries.
* [**Token & Cost Management**](https://burp-ai-agent.six2dez.com/user-guide/token-management): Usage telemetry and spend control.
* [**Examples**](https://burp-ai-agent.six2dez.com/examples/typical-workflows): Typical workflows and sample prompts.
* [**Reference**](https://burp-ai-agent.six2dez.com/reference/settings-reference): Full settings, glossary, and troubleshooting.
* [**Developer**](https://burp-ai-agent.six2dez.com/developer/architecture): Architecture, data flow, and extension internals.

## Operational Guarantees

* Your settings persist across restarts and are migrated safely between versions.
* Passive and active scanners enforce queue/size limits to avoid runaway resource usage.
* Privacy policies are applied before prompt data leaves Burp.
* MCP tools are safety-gated with safe/unsafe controls and per-tool toggles.
* Session history and context size controls help limit token/cost growth.
* Audit logging writes JSONL records with per-event SHA-256 payload hashes, so a recorded prompt or response can be checked against what was actually sent and reproduced later.
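The per-event payload hashes mentioned for the audit log make an altered payload detectable, but on their own they say nothing about a record that was deleted or reordered. The added Python example below (not the extension's own format or code) shows a JSONL writer with a per-event SHA-256 payload hash and a verifier that re-derives it; it goes one step beyond the page by also linking each record to the previous one, which is an assumption introduced here so that deletion is caught as well. Field names, the canonical JSON encoding, and the sample events are constructed.

```python
from __future__ import annotations

import hashlib
import json

GENESIS = "0" * 64  # chain seed for the first record (assumed convention)


def canonical(obj) -> str:
    """Canonical JSON: sorted keys, no whitespace, so hashes are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False)


def payload_hash(payload: dict) -> str:
    """Per-event SHA-256 over the canonical payload."""
    return hashlib.sha256(canonical(payload).encode("utf-8")).hexdigest()


def chain_hash(prev: str, payload_sha256: str) -> str:
    """Link to the previous record (extension beyond per-event hashing)."""
    return hashlib.sha256((prev + payload_sha256).encode("ascii")).hexdigest()


def append_event(log: list[str], event_type: str, trace_id: str, payload: dict) -> str:
    """Append one JSONL record carrying the payload hash and a link to the previous one."""
    prev = json.loads(log[-1])["chain_sha256"] if log else GENESIS
    ph = payload_hash(payload)
    record = {
        "type": event_type,
        "trace_id": trace_id,
        "payload": payload,
        "payload_sha256": ph,
        "chain_sha256": chain_hash(prev, ph),
    }
    line = canonical(record)
    log.append(line)
    return line


def verify_log(lines: list[str]) -> list[str]:
    """Re-derive every hash; return the problems found (empty list means it checks out)."""
    problems, prev = [], GENESIS
    for i, line in enumerate(lines):
        rec = json.loads(line)
        if payload_hash(rec["payload"]) != rec["payload_sha256"]:
            problems.append(f"event {i}: payload hash mismatch")
        # The link is computed from the stored payload hash, so a modified payload
        # shows up once (above) and a missing record shows up as a broken link.
        if chain_hash(prev, rec["payload_sha256"]) != rec["chain_sha256"]:
            problems.append(f"event {i}: chain broken")
        prev = rec["chain_sha256"]
    return problems


def build_sample_log() -> list[str]:
    """Constructed events for one interaction; not real extension output."""
    log: list[str] = []
    append_event(log, "prompt", "tr-0001", {"backend": "ollama", "prompt": "Explain this request"})
    append_event(log, "mcp_call", "tr-0001", {"tool": "get_proxy_history", "args": {"limit": 5}})
    append_event(log, "response", "tr-0001", {"text": "Parameter id looks user-controlled"})
    return log


def tamper_payload(lines: list[str], index: int, new_payload: dict) -> list[str]:
    """Copy of the log with one payload rewritten but its stored hashes left as they were."""
    out = list(lines)
    rec = json.loads(out[index])
    rec["payload"] = new_payload
    out[index] = canonical(rec)
    return out


def drop_event(lines: list[str], index: int) -> list[str]:
    """Copy of the log with one record removed (simulates a deleted line)."""
    return lines[:index] + lines[index + 1:]


if __name__ == "__main__":
    log = build_sample_log()
    print("\n".join(log))
    print("intact:", verify_log(log))
    print("edited:", verify_log(tamper_payload(log, 2, {"text": "No issues found"})))
    print("deleted:", verify_log(drop_event(log, 1)))
```

Verifying the intact log returns no problems; rewriting the response text of the third record is reported as a payload hash mismatch on that record only, and removing the middle record is reported as a broken link at the position where the gap appears. Without the link field, the second case would pass silently, which is the caveat to keep in mind when relying on per-event hashes alone.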

