Overview

GitHub - six2dez/burp-ai-agent: Burp Suite extension that adds built-in MCP tooling, AI-assisted analysis, privacy controls, passive and active scanning and moreGitHub

AI integration for Burp Suite.

Custom AI Agent is an extension for Burp Suite that integrates AI capabilities into your security workflow. It offers:

• Pluggable Backends: Use the built-in Burp AI backend (Burp Pro with Use AI for extensions enabled), local models (Ollama, LM Studio), NVIDIA NIM, Perplexity, generic OpenAI-compatible providers, or cloud CLI providers (Gemini, Claude, Codex, Copilot, OpenCode). Add custom backends via drop-in JARs. Only the Burp AI backend depends on Burp Pro's Use AI for extensions toggle; every other backend runs independently and works on Burp Community too.

• Privacy-First Design: Configurable redaction modes (Strict/Balanced/Off) default to Balanced; cookies, auth headers, inline Bearer/Basic/JWT tokens, and sensitive URL query parameters are stripped before data leaves Burp. A preview dialog shows the exact payload before any auto-captured context is sent.

• MCP Server: An embedded Model Context Protocol (MCP) server with 53+ tools for Burp history, Repeater, Scanner, scope, and issue workflows.

• AI Scanners: Passive and Active scanners that analyze traffic automatically across 62 vulnerability classes.

• Curated BountyPrompt Actions: Optional, tag-aware context menu actions loaded from JSON prompt files.

• Custom Prompt Library: Save free-form prompts tagged per context (HTTP request or scanner issue), managed from Settings, surfaced in a right-click Custom prompts submenu, with an ad-hoc editor for one-offs.

• Audit Logging: JSONL-based logging with per-event SHA-256 payload hashes for compliance and reproducibility.

• AI Request Logger: Real-time activity log with trace ID correlation, preset filters, rolling JSONL persistence, and full metadata for prompts, responses, MCP calls, retries, and scanner operations.

• Auto Tool Chaining: Automatic multi-step MCP tool execution where the AI autonomously chains up to 8 tool calls to complete complex tasks.

Key Features

Use Cases

1. AI-Assisted Analysis: Analyze requests, explain JS, draft PoCs, and generate issue narratives directly from Burp context.

2. Local Privacy: Run local models for low-leakage workflows and keep strict redaction controls when using cloud providers.

3. MCP Workflows: Connect external MCP clients to Burp and run supervised tool-driven workflows.

4. Automated Scanning: Keep passive and active AI scanners running while you focus on manual testing.

5. Defensible Operations: Preserve auditable, reproducible prompt bundles with deterministic redaction options.

Getting Started

• Installation: Set up the extension JAR.

• Quick Start: Run your first AI analysis.

• First Run Checklist: Validate environment and backend health.

• Backends: Configure Ollama, Gemini, Claude, Codex, and OpenCode.

Documentation

• User Guide: UI areas, context menus, sessions, and templates.

• BountyPrompt Actions: Configure and use curated BountyPrompt submenu actions.

• Scanners: Passive and Active AI scanning.

• MCP Reference: Connect external agents safely.

• Privacy: Redaction behavior and data protection boundaries.

• Token & Cost Management: Usage telemetry and spend control.

• Examples: Typical workflows and sample prompts.

• Reference: Full settings, glossary, and troubleshooting.

• Developer: Architecture, data flow, and extension internals.

Operational Guarantees

• Your settings persist across restarts and are migrated safely between versions.

• Passive and active scanners enforce queue/size limits to avoid runaway resource usage.

• Privacy policies are applied before prompt data leaves Burp.

• MCP tools are safety-gated with safe/unsafe controls and per-tool toggles.

• Session history and context size controls help limit token/cost growth.

• Audit logging provides tamper-evident JSONL records for reproducibility workflows.