
Burp AI (Built-in)

The Burp AI backend is an in-process backend that runs through Burp Suite Professional's built-in AI capability. It requires no external URL, API key, or CLI, and it has the lowest-latency response path of all backends because no HTTP or child-process boundary is crossed.

This backend is only available on Burp Suite Professional with AI credits and the Use AI for extensions option enabled. It is not available on Burp Suite Community.

Prerequisites

  1. Burp Suite Professional with an active AI subscription (AI credits).

  2. In Burp: Settings → Burp AI → Use AI for extensions must be set to ON.

When Use AI for extensions is off, the extension's supervisor refuses to start a Burp AI session and you'll see AI: Offline in the top bar even when the backend is selected. Switching it on takes effect immediately without restarting Burp.

This gate is scoped to the Burp AI backend only. The supervisor refuses to start a session and the scanners refuse to enqueue work only when the selected Preferred Backend is burp-ai and Burp's Use AI for extensions toggle is off. Every other backend — Ollama, LM Studio, OpenAI-compatible, NVIDIA NIM, Perplexity, and the Gemini / Claude / Codex / Copilot / OpenCode CLI agents — keeps working whether that toggle is on, off, or you're on Burp Community (where the toggle does not exist).

The AI-calling MCP tools (ai_analyze, ai_passive_scan, and friends) honour the same api.ai().isEnabled() check before issuing a request, so they respect Burp's Use AI for extensions setting when the Burp AI backend is selected. Independent third-party backends still answer those tools even when Burp's built-in AI is off.

Selecting Burp AI

  1. Open Custom AI Agent → Settings → AI Backend.

  2. In Preferred Backend choose Burp AI (built-in).

  3. Optionally click Test connection. A healthy backend reports Healthy; if Burp AI is disabled in Burp settings the health check returns Unavailable: Burp AI is not enabled. Enable 'Use AI' in Burp Suite settings.

There is no URL, model, token, or custom command — configuration lives entirely inside Burp's own AI settings.

Capabilities

| Capability | Value |
| --- | --- |
| Streaming | No — Burp returns a full response from api.ai().prompt().execute(...) in one call. |
| JSON mode | Enforced via the prompt: when jsonMode=true the extension appends "IMPORTANT: Respond ONLY with valid JSON." to the user message. |
| System role | Yes. Agent profiles are delivered as Message.systemMessage(...) and precede the conversation history. |
| Auto-start | Not applicable (no process to launch). |
| Temperature | 0.0 when Determinism Mode is on, otherwise 0.3. |
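
The gate described under Prerequisites and the call shape in the table above, as an added Montoya API sketch (not the extension's own source). The class name, method names, parameter names, and the blank-line separator before the JSON instruction are assumptions; the input text is assumed to have already passed privacy-mode redaction.

```java
import burp.api.montoya.MontoyaApi;
import burp.api.montoya.ai.chat.Message;
import burp.api.montoya.ai.chat.PromptException;
import burp.api.montoya.ai.chat.PromptOptions;
import burp.api.montoya.ai.chat.PromptResponse;
import java.util.ArrayList;
import java.util.List;

// Hypothetical class; illustrates the documented behaviour only.
public final class BurpAiCallSketch {
    // Text from the page; the leading separator is an assumption.
    private static final String JSON_SUFFIX =
            "\n\nIMPORTANT: Respond ONLY with valid JSON.";
    private final MontoyaApi api;

    public BurpAiCallSketch(MontoyaApi api) { this.api = api; }

    // Mirrors Burp's "Use AI for extensions" toggle. An older Montoya API
    // without the ai() surface is treated as unavailable, not as a crash.
    public boolean available() {
        try {
            return api.ai().isEnabled();
        } catch (RuntimeException | LinkageError e) {
            return false;
        }
    }

    public String ask(String agentProfile, List<Message> history,
                      String redactedUserText, boolean jsonMode,
                      boolean determinismMode) {
        if (!available()) {
            throw new IllegalStateException("Burp AI is not enabled.");
        }
        List<Message> messages = new ArrayList<>();
        messages.add(Message.systemMessage(agentProfile)); // system role first
        messages.addAll(history);                          // then prior turns
        messages.add(Message.userMessage(
                jsonMode ? redactedUserText + JSON_SUFFIX : redactedUserText));
        PromptOptions options = PromptOptions.promptOptions()
                .withTemperature(determinismMode ? 0.0 : 0.3);
        try {
            // One blocking call returns the whole response; nothing streams.
            PromptResponse response = api.ai().prompt()
                    .execute(options, messages.toArray(new Message[0]));
            // JSON mode is only a prompt instruction, so the caller must
            // still parse and validate the content before trusting it.
            return response.content();
        } catch (PromptException e) {
            throw new IllegalStateException("Burp AI request failed", e);
        }
    }
}
```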

Privacy Posture

Burp AI keeps requests inside Burp's own AI route. The plugin does not open additional outbound connections when this backend is selected — the prompt, context, and conversation history all flow through the Montoya api.ai() channel. Privacy-mode redaction is still applied to the payload before handoff, so cookies, tokens, and (in STRICT mode) hostnames are stripped just as with any other backend.

See Privacy Modes for what gets redacted.

Limitations

  • Not available on Burp Community.

  • Streaming UI indicators in the chat panel appear as a single chunk because the backend returns the full response at once.

  • There is no per-backend timeout setting; request timing is governed by Burp Pro's own AI limits.

  • The extension's HTTP retry/circuit breaker does not wrap this backend — retries fall back to whatever Burp Pro does internally.

  • Tool-chain execution still runs through the MCP catalog like any other backend, but the response text is produced in a single call rather than streamed.

Troubleshooting

  • AI: Offline in the top bar with Burp Pro running — open Burp Settings → Burp AI and toggle Use AI for extensions on. The plugin polls api.ai().isEnabled() on every health cycle and will pick the change up automatically.

  • AI credits exhausted — Burp Pro surfaces quota errors directly; the plugin relays them as an ERROR entry in the AI Request Logger.

  • api.ai().isEnabled() throws on custom builds — on older Montoya API versions the ai() surface may be missing; the backend falls back to Unavailable and disappears from the Preferred Backend dropdown automatically.
