
Architecture

The extension (loaded in Burp as Custom AI Agent) is implemented in Kotlin on the JVM using the Burp Montoya API. The architecture is intentionally layered so UI, context collection, redaction, backend execution, scanning, MCP, and audit concerns can evolve independently.

Layered Design

Initialization Sequence

BurpAiAgentExtension.initialize(MontoyaApi) performs startup in a strict order.

Design Goals

  • Modularity: separate concerns to reduce coupling.

  • Testability: keep parsing and privacy logic unit-testable.

  • Extensibility: backend/tool additions should not require core refactors.

  • Determinism: stable ordering and stable anonymization when configured.

  • Privacy-first: redaction happens before outbound backend or MCP output.
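The privacy-first and determinism goals are easiest to see together. The following is an added example in Python, not code from the extension's `redact/*` package: it redacts a request before it would be handed to a backend or an MCP client, derives placeholders from a keyed hash so the same value always gets the same placeholder, and keeps the placeholder map local so model output can be restored for the operator. The rule set, the `<KIND_xxxxxxxx>` placeholder format and the HMAC-based scheme are assumptions made for this illustration; the sample request is constructed.

```python
"""Deterministic redaction of a request before it leaves Burp.

Added illustration, not the extension's redact/* code. The rule set, the
<KIND_xxxxxxxx> placeholder format and the keyed-hash pseudonym scheme are
assumptions made for this example.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass, field

# (kind, pattern): group(1) is the secret part that gets replaced.
RULES = [
    ("AUTH",   re.compile(r"^Authorization:[ \t]*([^\r\n]+)", re.I | re.M)),
    ("COOKIE", re.compile(r"^Cookie:[ \t]*([^\r\n]+)", re.I | re.M)),
    ("HOST",   re.compile(r"^Host:[ \t]*([^\r\n]+)", re.I | re.M)),
    ("JWT",    re.compile(r"\b(eyJ[\w-]+\.[\w-]+\.[\w-]+)\b")),      # tokens outside headers
    ("EMAIL",  re.compile(r"([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})")),
]

# Constructed sample; nothing here is a real host, token or address.
SAMPLE_REQUEST = (
    "POST /api/v1/orders HTTP/1.1\r\n"
    "Host: shop.example.internal\r\n"
    "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJlLXBsYWNlaG9sZGVy\r\n"
    "Cookie: session=9f1c0c7a5b; theme=dark\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"customer":"alice@example.com","note":"same as alice@example.com"}'
)


@dataclass
class Redactor:
    """Replaces sensitive values with placeholders derived from a keyed hash.

    The key is the determinism knob: keep it for a session and a value maps to
    the same placeholder every time (the model can reason about "<HOST_...>"
    being one host); rotate it and the mapping changes, breaking linkage.
    """
    key: bytes
    mapping: dict = field(default_factory=dict)   # placeholder -> original; stays local

    def pseudonym(self, kind: str, value: str) -> str:
        tag = hmac.new(self.key, f"{kind}:{value}".encode(), hashlib.sha256).hexdigest()[:8]
        placeholder = f"<{kind}_{tag}>"            # 32-bit tag is enough for one session
        self.mapping[placeholder] = value
        return placeholder

    def redact(self, text: str) -> str:
        for kind, pattern in RULES:
            def replace(m, kind=kind):
                return m.group(0).replace(m.group(1), self.pseudonym(kind, m.group(1)))
            text = pattern.sub(replace, text)
        return text

    def restore(self, text: str) -> str:
        """Re-insert originals into model output so the operator sees real values locally."""
        for placeholder, original in self.mapping.items():
            text = text.replace(placeholder, original)
        return text


def redact_for_backend(message: str, key: bytes) -> str:
    """The outbound path: redact first, then hand the text to the backend or MCP client."""
    return Redactor(key).redact(message)
```

Two points worth keeping in mind when building a rule set like this: regex rules are a floor, not a ceiling (secrets in custom headers, URL parameters or encoded bodies need their own rules), and the same engine has to sit in front of every outbound path, MCP output included, or the guarantee in the design goal above does not hold.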

Key Modules

| Package | Purpose |
| --- | --- |
| `ui/*` | Swing UI, settings panels, interaction components, AI Logger panel. |
| `ui/design/*` | Internal design system: `DesignTokens` (spacing/typography/theme-aware color tokens) and reusable `Components`. Re-themes automatically when Burp switches between light and dark; no hardcoded colors. |
| `ui/components/AccordionPanel` | Collapsible section panel used to organize dense settings tabs. |
| `ui/UiActions` | Context menu wiring for request/response and issue actions. |
| `ui/ToolCallParser` | Extracts MCP tool-call payloads from AI model responses (fenced blocks, raw JSON, OpenAI-style). |
| `ui/ChatPanel` | Chat orchestration with auto tool chaining (up to 8 iterations) and trace ID propagation. |
| `context/*` | Context collection from Burp selections. |
| `redact/*` | Privacy policy and redaction engine. |
| `prompts/bountyprompt/*` | Curated prompt loader, resolver, parser, and catalog. |
| `backends/*` | Backend registry, built-in adapters, diagnostics. |
| `supervisor/*` | Backend and MCP lifecycle supervision. |
| `mcp/*` | MCP manager, catalog, limiter, and transports. |
| `scanner/*` | Passive/active scanner engines and analyzers. The AI passive scanner runs as a Montoya `PassiveScanCheck` (registered via `api.scanner().registerPassiveScanCheck(check, ScanCheckType.PER_REQUEST)`, a Burp Suite Professional feature). |
| `audit/*` | JSONL writer, integrity hashes, AI Request Logger (activity buffer, rolling persistence, trace correlation). |
| `alerts/*` | Optional webhook notifications. |
| `config/*` | Settings model, persistence, defaults, migration. |
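The `ui/ToolCallParser` and `ui/ChatPanel` rows describe behaviour that is clearer in code. The following is an added example written in Python for illustration; it is not the extension's Kotlin implementation. It accepts the three payload forms the table lists (fenced block, raw JSON embedded in prose, OpenAI-style `tool_calls`) and drives a tool-chaining loop capped at 8 iterations. The exact field names (`tool`/`arguments`), the tool registry, the `trace_id` field and the scripted model replies are assumptions constructed for the example.

```python
"""Tool-call extraction and bounded auto-chaining.

Added illustration, not the extension's Kotlin code. The payload shapes
({"tool": ..., "arguments": {...}} and OpenAI-style "tool_calls"), the tool
registry and the trace-ID field are assumptions made for this example.
"""
import json
import re
from dataclasses import dataclass
from typing import Callable, Iterator

FENCE = re.compile(r"```(?:json)?[ \t]*\n(.*?)\n```", re.S)
MAX_ITERATIONS = 8            # chaining cap quoted on this page


@dataclass(frozen=True)
class ToolCall:
    name: str
    arguments: dict


def _json_candidates(text: str) -> Iterator[object]:
    """Decoded JSON values: fenced blocks first, then bare objects embedded in prose."""
    for m in FENCE.finditer(text):
        try:
            yield json.loads(m.group(1))
        except json.JSONDecodeError:
            continue
    prose = FENCE.sub("", text)
    decoder = json.JSONDecoder()
    i = 0
    while (i := prose.find("{", i)) != -1:
        try:
            obj, i = decoder.raw_decode(prose, i)   # advances past the decoded object
            yield obj
        except json.JSONDecodeError:
            i += 1                                  # a brace that does not start JSON


def _from_object(obj: object) -> list[ToolCall]:
    if not isinstance(obj, dict):
        return []
    if isinstance(obj.get("tool_calls"), list):     # OpenAI-style
        calls = []
        for tc in obj["tool_calls"]:
            fn = tc.get("function", {})
            args = fn.get("arguments", {})
            if isinstance(args, str):                # OpenAI sends arguments as a JSON string
                args = json.loads(args)
            if fn.get("name"):
                calls.append(ToolCall(fn["name"], args))
        return calls
    if isinstance(obj.get("tool"), str):             # {"tool": name, "arguments": {...}}
        return [ToolCall(obj["tool"], obj.get("arguments") or {})]
    return []


def parse_tool_calls(text: str) -> list[ToolCall]:
    return [c for obj in _json_candidates(text) for c in _from_object(obj)]


def run_chat(model: Callable[[list], str], tools: dict[str, Callable[[dict], str]],
             prompt: str, trace_id: str, max_iterations: int = MAX_ITERATIONS) -> dict:
    """Alternate model and tool rounds until the model answers without a tool call or
    the cap stops a runaway chain; every executed call carries trace_id for the audit log."""
    history = [{"role": "user", "content": prompt}]
    executed = []
    for iteration in range(1, max_iterations + 1):
        reply = model(history)
        history.append({"role": "assistant", "content": reply})
        calls = parse_tool_calls(reply)
        if not calls:
            return {"answer": reply, "iterations": iteration, "tool_calls": executed, "capped": False}
        for call in calls:
            handler = tools.get(call.name)
            result = handler(call.arguments) if handler else f"error: unknown tool {call.name}"
            executed.append({"trace_id": trace_id, "tool": call.name, "arguments": call.arguments, "result": result})
            history.append({"role": "tool", "name": call.name, "content": result})
    return {"answer": None, "iterations": max_iterations, "tool_calls": executed, "capped": True}


# Constructed model replies exercising the three shapes the parser accepts.
SCRIPTED_REPLIES = [
    'Fetching the page first.\n```json\n{"tool": "http_get", "arguments": {"url": "https://example.test/login"}}\n```',
    '{"tool_calls": [{"id": "call_1", "type": "function", "function": {"name": "grep", "arguments": "{\\"pattern\\": \\"csrf\\"}"}}]}',
    'One more: {"tool": "http_get", "arguments": {"url": "https://example.test/admin"}} then I will summarise.',
    'Done: the constructed login page has no csrf field.',
]
TOOLS = {   # stand-ins for MCP tools; they return constructed results
    "http_get": lambda a: f"200 OK for {a['url']}",
    "grep": lambda a: f"0 matches for {a['pattern']}",
}


def scripted_model(replies: list[str]) -> Callable[[list], str]:
    it = iter(replies)
    return lambda history: next(it)


def demo_chain() -> dict:
    return run_chat(scripted_model(SCRIPTED_REPLIES), TOOLS, "Check login for CSRF", trace_id="t-0001")


def demo_runaway() -> dict:
    """A model that emits a tool call on every turn is cut off after MAX_ITERATIONS rounds."""
    looping = lambda history: '{"tool": "http_get", "arguments": {"url": "https://example.test/"}}'
    return run_chat(looping, TOOLS, "loop forever", trace_id="t-0002")
```

The cap matters for safety as much as for cost: a model that keeps emitting tool calls (`demo_runaway`) would otherwise drive MCP tools indefinitely. Unknown tool names are reported back to the model rather than raising, and the trace ID on each executed call is what lets audit records be joined to the chat turn that produced them.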

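The `audit/*` row names integrity hashes and trace correlation. One way to get both for a JSONL log, shown here as an added Python example that is not the extension's own writer (the field names, the canonical encoding and the genesis value are assumptions, and the events are constructed), is to chain each record to the hash of the previous one so that edits, deletions and reordering are detectable:

```python
"""Hash-chained JSONL audit records.

Added example of the integrity-hash idea, not the extension's writer. Field
names (ts, trace_id, event, prev, hash), the canonical encoding and the
genesis value are assumptions.
"""
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64   # "prev" of the first record


def _canonical(record: dict) -> bytes:
    # Sorted keys and fixed separators: the hash must not depend on key order or whitespace.
    return json.dumps(record, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode()


def append_record(lines: list[str], event: dict) -> str:
    """Append one event as a JSONL line; its hash covers the event and the previous hash."""
    prev = json.loads(lines[-1])["hash"] if lines else GENESIS
    body = {**event, "prev": prev}
    body["hash"] = hashlib.sha256(_canonical(body)).hexdigest()
    lines.append(_canonical(body).decode())
    return body["hash"]


def verify(lines: list[str]) -> tuple[bool, Optional[int]]:
    """Walk the chain; return (True, None) or (False, index of the first bad line).
    An edited line fails its own hash; a deleted, inserted or reordered line breaks
    the prev pointer of the line after it."""
    prev = GENESIS
    for i, line in enumerate(lines):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            return False, i
        claimed = rec.get("hash")
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec.get("prev") != prev or hashlib.sha256(_canonical(body)).hexdigest() != claimed:
            return False, i
        prev = claimed
    return True, None


def by_trace(lines: list[str], trace_id: str) -> list[dict]:
    """Trace correlation: every record written for one chat turn and its tool chain."""
    return [r for r in map(json.loads, lines) if r.get("trace_id") == trace_id]


def demo() -> dict:
    log: list[str] = []
    for event in [   # constructed events: one chat turn with a tool call, then a second turn
        {"ts": "2025-01-01T00:00:00Z", "trace_id": "t-0001", "event": "prompt.sent", "backend": "local"},
        {"ts": "2025-01-01T00:00:01Z", "trace_id": "t-0001", "event": "tool.call", "tool": "http_get"},
        {"ts": "2025-01-01T00:00:02Z", "trace_id": "t-0002", "event": "prompt.sent", "backend": "local"},
    ]:
        append_record(log, event)
    edited = list(log)                               # attacker rewrites the tool name in line 1
    rec = json.loads(edited[1]); rec["tool"] = "shell"; edited[1] = _canonical(rec).decode()
    deleted = log[:1] + log[2:]                      # attacker drops line 1
    return {"intact": verify(log), "edited": verify(edited), "deleted": verify(deleted),
            "t-0001": len(by_trace(log, "t-0001"))}
```

A hash chain on its own does not detect truncation of the tail: the latest hash has to be anchored somewhere the log writer cannot silently rewrite (a separate file, a webhook alert, or an HMAC under a key the logging process does not hold). Verification should run when a rolled file is loaded back, so a tampered log is flagged before its contents are presented as history.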