Data Flow

This page describes how data moves from Burp context to AI output, scanner findings, and MCP responses.

Standard Chat Flow (Context Menu to AI Response)

Operational notes:

1. Context is collected from the selected Burp item(s).

2. Redaction is applied before any outbound AI call.

3. Manual context size controls are applied for context-menu actions.

4. Audit logging (when enabled) records prompt and stream events.

BountyPrompt Flow (Request/Response Actions)

Passive Scanner Flow

The AI passive scanner is registered as a Montoya PassiveScanCheck (via api.scanner().registerPassiveScanCheck(check, ScanCheckType.PER_REQUEST)), so Burp Scanner drives it per request. It is a Burp Pro feature; on Community the registration fails silently and is logged.

Batch Analysis & Persistent Cache Flow

Cross-Scanner Knowledge Base Flow

Active Scanner Flow

MCP Tool Flow

Auto Tool Chaining Flow

When the AI needs to call MCP tools to answer a user question, tool calls are executed automatically in a loop:

All entries in a tool chain share the same trace ID (chat-turn-{UUID}), making it easy to follow the complete chain in the AI Request Logger.

Trace ID Propagation

Trace IDs are generated at the entry point and propagated through the entire call chain. Scanner jobs generate scanner-job-{UUID}, batch passive analyses share scanner-batch-{UUID} across all requests in the batch, and adaptive payload generation uses adaptive-payload-{VULN_CLASS} so the same identifier is reused for repeated generations of the same class. See Audit Logging → Trace ID Correlation for the full list.