# First Run Checklist

Use this checklist after installation and before starting a real assessment.

## Essential Setup

* [ ] **Extension loaded**: `AI Agent` tab is visible.
* [ ] **Burp AI prerequisite checked**: if you plan to use the built-in **Burp AI** backend, open Burp's **Settings → Burp AI** and confirm *Use AI for extensions* is **ON** (Burp Pro only). Without this, the backend stays `Offline` and cannot be selected. See [Burp AI (Built-in)](https://burp-ai-agent.six2dez.com/backends/burp-ai).
* [ ] **Backend selected**: backend set in **AI Backend** tab.
* [ ] **Backend configured**: command/URL/model/auth values are valid (or left blank when using the built-in Burp AI backend).
* [ ] **Backend healthy**: top status indicator shows active state.
* [ ] **Context menus available**: request right-click menu shows Custom AI Agent actions.

## MCP Server (Recommended)

* [ ] **MCP ON**: top-bar MCP toggle enabled.
* [ ] **Token recorded**: token available for external clients when needed.
* [ ] **Port free**: configured port (default `9876`) is not occupied.

## Privacy & Security

{% hint style="info" %}
Default privacy mode is `BALANCED` (cookies stripped, tokens redacted, hosts preserved). Switch to `STRICT` for sensitive targets on cloud backends, or `OFF` only for local-model testing.
{% endhint %}

* [ ] **Privacy mode set** intentionally (`STRICT`/`BALANCED`/`OFF`).
* [ ] **Context preview dialog** confirmed at least once: right-click a proxy item, choose an AI action, and verify the modal shows privacy mode + prompt + redacted JSON before sending.
* [ ] **Audit logging** enabled if compliance traceability is needed.
* [ ] **Determinism** enabled if reproducibility is required.
* [ ] **Salt** rotated for new sensitive engagements.

## Scanners (Optional)

* [ ] **Passive scanner** configured with **Scope Only** ON.
* [ ] **Active scanner** only enabled when traffic is authorized.
* [ ] **Scope configured** in Burp Target before active checks.

## Verification Test

1. Browse through Burp Proxy.
2. Right-click a request in **Proxy -> HTTP History**.
3. Select **Extensions -> Custom AI Agent -> Find vulnerabilities**.
4. Verify that a chat session opens and the response streams.

If any step fails, use [Troubleshooting](https://burp-ai-agent.six2dez.com/reference/troubleshooting).

<figure><img src="https://741304880-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FaQ3pR328GUzNEoYZ2fgc%2Fuploads%2FUKbbEQ0oqbEnG4WZUn3Q%2Fimage.png?alt=media&#x26;token=8c310c9a-42da-4d3e-a4c1-e39a3a00a63a" alt="Context menu showing Custom AI Agent actions during first-run verification"><figcaption></figcaption></figure>

