Installation

Prerequisites

Burp Suite Community or Professional (2023.12+ recommended).
Java 21 for building from source.

Recent Burp versions include bundled Java runtime for extension execution. Separate Java is mainly needed for local builds.

JDK 25 Compatibility: TLS certificate generation for the MCP server uses JDK's built-in keytool command, which works on all JDK versions (8-25+) and all platforms (macOS, Linux, Windows) without additional dependencies.

Install Path

In Burp, open Extensions -> BApp Store and search for Custom AI Agent.
Click Install.

The BApp Store build registers only the 8 extension-native AI MCP tools (status, issue_create, ai_analyze, ai_passive_scan, ai_findings_recent, redact_preview, ai_audit_query, ai_backends_list). For the full set of 59 MCP tools, download the full build from GitHub Releases.

Clone repository:

git clone https://github.com/six2dez/burp-ai-agent.git
cd burp-ai-agent

Build a fat JAR. The default build is the full artifact (all 59 MCP tools, for GitHub releases); pass -PstoreBuild=true for the store artifact (only the 8 extension-native AI MCP tools, for the BApp Store):

# Full build (default) -> build/libs/Custom-AI-Agent-full-<version>.jar
./gradlew clean shadowJar

# Store build (BApp Store) -> build/libs/Custom-AI-Agent-<version>.jar
./gradlew clean shadowJar -PstoreBuild=true

Output paths:

build/libs/Custom-AI-Agent-full-<version>.jar   # full build (default)
build/libs/Custom-AI-Agent-<version>.jar        # store build (-PstoreBuild=true)

A generated compile-time flag (BuildFlags.STORE_BUILD) gates which MCP tools register.

(Optional) Generate an SBOM alongside the JAR:

./gradlew cyclonedxBom --no-configuration-cache
# Output: build/reports/sbom/bom.json

Verify JAR Integrity (SHA-256)

Every GitHub release ships a *.jar.sha256 checksum file next to the JAR and a CycloneDX bom.json software bill of materials. Verify the JAR before loading it:

shasum -a 256 Custom-AI-Agent-<version>.jar
# Compare against the contents of Custom-AI-Agent-<version>.jar.sha256

If the two values differ, do not load the JAR — re-download from the official release page.

Load into Burp Suite

Open Extensions -> Installed -> Add.
Select extension type Java.
Choose the JAR file.
Complete load wizard.

Verify Installation

Expected indicators:

extension loads without startup errors,
the extension appears as Custom AI Agent in Extensions -> Installed, and its AI Agent tab appears in Burp main navigation.

The extension registers its display name as Custom AI Agent to distinguish it from Burp's built-in Burp AI provider; that is the name shown in Burp's Extensions list, the Suite tab, and the BApp Store listing.

Burp with AI Agent tab visible after extension load

Runtime Directory

On first start, ~/.burp-ai-agent/ is created:

~/.burp-ai-agent/
├── audit.jsonl
├── bundles/
├── contexts/
├── backends/
├── cache/            # created on demand by PersistentPromptCache (per project)
├── certs/
│   └── mcp-keystore.p12
├── logs/             # created on demand by the opt-in rolling AI Request Logger
└── AGENTS/
    ├── default          # plain text file whose content names the active profile (no extension)
    ├── pentester.md
    ├── bughunter.md
    └── auditor.md

The directory keeps the legacy burp-ai-agent name on disk to preserve upgrades for existing users; the product itself is now called Custom AI Agent. See Configuration Directory for a per-entry reference.

Custom additions:

profiles: ~/.burp-ai-agent/AGENTS/*.md (Agent Profiles)
backend plugins: ~/.burp-ai-agent/backends/ (Adding a Backend)

Troubleshooting

Extension load failure: inspect Burp Errors/Output tabs and Java version.
Tab missing: ensure extension is enabled.
Permission errors: ensure write access to ~/.burp-ai-agent/.

Next Steps

Continue with Quick Start.

PreviousOverview NextQuick Start

Last updated 5 days ago