Burp Scanner Features & Pricing

eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

See our complete list of top penetration testing tools.

The Bottom Line

PortSwigger Web Security’s Burp is a top-rated web vulnerability scanner used in many organizations and is found in most penetration testing toolkits, though its strength is more on the scanning side than on penetration. A free version is limited in functionality, so those interested in the complete package for enterprise-wide scalability and automation should be prepared to pay well. Security professionals needing only a good automated vulnerability scanner for code testing can make do with the much cheaper Professional version.

For more on the Burp Suite, see Getting Started with the Burp Suite: A Pentesting Tutorial

Type of tool: Web vulnerability scanner

Key features: PortSwigger Web Security offers the Burp web vulnerability scanner in three flavors:

  • The Enterprise Edition comes with an automated Web vulnerability scanner, scheduling of scans, scalability across the enterprise, and CI integration as well as a series of manual tools.
  • The Professional version doesn’t have scheduling, enterprise scalability or CI integration.
  • The Community Edition consists of a series of manual tools and is aimed at researchers and hobbyists. The free version has essential manual tools for carrying out scanning. activities.

Burp bills itself as the world’s most widely used web vulnerability scanner. Major retailers, banks and governments use it to protect applications. It can check for SQL injection, cross-site scripting (XSS) and other vulnerabilities (including those listed in the OWASP top 10). In addition to scanning, it is also used for compliance and security audit purposes.

Burp is a Java-based web vulnerability scanner, enabling IT to scan applications to gain an enterprise-wide view of the most significant vulnerabilities. Drill-down capabilities allow for a closer look at individual applications, URLs and parameters to view issues in more detail. Web vulnerabilities are classified by type and severity.

Burp pioneered the use of out-of-band techniques (OAST) to supplement regular scanning. Burp Collaborator detects server-side vulnerabilities that may not be noticeable when only the application’s external behavior is viewed. Burp functions as an HTTP proxy server so all HTTP/S traffic from the browser passes through it.

“Burp is my go-to tool for testing web applications,” said the CEO of a security firm.

Differentiator: Automation of scanning and repetitive functions, enterprise scalability.

What it can’t do: It is a vulnerability scanner with some penetration tools that attack the exploits it uncovers.

Cost: The Enterprise Edition costs $3,999 per year. The Professional version costs $399, and there is also a free edition.

Get the Free Cybersecurity Newsletter

Strengthen your organization’s IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

Drew Robb Avatar

Subscribe to Cybersecurity Insider

Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.

Top Cybersecurity Companies

Top 10 Cybersecurity Companies

See full list

Get the Free Newsletter!

Subscribe to Cybersecurity Insider for top news, trends & analysis