We use Burp Suite Professional for testing websites and checking some servers, primarily scanning IP addresses and checking which ports are open.
Cyber security manager at a tech services company with 11-50 employees
Schedules regular website scans for enhanced security checks
Pros and Cons
- "The most valuable feature of Burp Suite Professional is its ability to schedule tasks for scanning websites, which helps in performing regular checks of IP addresses."
- "The technical support from PortSwigger is excellent, managing response time and quality efficiently without any issues."
- "It would be beneficial to have privileged access management as a part of Burp Suite Professional."
- "It would be beneficial to have privileged access management as a part of Burp Suite Professional."
What is our primary use case?
How has it helped my organization?
Burp Suite Professional saves time by allowing us to set up scans and then review the results later.
What is most valuable?
The most valuable feature of Burp Suite Professional is its ability to schedule tasks for scanning websites, which helps in performing regular checks of IP addresses.
What needs improvement?
It would be beneficial to have privileged access management as a part of Burp Suite Professional.
Buyer's Guide
PortSwigger Burp Suite Professional
December 2024
Learn what your peers think about PortSwigger Burp Suite Professional. Get advice and tips from experienced pros sharing their opinions. Updated: December 2024.
824,053 professionals have used our research since 2012.
For how long have I used the solution?
We have been using Burp Suite Professional for approximately one year.
What do I think about the stability of the solution?
Burp Suite Professional is stable as we keep it up to date, and it does not have issues.
What do I think about the scalability of the solution?
Burp Suite Professional can be scaled effectively.
How are customer service and support?
The technical support from PortSwigger is excellent, managing response time and quality efficiently without any issues.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I have experience with Nessus, which is slightly cheaper. It is used for scanning externally, whereas Burp Suite is better for internal scanning.
How was the initial setup?
The initial setup of Burp Suite Professional was simple and completed by myself. It took about one hour, while the configuration took approximately three hours.
What about the implementation team?
The setup and implementation of Burp Suite Professional were handled by myself without requiring third-party consultants.
What's my experience with pricing, setup cost, and licensing?
The pricing for Burp Suite Professional is not very high, however, it could be more flexible for clients.
Which other solutions did I evaluate?
I use Nessus for some tasks because it is a bit cheaper and better for external scanning.
What other advice do I have?
I would recommend Burp Suite Professional to other users as it is a beneficial tool.
I'd rate the solution nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Nov 17, 2024
Flag as inappropriateSenior Manager at Airtel
A stable security solution that has good visibility
Pros and Cons
- "I am impressed with the tool's detailed analysis for penetration testing. AppScan can give only visibility, but it can't do the PT part. But the PortSwigger Burp Application can do both, and it gives much more visibility on the PT rating."
- "I need the solution to be more user-friendly. The solution needs to be user-friendly."
What is our primary use case?
We use the solution to do VAPT.
What is most valuable?
I am impressed with the tool's detailed analysis for penetration testing. AppScan can give only visibility, but it can't do the PT part. But the PortSwigger Burp Application can do both, and it gives much more visibility on the PT rating.
What needs improvement?
I need the solution to be more user-friendly. The solution needs to be user-friendly.
For how long have I used the solution?
I have been using the solution for three years.
What do I think about the stability of the solution?
It is a stable solution. I rate the stability an eight out of ten.
What do I think about the scalability of the solution?
It is a scalable solution but needs to be more user-friendly. I rate the scalability an eight out of ten.
How was the initial setup?
The initial setup was easy. The deployment takes around a week.
I rate the setup an eight out of ten.
What's my experience with pricing, setup cost, and licensing?
I rate the pricing a four out of ten.
What other advice do I have?
I rate the solution an eight out of ten overall.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
Buyer's Guide
PortSwigger Burp Suite Professional
December 2024
Learn what your peers think about PortSwigger Burp Suite Professional. Get advice and tips from experienced pros sharing their opinions. Updated: December 2024.
824,053 professionals have used our research since 2012.
President & Owner at Aydayev's Investment Business Group
Plenty of plugins, effective deep package analyzing, and reliable
Pros and Cons
- "I have found this solution has more plugins than other competitors which is a benefit. You are able to attach different plugins to the security scan to add features. For example, you can check to see if there are any payment systems that exist on a server, or username and password brute force analysis."
- "There needs to be better documentation provided. Currently, we need to buy books, or we need to review online some use cases from other professionals who have been using the solution to find out their experience. It is not easy to find out how to properly do a security assessment."
What is our primary use case?
I was working in internet banking in the Middle East and we used Zap for light testing and we used Burp Suite for more deep protocol and package review of the security.
What is most valuable?
I have found this solution has more plugins than other competitors which is a benefit. You are able to attach different plugins to the security scan to add features. For example, you can check to see if there are any payment systems that exist on a server, or username and password brute force analysis. You are able to do many different types of scans, such as SQL injection. There are a lot of deep packages analyzing functions that make this solution have more usability.
What needs improvement?
There needs to be better documentation provided. Currently, we need to buy books, or we need to review online some use cases from other professionals who have been using the solution to find out their experience. It is not easy to find out how to properly do a security assessment. The user interface is pretty basic and if you want to do more advanced operations you need to know more technical details, which are not publicly available. You need to get in touch with different engineers or somebody that publishes their experience in a book to be able to get the knowledge in how to use this solution to its fullest.
For how long have I used the solution?
I have been using this solution for approximately four years.
What do I think about the stability of the solution?
This is a stable solution when comparing it to competitors.
Which solution did I use previously and why did I switch?
I have used Zap and it is lightweight compare to this solution's functions.
How was the initial setup?
The setup is a bit complex.
What's my experience with pricing, setup cost, and licensing?
This solution requires a license. It is expensive but you receive a lot of functionality for the price.
What other advice do I have?
My advice to others is if you have one small web server and static pages, you can easily use Zap. However, if it is a more complex environment, with a payment system, with a lot of content, and has many defined user rules, it is better to use Burp Suite.
I rate PortSwigger Burp Suite Professional a nine out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Cyber security Lead at PCS
A solution for scanning and to automate API security assessments
Pros and Cons
- "It helps in API testing, where manual intervention was previously necessary for each payload."
- "Scanning needs to be improved in enterprise and professional versions."
What is our primary use case?
We use the solution for scanning and manual penetration testing. We have a verification and security assessment as a dynamic security assessment for manual application testing.
How has it helped my organization?
The solution helps to automate API security assessments. It incorporates features of both black hat and red team engagements. We streamline bug bounty hunts. It helps in API testing, where manual intervention was previously necessary for each payload. With the new deck feature, Burp Suite enables automation accessible in the external tab. This feature allows testers to select specific targets, such as login or registration pages, and apply different attack vectors. It enhances efficiency, saving time and resources, which is beneficial when dealing with larger-scale web applications or numerous APIs.
What is most valuable?
Manual assessment in the tool is great.
What needs improvement?
Scanning needs to be improved in enterprise and professional versions. The enterprise version has challenges related to scheduled scans. If a scan fails after two days without notification during offline periods, that time is lost. Sometimes, it took up to 24 hours to realize that certain tests had failed for various reasons. There's significant room for improvement in automating scans.
For how long have I used the solution?
I have been using PortSwigger Burp Suite Professional for more than 10 years.
What do I think about the stability of the solution?
The product is a good tool for application assessment.
I rate the solution’s stability an eight-point five out of ten.
What do I think about the scalability of the solution?
The automation features in Burp Suite For vulnerability assessment and penetration testing may not be as extensive as other tools like NetSparker. Other tools may offer more comprehensive capabilities, especially in areas such as source code. Features like capture and OTP testing might be more robustly supported in other tools. There may be limitations in automation with Burp Suite Professional. NetSparker could be more suitable for tasks like two-factor authentication testing.
Four to five are using this solution.
The professional version is not very scalable, whereas the enterprise version is scalable. I can run multiple scans.
How are customer service and support?
Technical support is good.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We have used Netsparker and WebInspect. WebInspect is very difficult to operate.
How was the initial setup?
The initial setup takes more than a week. The professional version is a plug-and-play.
There is a Java package that you can easily use without installing it.
What's my experience with pricing, setup cost, and licensing?
The product is cheap compared to other products.
I rate the product’s pricing a seven out of ten, where one is expensive and ten is cheap.
What other advice do I have?
We have an infrastructure and DevOps team of eight to ten people for solution maintenance.
Reporting is good and very light. The response is fine.
I recommend the solution for dynamic assessment.
Overall, I rate the solution a nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
CEO/General Manager at Lian
Works as a vulnerability scanner and checks websites and web applications
Pros and Cons
- "The solution has a limited range of functions, which is good for small companies. This is because, in small companies, websites are less complex. They also have single services which makes the solution good enough for them. However, the most advantageous aspect of the solution is its affordable price."
- "The Iran market does not have after-sales support. PortSwigger Burp Suite Professional needs to provide after-sales support."
What is our primary use case?
We are the resellers and not the customers. Usually, our customers use the solution's vulnerability scanner to check problems with their websites and web applications. While I cannot disclose specific customer names due to our NDA agreements, they normally use the solution to address issues with their web services.
What is most valuable?
The solution has a limited range of functions, which is good for small companies. This is because, in small companies, websites are less complex. They also have single services which makes the solution good enough for them. However, the most advantageous aspect of the solution is its affordable price.
What needs improvement?
The Iran market does not have after-sales support. PortSwigger Burp Suite Professional needs to provide after-sales support.
For how long have I used the solution?
We have been working with the solution for about three years.
What do I think about the stability of the solution?
The tool is stable. We haven’t received any complaints so far.
What do I think about the scalability of the solution?
I rate the scalability of the solution as six out of ten.
Which solution did I use previously and why did I switch?
Nessus is a more expensive solution than Burp Suite, which offers a broader range of services, including network and website scanning features. You can’t compare them.
How was the initial setup?
The initial setup was easy. One doesn't need much knowledge to operate it. The solution can be deployed within ten minutes.
What's my experience with pricing, setup cost, and licensing?
The pricing of the solution is cost-effective and is best suited for small and medium-sized businesses.
What other advice do I have?
I recommend the solution for small and medium-sized businesses. It’s not suited for large enterprises. Everything depends on the cost. A customer with a high budget should go for solutions like Nessus. However, a more cost-effective solution like Burp Suite is recommended if they have a limited budget. My final recommendation is to use the solution that suits your needs. Overall, I rate the solution a five out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: reseller
Application Security Consultant at a tech services company with 10,001+ employees
Useful advanced tools, integrates well, and quick implementation
Pros and Cons
- "The most valuable feature of PortSwigger Burp Suite Professional is the advanced features, user-friendly interface, and integration with other tools."
- "PortSwigger Burp Suite Professional can improve by having more features in the free version for beginners to try."
What is our primary use case?
We use PortSwigger Burp Suite Professional for security. I'm a security tester and I need it for my daily activities, I require it.
How has it helped my organization?
PortSwigger Burp Suite Professional has improved the organization by providing the security standards of the applications across the organization.
We can test the weakness or loopholes in the application an attacker can use. We have an internal team that conducts the pen-testing from a hacker's point of view and try to close the issue before it is opened to the internet.
What is most valuable?
The most valuable feature of PortSwigger Burp Suite Professional is the advanced features, user-friendly interface, and integration with other tools.
What needs improvement?
PortSwigger Burp Suite Professional can improve by having more features in the free version for beginners to try.
For how long have I used the solution?
I have been using PortSwigger Burp Suite Professional for approximately two years.
What do I think about the stability of the solution?
The reliability of PortSwigger Burp Suite Professional is good. It doesn't hang very much, and it doesn't get stuck anywhere, it is reliable.
What do I think about the scalability of the solution?
PortSwigger Burp Suite Professional is scalable. You can add in-scope items, and remove any items that are not on the scope.
We have approximately 30 people using the solution in my organization. We have managers, consultants, and senior consultants using it. If our testers increase the number of users will increase and then we will increase our usage of this solution.
How are customer service and support?
I have not needed to use the support from PortSwigger Burp Suite Professional.
Which solution did I use previously and why did I switch?
I was previously using OWASP Zap.
How was the initial setup?
The initial setup of PortSwigger Burp Suite Professional was simple. It can be done in approximately three minutes.
I rate the initial setup of PortSwigger Burp Suite Professional a five out of five.
What about the implementation team?
I did the implementation of PortSwigger Burp Suite Professional myself.
If there is a software update it is fairly simple to upgrade. There is a lot of reference material online.
What's my experience with pricing, setup cost, and licensing?
There are multiple versions available of PortSwigger Burp Suite, such as enterprise, commercial, professional, and beginners.
Which other solutions did I evaluate?
My company has paid for the license for the solution. The price of the solution could be less expensive.
What other advice do I have?
This is one of the best solutions in the market. I would advise others to try this solution out.
I rate PortSwigger Burp Suite Professional a nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Quality Manager at Net Solutions
A cheap solution that is helpful for session management
Pros and Cons
- "The solution is quite helpful for session management and configuration."
- "In the Professional version, we cannot link it with the CI/CD process."
What is our primary use case?
We use it for application security testing purposes. We scan our solutions and then look for issues in them. Upon finding the issues, we send them to the development team who fixes them. However, we use Burp Suite only for a specific client, hence we only have one license and limited use.
What is most valuable?
The solution is quite helpful for session management and configuration.
What needs improvement?
In the Professional version, we cannot link it with the CI/CD process. This feature is included in the enterprise version. Also, it doesn’t have a dashboard to preview the number of issues that were found. A dashboard showing previous issues and their status will be better. These all are enterprise features which are extremely expensive.
For how long have I used the solution?
I have been using Burp Suite for two years.
What do I think about the stability of the solution?
It is a stable product.
What do I think about the scalability of the solution?
It is a scalable solution. We currently have only one to two people using Burp Suite for specific clients.
How are customer service and support?
The customer support is good, however, I haven’t used other tools. It is difficult to compare it and other solutions might provide better support.
Which solution did I use previously and why did I switch?
I personally don’t use a lot of tools except AWS for general clients.
Burp Suite is quite easy to use when compared to AWS. However AWS has an open source tool, therefore any developer can use it. Burp Suite is a paid solution and needs a professional license to operate.
How was the initial setup?
Burp Suite is easy to set up and takes only five to ten minutes. The installation can be done by one person only. The maintenance isn’t very hard to do.
What's my experience with pricing, setup cost, and licensing?
It is a cheap solution, but it may not be cheaper than other solutions.
What other advice do I have?
I would advise others to also try other tools. As I have only used Burp Suite as an application security solution, I cannot comment on other tools. However, between JAP and Burp Suite, I would surely recommend Burp Suite. Overall, I would rate it an eight out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Offers efficient crawling functionality and good stability
Pros and Cons
- "The Repeater and the BApp extensions are particularly useful. Certain extensions, such as the Active Scan extensions and the Autoracer extension, are very good."
- "I would like to see the return of the spider mechanism instead of the crawling feature. Burp Suite's earlier version 1.7 had an excellent spider option, and it would be beneficial if Burp incorporated those features into the current version. The crawling techniques used in the current version are not as efficient as those used in earlier versions."
What is most valuable?
The Repeater and the BApp extensions are particularly useful. Certain extensions, such as the Active Scan extensions and the Autoracer extension, are very good.
The crawling functionality has improved, but I would say that in the past, the spider mechanism was more efficient than the current crawling method.
Generally, I don't rely solely on the Burp Scanner, but I utilize BApp extensions to achieve better results than the standard scanner. Mostly, I always rely on external extensions, specifically those that provide better results.
What needs improvement?
I would like to see the return of the spider mechanism instead of the crawling feature. Burp Suite's earlier version 1.7 had an excellent spider option, and it would be beneficial if Burp incorporated those features into the current version.
The crawling techniques used in the current version are not as efficient as those used in earlier versions.
For how long have I used the solution?
We have been using it for seven to eight years now. We have Burp Suite Professional and Burp Suite Enterprise Edition listed in our database.
We use the latest 2023 version.
What do I think about the stability of the solution?
I would rate the stability an eight out of ten. If people know how to perfectly use it, it is a stable solution. For freshers, it is tough.
What do I think about the scalability of the solution?
I would rate the scalability a six out of ten. The primary reason is the high number of false positives compared to actual positives.
Additionally, understanding the scan configuration can be challenging for newcomers. While experienced users can effectively scale their scanning techniques, those with limited experience may find it difficult to understand the process and identify the root causes of errors.
Moreover, configuring proxy settings can be complex, leading to difficulties for some users. Overall, there are significant areas for improvement in terms of scalability, particularly in enhancing user understanding and reducing false positives. However, compared to other application security tools, Burp Suite still performs well.
There are around three end users using this solution in our company.
How are customer service and support?
I haven't had the opportunity to interact with their technical team directly. However, the blogs are very informative and provide a wealth of solutions. In most cases, I've been able to resolve issues myself based on the information provided in their documentation.
For the documentation or web security resources, I would rate it seven out of ten. Burp Suite effectively addresses user concerns and provides clear explanations. The technical blogs are also well-written and address concerns.
Which solution did I use previously and why did I switch?
I have experience with Burp Suite Professional and Zap Framework. I've used them for a variety of application security testing tasks, including vulnerability scanning, penetration testing, and threat modeling.
I haven't had the need to explore other tools. I've been using Burp Suite since the beginning of my career, and it has consistently met my requirements. I've used other tools in lab settings, but Burp Suite remains my preference.
How was the initial setup?
I would rate my experience with the initial setup of Burp Suite Professional an eight out of ten, with one being difficult and ten being easy.
What about the implementation team?
The deployment was quite quick, only about ten minutes. It requires minimal staff. Anyone can install it on their own requiring administrator privileges. It can be installed on any system and with any version.
However, the only caveat is that we need to obtain the license from the procurement team. So, it's easy to set up.
What's my experience with pricing, setup cost, and licensing?
I would rate the pricing a one out of ten, with one being cheap and ten being expensive. The pricing is very reasonable and minimal.
What other advice do I have?
First and foremost, I would suggest others thoroughly understand the fundamentals of Burp Suite and how to utilize its extensions effectively.
Additionally, I would recommend learning about proxy settings and various authentication mechanisms.
Lastly, I would emphasize the importance of carefully reviewing and configuring scan configurations to minimize false positives and ensure optimal scan performance.
Considering its capabilities and performance compared to other tools, I would give Burp Suite Professional an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
Download our free PortSwigger Burp Suite Professional Report and get advice and tips from experienced pros
sharing their opinions.
Updated: December 2024
Product Categories
Application Security Tools Static Application Security Testing (SAST) Fuzz Testing ToolsPopular Comparisons
SonarQube Server (formerly SonarQube)
Checkmarx One
Fortify on Demand
Sonatype Lifecycle
Qualys Web Application Scanning
Tenable.io Web Application Scanning
Contrast Security Assess
Digital.ai Application Security
Buyer's Guide
Download our free PortSwigger Burp Suite Professional Report and get advice and tips from experienced pros
sharing their opinions.
Quick Links
Learn More: Questions:
- Is OWASP Zap better than PortSwigger Burp Suite Pro?
- What is the biggest difference between OWASP Zap and PortSwigger Burp?
- If you had to both encrypt and compress data during transmission, which would you do first and why?
- When evaluating Application Security, what aspect do you think is the most important to look for?
- What are the Top 5 cybersecurity trends in 2022?
- What are the threats associated with using ‘bogus’ cybersecurity tools?
- Which application security solutions include both vulnerability scans and quality checks?
- We're evaluating Tripwire, what else should we consider?
- Is SonarQube the best tool for static analysis?
- Why Do I Need Application Security Software?