I mainly use Burp Suite for manual testing, using it as a proxy to do my manual pen test.
Cyber Security Engineer at a transportation company with 10,001+ employees
A must-have for those knowledgeable in application security
Pros and Cons
- "The most valuable feature is Burp Collaborator."
- "BurpSuite has some issues regarding authentication with OAT tokens that need to be improved."
What is our primary use case?
How has it helped my organization?
Burp Suite gives you a very good automated scanning tool, which gives you around sixty to seventy percent security coverage without having to use a security resource. Once the developer gets the report, they've got the PortSwigger lab to explain the vulnerability and have a POC right there, so it's very beneficial for developers.
What is most valuable?
The most valuable feature is Burp Collaborator.
What needs improvement?
BurpSuite has some issues regarding authentication with OAT tokens that need to be improved.
Buyer's Guide
PortSwigger Burp Suite Professional
December 2024
Learn what your peers think about PortSwigger Burp Suite Professional. Get advice and tips from experienced pros sharing their opinions. Updated: December 2024.
824,067 professionals have used our research since 2012.
For how long have I used the solution?
I've been using this solution for around seven years.
What do I think about the scalability of the solution?
The Professional version is not very scalable because you need to buy licenses for each user, but the Enterprise version takes care of that.
How are customer service and support?
The support for the Enterprise solution isn't the best (I'd rate it as three out of five), but the Professional version provides all the documentation and the PortSwigger labs, so it's much better.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I previously used OS SAP, but I switched to Burp Suite when the support for that solution stopped.
How was the initial setup?
The initial setup is very easy because Burp Suite has very good documentation. Setup took less than an hour, though it might take a less-experienced person longer to install a mobile application because of the application-level security.
What other advice do I have?
I would say Burp Suite has now surpassed SAP as a tool. The main aspect of Burp Suite is that it's like an army knife for a hacker, it's not just the automation or the scanning that it brings. For a person with 80-90% knowledge of application security, this tool is a must-have. I would rate Burp Suite nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
QA Lead at eLuminous Technologies Pvt. Ltd.
Provides good reports and a helpful learning hub, but details about the new features are not updated in the documentation
Pros and Cons
- "The product has a good learning hub."
- "The vendor must provide documentation on how to use the new API feature."
What is our primary use case?
We are an IT organization. We use the solution for the security testing of applications. It helps us identify vulnerabilities in the applications.
What is most valuable?
The product has a good learning hub. It is good for beginners who want to learn security testing. The scan reports are good. They cover most things. The reports give details about the issues and suggest solutions. It's really useful for web applications. I use Intruder for brute-force attacks.
What needs improvement?
The product has a new API feature. It provides the scan report for APIs similar to the scan report we receive when we use web URLs. The vendor must provide documentation on how to use the new API feature. I did not find any guide on how to use the feature.
For how long have I used the solution?
I have used the solution for two years.
What do I think about the stability of the solution?
I rate the product’s stability seven out of ten.
What do I think about the scalability of the solution?
The product has limitations for mobile app security testing. We are unable to perform mobile app testing for Android and iOS.
How are customer service and support?
I faced some login issues and contacted the support team, but the team could not provide a solution. I found the solution in the documentation.
How would you rate customer service and support?
Neutral
How was the initial setup?
The tool is easy to install. All the steps are given in the documentation. The installation takes less than 10 to 15 minutes.
What's my experience with pricing, setup cost, and licensing?
PortSwigger Burp Suite Professional is expensive compared to other tools. There are open-source tools available in the market. The cost of one PortSwigger license is expensive.
What other advice do I have?
I have recommended the paid version of the tool in my current organization. Integrations with other tools are moderately easy.
Overall, I rate the product a seven out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Aug 31, 2024
Flag as inappropriateBuyer's Guide
PortSwigger Burp Suite Professional
December 2024
Learn what your peers think about PortSwigger Burp Suite Professional. Get advice and tips from experienced pros sharing their opinions. Updated: December 2024.
824,067 professionals have used our research since 2012.
Associate Consultant at ATOS
Reliable with helpful support and documentation
Pros and Cons
- "The solution is stable."
- "Sometimes the solution can run a little slow."
What is our primary use case?
The solution is primarily used for scanning the webpage and for the incoming traffic for the application.
What is most valuable?
The solution is most valuable for finding and developing the application. If there is leakage of data or some external links, we can deal with it.
The solution is stable.
The scalability is good.
The solution offers helpful technical support and has excellent documentation.
What needs improvement?
Sometimes the solution can run a little slow. When we’re cracking passwords, we have issues with responsiveness.
For how long have I used the solution?
I used the solution for one year.
What do I think about the stability of the solution?
Mostly the solution is stable. Sometimes while using the password cracker, it took some time. Sometimes it gets a bit slow by adding up the number of rules. It took some time to crack the passwords of applications.
What do I think about the scalability of the solution?
It is pretty easy to scale the product.
We had ten to 12 people using the solution. It was a small environment.
How are customer service and support?
Technical support was excellent. They were very fast. They also offered good documentation which was very helpful to have on hand.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I started with Burp Suite. I’ve only used that. I haven't used anything other than that.
How was the initial setup?
For the setup, on my end, I just got access via the organization when I first started using it. I haven't set up the entire cloud, the Burp Suite cloud. I used it by using some credentials only. Therefore, I'm not that good at setting up the enrollment.
The entire setup was done on the cloud. There were only three to four people needed for deployment and maintenance. They are well experienced in those areas.
What about the implementation team?
The deployment part was entirely done by another team. We, as a team, used to test the application. We didn't know much about how the setup was arranged.
What's my experience with pricing, setup cost, and licensing?
I’m not aware of the pricing side of things. It might have been paid monthly, however, I don’t know much more than that.
What other advice do I have?
My company was parters with Portswigger.
I’m not sure which version of the solution we were using.
Everyone seems very happy with the solution. There are some learning modules as well so that we can go into the tool and understand it well. I would suggest the solution to my colleagues.
I’d rate the solution nine out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Test Engineer II at a financial services firm with 201-500 employees
Finds vulnerabilities but is not always cost effective
Pros and Cons
- "The feature that we have found most valuable is that it comes with pre-set configurations. They have a set of predefined options where you can pick one and start scanning. We also have the option of creating our own configurations, like how often do the applications need to be scanned."
- "One area that can be improved, when compared to alternative tools, is that they could provide different reporting options and in different formats like PDF or something like that."
What is our primary use case?
Our use cases are to identify the vulnerabilities of OAST and the other applications we are using.
What is most valuable?
The feature that we have found most valuable is that it comes with pre-set configurations. They have a set of predefined options where you can pick one and start scanning. We also have the option of creating our own configurations, like how often do the applications need to be scanned.
Additionally, it has good reporting and dashboards and also integrates well with other task management applications that we're using.
What needs improvement?
One area that can be improved, when compared to alternative tools, is that they could provide different reporting options and in different formats like PDF or something like that.
One more thing they can improve is that despite having a good architecture, it needs a lot of specification. So when you start a project, because it requires a high configuration, the instructor costs more than the project. So it's not cost efficient if it's a big project.
For how long have I used the solution?
We have different versions of PortSwigger Burp Suite. For the past few years we have been using a professional edition, which is a desktop application. Now we are moving to the Cloud so we explored the enterprise edition. Although we haven't implemented it yet we're already using it. Now we have a better idea how their scanners and spiders actually work.
We've had a license for the professional version for the past two years.
What do I think about the scalability of the solution?
In terms of scalability, I think they can increase the number of regions. And more importantly, it doesn't restrict based on the domains you are scanning. So even if tomorrow you suggest some working space, you can still scan the domains for the regions that you have. If you want to increase the number that you scan, you can buy some more. So scalability is not a big problem, but I think if you are scanning from your side, you have to get the license for some of those activities. That's domain based licensing.
Right now we have two or three people using it.
How are customer service and technical support?
PortSwigger Burp's technical support is all right. The issues are resolved very quickly so we don't have to wait for long. They also provide you with documentation. Just by going through the documentation we can solve many of our problems.
How was the initial setup?
The initial setup was straightforward. We can install it on a Linux machine. It was fast to set up.
What's my experience with pricing, setup cost, and licensing?
PortSwigger Burp costs around $7,000 and around $2,309 for licensing.
What other advice do I have?
On a scale of one to ten I would rate PortSwigger Burp a seven.
For it to be a 10 it would need to implement the above mentioned different formats for reporting and the interactive security testing.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Security Engineer at a insurance company with 10,001+ employees
More accurate than other solutions we are using but can sometimes be slow to perform
Pros and Cons
- "This tool is more accurate than the other solutions that we use, and reports fewer false positives."
- "There is a lot to this product, and it would be good if when you purchase the tool, they can provide us with a more extensive user manual."
What is our primary use case?
Our primary use case for this solution is to perform application security testing.
How has it helped my organization?
I don't have specific metrics but I can say that using this tool adds value.
What is most valuable?
There are several features that I like about this solution. The most valuable feature is that it has support for add-ons where we can add extra little scripts to the tool to perform more automated testing.
I like using the Repeater feature to perform proxy testing, and the Repeaters have dashboards now. The add-ons are compatible with the dashboards, as well.
What needs improvement?
There is a lot to this product, and it would be good if when you purchase the tool, they can provide us with a more extensive user manual. This would help us to better understand the product, and we would not need to buy a separate book.
In the next release, I want to see it more interactive and have more multitasking with some faster features. Sometimes scanning takes a long time, so they need to add more tricks to reduce the time spent in security testing.
For how long have I used the solution?
More than one year.
What do I think about the stability of the solution?
Stability-wise it is good.
What do I think about the scalability of the solution?
It is possible to work on multiple projects at the same time. I have tried five or six, and it is working fine. I would agree that the scalability is very good, and we have not found a limit yet.
We have approximately thirty users for this solution and they are the testers. As our team grows, we'll need to buy more licenses.
How are customer service and technical support?
We have used technical support three times, and each time received an email within twenty-four hours. They first try to understand the problem, and then after this, they provide step by step instructions for what to do. It's pretty easy.
Which solution did I use previously and why did I switch?
We have always used Burp Suite because it is a well-known tool.
How was the initial setup?
This solution is very easy to install and understand.
For a single user, it will take thirty to forty-five minutes. For our organization, it took between eight and nine hours.
What about the implementation team?
We handled the implementation and deployment ourselves.
What was our ROI?
We have seen ROI with this product.
What's my experience with pricing, setup cost, and licensing?
The cost is approximately $500 for a single license, and there are no additional costs beyond the standard licensing fees.
Which other solutions did I evaluate?
We considered using OWASP Zed Attack Proxy, which is open source. We decided to use this alongside the current solution, and also with IBM Security AppScan.
This tool is more accurate than the other solutions that we use and reports fewer false positives.
What other advice do I have?
They are steadily improving things and adding features to this product. It was only three months ago when they added the dashboard support. Before that, they only had passive and active scanning to perform the testing part. It now has a complete website of scanning features which were previously not there.
I would rate this solution a seven out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Manager at a consultancy with 10,001+ employees
A stable and user-friendly solution that can be used for manual penetration testing
Pros and Cons
- "PortSwigger Burp Suite Professional is one of the best user-friendly solutions for getting the proxy set up."
- "The technical support team's response time is mostly delayed and should be improved."
What is our primary use case?
We use PortSwigger Burp Suite Professional for manual penetration testing.
What is most valuable?
PortSwigger Burp Suite Professional is one of the best user-friendly solutions for getting the proxy set up.
What needs improvement?
The technical support team's response time is mostly delayed and should be improved.
For how long have I used the solution?
I have been using PortSwigger Burp Suite Professional for six to seven years.
What do I think about the stability of the solution?
PortSwigger Burp Suite Professional is a stable solution.
What do I think about the scalability of the solution?
Around 500 to 600 users are using the solution in our organization.
How was the initial setup?
The solution’s initial setup is quite easy.
What was our ROI?
PortSwigger Burp Suite Professional is worth its price.
What's my experience with pricing, setup cost, and licensing?
PortSwigger Burp Suite Professional is an expensive solution.
What other advice do I have?
Users should get the professional version for the solution because the community and the free edition do not have many things to offer. They should explore as much as possible, go for the web code application, and do the manual penetration testing.
PortSwigger Burp Suite Professional allows us to do everything from setting the proxy to getting our own browser. Some features were not there in Burp Suite earlier. We had to attach Chrome to the Burp Suite to the proxy, but now they have given everything in a single bundle.
Overall, I rate PortSwigger Burp Suite Professional ten out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Quality Analyst at Hiup Solution
Easy to use with a good interface and high accuracy
Pros and Cons
- "It offers very good accuracy. You can trust the results."
- "The solution is not easy to set it up. You need a lot of knowledge."
What is our primary use case?
I'm primarily using it for testing of the company's website.
What is most valuable?
The interface is good.
It is easy to use.
I am certified with the product and have a good understanding of it.
The usability is very good.
It offers very good accuracy. You can trust the results.
It's good software that is great for a beginner to use.
It can scale.
The product is stable and reliable.
What needs improvement?
It works for me. I don't see any missing features.
The solution is not easy to set it up. You need a lot of knowledge. I'd like to see more documentation. They need to provide more videos and more information about the solution. The website isn't as helpful as it could be. They need to provide more information and maybe provide courses to help people get the most out of it.
For smaller organizations, the solution is expensive.
For how long have I used the solution?
I've been using the solution for two years.
What do I think about the stability of the solution?
I'd rate the stability eight out of ten. It is pretty stable. There are no bugs or glitches, and it doesn't crash or freeze.
What do I think about the scalability of the solution?
The solution is very scalable. I'd rate the ability to extend ten out of ten.
Three people are using the solution.
How are customer service and support?
I do not have any experience with technical support. I had a colleague who would deal with support.
Which solution did I use previously and why did I switch?
I used to use OWASP Zap. It is a free solution. I moved to Burp as the accuracy rate was higher. We wanted something that provided correct information about errors.
How was the initial setup?
The initial setup was a bit difficult. For a beginner, it's tough to set up. I'd rate the solution three out of ten in terms of ease of setup. There isn't proper documentation to help you through the process.
I cannot recall how long the deployment took. I watched a lot of videos and just went ahead with eh setup myself.
The product doesn't require any maintenance.
What about the implementation team?
I handled the initial setup myself. I did not have any outside assistance.
What was our ROI?
I have witnessed an ROI. It is worth the money.
What's my experience with pricing, setup cost, and licensing?
It is a bit expensive for smaller companies. If you're using it in a small company or for your own purposes, it's costly. I'd rate the cost three out of ten in terms of affordability.
I'm not sure of the exact cost of the solution as I don't directly deal with licensing.
What other advice do I have?
I'm a customer. I'm using the professional version. It is the latest version. They always update it and provide me with the latest upgrades.
I'd recommend the solution to others. It's very accurate and easy to use.
I would rate the solution. Ten out of ten.
Which deployment model are you using for this solution?
Private Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Chief Info Sec Engineer at Sri Lanka CERT
An easy to install solution for vulnerability assessment
Pros and Cons
- "We use the solution for vulnerability assessment in respect of the application and the sites."
- "We wish that the Spider feature would appear in the same shape that it does in previous versions."
What is our primary use case?
We are using the latest version and are in the process of upgrading it.
What is most valuable?
We use the solution for vulnerability assessment in respect of the application and the sites. We use the intruder part, which is essentially the Proxy part, to check whether any brute-force attacks can be undertaken.
What needs improvement?
We wish that the Spider feature would appear in the same shape that it does in previous versions.
I believe we have developmental tools such Accuratix. It would be nice if the report that was accepted upon scanning would highlight all the weaknesses from the perspective of my application.
For how long have I used the solution?
We have been using PortSwigger Burp Suite Professional for the last three years.
What do I think about the stability of the solution?
We have had no issues with the stability.
What do I think about the scalability of the solution?
As we only have a couple of licenses, we have not encountered any issues concerning the scalability.
How are customer service and technical support?
The technical support is all right.
This said, we have requested support on a couple of occasions, specifically one concerning training relating to the new features and add-ons coming onto the application, and this is still outstanding.
How was the initial setup?
The initial setup is not very complex. Rather, it is easy and straightforward.
What's my experience with pricing, setup cost, and licensing?
For a country such as Sri Lanka, the pricing is not reasonable.
What other advice do I have?
There are around 10 people using the solution in our organization.
I don't have any advice off the cuff. When it comes to the web crawling features, it does not need to be in the same shape as before, but it would be nice if it allowed us to index associated things in the manner that we did so in the past.
I rate PortSwigger Burp Suite Professional as a nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
Download our free PortSwigger Burp Suite Professional Report and get advice and tips from experienced pros
sharing their opinions.
Updated: December 2024
Product Categories
Application Security Tools Static Application Security Testing (SAST) Fuzz Testing ToolsPopular Comparisons
SonarQube Server (formerly SonarQube)
Checkmarx One
Fortify on Demand
Sonatype Lifecycle
Qualys Web Application Scanning
Tenable.io Web Application Scanning
Contrast Security Assess
Digital.ai Application Security
Buyer's Guide
Download our free PortSwigger Burp Suite Professional Report and get advice and tips from experienced pros
sharing their opinions.
Quick Links
Learn More: Questions:
- Is OWASP Zap better than PortSwigger Burp Suite Pro?
- What is the biggest difference between OWASP Zap and PortSwigger Burp?
- If you had to both encrypt and compress data during transmission, which would you do first and why?
- When evaluating Application Security, what aspect do you think is the most important to look for?
- What are the Top 5 cybersecurity trends in 2022?
- What are the threats associated with using ‘bogus’ cybersecurity tools?
- Which application security solutions include both vulnerability scans and quality checks?
- We're evaluating Tripwire, what else should we consider?
- Is SonarQube the best tool for static analysis?
- Why Do I Need Application Security Software?