PortSwigger Burp Suite Professional can be used on the cloud or on-premise.
Cyber Security Specialist at a university with 10,001+ employees
Simple to use, informative centralized dashboard, and responsive support
Pros and Cons
- "The most valuable feature of PortSwigger Burp Suite Professional is the dashboard. It is very informative and you can receive all the information you need in one place. It's clear, well-defined, and organized. Anybody without any cybersecurity background can use it."
- "PortSwigger Burp Suite Professional could improve the static code review."
What is our primary use case?
What is most valuable?
The most valuable feature of PortSwigger Burp Suite Professional is the dashboard. It is very informative and you can receive all the information you need in one place. It's clear, well-defined, and organized. Anybody without any cybersecurity background can use it.
What needs improvement?
PortSwigger Burp Suite Professional could improve the static code review.
In an upcoming release, PortSwigger Burp Suite Professional could give some possible remedies for any issues it has discovered after a scan of an application. At this time it provides the vulnerabilities; having the possible remedies would be a benefit. It would be useful for the developers to fix the issue immediately.
For how long have I used the solution?
I have been using PortSwigger Burp Suite Professional for approximately five years.
Buyer's Guide
PortSwigger Burp Suite Professional
December 2024
Learn what your peers think about PortSwigger Burp Suite Professional. Get advice and tips from experienced pros sharing their opinions. Updated: December 2024.
824,067 professionals have used our research since 2012.
What do I think about the stability of the solution?
The stability of PortSwigger Burp Suite Professional is good.
What do I think about the scalability of the solution?
The scalability of PortSwigger Burp Suite Professional is good; it can integrate with other platforms.
In the previous company I worked for, we had 50 people using this solution, and in my current company we have approximately 500 people using it.
How are customer service and support?
We can easily reach out to PortSwigger Burp Suite Professional support by phone, email, chat option, and a ticketing option, which is very good.
I rate the support from PortSwigger Burp Suite Professional a five out of five.
How would you rate customer service and support?
Positive
How was the initial setup?
The initial setup of PortSwigger Burp Suite Professional is very simple.
Which other solutions did I evaluate?
Before choosing PortSwigger Burp Suite Professional I compared other tools, such as IBM AppScan. I found that PortSwigger Burp Suite Professional was more into web application security. The solution is very helpful and easy to use and install. They have a free version and anybody can start within minutes.
What solution is best depends on the client size and their requirements. If the client has a large enough budget, or if they're looking for an overall feature, I would recommend PortSwigger Burp Suite Professional as the primary go-to tool. However, if they have any specific requirements, then they will have to think about using IBM AppScan.
What other advice do I have?
I would recommend the solution to technical professionals and non-technical persons. It is easy to use.
I rate PortSwigger Burp Suite Professional a nine out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security consultant at a manufacturing company with 10,001+ employees
The active scanner provides a very accurate security audit
Pros and Cons
- "The active scanner, which does an automated search of any web vulnerabilities."
- "As with most automated security tools, too many false positives."
What is our primary use case?
The primary use case is generally for security compliance on web applications. We provide services to our customers with Burp both on-prem and on cloud. I'm a solutions consultant and we are customers of PortSwigger Burp.
What is most valuable?
Their flagship feature would be the active scanner, which carries out an automated lookup of any web vulnerabilities, reflecting over to one of the main compliance standards, like OWASP. This provides an accurate security audit for their web applications.
What needs improvement?
One downside of the solution would be their false positive checks. As with most automated security tools, there is still a high false positive issue. Hopefully they will be able to improve on that in the future. It would also be helpful if the solution had the capability of handling larger reports. Another area of improvement would be to have a customizable dashboard. It's currently restricted to their own interface. If you want to utilize the other features available in their API documentation, then you have to write some code yourself. It would be great if their interface could be somewhat customizable.
For how long have I used the solution?
I've been using this solution for two years.
What do I think about the stability of the solution?
The stability of the solution is generally fine.
What do I think about the scalability of the solution?
The solution is easily scalable, depending on licensing of course. For example, on the cloud setup, you can easily scale the agents and such. But in terms of bandwidth, maybe when it comes to their reporting feature, there are some limitations with the detail that can be downloaded from the report. I've found that the system can crash if you try to download a report with many details.
How was the initial setup?
In my opinion the initial setup is pretty straightforward. The workflow is easy to understand and they have a lot of documentation on how to perform many of the key tasks.
What's my experience with pricing, setup cost, and licensing?
I believe the price is good where it's at right now. They have a very competitive price point although recently they've been incrementally increasing in price. It's still competitive.
What other advice do I have?
I would definitely recommend PortSwigger as a primary tool for auditing any open vulnerabilities of anything related to web applications.
I would rate this product an eight out of 10.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Director at a consultancy with 10,001+ employees
Offers good application security features and is reasonably priced
Pros and Cons
- "The most valuable feature is the application security. It also has a reasonable price."
- "The Burp Collaborator needs improvement. There also needs to be improved integration."
What is most valuable?
The most valuable feature is the application security. It also has a reasonable price.
It has an end product and a repeater. Other solutions don't offer options like these.
What needs improvement?
The Burp Collaborator needs improvement. There also needs to be improved integration.
For how long have I used the solution?
I have been using PortSwigger Burp for the past six years.
What do I think about the stability of the solution?
It's not so stable. Some of the security aspects aren't so stable.
What do I think about the scalability of the solution?
Burp is scalable.
We have around 150 users using Burp at my company. We use it daily.
How are customer service and technical support?
I haven't needed to contact their technical support.
How was the initial setup?
The initial setup is simple. It only takes two to three minutes.
What about the implementation team?
We are consultants so we do the implementation ourselves.
It only requires one person for the implementation and maintenance.
What's my experience with pricing, setup cost, and licensing?
It costs 39,000 including taxes per year.
What other advice do I have?
I would recommend this solution to somebody considering Burp.
I would rate it an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Cyber Security Analyst at a tech vendor with 1,001-5,000 employees
A low cost security solution that identifies issues quickly but could offer better integration
Pros and Cons
- "The Spider is the most useful feature. It helps to analyze the entire web application, and it finds all the passes and offers an automated identification of security issues."
- "The number of false positives needs to be reduced on the solution."
What is our primary use case?
The primary use case is security for the development lifecycle. We use the application for security testing.
How has it helped my organization?
The solution helps to identify security issues quickly.
What is most valuable?
The Spider is the most useful feature. It helps to analyze the entire web application and it finds all the passes and offers an automated identification of security issues.
What needs improvement?
The number of false positives needs to be reduced on the solution.
I'm not sure whether some features need to be added because the product has a specific toolset, and if I do need some additional features, currently I get them in different security products. The solution, however, could better integrate with various other tools.
For how long have I used the solution?
I've been using the solution for three years.
What do I think about the stability of the solution?
The solution is very stable.
What do I think about the scalability of the solution?
The solution is not designed to be scalable. You have an individual license, and I use it individually.
How are customer service and technical support?
I have not needed to use the solution's technical support.
Which solution did I use previously and why did I switch?
Before Burp I was manually proxying the data myself. I have experience making my own tools for security assessment. Burp is pretty convenient, and it's one of the most popular tools, which is why I began using it.
I also use Wireshark, which is pretty effective too.
How was the initial setup?
The initial setup was straightforward.
What about the implementation team?
We implemented the solution ourselves.
What's my experience with pricing, setup cost, and licensing?
Licensing is paid on a yearly basis. The yearly cost is about $300.
What other advice do I have?
For application security testing, I would suggest Burp. It's probably the leader in this area. It's just like analog tools such as OWASP ZAP, which is open-source. OWASP ZAP is still not as effective as Burp is.
The solution helps to find different security issues, and it helps identify many, many security issues quickly, and that's what makes it such a useful tool.
I would rate the solution seven out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Penetration Testing Advisor at a tech services company with 1,001-5,000 employees
The real power of the product lies in the modules that aid in manual testing.
What is most valuable?
- Intruder - allows inserting predefined or custom payloads at chosen locations inside requests and analyzing results using custom filters;
- Repeater - allows reissuing requests to manually verify reported issues, changing parameters or issuing a specific sequence of requests to test for logic flaws;
- Extender - allows installing additional modules from the BApp store, created by the community in Java, Python or Ruby;
How has it helped my organization?
It provides unique features that help me quickly identify and exploit security vulnerabilities in web applications.
What needs improvement?
Some extra features are not available in the core product (WSDL parsing, SOAP calls, Error checks, Authorization bypass), but additional modules created by the community can be easily installed from the BApp store through Extender, or you can write your own in Java, Python or Ruby.
For how long have I used the solution?
I have been using it for two years.
What do I think about the stability of the solution?
Spidering large websites can use a lot of memory and might result in a crash on systems with lower RAM.
What do I think about the scalability of the solution?
It's better to add only one website per project for the same reason as above.
How are customer service and technical support?
I didn't use technical support.
Which solution did I use previously and why did I switch?
I used many solutions but I found the best value, features and documentation in Burp.
How was the initial setup?
Starting Burp only involves running a .jar file. The latest version also comes with an executable installer. Setting up a project can be more complex, involving configuring the proxy, scope and different spidering/scanning options.
What's my experience with pricing, setup cost, and licensing?
I believe it has one of the lowest prices for commercial products (~$350 per user per year).
Which other solutions did I evaluate?
Before choosing this product, I evaluated free products - Arachni, OWASP ZAP, w3af, Vega - and commercial products - Acunetix, Qualys Web Application Scanner.
What other advice do I have?
If you expect a product in which you input your website and click a scan button, Burp is not for you. Burp Suite Pro can perform an automatic scan, but the real power of the product lies in the modules that aid in manual testing. A few weeks are usually needed to read the documentation and ramp up on all the features, for someone without previous experience.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Information Systems Security Officer at a financial services firm with 1,001-5,000 employees
It helps with capturing and modifying HTTP packets and variables, and observing the application's response.
What is most valuable?
- HTTP proxy for packet capture
- Repeater
- Intruder
- Spider
- Decoder
- Comparer
How has it helped my organization?
Burp Suite is a versatile tool for manual web application penetration testing, mainly used by skilled ethical hackers to test the security of web-based applications. It helps with capturing and modifying HTTP packets and variables, and observing the application's response. It allows fuzzing the variables in an intuitive way, repeating the same method, crawling a web application, and similar functionalities.
What needs improvement?
The professional edition of Burp Suite provides some automated pen-testing scripts to detect application vulnerabilities, like SQL injection, XSS, etc. However, this component is not extremely useful. The results need to be double-checked manually, and false positives are very common, i.e., the tool detects a vulnerability from the HTTP response when a vulnerability does not actually exist.
For how long have I used the solution?
I have been using it for five years.
What do I think about the stability of the solution?
It is a tool used mostly for manual tasks; it is stable enough for that purpose.
What do I think about the scalability of the solution?
If you attempt to map a large website using the Spider component, it can take a long time, and the tool may crash.
How are customer service and technical support?
I have not used technical support, but online documentation and Help have always been sufficient.
Which solution did I use previously and why did I switch?
I have used Charles Proxy, CAT, and Fiddler as well, but found Burp easier to use.
For automated scanning, there are stronger alternatives to Burp, such as Acunetix, IBM AppScan, Nexpose, Qualys, etc.
How was the initial setup?
There is no setup needed. It is a Java app that does not need to be installed.
What's my experience with pricing, setup cost, and licensing?
The free version is one of the best proxy tools for manual testing. For automated testing, it provides the best value for money in the market.
Which other solutions did I evaluate?
I evaluated Charles Proxy, Fiddler, and Context App Tool (CAT), which are great HTTP proxies. I like CAT and Burp as the best free ones.
What other advice do I have?
To effectively use Burp, you will need someone with enough technical hands-on skills in ethical hacking and penetration testing.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Cyber Security Analyst at a tech services company with 501-1,000 employees
Used to intercept requests and scan applications
Pros and Cons
- "The most valuable feature of PortSwigger Burp Suite Professional is the Burp Intruder tool."
- "The solution’s pricing could be improved."
What is our primary use case?
I use the solution to intercept requests and scan applications.
What is most valuable?
The most valuable feature of PortSwigger Burp Suite Professional is the Burp Intruder tool.
What needs improvement?
The solution’s pricing could be improved.
For how long have I used the solution?
I have been using PortSwigger Burp Suite Professional for around two to three years.
What do I think about the stability of the solution?
We have not faced any issues with the solution’s stability.
What do I think about the scalability of the solution?
Over 500 people are using the solution in our organization.
How was the initial setup?
The solution’s initial setup is easy.
What's my experience with pricing, setup cost, and licensing?
PortSwigger Burp Suite Professional is an expensive solution.
What other advice do I have?
I would recommend the solution to other users. Using PortSwigger Burp Suite Professional for the first time is not easy, but you can use it easily after using a demo version. The solution's Intruder tool has helped improve our security testing efficiency. The solution's Repeater tool has helped us with testing for web vulnerabilities.
Overall, I rate the solution a nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Mar 24, 2024
Founder and Director at a financial services firm with 1-10 employees
Great reporting with good crawling capability and offers a simple setup
Pros and Cons
- "The solution has a pretty simple setup."
- "The pricing of the solution is quite high."
What is our primary use case?
We primarily use the solution for security testing - specifically for web-application security.
What is most valuable?
The crawling capability is excellent.
The product has very good reporting capabilities. They give you multiple reporting options.
The solution has a variety of different extensions that you can use.
The solution has a pretty simple setup.
What needs improvement?
The pricing of the solution is quite high. It would be ideal for the customers if they could lower the costs involved in their subscription.
We have new tools in R language programming platforms that are coming up. The solution needs to ensure it's compatible with that language.
For how long have I used the solution?
I've been using the solution for about two years at this point.
What do I think about the stability of the solution?
We use this solution every day. I don't have any issues with the solution. There aren't bugs or glitches. It doesn't crash or freeze. It's reliable.
What do I think about the scalability of the solution?
I'm a consultant. I tend to use the tool for my clients. I only have one license on my computer. I don't need to scale the product.
The solution is scalable, however. There's a different version for that aspect. You have Community, Professional, and Enterprise editions. Each has different capabilities.
How are customer service and technical support?
The solution offers good support services. There's also the product team that can assist. Overall, I've been happy with the level of service I've received.
Which solution did I use previously and why did I switch?
I've worked with other solutions, such as Acunetix. As a consultant, I always have two to three tools for running and validating for testing. There is no plus or minus to each tool, really. The process itself would be more like using multiple tools to find out whether it appears in all the tools or not.
How was the initial setup?
The initial setup is not overly complex. It's easy and straightforward. A company shouldn't have any issues with the implementation process.
The deployment takes a maximum of an hour, actually. If you have to configure some prerequisites, it is one hour tops. There are advanced setups; however, how advanced the implementation is depends on the client environment. If a company has an advanced setup, it could take some time.
Ultimately, the solution is installed directly onto my laptop.
The maintenance process is pretty minimal. The yearly subscription keeps everything updated. They will notify you if there is an upgrade that needs to be addressed.
What's my experience with pricing, setup cost, and licensing?
The pricing of the solution is quite high. Costs are based on their subscription model. The pricing affects whether a client will engage with me and the solution or not. It could be a deal-breaker. Budgets are often tight.
What other advice do I have?
The solution has an annual subscription model, and therefore you'll have to keep updating the new version. It's part of the package. They release a new version and that is covered under your subscription.
I'm a consultant. I buy tools from multiple vendors. I provide development assessment services for my clients.
This is one more product in the suite of tools or applications, which are used for testing. Anyone at any sized company could use this solution.
I'd recommend this solution. It's one more tool to have in your bag.
I would rate the solution at a ten out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Consultant