The bridge between Burp Suite and modern AI.
Burp AI Agent is an extension for Burp Suite that integrates AI into your security workflow. Use local models or cloud providers, connect external AI agents via MCP, and let passive/active scanners find vulnerabilities while you focus on manual testing.
- 7 AI Backends — Ollama, LM Studio, Generic OpenAI-compatible, Gemini CLI, Claude CLI, Codex CLI, OpenCode CLI.
- 53+ MCP Tools — Let Claude Desktop (or any MCP client) drive Burp autonomously.
- 62 Vulnerability Classes — Passive and Active AI scanners across injection, auth, crypto, and more.
- 3 Privacy Modes — STRICT / BALANCED / OFF. Redact sensitive data before it leaves Burp.
- Audit Logging — JSONL with SHA-256 integrity hashing for compliance.
Download the latest JAR from Releases, or build from source (Java 21):
git clone https://github.com/six2dez/burp-ai-agent.git cd burp-ai-agent JAVA_HOME=/path/to/jdk-21 ./gradlew clean shadowJar # Output: build/libs/Burp-AI-Agent-<version>.jar
- Open Burp Suite (Community or Professional).
- Go to Extensions > Installed > Add.
- Select Java as extension type and choose the
.jarfile.
The extension auto-installs the bundled profiles into ~/.burp-ai-agent/AGENTS/ on first run.
Drop additional *.md files in that directory to add custom profiles.
Open the AI Agent tab and go to Settings. Pick a backend:
| Backend | Type | Setup |
|---|---|---|
| Ollama | Local HTTP | Install Ollama, run ollama serve, pull a model (ollama pull llama3.1). |
| LM Studio | Local HTTP | Install LM Studio, load a model, start the server. |
| Generic OpenAI-compatible | HTTP | Provide a base URL and model for any OpenAI-compatible provider. |
| Gemini CLI | Cloud CLI | Install gemini, run gemini auth login. |
| Claude CLI | Cloud CLI | Install claude, set ANTHROPIC_API_KEY or run claude login. |
| Codex CLI | Cloud CLI | Install codex, set OPENAI_API_KEY. |
| OpenCode CLI | Cloud CLI | Install opencode, configure provider credentials. |
- Browse a target through Burp Proxy.
- Right-click any request in Proxy > HTTP History.
- Select Extensions > Burp AI Agent > Analyze this request.
- A chat session opens with the AI analysis.
Enable the MCP server in Settings > MCP Server and add this to your Claude Desktop config:
macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
Windows: %APPDATA%\Claude\claude_desktop_config.json
{
"mcpServers": {
"burp-ai-agent": {
"command": "npx",
"args": [
"-y",
"supergateway",
"--sse",
"http://127.0.0.1:9876/sse"
]
}
}
}Requires Node.js 18+. If you enable External Access, the MCP client must send
Authorization: Bearer <token>on every request.
Full documentation is available at burp-ai-agent.six2dez.com .
- Installation
- Quick Start
- UI Tour
- Agent Profiles
- Passive Scanner
- Active Scanner
- MCP Overview
- Privacy Modes
- Settings Reference
- Troubleshooting
- Burp Suite Community or Professional (2023.12+)
- Java 21 (bundled with modern Burp for runtime; required separately for building from source)
- At least one AI backend configured (see table above)
This project is licensed under the MIT License.
Usage of Burp AI Agent for attacking targets without prior consent is illegal. It is the user's responsibility to obey all applicable laws. The developers assume no liability for misuse or damage caused by this tool. Use responsibly.
Issues and pull requests are welcome. See CONTRIBUTING.md for development setup and guidelines, or the Developer docs for architecture details.