Burp Suite Enterprise Edition

Product roadmap


Roadmap for Burp Suite Enterprise Edition product development

Coming in the next 12 months

BChecks

New feature

You'll be able to easily extend Burp Suite Enterprise Edition's scanner with custom BChecks - just like you can in Burp Suite Professional.

Access control scan checks

New feature

Burp Scanner will check for a number of security vulnerabilities relating to access control.

Scanner auto configuration

Feature enhancement

Burp Scanner will gain the ability to configure itself based on the type of application you are scanning. This will improve scan coverage and help to avoid missed attack surface - without manual configuration.

Browser performance enhancements

Feature enhancement

Burp Suite Enterprise Edition's scanner uses a pool of embedded browsers to navigate web sites effectively while scanning. But this can be heavy on resources. We will redesign this system - leading to more efficient scans.

Audit log

New feature

When you manage enterprise-grade software, you need to be able to see what actions your users are performing. Soon you will be able to view full audit logs of user actions in Burp Suite Enterprise Edition.

Start scans from an uploaded API definition

New feature

Upload an API definition as part of the Burp Scanner launch process. Burp Scanner will use this API definition to seed its scan - enhancing its ability to scan APIs and microservices.

Service worker networking

Feature enhancement

Burp Suite Enterprise Edition's scanner will properly crawl service workers and WebSocket messages - eliminating situations where attack surface could be missed due to incomplete support in this area.

Pre-built Amazon Machine Images (AMIs)

New feature

Auto-generate a suitable EC2 instance for Burp Suite Enterprise Edition, using pre-built AMIs.

Supply-Chain Levels for Software Artifacts (SLSA) Level 2

New feature

Burp Suite Enterprise Edition will be certified to SLSA Level 2 - addressing customer requirements.

API scanning improvements

Feature enhancement


More compliance report types

Feature enhancement

Automatically generate compliance reports for OWASP ASVS 4.0, NIST, and FedRAMP - in addition to existing compliance reports covering the OWASP Top 10, and PCI DSS.


CI-driven scans

Released

Integrate Burp Suite Enterprise Edition with any CI/CD platform that can run a Docker container - and get fast security feedback to your web developers.

Improved scanning of JavaScript frameworks

Released

Multiple improvements to Burp Scanner's performance when scanning web applications built using popular JavaScript frameworks. This is an area we will periodically revisit.

Support for popups in recorded login sequences

Released

Addition of support for popup page elements when using Burp Scanner's recorded login (authenticated scanning) feature.

Kubernetes deployment

Released

Burp Suite Enterprise Edition now has a Kubernetes deployment option available, using a Helm chart. This enables auto-scaling of scanning resources.

Browser-powered scanning by default

Released

Best-in-class coverage and scanning performance for challenging targets like AJAX-heavy single page apps, with browser-driven (Chromium) scanning. Enabled by default.

Server-side template injection

Released

Burp Scanner can now detect injection into a wider range of templating engines, and will employ OAST techniques to detect blind SSTI.

Payloads within data formats

Released

We have improved the placement and encoding of scan payloads within JSON and XML data structures.

Improved navigational coverage

Released

Burp Scanner now detects and interacts with more DOM elements that can cause JavaScript-triggered navigation, in addition to conventional links and forms.

Extended scanning machine capabilities

Released

Ensure scans are carried out using the most suitable scanning machines - based on network location, system resources, or other factors.

API scanning: first phase

Released

Enumerate API endpoints to scan APIs across your application portfolio; process OpenAPI (Swagger) definitions.

Improved user experience

Released

Display scanned URLs as a tree, to make site structure easier to see. We've also improved navigation through the UI, as well as product look and feel.

Single sign-on

Released

Configure an LDAP connection between Burp Suite Enterprise Edition and your Active Directory. Use single sign-on to remove the need to create and manage users.

Improved SPA scanning

Released

Burp Scanner now handles navigational actions that cause DOM updates without a synchronous request to the server, allowing better handling of single-page applications.


React form handling

Released

Burp Suite Enterprise Edition can handle forms when scanning single-page applications (SPAs) built on React. This improves performance when scanning input elements that lack an enclosing form tag.

Improved site setup

Released

Define your site scope more easily when setting up scans. This helps to ensure that you only scan the URLs you intend to.

Folder-level configuration

Released

Make changes at folder level, as a bulk action in the UI. Reconfigure all the sites in a particular folder - for scan configuration, scanning machine pools, extensions used, etc.

Revamped browser-powered scanning

Released

We have fundamentally changed the way that Burp Scanner navigates using its built-in browser. This improves scanning of applications that make heavy use of client-side JavaScript for navigation, and lays a strong foundation for further development of the scanner.

Audit of asynchronous traffic

Released

Burp Scanner now automatically audits in-scope API requests that are issued from client-side JavaScript using XHR and Fetch.

Replay of recorded login sequences

Released

Replay and view recorded login (authenticated scanning) sequences executed during scans, to check for issues during the login process.

HTTP/2-specific vulnerability reporting

Released

Burp Scanner can now report new classes of HTTP/2-specific vulnerabilities.

Issue-tracking integrations

Released

Burp Suite Enterprise Edition now supports issue tracking integration using Slack, Trello, and GitLab.

Burp extensions

Released

By popular demand, you can now customize Burp Suite Enterprise Edition using extensions.

Integrated SCA capabilities

Released

Perform software composition analysis (SCA) of client-visible code, and report JavaScript libraries in use containing known vulnerabilities.

Recorded login sequences

Released

Authenticate to any application by recording complex login sequences with a browser plugin. Enable authenticated access for almost any target site, such as those using JavaScript-heavy logins or single sign-on.

Scan configuration libraries

Released

View and manage configurations, extend crawl and audit settings, view individual URL details, and view aggregated issue reporting.

GraphQL-based API

Released

Expose much of Burp Suite Enterprise Edition's core functionality for extensive improvements to site editing, scan settings, reporting, and scanning machine management.

GraphQL scan checks

Released

Burp Scanner can check for security vulnerabilities in APIs that use the GraphQL language. This broadens the range of APIs you are able to test automatically.

Pay as you scan (PAYS) subscriptions

Released

The Pay as you scan subscription option enables you to pay only for the scans you actually use - and is ideal for organizations just beginning their security journey.

Improved scan speed

Released

Further optimized performance in default settings - enabling faster scans without compromising coverage.

JWT scan checks

Released

Burp Scanner now checks for a number of security vulnerabilities relating to JSON Web Tokens (JWT).

Compliance reporting

Released

Report scan results against compliance frameworks - such as PCI DSS, OWASP Top 10, etc.

Single sign-on via SCIM

Released

We now provide support for user management via SCIM (System for Cross-domain Identity Management), for integration with Okta and OneLogin.

Bulk operations

Released

You can now import sites from CSV files, apply scan configurations and application logins across a group of sites, and cancel/delete selected scans - all through the UI.

Improved CI/CD integrations

Released

Support for site-driven scans within CI/CD plug-ins - and the ability to download end-of-scan reports. Set parameters for determining when a build fails.

Improved SSO functionality

Released

Enable single sign-on via Active Directory using SAML, in addition to the previously existing single sign-on functionality using LDAP.

Workflow improvements

Released

Streamline post-scan tasks by downloading detailed scan reports, automating email function for end-of-scan summary reports, and automating Jira ticket creation.

Improved user interface

Released

Extensive UI upgrades have been introduced, including navigation changes, overall look-and-feel, and more intuitive in-product workflows.

Browser-powered scanning enhancements

Released

Significant improvements to Burp Scanner - enabling enhanced performance and coverage of modern navigational patterns.

Customer quote

"We use Burp Suite Enterprise Edition because of the ease of use, the cost, the straightforward implementation, the useful results, and the accuracy - results when compared to more expensive tools are very similar."

Douglas R. Lomsdalen, CISO

Source: TechValidate survey of PortSwigger customers