Product roadmap

Access control scan checks

New feature

Burp Scanner will check for a number of security vulnerabilities relating to access control.

Pre-built Amazon Machine Images (AMIs)

New feature

Auto-generate a suitable EC2 instance for Burp Suite Enterprise Edition, using pre-built AMIs.

Supply-Chain Levels for Software Artifacts (SLSA) Level 2

New feature

Burp Suite Enterprise Edition will be certified to SLSA Level 2 - addressing customer requirements.

Folder-level configuration

Feature enhancement

Make config changes at folder level, as a bulk action in the UI. Reconfigure all the sites in a particular folder - for scan configuration, scanning machine pools, extensions used, etc.

CI/CD inversion of control

New feature

Run Burp Suite Enterprise Edition from within any CI/CD environment, by starting a scanning machine in a container.

GraphQL scan checks

New feature

Burp Scanner will check for a number of security vulnerabilities relating to APIs that use the GraphQL language.

Seed scans from an uploaded API definition

New feature

Upload an API definition as part of the Burp Scanner launch process. Burp Scanner will use this API definition to seed its scan - enhancing its ability to scan APIs and microservices.

Improved site setup

Feature enhancement

Set up sites more easily in Burp Suite Enterprise Edition, with a range of feature improvements.

Hourly metered billing

New feature

Following on from Burp Suite Enterprise Edition's Kubernetes deployment, which features automatic scaling of scan resources, we will introduce hourly metered billing.

React form handling

Feature enhancement

Scan single page applications (SPAs) built using React more easily. Specifically, this will improve Burp Scanner's handling of input elements that do not have an enclosing form tag.

Improved coverage of JavaScript frameworks

Feature enhancement

Fine-tuning of Burp Scanner, to optimize its performance when scanning single page applications (SPAs) built using Angular, Vue.js, and other frameworks.

Support for popups in recorded login sequences

Done

Addition of support for popup page elements when using Burp Scanner's recorded login (authenticated scanning) feature.

Kubernetes deployment

Done

Burp Suite Enterprise Edition now has a Kubernetes deployment option available, using a Helm chart. This enables auto-scaling of scanning resources.

Browser-powered scanning by default

Done

Best-in-class coverage and scanning performance for challenging targets like AJAX-heavy single page apps, with browser-driven (Chromium) scanning. Enabled by default.

Server-side template injection

Done

Burp Scanner can now detect injection into a wider range of templating engines, and will employ OAST techniques to detect blind SSTI.

Payloads within data formats

Done

We have improved the placement and encoding of scan payloads within JSON and XML data structures.

Improved navigational coverage

Done

Burp Scanner now detects and interacts with more DOM elements that can cause JavaScript-triggered navigation, in addition to conventional links and forms.

Extended scanning machine capabilities

Done

Ensure scans are carried out using the most suitable scanning machines - based on network location, system resources, or other factors.

API scanning: first phase

Done

Enumerate API endpoints to scan APIs across your application portfolio; process OpenAPI (Swagger) definitions.

Improved user experience

Done

Display scanned URLs as a tree, to make site structure easier to see. We've also improved navigation through the UI, as well as product look and feel.

Single sign-on

Done

Configure an LDAP connection between Burp Suite Enterprise Edition and your Active Directory. Use single sign-on to remove the need to create and manage users.

Read all release notes

Revamped browser powered scanning

Done

We have fundamentally changed the way that Burp Scanner navigates using its built-in browser. This improves scanning of applications that make heavy use of client-side JavaScript for navigation, and lays a strong foundation for further development of the scanner.

Audit of asynchronous traffic

Done

Burp Scanner now automatically audits in-scope API requests that are issued from client-side JavaScript using XHR and Fetch.

Replay of recorded login sequences

Done

Replay and view recorded login (authenticated scanning) sequences executed during scans, to check for issues during the login process.

HTTP/2-specific vulnerability reporting

Done

Burp Scanner can now report new classes of HTTP/2-specific vulnerabilities.

Issue-tracking integrations

Done

Burp Suite Enterprise Edition now supports issue tracking integration using Slack, Trello, and GitLab.

Burp extensions

Done

By popular demand, you can now customize Burp Suite Enterprise Edition using extensions.

Integrated SCA capabilities

Done

Perform software composition analysis (SCA) of client-visible code, and report JavaScript libraries in use containing known vulnerabilities.

Recorded login sequences

Done

Authenticate to any application by recording complex login sequences with a browser plugin. Enable authenticated access for almost any target site, such as those using JavaScript-heavy logins or single sign-on.

Scan configuration libraries

Done

View and manage configurations, extend crawl and audit settings, view individual URL details, and view aggregated issue reporting.

GraphQL-based API

Done

Expose much of Burp Suite Enterprise Edition's core functionality for extensive improvements to site editing, scan settings, reporting, and scanning machine management.

Improved scan speed

Done

Further optimized performance in default settings - enabling faster scans without compromising coverage.

JWT scan checks

Done

Burp Scanner now checks for a number of security vulnerabilities relating to JSON Web Tokens (JWT).

Compliance reporting

Done

Report scan results against compliance frameworks - such as PCI DSS, OWASP Top 10, etc.

Single sign-on via SCIM

Done

We now provide support for user management via SCIM (System for Cross-domain Identity Management), for integration with Okta and OneLogin.

Bulk operations

Done

You can now import sites from CSV files, apply scan configurations and application logins across a group of sites, and cancel/delete selected scans - all through the UI.

Improved CI/CD integrations

Done

Support for site-driven scans within CI/CD plug-ins - and the ability to download end of scan reports. Set parameters for determining when a build fails.

Improved SSO functionality

Done

Enable single sign-on via Active Directory using SAML, in addition to the previously existing single sign-on functionality using LDAP.

Workflow improvements

Done

Streamline post-scan tasks by downloading detailed scan reports, automating email function for end-of-scan summary reports, and automating Jira ticket creation.

Improved user interface

Done

Extensive UI upgrades have been introduced, including navigation changes, overall look-and-feel, and more intuitive in-product workflows.

Browser-powered scanning enhancements

Done

Significant improvements to Burp Scanner - enabling enhanced performance and coverage of modern navigational patterns.

Improved SPA scanning

Done

Burp Scanner now handles navigational actions that cause DOM updates without a synchronous request to the server, allowing better handling of single-page applications.