Stay free if you only need manual web security testing toolkit and intercepting proxy and basic repeater/intruder. Upgrade if you need continuous automated scanning at scale and burp ai features for enterprise scanning. Most solo builders can start free.
Why it matters: Not available in Burp Suite Community Edition — requires a paid Professional or Enterprise license to access any AI features
Available from: Burp Suite Professional
Why it matters: AI credit metering means heavy users may need to purchase additional credits beyond the 10,000 included per year
Available from: Burp Suite Professional
Why it matters: Features are tied to the desktop client, so they cannot be invoked from headless CI/CD pipelines the same way as Burp's REST API scanning
Available from: Burp Suite Professional
Why it matters: Quality of AI output depends on the underlying request data — encrypted, encoded, or heavily obfuscated traffic limits Explainer usefulness
Available from: Burp Suite Professional
Why it matters: Newer feature set compared to Burp's mature scanning engine — some workflows still require manual extensions or BApp Store tooling
Available from: Burp Suite Professional
Burp AI is included with Burp Suite Professional, which costs $475 per user per year, and with Burp Suite Enterprise Edition. There is no separate subscription for Burp AI itself. Each Professional license comes with 10,000 free AI credits annually, and additional credits can be purchased if you exceed that quota. The free Community Edition of Burp Suite does not include any AI capabilities.
No. PortSwigger states explicitly on its product page that customer data processed by Burp AI is not used to train AI models, which is a critical consideration for penetration testers handling confidential client information under NDA. AI requests are processed through PortSwigger's infrastructure rather than being sent directly to third-party providers without oversight. This privacy posture is one of the main reasons enterprise AppSec teams choose Burp AI over generic LLM-based pentest helpers.
AI credits are PortSwigger's metering unit for Burp AI features — each action like running Explainer on a request or launching Explore Issue on a finding deducts credits from your balance. Every Burp Suite Professional license includes 10,000 free credits per year, which is enough for moderate daily use during testing engagements. If you run out, additional credit packs can be purchased separately. Credits do not roll over indefinitely, so plan engagement budgets accordingly.
The main difference is integration depth: Burp AI runs inside Burp Suite with direct access to the request/response context, scan issues, and project state, so you don't have to copy-paste data between tools. It also offers Explore Issue, an agent that actively probes the target to validate findings, which a general-purpose chatbot cannot do safely. Manual ChatGPT/Claude use is cheaper and more flexible but introduces data-leakage risk since prompts may be retained by the provider, whereas PortSwigger commits to not training on customer data.
No, and PortSwigger does not market it as a replacement. Burp AI is designed as an assistant for human testers — it accelerates triage, explains findings, and validates issues, but a qualified pentester is still needed to scope the engagement, chain vulnerabilities, perform business-logic testing, and write the final report. Based on our analysis of 870+ AI tools, no current offensive security AI product autonomously delivers production-grade pentest reports, and Burp AI is best viewed as a productivity multiplier rather than a replacement.
Start with the free plan — upgrade when you need more.
Get Started Free →Still not sure? Read our full verdict →
Last verified March 2026