Master Burp AI with our step-by-step tutorial, detailed feature walkthrough, and expert tips.
Explore the key features that make Burp AI powerful for cybersecurity workflows.
Burp AI is included with Burp Suite Professional, which costs $475 per user per year, and with Burp Suite Enterprise Edition. There is no separate subscription for Burp AI itself. Each Professional license comes with 10,000 free AI credits annually, and additional credits can be purchased if you exceed that quota. The free Community Edition of Burp Suite does not include any AI capabilities.
No. PortSwigger states explicitly on its product page that customer data processed by Burp AI is not used to train AI models, which is a critical consideration for penetration testers handling confidential client information under NDA. AI requests are processed through PortSwigger's infrastructure rather than being sent directly to third-party providers without oversight. This privacy posture is one of the main reasons enterprise AppSec teams choose Burp AI over generic LLM-based pentest helpers.
AI credits are PortSwigger's metering unit for Burp AI features — each action like running Explainer on a request or launching Explore Issue on a finding deducts credits from your balance. Every Burp Suite Professional license includes 10,000 free credits per year, which is enough for moderate daily use during testing engagements. If you run out, additional credit packs can be purchased separately. Credits do not roll over indefinitely, so plan engagement budgets accordingly.
The main difference is integration depth: Burp AI runs inside Burp Suite with direct access to the request/response context, scan issues, and project state, so you don't have to copy-paste data between tools. It also offers Explore Issue, an agent that actively probes the target to validate findings, which a general-purpose chatbot cannot do safely. Manual ChatGPT/Claude use is cheaper and more flexible but introduces data-leakage risk since prompts may be retained by the provider, whereas PortSwigger commits to not training on customer data.
No, and PortSwigger does not market it as a replacement. Burp AI is designed as an assistant for human testers — it accelerates triage, explains findings, and validates issues, but a qualified pentester is still needed to scope the engagement, chain vulnerabilities, perform business-logic testing, and write the final report. Based on our analysis of 870+ AI tools, no current offensive security AI product autonomously delivers production-grade pentest reports, and Burp AI is best viewed as a productivity multiplier rather than a replacement.
Now that you know how to use Burp AI, it's time to put this knowledge into practice.
Sign up and follow the tutorial steps
Check pros, cons, and user feedback
See how it stacks against alternatives
Follow our tutorial and master this powerful cybersecurity tool in minutes.
Tutorial updated March 2026