Burp Suite MCP Server

1

Add it to Claude Code

Run this in a terminal.

Run in terminal
claude mcp add -e "BURP_REST_API_BASE=${BURP_REST_API_BASE}" -e "BURP_REST_API_KEY=${BURP_REST_API_KEY}" -e "BURP_REST_API_VERSION=${BURP_REST_API_VERSION}" burp-mcp -- uv run python /path/to/burp-mcp/main.py
Required:BURP_REST_API_BASEBURP_REST_API_KEYBURP_REST_API_VERSION
README.md

Exposes Burp Suite's REST API to AI assistants for security scanning.

Burp Suite MCP Server

An MCP (Model Context Protocol) server that exposes Burp Suite's REST API as tools for AI assistants. Use Cursor or other MCP clients to trigger vulnerability scans, check progress, and query Burp's security knowledge base.

Prerequisites

  • Burp Suite Professional (or Burp Suite DAST) with the REST API enabled
  • Python 3.11+
  • Burp running locally with REST API bound to a reachable address (e.g. http://127.0.0.1:1337)

Setup

1. Enable Burp REST API

  1. Open Burp Suite → SettingsSuiteREST API
  2. Check Service running
  3. Set the URL/port (e.g. port 1337)
  4. Create an API key and copy it

2. Install the MCP server

uv sync   # or: pip install -e .

3. Configure environment

Copy .env.example to .env and fill in your values:

cp .env.example .env

Edit .env:

BURP_REST_API_BASE=http://127.0.0.1:1337
BURP_REST_API_KEY=your-api-key-here
BURP_REST_API_VERSION=v0.1

Cursor MCP Configuration

Add to your Cursor MCP config (e.g. ~/.cursor/mcp.json or project .cursor/mcp.json):

{
  "mcpServers": {
    "burp-suite": {
      "command": "uv",
      "args": ["run", "python", "/path/to/burp-mcp/main.py"],
      "cwd": "/path/to/burp-mcp"
    }
  }
}

Or with python directly:

{
  "mcpServers": {
    "burp-suite": {
      "command": "python",
      "args": ["/path/to/burp-mcp/main.py"]
    }
  }
}

Tools

Tool Description
burp_suite_security_issue_definitions Get Burp's security issue definitions (name, description, remediation, references)
scan_urls_for_vulnerabilities Start a scan for given URLs. Returns a task_id for tracking. Optional scope param
check_security_scan_progress Get scan status and findings by task_id. Filter by severity: low, info, medium, high, or all
get_scan_summary High-level summary: total issues by severity
list_active_scans List running/pending scans (may not be supported by all Burp API versions)
cancel_scan Cancel a scan by task_id (may not be supported by all Burp API versions)
check_burp_connectivity Test connectivity to Burp API; validates config
wait_for_scan_completion Poll until scan completes or times out (for CI/CD)

Usage Examples

Scan a URL:

"Scan https://example.com for vulnerabilities"

Check scan progress:

"Check scan progress for task_id 123"

Get high-severity issues only:

"Check scan 123 and show only high severity issues"

Security knowledge:

"What security issues does Burp know about?"

Command-line usage

Run scans from scripts or the terminal:

uv run python examples/ci-scan.py https://your-target.com
# or
./examples/ci-scan.sh https://your-target.com

Burp REST API Endpoints Used

Endpoint Method Description
/knowledge_base/issue_definitions GET Security issue definitions
/scan POST Start scan (body: {"urls": [...]})
/scan GET List scans (may not be supported)
/scan/{task_id} GET Scan progress and results
/scan/{task_id} DELETE Cancel scan (may not be supported)

Interactive API docs: [BURP_REST_API_BASE]/[API_KEY]

License

MIT

Tools (8)

burp_suite_security_issue_definitionsGet Burp's security issue definitions including name, description, remediation, and references.
scan_urls_for_vulnerabilitiesStart a scan for given URLs and return a task_id for tracking.
check_security_scan_progressGet scan status and findings by task_id, filterable by severity.
get_scan_summaryGet a high-level summary of total issues by severity.
list_active_scansList running or pending scans.
cancel_scanCancel a scan by task_id.
check_burp_connectivityTest connectivity to Burp API and validate configuration.
wait_for_scan_completionPoll until a scan completes or times out.

Environment Variables

BURP_REST_API_BASErequiredThe base URL for the Burp Suite REST API
BURP_REST_API_KEYrequiredThe API key for authenticating with Burp Suite
BURP_REST_API_VERSIONrequiredThe version of the Burp REST API to use

Configuration

claude_desktop_config.json
{"mcpServers": {"burp-suite": {"command": "python", "args": ["/path/to/burp-mcp/main.py"]}}}

Try it

Scan https://example.com for vulnerabilities
Check scan progress for task_id 123
Check scan 123 and show only high severity issues
What security issues does Burp know about?

Frequently Asked Questions

What are the key features of Burp Suite MCP Server?

Trigger automated vulnerability scans directly from AI chat. Monitor scan progress and retrieve findings by task ID. Query Burp Suite's built-in security knowledge base. Filter scan results by severity levels. Validate connectivity to Burp Suite REST API.

What can I use Burp Suite MCP Server for?

Automating security regression testing in CI/CD pipelines. Quickly checking for specific vulnerabilities during manual pentesting. Retrieving remediation advice for discovered security issues. Managing multiple concurrent security scans via natural language.

How do I install Burp Suite MCP Server?

Install Burp Suite MCP Server by running: uv sync

What MCP clients work with Burp Suite MCP Server?

Burp Suite MCP Server works with any MCP-compatible client including Claude Desktop, Claude Code, Cursor, and other editors with MCP support.

Turn this server into reusable context

Keep Burp Suite MCP Server docs, env vars, and workflow notes in Conare so your agent carries them across sessions.

Need the old visual installer? Open Conare IDE.
Open Conare
View all monitoring servers →

Related MCP Servers

Linux MCP Server
Read-only Linux system administration and diagnostics on RHEL-based systems.
monitoring189 stars
HomeButler
All-in-one homelab management MCP server.
monitoring64 stars
Wireshark MCP
Give your AI assistant a packet analyzer.
monitoring55 stars
RenderDoc MCP
Analyze GPU frame captures for graphics debugging and performance analysis.
monitoring42 stars
EasyShell
AI-Native Server Operations Platform
monitoring37 stars
Reqable MCP Server
Exposes local Reqable network capture traffic to MCP clients
monitoring26 stars