PortSwigger's industry-standard web application testing proxy — Pro is the bug-bounty hunter's default tool.
Installation
Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.
Linux/macOS (Community)
wget https://portswigger.net/burp/releases/community/latest -O burp.sh && chmod +x burp.sh && ./burp.sh
Docker
docker run -p 8080:8080 portswigger/burp-suite-community
macOS (brew)
brew install --cask burp-suite
Core commands
The handful of invocations you’ll actually run on 90% of engagements:
Configure browser proxy
Browser → 127.0.0.1:8080; install Burp CA cert
CLI (Enterprise)
burpsuite_pro --headless --target=https://target.com
Replay request
Right-click in Proxy → Send to Repeater
Run scan (Pro)
Dashboard → New scan → Crawl + Audit
Performance optimisation
What separates a junior who runs the default invocation from a practitioner who knows the knobs:
- Pro vs Community: Community has no scanner, no Intruder rate, no save/load. For real work, Pro is mandatory ($475/yr).
- Memory: bump
-Xmx4Ginburp.vmoptionsfor large engagements (default 1G crashes on 5000+ proxy entries). - Project File mode (Pro): saves state to disk continuously. Use for week-long engagements.
- Throttle Intruder: thread count 5-10 for production targets, never default 100.
- Use
collaborator-proxy+ private Collaborator server for blind SSRF / OOB testing without leaking targets to PortSwigger. - Caido is now mature enough as Burp alternative — lighter, Rust-based, faster start-up; consider for grunt work.
Common pitfalls
Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.
- Default scope captures EVERYTHING. Set scope tightly before clicking around target — otherwise unrelated traffic pollutes your project.
- CA cert installation: Firefox needs separate trust store from system CA. Most missed-traffic complaints are this.
- Burp’s Active Scanner can DELETE accounts via destructive payloads. Use Audit Light or Active scanning excluded paths only on prod.
- Extension Bapp store has unmaintained extensions — verify before installing.
Modern alternatives in 2026
The ecosystem moves fast. These are tools you should at least be aware of:
- Caido — modern Rust-based alternative; great UX, lighter weight.
- OWASP ZAP — free; less polished but full-featured.
- mitmproxy — Python, scriptable; CLI-first.
India context and engagement notes
For CERT-In empanelled VAPT: PortSwigger’s Active Scan results + manual evidence is the canonical output format Indian auditors expect. Pair with manually crafted Repeater proofs for each finding.
⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.
Custom team training + practitioner advisory
Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.