Burp Suite Enterprise Edition is an enterprise server-class solution for automated, scheduled and continuous scanning, capable of running a high volume of concurrent scans (you only need to license enough agents to cover the instances required). The key features of this new product are:
- Server installation, accessed via a modern web interface and REST API.
- Automated scanning of web sites on demand or on a schedule, using Burp Scanner’s cutting-edge web scanning logic.
- Extreme scalability, able to scan indefinitely many web sites in parallel.
- Multi-user access, with role-based access control.
- Integration with CI/CD so you can trigger scans per commit or within your deployment pipelines.
PortSwigger worked hard to ensure a painless setup for Burp Suite Enterprise. Once initialized, auto scanning will assess security across your portfolio. Universal CI/CD platform integration through straightforward plugins makes DevSecOps a reality.
Burp Suite Enterprise Edition was designed with one goal: to make PortSwigger research and technology available to every organization. PortSwigger had achieved that with the world’s most widely-used pentesting toolkit, Burp Suite Professional – now fully automated with Burp Suite Enterprise Edition.
Key Product Features
Burp Suite Enterprise Edition is designed for automated scanning at scale, and integration with software development processes. It lets you:
- Configure details of your organization’s web sites.
- Schedule scans and view the results.
- Use a scalable pool of agents to distribute work and grow according to your needs.
- Give access to your team, protected by role-based access control (RBAC).
- Integrate with your CI system via the REST API.
Burp Suite Enterprise Edition uses Burp Scanner’s cutting-edge web scanning logic to uncover dozens of different types of vulnerabilities.
Benefits of Burp Suite Enterprise Edition
- Grow as big as you want – Extreme scalability means you don’t have to worry about growth. This is web security for organizations of any size.
- Automate and schedule your scans – Scheduled, parallel scanning of assets and simple, visual reporting mean that auditing your security posture is easy.
- Restrict sensitive data – More users create more need for internal security. Role-based access control (RBAC) keeps sensitive data out of reach.
- Integrate with any CI pipeline – Whether you use Jenkins, TeamCity, or another CI platform for development, REST API integration is straightforward.
- Prioritize threats easily – Smart prioritization will save you time when detected threats begin to stack up. Quickly find the optimal path to security.
- Get the best on your side – All detected vulnerabilities come with remediation advice based on PortSwigger’s acclaimed research.
Don’t become the next headline data breach
- So much of our world is now online, that new attack surfaces get introduced almost daily. These don’t go unnoticed by offensive operators. And a data breach could destroy your good reputation. When your users trust you with their data, you’re expected to protect it. If you fail, that trust is lost.
- Burp Suite Enterprise Edition is underpinned by the same research that powers the world’s most widely-used penetration testing software. Our continuous updates mean you’ll be at the forefront of web security thinking – no matter what lurks over the horizon.
Prioritize security concerns as they arise
- Burp Suite Enterprise Edition’s huge scalability and parallel operation mean it can detect a large quantity of bugs in short order. Here, vulnerability management functions save you time. Issues are prioritized automatically to prevent you getting swamped.
- Integration with project management software like Jira makes planning a solution easy. Combined with role-based access control, this is security for teams of all sizes.
Security should never be a bottleneck for development
- In traditional development environments, security got deferred until the later stages of a build. This often left a great deal of work to be rushed through in a short amount of time before release was possible – and created a lot of friction.
- We think security is some of the most important work developers can do. As such, we champion a DevSecOps approach, where security is baked in from the outset. Burp Suite Enterprise Edition fully facilitates this – integrating with any CI/CD system.
Burp Suite Enterprise Edition comprises the following components:
- Enterprise server – This coordinates between the other components, manages scan scheduling, and performs software updates.
- Agents – These carry out scans using an embedded instance of Burp Scanner. Agents can be distributed across multiple machines, and the pool of agents can grow indefinitely large.
- Web server – This provides the interface to users, via the web UI and REST API. The web server is installed onto the same machine as the Enterprise server.
- Database – This provides persistent storage for configuration data and scan results. There is a bundled database which is suitable for evaluation purposes and many production use cases, or you can use your own external database if required.
The diagram below shows the different components of the software and the connections between them:
Number of machines
The number of machines needed to run Burp Suite Enterprise Edition very much depends on the scale of your intended usage.
You can run all of the components on a single machine, including the bundled database. This is suitable for evaluation purposes and for many production use cases. On a machine with substantial resources, this setup should be able to comfortably support up to 10 agents. The diagram below shows a single-machine deployment:
At the other extreme, you can run agents on a large number of machines, and you can use your own external database for storage. This lets you scale the number of concurrent scans to be indefinitely large, and utilize any existing database infrastructure that you have. The diagram below shows a multiple-machine deployment, with an external database and agent machines:
Each agent machine, and optionally the Enterprise server machine, can be configured to run multiple logical agents. Each logical agent can be occupied carrying out a single scan at any given time. The number of agents that will actually be used is limited to the number in your license.
Note that the Enterprise server and web server components are always deployed on a single machine.
All machines on which Burp Suite Enterprise Edition components are installed must have:
- 64-bit architecture.
- A modern Windows, Linux, or macOS operating system. It is possible to use different operating systems on different machines within the deployment.
The amount of system resources required for machines running Burp Suite Enterprise Edition is highly dependent on a variety of factors, including the nature and extent of the applications being scanned, the numbers of issues that are reported, and the number of active users of the web UI and REST API. The following table provides an indicative guide to the machine specifications that are recommended to ensure satisfactory performance. When provisioning machines, be aware that specifications might need to change later based on the experience of your actual usage.
| | Enterprise server machine | Agent machine |
|---|---|---|
| Base installation | 10Gb of free disk space, 16Gb of RAM, 4 CPU cores | 10Gb of free disk space, 2Gb of RAM, 2 CPU cores |
| Per logical agent | 20Gb of free disk space, 4Gb of RAM, 4 CPU cores | 20Gb of free disk space, 4Gb of RAM, 4 CPU cores |
| Bundled database | Additional disk space is required if the bundled database is used. | |
Please note the following points regarding free disk space requirements:
- The free space required is not only for the up-front installation. Disk space is used for storage of ephemeral data during scans and product updates.
- The disk location (configured during the installation process) must reside on locally attached storage, and not be a networked file system.
Burp Suite Enterprise Edition uses an SQL database to store data about configured sites and scans, the results of scans, and other configuration information. You can use one of the following options:
- A bundled database that can be installed on the same machine as the Enterprise server. This option can be used to support any scale of deployment provided you have sufficient disk space available (see below).
- Your own external database. Supported database types are: MariaDB, Microsoft SQL Server, MySQL, Oracle, and PostgreSQL. This option lets you utilize any existing database infrastructure that you have, including database backups, and is more appropriate for larger deployments.
The quantity of data that might be accumulated by Burp Suite Enterprise Edition depends hugely on the scale and nature of your usage, and particularly on the number of scans that are performed and the number of issues that are reported by those scans. The following table is an indicative guide to the quantity of data that is likely to be accumulated in different situations:
|Number of scans||Data storage|
Most modern machines should be able to use the web UI without any problems.
Browsers that are specifically supported and tested are current versions of Chrome, Edge, Firefox, Internet Explorer, and Safari.
The recommended minimum screen size is 1080 pixels in the shorter dimension. Smaller screens than this can still use the web UI, but with a degraded experience.
A mouse pointer is required to access some features, which appear on contextual controls on mouse hover. The remainder of the UI and the majority of features will still function correctly without a mouse pointer.
Network and firewall configuration
The diagram below shows the required network topology and access. This includes machines that are optional and won’t appear in some deployments (external agents and database):
A dedicated DMZ network is recommended to host the machines on which Burp Suite Enterprise Edition is deployed, but this is not mandatory.
In particular, note the requirements below for network access. It might be necessary to configure your firewall to allow the necessary access.
- Users and API clients need to access the web server on a port that you can select (by default, 8080).
- The Enterprise server needs to access portswigger.net on port 443, to carry out license activation and software updates. Note that this access is needed for ongoing usage of the software, not only during initial installation. You can configure a network proxy if this is needed to reach the public web.
- If you install agents on any external machines, these need to access the Enterprise server machine on port 8072.
- If you use the bundled database, then any external agent machines will need to access the Enterprise server machine on port 9092.
- If you use an external database, then the Enterprise server and any external agents will need to access the database service on the configured host and port.
- Agents will need to access the sites that are to be scanned (on ports 80, 443, etc. as required).
- To gain the full benefit of Burp Suite’s out-of-band vulnerability detection technology, agents will need to access burpcollaborator.net on port 443.
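The access requirements listed above can be expressed as an allow-list and compared against a firewall ruleset, so that both missing access and rules wider than the deployment needs are reported. This is an added example, not PortSwigger's or E-SPIN's code; the role labels, the `Rule` format, the database port 5432 and the host `app.example.test` are assumptions for illustration.

```python
from typing import NamedTuple

class Flow(NamedTuple):
    src: str   # role that opens the connection
    dst: str   # role or hostname that receives it
    port: int

class Rule(NamedTuple):
    src: str   # role name, or "any"
    dst: str
    lo: int    # first port allowed
    hi: int    # last port allowed

ROLES = ("users", "enterprise-server", "agent")  # hypothetical role labels

def required_flows(external_agents, bundled_db, web_port=8080,
                   db_port=None, scan_targets=()):
    """Flows the list above requires for one deployment shape."""
    flows = {
        Flow("users", "enterprise-server", web_port),
        Flow("enterprise-server", "portswigger.net", 443),
        Flow("agent", "burpcollaborator.net", 443),
    }
    flows.update(Flow("agent", host, port) for host, port in scan_targets)
    if external_agents:
        flows.add(Flow("agent", "enterprise-server", 8072))
        if bundled_db:
            flows.add(Flow("agent", "enterprise-server", 9092))
    if not bundled_db:
        if db_port is None:
            raise ValueError("external database needs db_port")
        flows.add(Flow("enterprise-server", "database", db_port))
        if external_agents:
            flows.add(Flow("agent", "database", db_port))
    return flows

def covers(rule, flow):
    return (rule.src in (flow.src, "any") and rule.dst == flow.dst
            and rule.lo <= flow.port <= rule.hi)

def audit(rules, required):
    """Return (required flows no rule allows, rules wider than required)."""
    missing = sorted(f for f in required
                     if not any(covers(r, f) for r in rules))
    overbroad = []
    for r in rules:
        for src in (ROLES if r.src == "any" else (r.src,)):
            needed = sum(1 for f in required if f.src == src and covers(r, f))
            if needed < r.hi - r.lo + 1:   # rule opens ports nothing needs
                overbroad.append(r)
                break
    return missing, overbroad

# Constructed ruleset: external agents, external database on 5432.
SAMPLE_RULES = [
    Rule("users", "enterprise-server", 8080, 8080),
    Rule("enterprise-server", "portswigger.net", 443, 443),
    Rule("enterprise-server", "database", 5432, 5432),
    Rule("agent", "database", 5432, 5432),
    Rule("agent", "app.example.test", 443, 443),
    Rule("agent", "enterprise-server", 8072, 9092),  # range left too wide
]

if __name__ == "__main__":
    need = required_flows(True, False, db_port=5432,
                          scan_targets=[("app.example.test", 443)])
    missing, overbroad = audit(SAMPLE_RULES, need)
    print("missing:", missing)
    print("overbroad:", overbroad)
```

With the constructed ruleset, the audit reports that agents cannot reach burpcollaborator.net and that the 8072-9092 range exposes the bundled-database port even though an external database is in use.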
Integrate with your CI system
Use the following steps to integrate Burp Suite Enterprise Edition with your CI system via the REST API:
- First, you need to create a dedicated user for the integration to use. Go to the team page, and the users tab, and click “New user”.
- Give the user a suitable name that identifies the integration.
- Select the login type to be “API key”.
- Add the user to a suitable group that has the “Scan initiator” role.
- Click “Save”.
- When prompted, copy the user’s API key. Keep a record of the API key and handle it sensitively.
- Download a suitable Burp CI integration for your system. If a Burp CI plugin is available for your CI platform, install the plugin. Otherwise, install the generic CI driver.
- Configure the integration with the API key.
- Configure suitable builds in your CI system to make use of the integration.
Feel free to contact E-SPIN for your project or end-to-end requirements and solution consultancy, whether for modern DevSecOps and CI/CD systems or for integrating this DAST with other application security testing (AST) technologies: static application security testing (SAST), origin analysis / software composition analysis (SCA), mobile application security testing (Mobile AST), export and further vulnerability exploitability testing or penetration testing, secure code review in the developer IDE, unit code coverage and so on.
Product Latest Release and Build History
Enterprise Edition 2020.4.1 Release 2020-May-18
This release provides several minor bug fixes. Most notably:
- We have fixed a bug that was causing license key issues for Linux users when upgrading from 2020.2 to 2020.4.
Note: Unfortunately, if your first installation of Burp Suite Enterprise Edition was version 2020.4, this issue will also occur when you upgrade to 2020.4.1. If you are affected, please contact our Customer Support team for assistance. This will no longer be an issue in future releases.
- The scan progress is now displayed properly on the sites tree, as well as on the home and folder-level dashboards.
Enterprise Edition 2020.4 Release 2020-Apr-28
This release provides a beta version of our brand new GraphQL-based API, which exposes most of the core functionality of Burp Suite Enterprise Edition. Among other things, you can use the new API to:
- Create and edit sites
- Schedule one-off and regular scans
- Create and edit custom scan configurations
- Add folders to your site tree
- Get scan results and reports
- Manage your pool of agent machines, including authorizing new agent machines.
You can find more detailed information about how to use the API and the full range of supported operations in the API documentation. This also includes example payloads for typical queries.
As this is a beta version of the API, we would be grateful if customers could inform us of any problems that they encounter so that we can continue to optimize the behavior over the coming months. The Jenkins/TeamCity CI plugins and the generic CI driver will continue to use the existing public REST API. However, we are planning to release additional GraphQL-based versions in the near future.
Note: As a workaround for accessing functionality that was not supported by the public REST API, a small number of customers have integrated their own tools with Burp Suite Enterprise Edition using our internal REST API. Unfortunately, after upgrading to version 2020.4, these integrations will no longer be supported because the internal REST API has largely been replaced. However, you should be able to refactor your integrations to achieve the same results using the new GraphQL API. The vast majority of customers will be unaffected by this issue.
Burp Suite Enterprise Edition in the cloud
This release also marks the start of beta testing for the cloud-native version of Burp Suite Enterprise Edition. Over the next quarter, a small number of customers will be beta testing on both AWS and Azure.
We have also implemented several minor performance improvements and bug fixes. Most notably, the following issues have been resolved:
- A null pointer exception is no longer raised when Jira tickets are created automatically using the default severity and confidence settings.
- Changing the name of a site while using a slower network connection no longer causes errors.
Enterprise Edition 2020.2 released 2020-Feb-12
This release adds a number of new features to help simplify and streamline your post-scan activities. You can now:
- Choose to download a detailed scan report instead of just a summary.
- Tailor scan reports to your needs by choosing which severity of issues to include.
- Specify email addresses that should automatically receive an end-of-scan summary when a scan is completed for a particular site. Note that configuring your email server is a prerequisite for enabling this feature.
- Download a summary of aggregated issues in CSV format.
- Automatically create Jira tickets for issues based on their severity and confidence.
Enterprise Edition 2020.1 Released 2020-Jan-13
This release contains a number of valuable enhancements.
There is a new scan configuration library that replicates the Burp Suite Pro feature. You can:
- View and manage built-in and custom scan configurations.
- Configure detailed settings for crawling and auditing, as well as platform authentication and upstream proxy settings.
- Import and export configurations in JSON format.
For each scan, you can now view full details of the individual URLs that were scanned, together with the numbers of issues, requests, and insertion points. You can drill into each URL to view the details of individual issues:
You can now download the scan event log, via the “More actions” button on the scan results page.
There is a new database migration tool that lets you migrate from the bundled database to an external database. See documentation on database migration.
There are various other enhancements and bug fixes:
- Estimates of scan time remaining are now based on the duration of the preceding scan where applicable.
- Scans that have not made any progress for 24 hours will be automatically canceled.
- Issue details can now be retrieved from the aggregated issues list for scans created through the REST API when the site is not saved in the Sites tree.
- Hover action buttons on the Sites tree are now available for users belonging to groups that have site restrictions configured.
Enterprise Edition 1.1.04 Released 2019-Nov-05
This release includes various enhancements and bugfixes:
- The page for a folder in the Sites tree now includes a Scans tab, showing scans for all the sites in the selected folder.
- When creating a new site and selecting the folder to add it to, you can now search for the folder by name.
- When creating a new scan and selecting the site to scan, you can now search for the site by name.
- When viewing issues in the aggregated issues view, there is now a preview pane where you can view details of the selected issue, and perform actions such as creating a Jira ticket.
- A bug that caused Burp Suite Enterprise Edition to leak file handles in some situations has been resolved.
Enterprise Edition 1.1.03 Released 2019-Oct-1
This release adds some new dashboard views.
There is a new site-level dashboard showing various information about the issues that have been found for the site, and its security posture over time. There are new tabs on the site page that let you switch between the dashboard, scan history, issues, and site details:
The sites area has new aggregated issues views. For a selected folder (or for all sites), this view shows all of the issues from the latest scans grouped by issue type. You can expand each aggregated issue to view the details of individual occurrences, and you can filter the view by severity, date, and whether issues are new or regressed:
Various performance improvements have been made. The sites page now loads considerably faster, and large folders are collapsed by default.
Various bugs have been fixed.
In a large organization with many sites and folders, the new folder-level dashboards let you drill down into parts of the organization and understand the vulnerabilities and trends within each area.
Enterprise Edition 1.1.01 Released 2019-Jul-18
This release contains a new database backup feature. This is currently only available when using the internal bundled database (H2).
Automatic backups are enabled by default. The following options can be configured:
- The number of backups to store.
- The backup schedule.
- The location to store backup files (this is configured during installation).
You can also trigger a manual database backup at any time.
A number of minor bugs have also been fixed.
Enterprise Edition 1.1 Released 2019-Jun-28
Burp Suite Enterprise Edition is now officially out of beta!
This release also adds a beautiful new home page dashboard, with various charts showing an at-a-glance view of your overall security posture:
The new charts show:
- Current issue counts
- Issue counts over time
- New and resolved issues over time (deltas between successive scans)
- Most vulnerable sites
- Most serious vulnerabilities
- Recent, running, and upcoming scans
Coming out of beta means we regard Burp Suite Enterprise Edition as essentially stable and suitable for general usage. It doesn’t mean there are no bugs. All software has bugs, and feedback is always welcome about any problems that users observe.
PortSwigger will, of course, be continuing to enhance Burp Suite Enterprise Edition with various new features over the coming months.