AI features in Burp Suite extensions are disabled by default, giving you complete control over whether an extension can access AI. This page explains how we protect your data and ensure AI-powered interactions remain secure.
For more information on Burp's AI features and how they work, see Burp AI.
All AI-related data is handled in accordance with PortSwigger's Security & Compliance framework, which includes:
ISO 27001 certification - Rigorous information security management.
Robust encryption - Data is encrypted in transit and at rest using industry-standard cryptographic methods.
Access controls - AI request and response data is stored in a restricted audit trail, accessible only by authorized PortSwigger personnel for security and compliance purposes.
No. Burp's AI providers do not store any of the data they process. Requests are handled in real time and immediately returned to Burp. There is no risk that this information could be surfaced to a third party.
AI request data is processed securely and stored by PortSwigger as part of an encrypted audit trail. No unauthorized personnel can access this stored data.
Burp uses a secure process to communicate with AI services:
Burp securely transmits the request data to PortSwigger's AI infrastructure.
PortSwigger's AI infrastructure makes a request to a trusted AI provider. The data remains within our trust boundary and is not stored by the provider.
The AI provider processes the request and returns a response to the AI infrastructure, where it is securely stored in an encrypted audit trail.
PortSwigger's AI infrastructure passes the response back for Burp to use.
Currently, this option is not available. However, all stored data is encrypted and access-controlled to ensure security. We continuously review our policies to align with user needs.
For full details on our security policies, compliance certifications, and how we protect customer data, see the PortSwigger Trust Center.
Yes. To disable all AI features in Burp:
Go to Settings > AI.
Select the Disable AI features checkbox.
When this checkbox is selected, Burp cannot access PortSwigger's secure AI infrastructure. Any AI-related features are grayed out and cannot be selected.
No. Burp does not communicate with any AI provider or system until you actively use one of its AI features, such as generating explanations or exploring vulnerabilities. AI interactions are entirely user-initiated and controlled.
Currently, we use models from OpenAI and Anthropic in our features. We are actively testing our service with these models and may explore additional options in the future.
All of the AI models that Burp Suite can communicate with are hosted in the USA.
Currently, this option is unavailable.
To use AI features in Burp Suite, your network must allow HTTPS traffic on port 443 to https://ai.portswigger.net. If your organization has strict firewall rules, ensure this domain is allowlisted to enable AI functionality.
Currently, this option is unavailable.
By default, AI features are disabled for all extensions to keep you in control of how and when Burp uses AI. You need to enable AI manually for each extension that you want to be able to make AI calls.
You can enable or disable AI for extensions you have already installed. To enable AI for an extension:
Select Extensions > Installed, and find the extensions you want to manage.
Select the Use AI checkbox for those extensions.
AI-powered extensions display a checkbox in the Enable AI column on the Extensions > Installed page. This checkbox is not displayed for non-AI extensions.
PortSwigger does not collect data from AI-powered extensions by default. Any data processed depends entirely on the extension's implementation.
We recommend reviewing the extension's code and documentation to understand:
What data is sent externally (for example, full HTTP requests, specific payloads, or extracted content).
How the extension handles sensitive information (for example, whether it masks or filters data).
If you are working with sensitive data, make sure that any extension aligns with your security and compliance requirements before use.
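The two review points above (what an extension sends externally, and whether it masks sensitive data) are easier to check against a concrete pattern. The following is an added example, not code from PortSwigger or from any BApp: a minimal extension that checks whether the user has enabled AI for it, strips credential-bearing headers before anything leaves Burp, and logs exactly what is sent. The class and package names are hypothetical, and the Montoya AI interface names (Ai, Prompt, Message, PromptResponse, EnhancedCapability.AI_FEATURES) are assumed from the Montoya API; confirm them against the API version you build with.

```java
package example.redacting; // hypothetical package name

import burp.api.montoya.BurpExtension;
import burp.api.montoya.EnhancedCapability;
import burp.api.montoya.MontoyaApi;
import burp.api.montoya.ai.Ai;
import burp.api.montoya.ai.chat.Message;
import burp.api.montoya.ai.chat.PromptResponse;
import burp.api.montoya.http.message.requests.HttpRequest;

import java.util.Set;
import java.util.regex.Pattern;

public class RedactingAiExtension implements BurpExtension {
    // Header values that must never be included in a prompt sent off-host.
    private static final Pattern SENSITIVE_HEADER = Pattern.compile(
        "(?im)^(Authorization|Proxy-Authorization|Cookie|X-Api-Key):[^\r\n]*");

    private MontoyaApi api;

    @Override
    public void initialize(MontoyaApi api) {
        this.api = api;
        api.extension().setName("Redacting AI example");
    }

    // Declares that this extension wants AI access; the user still has to tick "Use AI".
    @Override
    public Set<EnhancedCapability> enhancedCapabilities() {
        return Set.of(EnhancedCapability.AI_FEATURES);
    }

    // Replace credential-bearing header values before the request text leaves Burp.
    static String redact(String rawRequest) {
        return SENSITIVE_HEADER.matcher(rawRequest).replaceAll("$1: [REDACTED]");
    }

    // Sends a redacted copy of the request to the AI backend and returns the model's text.
    String explain(HttpRequest request) {
        Ai ai = api.ai();
        if (!ai.isEnabled()) {
            return "AI is not enabled for this extension; nothing was sent.";
        }
        String redacted = redact(request.toString());
        api.logging().logToOutput("Sending to AI:\n" + redacted); // local record of what left Burp
        PromptResponse response = ai.prompt().execute(
            Message.systemMessage("Summarise this HTTP request for a security tester."),
            Message.userMessage(redacted));
        return response.content();
    }
}
```

When reviewing a third-party extension, look for the equivalent of the isEnabled() check, the redaction step, and the local log line; an extension that builds its prompt straight from request.toString() sends headers and bodies verbatim.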
We review extensions in the BApp Store to ensure they meet our quality and compatibility standards, but we cannot guarantee their behavior.
The decisions made by an AI model depend on how the extension author has implemented it, including:
What data is sent.
How prompts are structured.
How responses are used.
We strongly recommend that you review the extension's functionality to understand the data it processes and make sure that it aligns with your security and compliance requirements.
If you are testing in regulated or legally sensitive environments, consider additional safeguards to verify the AI's output before acting.