Allows interaction with Burp Suite's REST API to trigger vulnerability scans, monitor scan progress, retrieve security findings, and query Burp's security knowledge base.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@Burp Suite MCP ServerScan https://example.com and alert me of any high severity vulnerabilities"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Burp Suite MCP Server
An MCP (Model Context Protocol) server that exposes Burp Suite's REST API as tools for AI assistants. Use Cursor or other MCP clients to trigger vulnerability scans, check progress, and query Burp's security knowledge base.
Prerequisites
Burp Suite Professional (or Burp Suite DAST) with the REST API enabled
Python 3.11+
Burp running locally with REST API bound to a reachable address (e.g.
http://127.0.0.1:1337)
Setup
1. Enable Burp REST API
Open Burp Suite → Settings → Suite → REST API
Check Service running
Set the URL/port (e.g. port
1337)Create an API key and copy it
2. Install the MCP server
uv sync # or: pip install -e .3. Configure environment
Copy .env.example to .env and fill in your values:
cp .env.example .envEdit .env:
BURP_REST_API_BASE=http://127.0.0.1:1337
BURP_REST_API_KEY=your-api-key-here
BURP_REST_API_VERSION=v0.1Cursor MCP Configuration
Add to your Cursor MCP config (e.g. ~/.cursor/mcp.json or project .cursor/mcp.json):
{
"mcpServers": {
"burp-suite": {
"command": "uv",
"args": ["run", "python", "/path/to/burp-mcp/main.py"],
"cwd": "/path/to/burp-mcp"
}
}
}Or with python directly:
{
"mcpServers": {
"burp-suite": {
"command": "python",
"args": ["/path/to/burp-mcp/main.py"]
}
}
}Tools
Tool | Description |
| Get Burp's security issue definitions (name, description, remediation, references) |
| Start a scan for given URLs. Returns a |
| Get scan status and findings by |
| High-level summary: total issues by severity |
| List running/pending scans (may not be supported by all Burp API versions) |
| Cancel a scan by task_id (may not be supported by all Burp API versions) |
| Test connectivity to Burp API; validates config |
| Poll until scan completes or times out (for CI/CD) |
Usage Examples
Scan a URL:
"Scan https://example.com for vulnerabilities"
Check scan progress:
"Check scan progress for task_id 123"
Get high-severity issues only:
"Check scan 123 and show only high severity issues"
Security knowledge:
"What security issues does Burp know about?"
Command-line usage
Run scans from scripts or the terminal:
uv run python examples/ci-scan.py https://your-target.com
# or
./examples/ci-scan.sh https://your-target.comBurp REST API Endpoints Used
Endpoint | Method | Description |
| GET | Security issue definitions |
| POST | Start scan (body: |
| GET | List scans (may not be supported) |
| GET | Scan progress and results |
| DELETE | Cancel scan (may not be supported) |
Interactive API docs: [BURP_REST_API_BASE]/[API_KEY]
License
MIT
This server cannot be installed
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.