Burp Suite MCP Server
The Burp Suite MCP Server exposes Burp Suite's REST API as tools for AI assistants, enabling automated web application security scanning and vulnerability management.
Scan URLs for vulnerabilities – Initiate security scans against one or more target URLs, with optional scope configuration, and receive a
task_idfor tracking.Check scan progress – Retrieve real-time scan status and findings by
task_id, with the ability to filter results by severity (low,info,medium,high, orall).Get scan summary – Obtain a high-level overview of scan results showing issue counts grouped by severity.
Wait for scan completion – Poll a scan until it finishes or a timeout is reached, with configurable polling interval — useful for CI/CD pipelines.
List active scans – View all currently running or pending scans (availability depends on Burp API version).
Cancel a scan – Stop an in-progress scan by its
task_id(availability depends on Burp API version).Query security issue definitions – Access Burp Suite's built-in knowledge base, including vulnerability names, descriptions, remediation guidance, and references.
Check Burp connectivity – Validate the connection and configuration to the Burp Suite REST API.
Allows interaction with Burp Suite's REST API to trigger vulnerability scans, monitor scan progress, retrieve security findings, and query Burp's security knowledge base.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@Burp Suite MCP ServerScan https://example.com and alert me of any high severity vulnerabilities"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Burp Suite MCP Server
An MCP (Model Context Protocol) server that exposes Burp Suite's REST API as tools for AI assistants. Use Cursor or other MCP clients to trigger vulnerability scans, check progress, and query Burp's security knowledge base.
Prerequisites
Burp Suite Professional (or Burp Suite DAST) with the REST API enabled
Python 3.11+
Burp running locally with REST API bound to a reachable address (e.g.
http://127.0.0.1:1337)
Setup
1. Enable Burp REST API
Open Burp Suite → Settings → Suite → REST API
Check Service running
Set the URL/port (e.g. port
1337)Create an API key and copy it
2. Install the MCP server
uv sync # or: pip install -e .3. Configure environment
Copy .env.example to .env and fill in your values:
cp .env.example .envEdit .env:
BURP_REST_API_BASE=http://127.0.0.1:1337
BURP_REST_API_KEY=your-api-key-here
BURP_REST_API_VERSION=v0.1Transport modes
The server supports three transports, selected with --transport:
Flag | Transport | Use case |
| stdio (default) | Local MCP clients (Cursor, Claude Desktop) |
| Server-Sent Events | HTTP clients using the legacy SSE protocol |
| Streamable HTTP | HTTP clients using the modern MCP HTTP protocol |
For sse and http, bind address and port are configurable:
# Default: localhost only, port 8000
uv run python main.py --transport http
# Expose on all interfaces, custom port
uv run python main.py --transport http --host 0.0.0.0 --port 9000
# SSE transport
uv run python main.py --transport sse --host 127.0.0.1 --port 8000Cursor MCP Configuration
stdio (local process)
Add to your Cursor MCP config (e.g. ~/.cursor/mcp.json or project .cursor/mcp.json):
{
"mcpServers": {
"burp-suite": {
"command": "uv",
"args": ["run", "python", "/path/to/burp-mcp/main.py"],
"cwd": "/path/to/burp-mcp"
}
}
}HTTP (remote/shared server)
Start the server with HTTP transport, then point your MCP client at it:
uv run python main.py --transport http --host 0.0.0.0 --port 8000{
"mcpServers": {
"burp-suite": {
"url": "http://localhost:8000/mcp"
}
}
}Tools
Tool | Description |
| Get Burp's security issue definitions (name, description, remediation, references) |
| Start a scan for given URLs. Returns a |
| Get scan status and findings by |
| High-level summary: total issues by severity |
| List running/pending scans (may not be supported by all Burp API versions) |
| Cancel a scan by task_id (may not be supported by all Burp API versions) |
| Test connectivity to Burp API; validates config |
| Poll until scan completes or times out (for CI/CD) |
Usage Examples
Scan a URL:
"Scan https://example.com for vulnerabilities"
Check scan progress:
"Check scan progress for task_id 123"
Get high-severity issues only:
"Check scan 123 and show only high severity issues"
Security knowledge:
"What security issues does Burp know about?"
Command-line usage
Run scans from scripts or the terminal:
uv run python examples/ci-scan.py https://your-target.com
# or
./examples/ci-scan.sh https://your-target.comBurp REST API Endpoints Used
Endpoint | Method | Description |
| GET | Security issue definitions |
| POST | Start scan (body: |
| GET | List scans (may not be supported) |
| GET | Scan progress and results |
| DELETE | Cancel scan (may not be supported) |
Interactive API docs: [BURP_REST_API_BASE]/[API_KEY]
License
MIT
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/jayluxferro/burp-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server