HN Security - Extending Burp Suite for fun and profit – The Montoya way – Part 10


May 5, 2026 | By Federico Dotta | Articles, Tools

Series index:
- Setting up the environment + Hello World
- Inspecting and tampering HTTP requests and responses
- Inspecting and tampering WebSocket messages
- Creating new tabs for processing HTTP requests and responses
- Adding new functionalities to the context menu (accessible by right-clicking)
- Adding new checks to Burp Suite Active and Passive Scanner
- Using the Collaborator in Burp Suite plugins
- BChecks – A quick way to extend Burp Suite Active and Passive Scanner
- Custom scan checks – An improved quick way to extend Burp Suite Active and Passive Scanner
- Burp AI
- … and much more!

Hi there! To kick off my collaboration with PortSwigger as a Burp Suite Ambassador and the Extensibility Month on PortSwigger Discord, what better topic than Burp AI, the features recently introduced by PortSwigger to further expand the capabilities of the suite. I'm sure we'll see many new features in this area in the future, but we already have APIs that we can use to create powerful extensions!

For a couple of years now at HN Security we have been dedicating part of our R&D time to the AI space. This has mainly led to the development of an internal AI red teaming methodology, but also to evaluating possible integrations of these technologies into our company's documentation and testing tools. At the moment these integrations are still limited, both for compliance reasons and because of the agreements we have with our clients, but we are likely in a transition phase that could lead, in the near future, to a more pervasive use of these technologies and a further improvement in the quality of our team's work.

This article focuses on using the AI features that PortSwigger currently offers to extensions. Their use from within the Burp GUI is out of scope for this series of articles and is not covered here.
To approach this topic, we are going to develop an extension named AI Reporter that simplifies reporting an issue. The idea is the following: when we find an issue during our manual analysis, we want to use AI to analyze the request and response, extract the relevant information, and add a specific issue to Burp. For example, we are in Repeater, we discover a SQL injection, and from the context menu we select "Report with AI", telling the model that the current request proves a SQL injection. The extension then creates a specific issue for us with the details of the identified problem, including generic SQL injection information and details of the particular issue extracted from the request/response.

I usually publish a PoC target to test the extension, but this time it is not necessary. You can try the extension against any previous target, or against any other target in which you found an issue. Remember that the extension sends these details to a third party, so if you want to try it during a penetration test you must be allowed to use third-party LLM models on that engagement. If you need a convenient target, the PortSwigger Web Security Academy has pretty much everything for any kind of application issue, such as the SQL injection labs.

Disclaimer: because it uses Burp's AI features, this extension consumes AI credits. At the moment every user with a Burp Suite Professional license has 10,000 free credits; once they are finished, additional credits need to be purchased. The extension's credit consumption is usually moderate, but it depends on the size of the request/response being reported.

Disclaimer 2: as mentioned above, the reported requests and responses, together with the data entered in the popup created by the extension, are sent to PortSwigger's AI infrastructure. You can find more details on the Burp AI policy in the Burp AI trust and compliance FAQ.

So, let's start from the beginning. How can we use AI in our extension?
We can get a reference to the Ai object from the usual MontoyaApi object that we receive when the extension is initialized. As the documentation says, there is one extra step: to be allowed to use the AI features, the extension must declare that it uses them when it is initialized. So we can build the skeleton of a new extension, as explained in Part 1, adding what is necessary to get access to the AI features:

```java
package org.fd;

import burp.api.montoya.BurpExtension;
import burp.api.montoya.EnhancedCapability;
import burp.api.montoya.MontoyaApi;
import burp.api.montoya.ai.Ai;
import burp.api.montoya.logging.Logging;

import java.util.Set;

import static burp.api.montoya.EnhancedCapability.AI_FEATURES;

public class AiReporter implements BurpExtension {
    MontoyaApi api;
    Ai ai;
    Logging logging;
    AiEngine aiEngine;
    boolean debug;

    @Override
    public void initialize(MontoyaApi api) {
        // Save a reference to the MontoyaApi object
        this.api = api;
        // Save a reference to the AI object
        this.ai = api.ai();
        // api.logging() returns an object that we can use to...
```
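The skeleton above stops mid-method in this excerpt. The following is a complete, compilable version of the same idea written for this page; it is not the author's AI Reporter code. It shows the two things the text asks for: declaring the AI capability by overriding `enhancedCapabilities()` to return `Set.of(AI_FEATURES)`, and then actually using `api.ai()` to turn a request/response pair plus a tester note into an audit issue in the Site map. It assumes the Montoya AI chat API (`Ai.isEnabled()`, `ai.prompt().execute(...)`, `Message.systemMessage`/`userMessage`, `PromptResponse.content()`, `PromptException`) and the `AuditIssue.auditIssue(...)` factory as documented in the Montoya Javadoc; the class name `AiReporterExample`, the `MAX_BODY_CHARS` cap and the prompt wording are choices made here, not anything from the original article.

```java
package org.fd;

import burp.api.montoya.BurpExtension;
import burp.api.montoya.EnhancedCapability;
import burp.api.montoya.MontoyaApi;
import burp.api.montoya.ai.Ai;
import burp.api.montoya.ai.chat.Message;
import burp.api.montoya.ai.chat.PromptException;
import burp.api.montoya.ai.chat.PromptResponse;
import burp.api.montoya.http.message.HttpRequestResponse;
import burp.api.montoya.logging.Logging;
import burp.api.montoya.scanner.audit.issues.AuditIssue;
import burp.api.montoya.scanner.audit.issues.AuditIssueConfidence;
import burp.api.montoya.scanner.audit.issues.AuditIssueSeverity;

import java.util.Set;

import static burp.api.montoya.EnhancedCapability.AI_FEATURES;

public class AiReporterExample implements BurpExtension {
    // Assumption made for this example: cap the raw request/response text sent per prompt.
    // Everything here leaves Burp for PortSwigger's AI infrastructure, and credit
    // consumption grows with the size of what we send.
    private static final int MAX_BODY_CHARS = 8_000;

    private MontoyaApi api;
    private Ai ai;
    private Logging logging;

    @Override
    public void initialize(MontoyaApi api) {
        this.api = api;
        this.ai = api.ai();                 // reference to the AI entry point
        this.logging = api.logging();       // Output / Errors tabs of the extension
        api.extension().setName("AI Reporter (example)");
        if (!ai.isEnabled()) {
            logging.logToOutput("Burp AI is not enabled for this extension; reporting will be skipped.");
        }
    }

    // The "extra step": without this declaration ai.prompt() is not permitted for the extension.
    @Override
    public Set<EnhancedCapability> enhancedCapabilities() {
        return Set.of(AI_FEATURES);
    }

    /**
     * Ask the model for a write-up of the evidence in one request/response pair and add the
     * result to the Site map as an audit issue. Returns the created issue, or null when AI is
     * unavailable or the prompt failed (the caller decides whether to fall back to a manual issue).
     */
    public AuditIssue reportWithAi(HttpRequestResponse reqRes, String issueName, String testerNote) {
        if (!ai.isEnabled()) {
            return null;
        }
        String request = truncate(reqRes.request().toString());
        String response = reqRes.response() == null
                ? "<no response>"
                : truncate(reqRes.response().toString());

        String detail;
        try {
            PromptResponse answer = ai.prompt().execute(
                    Message.systemMessage(
                            "You are a penetration tester writing a report. Using only the supplied HTTP "
                            + "request and response, describe the evidence for the stated issue: where the "
                            + "payload is and what in the response proves it. Do not invent facts."),
                    Message.userMessage("Issue: " + issueName
                            + "\nTester note: " + testerNote
                            + "\n\n=== REQUEST ===\n" + request
                            + "\n\n=== RESPONSE ===\n" + response));
            detail = answer.content();
        } catch (PromptException e) {
            // Out of credits, AI disabled mid-session, or a transport problem: log and bail out.
            logging.logToError("AI prompt failed: " + e.getMessage());
            return null;
        }

        // Severity and confidence are set by the tester who confirmed the finding, not by the model.
        AuditIssue issue = AuditIssue.auditIssue(
                issueName,
                detail,
                "",                             // remediation text, left for the tester to fill in
                reqRes.request().url(),
                AuditIssueSeverity.HIGH,
                AuditIssueConfidence.FIRM,
                "",                             // generic background text
                "",                             // generic remediation background
                AuditIssueSeverity.HIGH,
                reqRes);
        api.siteMap().add(issue);
        return issue;
    }

    // Keep prompts bounded: large bodies (file uploads, big JSON) otherwise dominate the credit cost.
    private static String truncate(String s) {
        return s.length() <= MAX_BODY_CHARS ? s : s.substring(0, MAX_BODY_CHARS) + "\n[... truncated ...]";
    }
}
```

Two design points worth keeping in a real extension: the system message tells the model to stick to the supplied request/response, which limits how much hallucinated "evidence" ends up in a client report; and severity/confidence come from the tester, so the model only writes prose and never decides how serious a finding is. Before wiring this to a context menu, check the exact method names against the Montoya Javadoc shipped with your Burp version, since the AI API is newer than the rest of the Montoya surface.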
