burp-mcp-server

Provides an MCP server (stdio for Claude Desktop, and an HTTP mode for testing) that integrates with BurpSuite via the Montoya API to trigger scans, retrieve scan results, and access proxy/traffic history and scan queue/issue resources.

Evaluated Apr 04, 2026

Tags: Security, mcp, burpsuite, montoya-api, security-testing, json-rpc, claude-desktop, java, stdio, http-mode
Agent Friendliness: 44 / 100 (Can an agent use this?)
Security: 34 / 100 (Is it safe for agents?)
Reliability: 22 / 100 (Does it work consistently?)

Score Breakdown

Agent Friendliness

MCP Quality: 75
Documentation: 60
Error Messages: 0
Auth Simplicity: 20
Rate Limits: 10

Security

TLS Enforcement: 20
Auth Strength: 25
Scope Granularity: 20
Dep. Hygiene: 50
Secret Handling: 60

Security-relevant points from the README: the server runs on localhost only by default; the environment variable BURP_MCP_LOG_LEVEL suggests logging can be made verbose, and verbose logs may capture sensitive request/response data (review log retention). No explicit TLS, authentication, scope/permission model, or data-handling guarantees are documented. Dependency hygiene cannot be verified from the provided content; Jackson and SLF4J are listed as dependencies, but no CVE status is available.

Reliability

Uptime/SLA: 0
Version Stability: 40
Breaking Changes: 20
Error Recovery: 30

Best When

You have BurpSuite and want an agent/workflow (Claude Desktop via MCP) to drive scanning and then retrieve results programmatically on a local machine.

Avoid When

You need strong authentication/authorization for multi-user access, or you must comply with strict operational controls (because no auth model or rate limiting details are documented).

Use Cases

  • Use Claude Desktop (MCP) to initiate BurpSuite passive/active/full scans
  • Fetch scan results and discovered vulnerabilities from BurpSuite
  • Inspect proxy HTTP request/response history through a conversational interface
  • Monitor scan queue status and active tasks via MCP resources

Not For

  • Internet-exposed deployment without network controls (server is stated as localhost-only by default)
  • Use as a general-purpose API for third-party apps without understanding BurpSuite/Montoya access requirements
  • Automated large-scale scanning from untrusted prompts without guardrails/authorization

Interface

REST API: Yes
GraphQL: No
gRPC: No
MCP Server: Yes
SDK: No
Webhooks: No

Authentication

Methods: None documented (local stdio/localhost operation implied)
OAuth: No
Scopes: No

No authentication mechanism is described for the MCP server or HTTP mode in the provided README. Configuration appears to be local/controlled via CLI and environment variables.

Pricing

Free tier: No
Requires CC: No

Open-source MIT license; no service pricing described.

Agent Metadata

Pagination: none
Idempotent: False
Retry Guidance: Not documented

Known Gotchas

  • No documented rate limits for the MCP/HTTP endpoints
  • No documented authentication/authorization; assume the only security boundary is the local machine
  • Scan actions can be stateful/expensive; repeated calls may queue multiple scan tasks
  • HTTP mode and stdio mode differ; tool behavior may vary depending on transport


Scores are editorial opinions as of 2026-04-04.
