Bounty Security

801 posts

@BountySecurity

Offensive Web Application Security Software

Joined May 2018
9.7K Following, 19.2K Followers

Pinned Tweet
Bounty Security @BountySecurity
Burp Bounty Pro v3.1.0 is out. New: AI Scanner. Sends each request to an LLM with structured context extracted from the response. The AI decides which profiles to launch automatically. A new option alongside Active Scan and Smart Scan, not a replacement.

Bounty Security @BountySecurity
The gateway is the map of the architecture. Kong → likely rate limiting and auth plugins. Envoy → service mesh + microservices. Latency headers → where the LLM provider lives. Passive recon that changes the whole engagement 🎁 15 days free → bountysecurity.ai/pages/contact-…

Bounty Security @BountySecurity
Profile 2 of the new AI/LLM set in Burp Bounty Pro: API gateway fingerprints. 🌐 Detects: x-kong-upstream-latency x-kong-proxy-latency x-kong-request-id x-envoy-upstream-service-time x-envoy-attempt-count x-envoy-original-path

Bounty Security retweeted
Edu Garcia @egarme
Sharp take from my @kaptorsecurity co-founder @joserabal. Technical people used to be the most aware of the risks. Now we're one of attackers' favourite targets. Malicious extensions, agent Skills repos, indirect prompt injection. Full take 👇 linkedin.com/posts/cybersec…

Bounty Security @BountySecurity
AI pentests are growing fast. The first step on any of them: figure out the model, the provider, the architecture. Profile #1 of 6 in the new AI/LLM set detects: 🔍 x-ai-backend 🔍 x-llm-provider 🔍 x-openai-model 🔍 x-anthropic-model 🔍 x-mcp-enabled 🔍 x-model
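The header names listed in the two profile tweets above (Kong/Envoy gateway fingerprints and AI/LLM backend headers) lend themselves to a simple self-check: run it against your own service's responses to see which of these disclosures you are leaking before someone else's passive scan does. This is an added example, not Burp Bounty's code; the `FINGERPRINTS` table is built only from the header names quoted in the tweets, and the sample response is constructed.

```python
"""Passive response-header disclosure check (added example, not Burp Bounty Pro's
own profile code). Parses a raw HTTP response and reports every header that
reveals the API gateway or the AI/LLM backend behind the endpoint."""
from typing import Dict, List, Tuple

# Header names quoted in the tweets above, grouped by what they disclose.
FINGERPRINTS: Dict[str, Tuple[str, ...]] = {
    "api-gateway:kong": (
        "x-kong-upstream-latency", "x-kong-proxy-latency", "x-kong-request-id"),
    "api-gateway:envoy": (
        "x-envoy-upstream-service-time", "x-envoy-attempt-count", "x-envoy-original-path"),
    "ai-llm-backend": (
        "x-ai-backend", "x-llm-provider", "x-openai-model",
        "x-anthropic-model", "x-mcp-enabled", "x-model"),
}


def parse_headers(raw: str) -> Dict[str, str]:
    """Return the header block of a raw HTTP response as a lower-cased dict.
    Accepts CRLF or bare LF line endings; the status line is skipped."""
    head = raw.split("\r\n\r\n", 1)[0].split("\n\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def fingerprint(raw: str) -> List[Tuple[str, str, str]]:
    """Return (category, header, value) for each disclosing header present."""
    headers = parse_headers(raw)
    findings: List[Tuple[str, str, str]] = []
    for category, names in FINGERPRINTS.items():
        for name in names:
            if name in headers:
                findings.append((category, name, headers[name]))
    return findings


# Constructed sample response; not captured from any real system.
SAMPLE = ("HTTP/1.1 200 OK\r\n"
          "Content-Type: application/json\r\n"
          "X-Kong-Upstream-Latency: 812\r\n"
          "X-Kong-Proxy-Latency: 3\r\n"
          "X-LLM-Provider: example-provider\r\n"
          "\r\n"
          '{"answer": "..."}')

if __name__ == "__main__":
    for category, name, value in fingerprint(SAMPLE):
        print(f"{category:18} {name}: {value}")
```

Header matching is case-insensitive, so `X-Kong-Proxy-Latency` and `x-kong-proxy-latency` are treated alike, mirroring how a passive scanner would see them.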

Bounty Security @BountySecurity
Validate them on Burp Bounty Lab. Load Burp Bounty Pro with the new profiles, point at burpbountylab.com, all 6 fire. Start of an AI-focused profile set. Disclosure patterns you keep seeing in AI pentests? Drop them.

Bounty Security @BountySecurity
Just shipped 6 new passive profiles for Burp Bounty Pro, focused on AI/LLM disclosure surfaces: 🔍 AI/LLM response headers 🌐 Kong + Envoy fingerprints ❤️ Health, status, metrics endpoints 📦 AI metadata in JSON bodies 🤖 OpenAI-compatible API detection ⏱️ RateLimit headers

Bounty Security retweeted
Kaptor Security @kaptorsecurity
Have you tried AI-driven pentesting and felt it falls short of what you expected? Loss of focus, false positives, low-impact findings, token costs that don’t pay off... This Thursday on the Kaptor blog: approaches, architectures, and tips to make AI genuinely useful.

Bounty Security @BountySecurity
5 features the data says most users miss: 🏷️ Tags Manager 🧠 Custom Smart Scan rules 🔗 Multi-step profiles ✨ AI Scanner prompt customization 🪙 Per-host scan deduplication Deep dive each day. Some old, some new in v3.1.0. All worth knowing bountysecurity.ai/pages/burp-bou…

Bounty Security @BountySecurity
Sent a survey to Burp Bounty Pro users. Half didn't know Tags Manager existed. We spent months building it. It powers Smart Scan rules, filters the Profiles tab, organizes scans by tech stack. Half the people using BBP daily weren't touching it. This week: a roundup.

Bounty Security @BountySecurity
The math: scan 500 endpoints across 3 hosts. Without dedup, 62 profiles fire 500 times each. With dedup, 3 times each. ~30,000 fewer requests, same coverage ✨ Automatic. No config needed. bountysecurity.ai/pages/burp-bou…

Bounty Security @BountySecurity
Quiet v3.1.0 feature in Burp Bounty Pro: per-host scan deduplication. 62 of 256 default profiles run once per host, not once per request: 📂 Exposed .git 🔑 Admin panel discovery 📦 Backup files at root ⚙️ Actuator/management endpoints 🖥 Server-wide tech detection

Bounty Security @BountySecurity
The 28 default rules are a starting point. Real value shows up when you build rules for your testing methodology. Detect GraphQL → fire introspection. Detect Spring → fire Spring CVEs. Build once, works across every engagement ✨ bountysecurity.ai/pages/burp-bou…

Bounty Security @BountySecurity
🧠 Build your own Smart Scan rule in BBP: → IF: Passive profile matches "URL_Param" tag (params like redirect_url, callback, next) → THEN: Execute profiles with "SSRF" + "Open_Redirect" tags → Settings: threads, concurrency, RPS Browse target. Auto-fires on every match.

Bounty Security @BountySecurity
Sharp piece from @kaptorsecurity on why pentesting AI systems isn't a classic pentest with extra steps. Prompt injection, probabilistic guardrails, the lethal trifecta, PoisonedRAG, tool poisoning... Worth a read for anyone auditing AI-driven systems. kaptor.ai/blog/classic-p…

Bounty Security @BountySecurity
Real value: prioritize bug classes per engagement, teach the AI about your custom profile names, adjust correlations for specific tech stacks (GraphQL, JWT, etc) ✨ 10 minutes at the start of an engagement. bountysecurity.ai/pages/burp-bou…

Bounty Security @BountySecurity
🛠 Customize the AI Scanner in Burp Bounty Pro with two editable prompts: ⚙️ System Prompt: profile taxonomy, parameter correlations, confidence rules 📝 User Prompt: template per request with {REQUEST}, {PARAMETERS}, {RESPONSE_HEADERS}, {AVAILABLE_PROFILES} placeholders

Bounty Security @BountySecurity
Each scanner has independent config: excluded extensions, methods, threads, concurrency, RPS. Plus AI Analysis Concurrency for the AI Scanner. Most users only know about Live Passive bountysecurity.ai/pages/burp-bou…

Bounty Security @BountySecurity
🔄 Three Live Scanners in Burp Bounty Pro: 👁 Live Passive Scan: profiles analyze every request/response 🧠 Live Smart Scan: rules trigger active profiles on passive matches ✨ Live AI Scanner: LLM picks profiles per request Each one independent and fully configurable.