Burp Suite MCP Server
Updated June 2026✓ OfficialThe Burp Suite MCP server, built by PortSwigger, provides the official Burp Suite MCP Server, published by PortSwigger, is a Burp extension that exposes Burp Suite's web-security testing engine to AI clients over the Model Context Protocol, letting Claude and other assistants drive live penetration-testing workflows against a target instead of just reasoning about them abstractly. It is officially maintained and best for Security.
by PortSwigger
About
The official Burp Suite MCP Server, published by PortSwigger, is a Burp extension that exposes Burp Suite's web-security testing engine to AI clients over the Model Context Protocol, letting Claude and other assistants drive live penetration-testing workflows against a target instead of just reasoning about them abstractly. It ships as a Java extension you load into Burp (built from source with `./gradlew embedProxyJar` to produce `burp-mcp-all.jar`, then added via the Extensions tab), and it bundles a packaged stdio MCP proxy alongside an SSE server so any MCP client can connect — Claude Desktop even gets an automatic installer that writes the client config for you. Once loaded, an MCP tab in the Burp UI controls the server: an Enabled checkbox toggles it, the host/port default to http://127.0.0.1:9876, and a separate opt-in checkbox is required before the assistant is allowed to expose config-editing tools, keeping destructive changes behind an explicit gate. Through these tools an AI client can interrogate and manipulate Burp's state — inspecting proxy history and HTTP traffic, sending and modifying requests, and coordinating scanning — which suits agentic security-testing, triage, and report-drafting workflows. Requires Java (with the `jar` command) on your PATH and a running Burp Suite instance. This is PortSwigger's own first-party server, so it tracks Burp's capabilities directly rather than screen-scraping the UI.
Installation
git clone https://github.com/PortSwigger/mcp-server.git && cd mcp-server && ./gradlew embedProxyJarCategories
Frequently Asked Questions
What is Burp Suite MCP Server?
Who built Burp Suite MCP Server?
Is Burp Suite MCP Server free?
How do I install Burp Suite MCP Server?
What does Burp Suite MCP Server integrate with?
Related Guides
Repo Health
Local/stdio install — runs on your machine, so there is no remote endpoint to verify live. Trust signal below is from the source repo.
Repo recency not yet available for this server.
Quick Info
- Install Type
- binary
- Author
- PortSwigger
- Categories
- 1
- Integrations
- 5
Related Servers
Snyk MCP Server (Community)
There is no official, Snyk-published Model Context Protocol server as of this writing — a commonly referenced `snyk/mcp-server` repo does not exist. The most active real alternative is sammcj/mcp-snyk, a community-built, MIT-licensed MCP server that wraps Snyk's API and CLI for agentic security scanning (marked alpha by its author, so expect rough edges). It exposes tools to scan a GitHub or GitLab repository by URL for vulnerabilities, scan an existing Snyk project by ID, and verify that a configured API token is valid, returning the associated user and organization info. Authentication uses a Snyk API token and an org ID, supplied via `SNYK_API_KEY`/`SNYK_ORG_ID` environment variables, falling back to the locally configured Snyk CLI org if one isn't set explicitly. Install with `npx -y github:sammcj/mcp-snyk` in your MCP client config (Claude Desktop, Cursor, etc.). Typical use: ask Claude to "scan https://github.com/org/repo for security vulnerabilities using Snyk" and get back a structured findings summary instead of switching to the Snyk web console. Snyk's own engineering org separately maintains snyk/agentic-integration-wrappers, a set of wrappers for plugging Snyk scanning into agentic workflows more broadly — worth checking if this community MCP server doesn't cover your use case, since it isn't an official Snyk product and has no guaranteed support or roadmap.
SonarQube MCP Server
The official SonarQube MCP Server, built and maintained by SonarSource, connects AI agents like Claude, Cursor, and VS Code Copilot to SonarQube Server or SonarQube Cloud so code quality and security become part of the agent's workflow rather than a separate CI step. Through it an assistant can pull the projects a token can see, retrieve open issues and code smells, inspect quality gate status and project metrics, and — notably — analyze a code snippet directly inside the agent context without the code first being committed and scanned by a pipeline, which lets Claude check its own just-written code against SonarQube's rules before you ever push. Authentication is a SonarQube user token supplied via the `SONARQUBE_TOKEN` environment variable; SonarQube Cloud users also set `SONARQUBE_ORG` (organization key), and self-hosted SonarQube Server users set `SONARQUBE_URL` to point at their instance (SonarQube Cloud US uses `https://sonarqube.us`). The server is distributed as a Java-based OCI container image at `sonarsource/sonarqube-mcp` on Docker Hub — run it with `docker run --pull=always -i --rm -e SONARQUBE_TOKEN -e SONARQUBE_ORG sonarsource/sonarqube-mcp`, or pin a version tag for reproducible deployments — and works with any OCI-compatible runtime such as Podman or nerdctl. SonarSource also provides an interactive Configuration Generator at mcp.sonarqube.com that emits ready-to-paste client config. Ideal for teams that want AI-assisted code review grounded in the same rules and quality gates their SonarQube project already enforces.
CrowdStrike Falcon
Connects AI agents with the CrowdStrike Falcon platform for intelligent security analysis.
Auth0 MCP Server
The official Auth0 MCP server lets Claude, Cursor, and Windsurf manage an Auth0 tenant end-to-end through natural language instead of the dashboard — create applications, deploy Actions, debug logs, and manage resource servers just by asking. Its standout feature is the guided onboarding flow: the auth0_onboarding tool detects your project framework, creates a correctly configured Auth0 application, writes credentials straight into a .env file (auto-added to .gitignore), and hands off to auth0_get_quickstart_guide, which resolves callback URLs and returns framework-specific SDK integration code — taking a project from zero to a working Auth0 login in one guided conversation. Beyond onboarding, the tool surface spans Applications (list/get/create/update, plus credential export), Resource Servers/APIs (create and manage scopes, token lifetimes, signing algorithms), Application Grants (authorize M2M apps against specific APIs with defined scopes), Actions (create, update, and deploy post-login/pre-token logic), Logs (search and inspect authentication events, e.g. failed logins from a given IP), and Forms (build and publish branded login/signup/password-reset forms). Installs via npx with a device-authorization OAuth flow that stores credentials in your system keychain, supports Claude Desktop, Claude Code, Cursor, Windsurf, VS Code, Gemini CLI, and Codex, and exposes --tools/--read-only flags to scope down which operations an AI agent can perform — important given its Beta status and full read/write tenant access by default.
Semgrep MCP Server
The official Semgrep MCP server lets an AI assistant run Semgrep — a fast, deterministic static analysis engine that semantically understands 30+ languages and ships over 5,000 security rules — directly against the code it is writing or reviewing, so you can "secure your vibe coding" without leaving Claude, Cursor, VS Code, or Windsurf. It exposes a focused tool surface: `security_check` scans code for vulnerabilities, `semgrep_scan` runs a scan with a given rule config, `semgrep_scan_with_custom_rule` applies a custom Semgrep rule you supply inline, `get_abstract_syntax_tree` returns the AST of a snippet so an agent can reason about code structure, `supported_languages` lists the languages Semgrep can parse, and `semgrep_rule_schema` fetches the latest rule JSON Schema for writing new rules. With a Semgrep AppSec Platform login and token, `semgrep_findings` pulls findings from your organization's cloud account. The server runs three ways — as a Python package via `uvx semgrep-mcp` (PyPI: semgrep-mcp), as a Docker container `ghcr.io/semgrep/mcp`, or against Semgrep's hosted endpoint at mcp.semgrep.ai — and supports stdio, Streamable HTTP, and SSE transports. Note: the standalone semgrep/mcp repository is now deprecated, with ongoing development folded into the main `semgrep` binary (semgrep/semgrep, under cli/src/semgrep/mcp), so future updates ship through the official Semgrep CLI itself.
Sponsored
1Password
14-day Free TrialStore and inject API keys, payment credentials, tokens, and file access secrets into your MCP server configs. Trusted by 150K+ developers.
Try 1Password free →