Burp Suite Community Edition is the free tier of PortSwigger’s web application security testing platform. It sits between a browser and a target application, intercepting and manipulating HTTP and HTTPS traffic. For learners and occasional testers, it covers a meaningful slice of what professional web application penetration testing actually involves — but PortSwigger draws sharp lines around the features that matter most for automated and high-volume work.

What Community Edition Gives You

The intercepting proxy is the core of Burp Suite, and Community Edition gives you the full version of it. You can intercept requests and responses, modify them on the fly, drop them, or forward them unchanged. The proxy listens on 127.0.0.1:8080 by default and works with any browser you point at it; Community Edition also bundles Burp's own Chromium-based browser, which is preconfigured to route through the proxy and already trusts Burp's CA. TLS interception works with an external browser too, once you install Burp's CA certificate (downloadable from http://burpsuite while that browser is proxied, or exported from the Proxy settings) into the browser's trust store. Keep that certificate in a dedicated testing profile rather than your everyday browser: the CA is unique to your Burp installation, and anyone who obtains its private key can impersonate any HTTPS site to a browser that trusts it.

Alongside the proxy, you get the Repeater tool without restriction. Repeater lets you take a captured request, modify any part of it — headers, parameters, body, method — and resend it as many times as you want. This is the workhorse for manual vulnerability testing. If you suspect a parameter is vulnerable to SQL injection or reflected XSS, you can craft and resend payloads by hand, inspect responses, and iterate. Repeater’s lack of automation doesn’t hurt it for methodical, request-by-request testing.

The Decoder and Comparer tools are also fully available. Decoder handles encoding and decoding across formats including Base64, URL encoding, HTML encoding, hex, and gzip, which comes up constantly when examining tokens, cookies, and serialized data. Comparer does a visual diff between two pieces of data — two responses, two request bodies, two encoded strings. These are not glamorous tools, but they solve specific, recurring problems in web testing without requiring any workaround or upgrade.
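The recurring Decoder task is peeling several layers off one opaque value (a cookie that is URL-encoded Base64 of gzipped JSON, say), which is what its "Smart decode" button automates. The following is an added example, not PortSwigger's code: it re-implements that layer-peeling loop with its own detection heuristics, and accepts a candidate decoding only when the output is plausible (gzip data, or mostly printable UTF-8). That acceptance check is what stops a plain value such as `admin123`, which is syntactically valid Base64, from being "decoded" into garbage. The sample values are constructed here, not captured from any real application.

```python
"""Peel nested encodings off an opaque value, the job Burp Decoder's
"Smart decode" does on cookies and tokens.

Added example, not PortSwigger's code: the layer-detection heuristics are this
example's own. A candidate decoding is accepted only if the output is plausible
(gzip data or mostly printable UTF-8), so a plain value such as "admin123" is
not mistaken for base64.
"""
import base64
import binascii
import gzip
import html
import json
import re
import urllib.parse

GZIP_MAGIC = b"\x1f\x8b"
HEX_RE = re.compile(rb"^(?:[0-9a-fA-F]{2})+$")
B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")
B64URL_RE = re.compile(rb"^[A-Za-z0-9_-]+$")
ENTITY_RE = re.compile(rb"&(?:#\d+|#x[0-9a-fA-F]+|[a-zA-Z]+);")


def plausible(data):
    """Accept a decoding result only if it looks like data rather than noise."""
    if data.startswith(GZIP_MAGIC):
        return True
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    printable = sum(1 for ch in text if ch.isprintable() or ch in "\r\n\t")
    return bool(text) and printable / len(text) >= 0.95


def candidates(data):
    """Yield (layer_name, decoded) for every encoding whose syntax the value matches."""
    if data.startswith(GZIP_MAGIC):
        try:
            yield "gzip", gzip.decompress(data)
        except (OSError, EOFError):
            pass
    if len(data) >= 8 and HEX_RE.match(data):
        yield "hex", binascii.unhexlify(data)
    if len(data) >= 8 and len(data) % 4 == 0 and B64_RE.match(data):
        yield "base64", base64.b64decode(data, validate=True)
    if len(data) >= 8 and B64URL_RE.match(data) and (b"-" in data or b"_" in data):
        try:
            yield "base64url", base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))
        except binascii.Error:
            pass
    if b"%" in data:
        yield "url", urllib.parse.unquote_to_bytes(data)
    if ENTITY_RE.search(data):
        yield "html", html.unescape(data.decode("utf-8", "replace")).encode("utf-8")


def smart_decode(value, max_layers=8):
    """Return (layers_peeled, innermost_value); stops when no layer applies."""
    layers, data = [], value
    for _ in range(max_layers):
        for name, decoded in candidates(data):
            if decoded != data and plausible(decoded):
                layers.append(name)
                data = decoded
                break
        else:
            break
    return layers, data


# Constructed samples (not captured from any real application).
SAMPLE_COOKIE = base64.b64encode(gzip.compress(json.dumps({"uid": 1042, "role": "user"}).encode()))
SAMPLE_URL = b"uid%3D1042%26role%3Duser"
SAMPLE_HEX = b"7b2261646d696e223a66616c73657d"   # hex of {"admin":false}
SAMPLE_PLAIN = b"admin123"                         # valid base64 syntax, but not encoded

if __name__ == "__main__":
    for sample in (SAMPLE_COOKIE, SAMPLE_URL, SAMPLE_HEX, SAMPLE_PLAIN):
        layers, inner = smart_decode(sample)
        print(f"{sample[:32]!r:40} layers={layers} -> {inner!r}")
```

The ordering of the checks matters: a hex string is also syntactically valid Base64, so hex is tried first, and a genuine Base64 value that happens to consist only of hex characters would be peeled wrongly. Smart decode has the same ambiguity, which is why the manual per-format buttons in Decoder remain useful when the automatic guess looks wrong.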

Community Edition also includes Sequencer, which analyzes the randomness of tokens. You feed it a sample of captured tokens (session cookies, CSRF tokens, password-reset tokens), either captured live by repeating a request or pasted in manually, and it runs statistical tests against the sample: the FIPS 140-2 battery (monobit, poker, runs, long runs) plus character-level and bit-level analyses across token positions. Read the result in one direction only. A failed test is structured evidence that the generator is biased or short on entropy; a pass proves little, because the tests detect statistical bias in a sample, not predictability. A token derived from a timestamp and a hash, or from a PRNG seeded with something guessable, can look perfectly random to Sequencer and still be forgeable. It also needs a sample of at least a hundred or so tokens before its analysis means anything.
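To make concrete what Sequencer's FIPS 140-2 results mean, here is an added example (not PortSwigger's code) that re-implements the four FIPS 140-2 tests with their published pass intervals over the first 20,000 bits of a token sample, and runs them against three constructed samples: a hex-encoded incrementing counter, a byte pattern that is perfectly balanced but has no entropy, and a stand-in for a CSPRNG-backed generator (SHA-256 over a counter with a fixed seed, used here only so the output is reproducible; it is not a recommendation for generating tokens). The patterned sample is the instructive one: it passes monobit and fails everything else, which is why a single passing test tells you nothing.

```python
"""FIPS 140-2 style randomness tests over a sample of captured tokens.

Added example, not PortSwigger code: it re-implements the four statistical tests
Burp Sequencer reports (monobit, poker, runs, long run) with the pass intervals
from FIPS 140-2, over the first 20,000 bits of the sample.
"""
import hashlib

N_BITS = 20000
# Runs test: allowed number of runs of each length (6 means "6 or more"),
# applied separately to runs of zeros and runs of ones.
RUN_INTERVALS = {1: (2315, 2685), 2: (1114, 1386), 3: (527, 723),
                 4: (240, 384), 5: (103, 209), 6: (103, 209)}


def tokens_to_bits(tokens, n_bits=N_BITS):
    """Concatenate raw token bytes and return exactly n_bits bits (MSB first)."""
    bits = []
    for tok in tokens:
        for byte in tok:
            bits.extend((byte >> i) & 1 for i in range(7, -1, -1))
        if len(bits) >= n_bits:
            return bits[:n_bits]
    raise ValueError(f"sample too small: {len(bits)} bits, need {n_bits}")


def monobit(bits):
    """Count of ones must lie strictly between 9725 and 10275."""
    ones = sum(bits)
    return 9725 < ones < 10275, ones


def poker(bits):
    """Chi-square style statistic over the 5000 non-overlapping 4-bit nibbles."""
    counts = [0] * 16
    for i in range(0, len(bits), 4):
        counts[(bits[i] << 3) | (bits[i + 1] << 2) | (bits[i + 2] << 1) | bits[i + 3]] += 1
    x = (16 / 5000) * sum(c * c for c in counts) - 5000
    return 2.16 < x < 46.17, x


def runs(bits):
    """Per-length run counts must fall in RUN_INTERVALS; no run may reach 26."""
    counts = {0: dict.fromkeys(RUN_INTERVALS, 0), 1: dict.fromkeys(RUN_INTERVALS, 0)}
    longest = 0
    i = 0
    while i < len(bits):
        j = i
        while j < len(bits) and bits[j] == bits[i]:
            j += 1
        length = j - i
        longest = max(longest, length)
        counts[bits[i]][min(length, 6)] += 1
        i = j
    in_range = all(lo <= counts[b][k] <= hi
                   for b in (0, 1) for k, (lo, hi) in RUN_INTERVALS.items())
    return in_range, longest < 26, counts, longest


def analyze(tokens):
    """Run all four tests over the sample and return pass/fail plus raw statistics."""
    bits = tokens_to_bits(tokens)
    mono_ok, ones = monobit(bits)
    poker_ok, x = poker(bits)
    runs_ok, long_ok, _, longest = runs(bits)
    return {"monobit": mono_ok, "poker": poker_ok, "runs": runs_ok, "long_run": long_ok,
            "ones": ones, "poker_x": x, "longest_run": longest}


# Constructed samples (not captured from any real application).
WEAK = [f"{0x5a3f0000 + i:032x}".encode() for i in range(100)]   # counter as hex ASCII
PATTERNED = [bytes([0x55]) * 25] * 100                            # 01010101...: balanced, no entropy
STRONG = [hashlib.sha256(b"demo-seed" + i.to_bytes(4, "big")).digest() for i in range(80)]

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("patterned", PATTERNED), ("strong", STRONG)):
        print(name, analyze(sample))
```

The "weak" sample fails monobit outright because ASCII hex digits are mostly zero bits; the "patterned" sample has exactly 10,000 ones and sails through monobit while the poker statistic explodes and every run has length one. Sequencer applies the same tests, then goes further with per-position character analysis, but the reading rule is the same as above: a failure is evidence, a pass is not a proof.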

Where Community Edition Stops

The Scanner is absent entirely. In Burp Suite Professional, the active scanner crawls an application and fires payloads to detect vulnerabilities automatically — SQL injection, XSS, server-side request forgery, path traversal, and dozens of other classes. Community Edition has no equivalent. You can spot these vulnerabilities manually, and the Repeater tool supports that work, but there is no automated detection. For someone testing a large application with hundreds of endpoints, the absence of the scanner is not a minor inconvenience.

The Intruder tool exists in Community Edition but is throttled. Intruder automates request sending with payload substitution across one or more insertion points. In Professional it runs at full speed. In Community Edition, PortSwigger imposes an intentional rate limit that makes Intruder slow enough to be impractical for any real-scale task: brute-forcing login forms, fuzzing parameters, or enumerating directories. The throttle is significant enough that a task requiring thousands of requests can take hours rather than minutes. Two workarounds are common. Turbo Intruder, a free PortSwigger extension from the BApp Store, runs inside Community Edition without the throttle and drives requests from a short Python script; alternatively, the request is copied out to an external fuzzer such as ffuf or wfuzz. Whichever you use, the engagement's agreed rate limits still apply; the throttle is a licensing boundary, not a safety control.

The Collaborator client is not available in Community Edition. Burp Collaborator is a server-side component that detects out-of-band interactions — DNS lookups, HTTP requests, and SMTP connections triggered by the target application in response to injected payloads. It’s essential for detecting blind SSRF, blind XXE, and some forms of blind command injection, where the vulnerability doesn’t produce a visible response change in the HTTP reply. Without Collaborator, detecting these vulnerability classes requires alternative out-of-band infrastructure, such as a self-hosted interactsh server or a canary token service.

Project files, which save an entire testing session (requests, responses, scanner results, target maps, notes) to disk, are not supported in Community Edition; only temporary projects are available, so when you close Burp the session state is gone. You can export selected items from the Proxy history or Repeater as XML with "Save items", and you can save and reload your configuration, but nothing restores a session. For any engagement longer than a single sitting this is a real limitation. PortSwigger has been clear that project files are a Professional feature, and there is no workaround beyond disciplined manual documentation and exports.

Extensions from the BApp Store are partially available in Community Edition. Some run without restriction, while others require Professional, and the store labels them accordingly. Extensions that depend on the Scanner or Collaborator fall into the latter category. Autorize, which tests for broken object-level authorization by replaying each captured request under a lower-privilege or unauthenticated session and comparing the responses, works in Community Edition. ActiveScan++ does not, because it adds checks to the active scanner.
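The replay-and-compare loop Autorize automates is simple enough to show end to end. The following is an added example, not Autorize's code: each path captured from a privileged session is replayed with a lower-privilege bearer token and with no token, and each replay is classified against the privileged response. The target application is a constructed in-memory stand-in with one deliberate flaw (the invoices endpoint never checks ownership), and the verdict labels only loosely mirror Autorize's categories.

```python
"""Authorization differential testing in the style of the Autorize extension.

Added example, not Autorize's own code: every request captured in a privileged
session is replayed with a lower-privilege token and with no token, and each
replay is classified by comparing it to the privileged response. The target is
a constructed in-memory stand-in for a web API, with one deliberate IDOR.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    status: int
    body: str


# Constructed target application (not a real service).
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
PROFILES = {"alice": '{"email":"alice@example.test"}', "bob": '{"email":"bob@example.test"}'}
INVOICES = {"alice": '["INV-1001","INV-1002"]', "bob": '["INV-2001"]'}


def target(path, headers):
    """Minimal API: /api/profile/<user> checks ownership, /api/invoices/<user> does not."""
    token = headers.get("Authorization", "").removeprefix("Bearer ")
    user = TOKENS.get(token)
    if user is None:
        return Response(401, '{"error":"unauthenticated"}')
    parts = path.strip("/").split("/")
    if len(parts) == 3 and parts[:2] == ["api", "profile"]:
        if parts[2] != user:
            return Response(403, '{"error":"forbidden"}')
        return Response(200, PROFILES[parts[2]])
    if len(parts) == 3 and parts[:2] == ["api", "invoices"]:
        # Deliberate flaw: any authenticated user can read anyone's invoices (IDOR).
        return Response(200, INVOICES.get(parts[2], "[]"))
    return Response(404, '{"error":"not found"}')


def classify(privileged, replayed):
    """Verdict for one replay relative to the privileged response."""
    if replayed.status in (401, 403):
        return "Enforced"
    if replayed.status == privileged.status and replayed.body == privileged.body:
        return "Bypassed"
    # A 200 with a different body may be a soft error page or another user's data;
    # Autorize lets you configure an "enforcement detector" fingerprint for this case.
    return "Undetermined"


def authorization_differential(paths, high_token, low_token):
    """Replay each path as high-priv, low-priv and anonymous; return verdicts per path."""
    results = {}
    for path in paths:
        priv = target(path, {"Authorization": f"Bearer {high_token}"})
        low = target(path, {"Authorization": f"Bearer {low_token}"})
        anon = target(path, {})
        results[path] = {"low_priv": classify(priv, low), "anonymous": classify(priv, anon)}
    return results


CAPTURED_PATHS = ["/api/profile/alice", "/api/invoices/alice"]

if __name__ == "__main__":
    for path, verdicts in authorization_differential(CAPTURED_PATHS, "tok-alice", "tok-bob").items():
        print(f"{path:24} low-priv: {verdicts['low_priv']:12} anonymous: {verdicts['anonymous']}")
```

The "Undetermined" branch is where real testing gets awkward: many applications answer an unauthorized request with a 200 and a generic error page, so status codes alone cannot separate enforced from bypassed. That is why Autorize asks you to configure enforcement fingerprints (a string or length that marks a denial) before trusting its verdicts, and why its output still needs a human to look at the replayed responses.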

Practical Use Cases and Honest Limits

Community Edition is well suited to learning web application security, particularly alongside PortSwigger's own Web Security Academy, a free online training platform whose labs are designed to be completed with Burp Suite. The large majority of labs are solvable with Community Edition's manual tools; the exceptions are the labs that depend on Burp Collaborator for out-of-band detection (blind SSRF, blind XXE and similar), which the Academy marks as requiring Professional. The labs cover SQL injection, authentication flaws, access control issues, business logic vulnerabilities, and more. Completing them methodically builds proficiency with Repeater and the proxy that translates directly to professional testing work.

For bug bounty hunters targeting a single endpoint or a small, well-scoped target, Community Edition’s manual tools hold up. The Repeater, Proxy, and Decoder cover the workflow for most low-hanging findings. The friction appears when you’re trying to test at scale — enumerating a large application’s surface, fuzzing multiple parameters, or confirming out-of-band vulnerabilities. Experienced bug bounty researchers typically chain Community Edition with external tools: ffuf for parameter and directory fuzzing, interactsh for out-of-band detection, and sqlmap or nuclei for automated checks against specific vulnerability classes.

The annual license for Burp Suite Professional costs $449 per user as of 2024. That price reflects its position as a purpose-built commercial tool for professional use. Community Edition is deliberately constrained to protect that commercial boundary, not because the underlying capability is technically difficult to expose. The throttled Intruder is the clearest example: the feature exists in the code, but a rate limiter separates the free experience from the paid one.