PortSwigger

Our friends at HackerOne have just launched the new H1 Platform, designed to help security teams close the growing gap between finding and fixing vulnerabilities. Powered by agentic AI and backed by the world's largest security researcher community, H1 Platform brings Continuous Threat Exposure Management (CTEM) across the security lifecycle - from validation and prioritization through to remediation and reporting. Find out how this can help organizations turn security findings into action, faster in the comments below 👇

🔴 Live today and tomorrow: Burp Suite DAST demo. Pick a time that suits you. We're demoing several major updates to Burp Suite DAST today and tomorrow - starting with something we think changes how teams approach authenticated scanning. • Authenticated scanning enhancements: Passkey, biometric, TOTP, OAuth flows, and dynamic tokens • Scan freeze windows • API finder: Amazon API Gateway, Azure, Apigee • Burp AI in DAST: An early look • Vulnerability management: Sneak peek of issue lifecycle tracking, status assignment, and targeted retesting Register via the link in the comments to join or receive the recording.

We're delighted to announce that there'll be not one, but two original PortSwigger Research briefings at Black Hat USA 2026 👀 🍿 - James Kettle will be making his 11th appearance on the Black Hat stage with "Can AI Do Novel Security Research? Meet the HTTP Terminator": https://lnkd.in/e_HV6F47 - Gareth Heyes is also returning to Vegas with "CSS: The Bomb Inside Your Inbox": https://lnkd.in/e3RSfKvJ We hope to see you there! #BlackHat #BHUSA

One week until our Burp Suite DAST demo. Join us to see several major feature updates, including: • Authenticated scanning enhancements: Passkey, biometric, TOTP, OAuth flows, dynamic tokens • Scan freeze windows • API finder - AWS, Azure, Apigee • Burp AI in DAST - early look • Vulnerability management: sneak peek We’re running four demos over two days on 27/28 May - click the link in the comments and pick a time that suits you.

🎬 🍿 "I started this year saying 2026 is going to be wild [...] I’m equal parts utterly horrified and super excited." Ahead of his hotly anticipated 11th original research presentation at Black Hat USA, James Kettle joins Risky Business Media for a peek behind the scenes of what he's been up to for the past few months, including accidentally popping a bank in his sleep. They're also joined by Burp Suite creator, Dafydd Stuttard, to discuss what James's research and frontier LLMs mean for the future of Burp Suite and web security testing in general. See the link in the comments 👇

Most DAST tools have a quiet problem with modern authentication. Fingerprint, face ID, passkeys - when a scanner can't pass a biometric login, it doesn't flag the gap. It just stops. Coverage looks complete. The app behind the login isn't tested. We've fixed that. And it's one of several new features we're demoing on 27/28 May. Join us for a live walkthrough of what's new in Burp Suite DAST: • Authenticated scanning enhancements: Passkey, biometric, TOTP, OAuth flows, and dynamic tokens. Scan what most tools can't reach. • Scan freeze windows: Control when scans run, so automation never clashes with critical maintenance windows. • API finder: Automatic discovery of APIs on Amazon API Gateway, Azure, and Apigee. • Burp AI in DAST: An early look at what's coming. • Vulnerability management sneak peek: See what’s in store for issue lifecycle tracking, status assignment, and targeted retesting. ~30 minutes. Click the link in the comments to register.

"The beast needs a cage!" - Burp Suite creator, Dafydd Stuttard, gives his considered take on what's next for AppSec post-Mythos. In this blog post, he covers: - The impact of recent model advancements on pentesting practitioners. - What this means for the future of Burp Suite. - Key learnings from James Kettle 's upcoming Black Hat presentation. Check out the link to the blog post in the comments 👇

Senior pentesters have a deeply refined intuition about what’s vulnerable in an environment. The problem? That expertise is often siloed with an individual and trapped in their notes or Python scripts. When seniors are at capacity, coverage gaps open up precisely where your environment relies on specialist knowledge. Custom scan checks in Burp Suite help encode that hard-won knowledge into repeatable tests. Expertise can scale across teams, applications, and workflows that need it. Even with thousands of applications and APIs to test and expertise split between multiple testers, you can: • React faster to critical threats. • Tailor testing to individual tech stacks and domain-specific business logic. Read more in the blog linked below 👇

One of the reasons modern DAST disappoints is that many vendors start with the wrong question. They ask: “How do we scale AppSec with automation?” At PortSwigger, we ask: “How do practitioners and AppSec teams actually work?” That sounds subtle, but it leads to a very different product. If automation and manual testing are inherently codependent, they shouldn’t live in separate worlds. Your pentesters shouldn’t need to reinterpret findings from a different engine, taxonomy, and evidence model before they can even begin to validate anything in Burp Suite. A good DAST product passes work to practitioners in a form they already trust. A great DAST product empowers practitioners to shape what the automation does. That’s the core idea behind Burp Suite DAST. Burp Suite DAST is built on the same scanning engine as Burp Suite Professional. This means the library of finely-tuned scan configurations, powerful extensions, and custom scan checks your team developed over the years can be scaled across your entire application portfolio. That’s a more tester-friendly way to scale. It’s automation grounded in how real testing teams already operate. Our recent webinar goes deeper into this model and explains how manual and automated testing can work better together.

It’s Burp Extensibility month! Throughout May, we’ll be celebrating the community, people, tools, and ideas that make Burp Suite extensibility so impactful. Get ready for a month of events, resources, discussion, and the launch of the 2026 Burp Suite Extension Awards! 🏆 The 2026 Burp Suite Extension Awards Burp Suite extensions are built by community members who identify real problems, solve them, and share their work with others. This is your opportunity to recognise the extensions that have saved you time, improved your workflow, supported a tricky task, or become an essential part of how you use Burp Suite. Submit one extension per form via the form linked in the comments, and you’re welcome to submit as many nominations as you like. For each nomination, you'll be entered into a prize draw for a Burp Extensibility t-shirt! Nominations close on 26 May at 14:00 BST. 🎤 Upcoming Burp Extensibility events We’ll kick things off on 6 May with Introduction to Extensibility in Burp, followed by a month of sessions and community discussion on the PortSwigger Discord server. Highlights from the event schedule include sessions from our new Burp Ambassadors, covering custom extensions for complex Burp Suite testing scenarios and Bambda generation, as well as a session from PortSwigger researcher Zak Fedotkin on vibecoding Burp extensions. Join the PortSwigger Discord via the link in the comments below to get involved!