67% of security researchers already use AI in security testing, with Burp AI emerging as a leading AI tool. This signals a significant shift in how pentesting is evolving.

KNUTSFORD, England: PortSwigger, a renowned application security software provider and the makers of Burp Suite, today announced that Burp AI has been recognized in HackerOne's latest Hacker-Powered Security Report as one of the most widely used AI tools among security researchers. The findings and this recognition reflect a broader industry shift: pentesting is becoming AI-augmented, and Burp AI is at the forefront of this transformation.

The HackerOne report draws on insights from the global researcher and bug bounty community. This group often pioneers new workflows before they become mainstream. Their widespread use of AI is a clear signal that these tools are already changing how security testing gets done.

Key findings from HackerOne’s report

• AI adoption is now mainstream: 67% of researchers use AI and automation to accelerate testing workflows.
• Burp AI is a leader: Among AI-enhanced tools, Burp AI is one of the most widely used, with adoption growing at approximately 25% month over month.
• Human-in-the-loop is the winning model: Only 12% of researchers believe AI will replace humans. Most view AI as a powerful assistant that helps them deliver deeper impact.
• Authorization is the new battleground: IDOR reports have grown 116% over the past five years, and Improper Access Control by 66%, while XSS has plateaued with declining bug bounty payouts.

A hybrid future for security testing

The data suggests that automation and AI agents are raising the baseline by surfacing common issues like reflected XSS. But the most impactful findings still come from complex flaws like broken access controls and business logic vulnerabilities, where human skill remains essential. The future of web security is a hybrid of AI-assisted testing by experienced manual partitioners, reinforced by AI-enhanced automation at scale.

Burp AI is designed for this hybrid future. Integrated into Burp Suite Professional, it:

• Allows manual testers focus on what matters by enabling them to outsource repetitive tasks like recon, payload experimentation, and PoC scaffolding by "pairing" with an agentic AI assistant that has direct access to Burp Suite's industry-leading tooling and all the context that provides.
• Augments manual testers by complementing their expertise and intuition with the state-of-the-art power tools they need to maximize their impact while minimizing load.
• Extends automation into uncharted territory, enabling scanning at scale for issues like broken access controls that have traditionally proven challenging to automate without overwhelming teams with false positives to triage.
• Keeps humans not just in the loop, but in control with transparent, secure, and human-driven AI assistance whenever, and wherever testers want it. This enables them to optimize how they're spending their limited time, without disrupting the tried workflows that they've honed over years.

Dafydd Stuttard, CEO and founder of PortSwigger, said: “HackerOne’s latest data validates what we’ve seen first-hand: AI helps testers reclaim hours per engagement and reinvest that time in the work that needs human attention. And just like Burp Suite has become the most trusted tool in security testing, Burp AI is built with that same commitment to reliability and trust. This isn’t about replacing testers, it’s about amplifying them. Keeping the human in the loop provides essential safety guardrails around the huge productivity gains that AI offers.”

Why it matters

• Organizations adopting Burp AI and AI-augmentation workflows can expect to: Deliver deeper, higher-value findings by spending less time on repetitive tasks and more time on complex flaws.
• Work more efficiently, cutting the noise of false positives and accelerating recon so testing time goes further.
• Stay ahead of attackers and peers by using the same tools already shaping the industry.
• Attract and retain top talent by giving testers cutting-edge tools that make their work more impactful and rewarding.

About PortSwigger

PortSwigger is a global leader in web application security, serving over 17,000 customers in over 160 countries. Its flagship product, Burp Suite, is the world’s most widely used toolkit for web security testing. PortSwigger’s mission is to enable the world to secure the web, through cutting-edge software, research, and community initiatives.

Learn more

The Hacker-Powered Security Report highlights a clear direction: automation for scale, human ingenuity for impact. Burp AI delivers that model today.

To learn more about Burp AI and how it can accelerate your security testing, visit: https://portswigger.net/burp/ai

To read the report, see https://www.hackerone.com/report/hacker-powered-security.

Fonte: Business Wire