Burp Suite — agentic threat model
The Burp Suite MCP extension presents a high-risk profile due to its ability to execute arbitrary web requests and active vulnerability scans. Without strict scope boundaries and human-in-the-loop verification, it can be weaponized via prompt injection to target unauthorized networks or exfiltrate sensitive data.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
| --- | --- |
| Autonomy of Action | 0.80 |
| Goal-Driven Planning | 0.70 |
| Self-Modification | 0.10 |
| Dynamic Tool Use | 1.00 |
| Persistent Memory | 0.20 |
| Contextual Awareness | 0.60 |
| Dynamic Identity | 0.30 |
| Multi-Agent Interactions | 0.30 |
| Non-Determinism | 0.70 |
| Opacity & Reflexivity | 0.50 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1 (Foundation Models): Not certain from the listing — the extension acts as an MCP server for external AI clients, meaning the foundation model is determined by the connecting client. Threats include prompt injection on the client model leading to unauthorized tool execution.
Layer 2 (Data Operations): Not certain from the listing — there is no mention of internal vector databases or RAG pipelines. However, the agent handles sensitive HTTP request/response history (proxy data) which could be leaked if exfiltrated.
Layer 3 (Agent Frameworks): The agent exposes highly sensitive tools (Burp scanner, repeater, proxy) via the Model Context Protocol (MCP). The primary threat is tool misuse, where an attacker manipulates the agent via prompt injection to scan unauthorized targets or replay malicious requests.
Layer 4 (Deployment & Infrastructure): The MCP server runs locally or in a designated environment to interface with Burp Suite. If un-sandboxed, an attacker exploiting the agent could perform SSRF, local network scanning, or leverage Burp's capabilities to pivot into internal networks.
Layer 5 (Evaluation & Observability): Not certain from the listing — while Burp Suite itself has extensive logging (Event log, Proxy history), it is unclear if the MCP extension implements specific guardrails, input validation, or LLM-specific observability to prevent malicious payloads.
Layer 6 (Security & Compliance): The description explicitly notes that it 'demands careful scope control' because it can send arbitrary requests. Without strict network-level scoping or user-in-the-loop confirmation, the agent poses high compliance and authorization risks.
Layer 7 (Agent Ecosystem): Not certain from the listing — there is no explicit mention of multi-agent orchestration, but as an MCP tool, it could be integrated into broader agentic workflows, risking cascading tool-execution chains.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).
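The scope and user-in-the-loop gate that the infrastructure and compliance layers above call for, as an added example that is not code from the Burp extension or this listing: it assumes a hypothetical policy check sitting in front of the MCP tools, with constructed tool names, scope entries and request URLs.

```python
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumed tool names: anything that actively probes a target needs a human to confirm.
ACTIVE_TOOLS = frozenset({"scan", "send_to_intruder"})


@dataclass(frozen=True)
class Decision:
    allowed: bool              # may the MCP server forward this call to Burp at all?
    needs_confirmation: bool   # if allowed, must a human approve it first?
    reason: str


def evaluate_tool_call(tool: str, target_url: str, scope: set, active_tools=ACTIVE_TOOLS) -> Decision:
    """Deny-by-default check of a tool call's target against the configured scope.

    Internal / loopback / link-local / unspecified literal addresses are always refused,
    which closes the SSRF and local-network-scanning path even when an attacker smuggles
    the address in via userinfo ("http://app.example.com@10.0.0.5/") or an IPv6 literal.
    Hostnames are matched exactly or as subdomains of a scope entry; no DNS is consulted
    here, so a connect-time check against resolved addresses is still needed.
    """
    parts = urlsplit(target_url)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return Decision(False, False, "unsupported scheme or missing host")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None and (ip.is_private or ip.is_loopback or ip.is_link_local
                           or ip.is_reserved or ip.is_unspecified):
        return Decision(False, False, f"{host} is an internal address")
    if not any(host == s or host.endswith("." + s) for s in scope):
        return Decision(False, False, f"{host} is outside the configured scope")
    if tool in active_tools:
        return Decision(True, True, f"{tool} is an active tool; human confirmation required")
    return Decision(True, False, "in scope, passive tool")


if __name__ == "__main__":
    scope = {"example.com"}  # constructed scope for the demo
    for tool, url in [("repeater_send", "https://app.example.com/login"),
                      ("scan", "https://app.example.com/"),
                      ("repeater_send", "http://169.254.169.254/latest/meta-data/"),
                      ("repeater_send", "http://app.example.com@10.0.0.5/"),
                      ("scan", "https://other.example.net/")]:
        print(tool, url, evaluate_tool_call(tool, url, scope))
```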