| Cost | Free. | $499/year per user on PortSwigger's current Pro buy page. | Free. No account, no card, no email for the Free tier. | $499/year regular; Founder's Edition is $249/year for life while active. |
| Saved projects | Not listed in Community. | Yes. Project files save work. | Yes. Local projects with history, scope, findings, endpoint metadata, and indexes. | Yes. Same local-first project store plus reporting, automation, and team-ready evidence paths. |
| Scanner | No Burp Scanner. | Yes. Burp's mature web vulnerability scanner. | Passive included. Reads captured traffic. | Active scanning and bounded proof replay. Scope-gated, evidence-first, and designed around captured project context. |
| Crawler / discovery | Manual. | Yes. Automatic crawl and content discovery. | Captured-traffic Site Map. | Smart Site Map flags. Auth, IDOR/BOLA, and endpoint intelligence from real traffic. |
| Intruder / attack workflow | Demo. | Full Intruder. Custom attacks and richer productivity. | Starter attack workflow. | Attack Studio and proof workflows. Includes advanced attack modes, scanner proof replay, and automation hooks. |
| Cluster bomb | Expect Community limits. Community has Intruder demo. | Best Burp fit. Cluster bomb is an Intruder attack type and full Intruder is Pro. | Upgrade for advanced attack modes. | Paid attack workflow. Use Hunter Pro for advanced payload and replay workflows. |
| Search / investigation | Not listed in Community. | Yes. Search function is listed under Professional. | Yes. Read-only SQL and full-text history search. | Yes. SQL, full-text search, Investigate, reporting, full CLI, and automation over the project database. |
| OAST / Collaborator | No. | Yes. Auto and manual OAST testing. | BYO OAST in Free. | Hosted Beacon/OAST. DNS/HTTP/SMTP callbacks, evidence chain, and promote-to-finding workflow. |
| Mobile / Frida | Not built in. | Possible through external setup and extensions. | Manual proxy capture. | Native advantage. Android lab setup, Frida cert-pinning bypass, APK/XAPK/APKS analysis, and mobile API replay. |
| JA3 / browser fingerprints | Not the focus. | Proxy tooling, but not Crusader's browser-fingerprint replay path. | Basic capture. | Native advantage. JA3/browser-fingerprint transport and WAF-sensitive replay paths. |
| IDOR / BOLA replay | Manual. | Manual or extension-driven. | Manual comparisons. | Native advantage. Identity Shadow Replay across actors with diffed evidence. |
| Extensions | Community-compatible extensions only. | Pro-specific BApps and API. | Community JavaScript plugins. | Advanced plugin APIs. Scanner findings, hosted Beacon, identity replay, mobile, JA3, reports, and MCP exposure. |
| Agent/AI workflow | Not the focus. | Burp AI and Pro API workflows. | Read-only MCP, SQL, and agent-readable project context. | Native advantage. Full MCP, automation CLI, scoped active/write families, project memory, and agent-ready evidence. |