BiTree

Live coding lessons for aspiring developers and security professionals.
© 2026 BiTree. All rights reserved.
40 min · Intermediate

Burp Scanner (Professional)

After this lesson, you will be able to understand Burp Scanner (Professional): passive vs. active scanning, crawling, reading scan results (severity and confidence), tuning audit profiles, and the limits of automated scanning.

The Scanner is Burp's automated vulnerability finder, a Professional feature. This lesson covers passive vs. active scanning, crawling, reading results, tuning, and, crucially, the boundary of what automation can and cannot find, so you treat it as a tool, not a replacement for skill.

Prerequisites: Fuzzing and Parameter Discovery

💡 Authorization first

Only perform these techniques in authorized lab environments. Never test systems you do not own or have explicit written permission to test. Every lab in this subtrack uses the PortSwigger Web Security Academy, which is built specifically for legal Burp Suite practice.

Passive vs active scanning

Passive scanning analyzes traffic already passing through the proxy without sending extra requests; it finds issues visible in normal responses (missing security headers, insecure cookies, information disclosure) and is always safe to leave on. Active scanning sends crafted requests to probe for specific vulnerabilities (injection, etc.); it is intrusive and must only run against in-scope targets you are authorized to test.

Crawling and audit profiles

Crawling is how Burp discovers application content by following links and forms; you configure the scope, depth, and login sequences so it can reach authenticated areas. Audit profiles control what the scanner tests for, letting you trade coverage against noise and speed, and reduce false positives. Tuning the profile to the target is what makes the Scanner useful rather than a flood of low-value findings.

Reading scan results

Each issue has a severity (high, medium, low, informational) and a confidence (certain, firm, tentative), plus a description and remediation advice. Triage by severity and confidence together: a high-severity, certain finding is your priority; a tentative low is often noise to verify or dismiss. Always manually confirm a scanner finding before reporting it; automated tools produce false positives.
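As an added example (not part of this lesson and not Burp's own code), the following Python sketch does what the passive-scanning section above describes, inspecting one already-captured response for missing security headers, weak cookie flags and version disclosure without sending any request, and then orders the findings by severity and confidence as the triage advice here recommends. The sample response, the header set checked and the rank tables are constructed for illustration.

```python
from dataclasses import dataclass

SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1, "informational": 0}
CONFIDENCE_RANK = {"certain": 2, "firm": 1, "tentative": 0}

@dataclass(frozen=True)
class Finding:
    name: str
    severity: str
    confidence: str

def parse_headers(raw: str) -> list[tuple[str, str]]:
    # Header block only; names lower-cased so matching is case-insensitive.
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def passive_checks(raw: str) -> list[Finding]:
    # Inspect a response already captured by the proxy; no request is sent.
    headers = parse_headers(raw)
    names = {n for n, _ in headers}
    findings = []
    if "strict-transport-security" not in names:
        findings.append(Finding("Missing Strict-Transport-Security header", "low", "certain"))
    if "content-security-policy" not in names:
        findings.append(Finding("Missing Content-Security-Policy header", "low", "certain"))
    for n, v in headers:
        if n == "set-cookie":
            cookie = v.split("=", 1)[0]
            flags = {f.strip().lower() for f in v.split(";")[1:]}
            for flag in ("secure", "httponly"):
                if flag not in flags:
                    findings.append(Finding(f"Cookie '{cookie}' lacks {flag} flag", "low", "firm"))
        elif n == "server" and any(c.isdigit() for c in v):
            findings.append(Finding(f"Server version disclosed: {v}", "informational", "tentative"))
    return findings

def triage(findings: list[Finding]) -> list[Finding]:
    # Highest severity first, then highest confidence; Python's sort is stable.
    key = lambda f: (SEVERITY_RANK[f.severity], CONFIDENCE_RANK[f.confidence])
    return sorted(findings, key=key, reverse=True)

# Constructed sample response (not captured from a real host).
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\nServer: ExampleHTTPd/2.4.1\r\nContent-Type: text/html\r\n"
                   "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n\r\n<html></html>")
```

Calling `triage(passive_checks(SAMPLE_RESPONSE))` yields the two certain lows first, then the firm cookie finding, then the tentative informational one, which is the order you would work through them.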

ℹ️ What the Scanner cannot do

Automated scanning excels at known, pattern-based vulnerabilities but cannot understand business logic, chain multiple weaknesses into an exploit, or reason about your application's intent. The most valuable findings (broken access control, business-logic flaws, multi-step exploits) come from a human using Repeater and Intruder. Treat the Scanner as a first pass that frees you to do the thinking, not as the tester.

Quick Check

Which scan type is always safe to leave on because it sends no extra requests?

Pick one.

Common mistakes only experienced testers catch

  • Running an active scan against an out-of-scope or unauthorized target.
  • Reporting scanner findings without manual confirmation (false positives).
  • Trusting the Scanner to find business-logic and access-control bugs (it cannot).
  • Leaving a noisy default audit profile on a fragile app.
  • Forgetting login sequences, so the crawl never reaches authenticated pages.
  • Treating a clean scan as proof of security.
