New Burp Bounty Pro v3.0.0 release

By Eduardo Garcia — Founder, Bounty Security

After months of development driven directly by user feedback, Burp Bounty Pro 3.0.0 is live. This isn't an incremental update — it's a ground-up rebuild of the scanning engine with four major features that change how you build and run vulnerability profiles inside Burp Suite.

If you've been using Burp Bounty Pro for single-step payloads and passive detection, v3.0 opens up an entirely new dimension: chained attack sequences, timing-based blind detection, dynamic variables, and per-scan performance control. Here's everything that's new and why it matters for your workflow.

Multi-Step Scanning: Chain Attacks That Single Requests Can't

This was one of the most requested features from users, and for good reason. Real-world vulnerabilities rarely live in a single request. Authentication bypasses require logging in first. CSRF exploitation needs a token from one page before posting to another. Second-order SQL injection means injecting in one endpoint and triggering in a different one.

With v3.0.0, profiles now support multiple scanning steps. Each step defines its own payloads, match rules, and detection logic. The key feature: cookie reuse across steps. Step 1 authenticates and captures a session cookie. Step 2 reuses that cookie to access a protected endpoint. Step 3 tests the actual vulnerability behind the login wall.

Every step has its own request/response viewer in the scan results, so you can trace exactly what happened at each stage. If a step fails to match, the entire sequence stops for that insertion point — no wasted requests, no noise.

A concrete example from the default profiles: the Auth_Bypass_MultiStep profile sends credentials in Step 1, checks for a Set-Cookie: session= header, then in Step 2 requests /admin/dashboard with the captured cookie and looks for Welcome, Admin. Two steps, one profile, fully automated.

Multi-step also works with the time-based detection engine (more on that below), enabling timing attack chains where Step 1 sends a baseline request and Step 2 sends a time-delay payload — the difference confirms the vulnerability.

Time-Based Detection Engine: Catch What String Matching Misses

Sleep-based SQL injection. Blind command injection. Any vulnerability where the only signal is a timing difference in the response. Before v3.0.0, testing these required manual work in Intruder or custom scripts outside Burp Bounty.

The new time-based detection engine adds time delay matching logic natively to any profile. It supports three comparison modes:

"Between" — the response time must fall within a range (e.g., between 5 and 10 seconds). "Greater than" — response time must exceed a threshold. "Less than" — response time must be below a threshold. Thresholds are configurable in seconds.

The engine is fully integrated into multi-step workflows. A typical time-based SQLi profile might use Step 1 to establish a baseline response time, then Step 2 to inject a SLEEP(5) payload and compare the delta. This eliminates false positives caused by normal network latency — you're comparing against the target's own baseline, not an arbitrary number.
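An added illustration (not Burp Bounty's own code) of how the multi-step sequence and the time-based engine described above fit together: a small profile runner that captures a cookie from one step and reuses it in the next, stops the sequence at the first step that fails to match, and evaluates a time rule as a delta against the previous step's baseline. The Step fields, fake_send and the cookie value are constructed assumptions, not the .bb format.

```python
import re
from dataclasses import dataclass

@dataclass
class Step:
    name: str
    match: str                  # "string", "baseline" (record timing only) or "time"
    grep: str = ""              # substring that must appear in the headers or body
    mode: str = "greater_than"  # time modes: "between", "greater_than", "less_than"
    low: float = 0.0            # thresholds in seconds (low for greater_than, high for less_than)
    high: float = 0.0
    capture_cookie: str = ""    # cookie name to pull from Set-Cookie and reuse in later steps

def time_matches(seconds, mode, low, high):
    """The three comparison modes of the time-based engine; an unknown mode raises KeyError."""
    return {"between": low <= seconds <= high,
            "greater_than": seconds > low,
            "less_than": seconds < high}[mode]

def run_profile(steps, send):
    """Run steps in order; send(step, cookies) -> (headers, body, elapsed_seconds)."""
    cookies, baseline, trace = {}, None, []
    for step in steps:
        headers, body, elapsed = send(step, dict(cookies))
        if step.match == "string":
            ok = step.grep in body or any(step.grep in v for v in headers.values())
        elif step.match == "baseline":
            ok, baseline = True, elapsed  # remember the target's own response time
        else:  # "time": compare the delta against the baseline when one was recorded
            sample = elapsed if baseline is None else elapsed - baseline
            ok = time_matches(sample, step.mode, step.low, step.high)
        trace.append((step.name, ok, round(elapsed, 3)))
        if ok and step.capture_cookie and (m := re.search(
                rf"\b{re.escape(step.capture_cookie)}=([^;]+)", headers.get("Set-Cookie", ""))):
            cookies[step.capture_cookie] = m.group(1)
        if not ok:
            return False, trace  # the sequence stops here for this insertion point
    return True, trace

# Constructed stand-in for the network, mimicking the Auth_Bypass_MultiStep flow described above.
def fake_send(step, cookies):
    if step.name == "login":
        return {"Set-Cookie": "session=s3ss10n; Path=/"}, "ok", 0.21
    ok = cookies.get("session") == "s3ss10n"  # "dashboard": protected page needs the captured cookie
    return {}, "Welcome, Admin" if ok else "Forbidden", 0.19

AUTH_BYPASS = [
    Step("login", "string", grep="session=", capture_cookie="session"),
    Step("dashboard", "string", grep="Welcome, Admin"),
]
```

Calling run_profile(AUTH_BYPASS, fake_send) returns the match verdict plus a per-step trace, mirroring the per-step request/response view in the scan results.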

Global Variables System: Write Profiles Once, Reuse Everywhere

If you've ever built a profile that tests for SSRF using Burp Collaborator, you know the pain: hardcoding {BC} or your redirect domain into each payload. If your Collaborator URL changes, or you switch to a private instance for an internal pentest, you need to edit every profile.

v3.0 introduces a global variables system managed from the Variables tab. Define variables like {EMAIL}, {BC}, {RANDOM}, {REDIRECT_DOMAIN}, {ATTACKER_DOMAIN}, and they're dynamically replaced in payloads, greps, and raw requests at scan time. Built-in context variables like {CURRENT_HOST}, {CURRENT_PORT}, {CURRENT_COOKIES}, {CURRENT_USER_AGENT}, and {CURRENT_REFERER} inject the actual values from the request being scanned.

This changes how you think about profile portability. Write a profile once with variables, export it as a .bb file, share it with your team — each team member configures their own variable values locally. The profile works everywhere without modification.

For users running internal penetration tests who can't use the default Burp Collaborator, this was a particularly requested improvement. You can now define a custom {BC} variable pointing to your private Collaborator instance and every profile that references it will use your custom address.
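An added example (not Burp Bounty's own implementation) of the substitution the Variables tab performs: user-defined values such as {BC} and {EMAIL} are merged with {CURRENT_*} context values derived from the request being scanned, {RANDOM} is generated per occurrence, and a helper lists the placeholders a shared profile uses that the local user has not defined yet. The request dict, precedence of context over user variables, and the sample values are assumptions.

```python
import re
import secrets

VAR_RE = re.compile(r"\{([A-Z][A-Z0-9_]*)\}")   # placeholders such as {BC} or {CURRENT_HOST}
CONTEXT_NAMES = ("CURRENT_HOST", "CURRENT_PORT", "CURRENT_COOKIES",
                 "CURRENT_USER_AGENT", "CURRENT_REFERER")

def context_variables(request):
    """Built-in context values taken from the request being scanned.
    `request` is a constructed dict here, not Burp's own request object."""
    h = request["headers"]
    return {"CURRENT_HOST": request["host"],
            "CURRENT_PORT": str(request["port"]),
            "CURRENT_COOKIES": h.get("Cookie", ""),
            "CURRENT_USER_AGENT": h.get("User-Agent", ""),
            "CURRENT_REFERER": h.get("Referer", "")}

def expand(template, user_vars, request, rand=lambda: secrets.token_hex(4)):
    """Substitute placeholders in a payload, grep or raw request at scan time.
    Assumptions: context variables override user-defined ones, {RANDOM} is generated
    afresh for every occurrence, and unknown placeholders are left as written."""
    values = {**user_vars, **context_variables(request)}
    def repl(m):
        name = m.group(1)
        return rand() if name == "RANDOM" else values.get(name, m.group(0))
    return VAR_RE.sub(repl, template)

def undefined_variables(profile_text, user_vars):
    """Placeholders a shared .bb profile references that this user has not defined locally."""
    used = set(VAR_RE.findall(profile_text))
    return sorted(used - set(user_vars) - set(CONTEXT_NAMES) - {"RANDOM"})

# Constructed sample data: a request being scanned and one tester's local variable values.
REQUEST = {"host": "app.example.internal", "port": 8443,
           "headers": {"Cookie": "sid=abc", "User-Agent": "Mozilla/5.0 (constructed)",
                       "Referer": "https://app.example.internal/login"}}
USER_VARS = {"BC": "private-collab.example.internal", "EMAIL": "tester@example.internal"}

if __name__ == "__main__":
    print(expand("https://{RANDOM}.{BC}/?h={CURRENT_HOST}&p={CURRENT_PORT}", USER_VARS, REQUEST))
    print(undefined_variables("{BC} {REDIRECT_DOMAIN} {RANDOM} {CURRENT_COOKIES}", USER_VARS))
```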

Per-Scan Performance Control: Different Settings for Different Targets

Previously, scanner settings (threads, concurrency, requests per second) were global — one configuration for every scan. In v3.0.0, scanner settings are configured per scan through the URL Filter popup that appears before every Active, Passive, and Smart Scan.

This means you can run a fast scan with 20 threads against a staging environment while simultaneously running a cautious 3-thread scan with rate limiting against a production target — from the same Burp Suite instance. Each scan creates its own independent thread pool with its configured settings.

The URL Filter popup itself is new for Passive and Smart Scan types. Before v3.0, URL filtering only appeared for Active Scans. Now you get full control over scope, domains, and file extensions before launching any scan type.

True Pause & Resume: No More Lost Scan State

The scanning engine has been rebuilt around a new PausableThreadPoolExecutor — a custom thread pool that supports pause/resume without terminating threads. When you pause a scan, threads block at safe synchronization points. When you resume, they continue exactly where they left off. Zero state loss.

Paused time is tracked separately and excluded from scan duration and timeout calculations. If a scan has a 60-minute timeout and you pause for 30 minutes, you still get the full 60 minutes of active scanning time.
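An added model (not Burp Bounty's PausableThreadPoolExecutor itself) of the two properties described above: workers block at a gate between requests instead of being terminated, and paused intervals are subtracted before the timeout is evaluated. The clock is injectable so the accounting can be exercised without waiting; the 60-minute default and the worker API are assumptions for the illustration.

```python
import threading
import time

class PausableScan:
    """Pause/resume at safe points; paused time is excluded from duration and timeout."""
    def __init__(self, timeout_s=3600.0, clock=time.monotonic):
        self._clock = clock              # injectable so tests can drive time deterministically
        self._gate = threading.Event()   # set = running, cleared = paused
        self._gate.set()
        self._lock = threading.Lock()
        self.timeout_s = timeout_s
        self.started_at = clock()
        self.paused_total = 0.0          # sum of completed pause intervals, in seconds
        self.paused_at = None            # start of the pause in progress, if any

    def pause(self):
        with self._lock:
            if self.paused_at is None:
                self.paused_at = self._clock()
                self._gate.clear()       # workers block at their next checkpoint

    def resume(self):
        with self._lock:
            if self.paused_at is not None:
                self.paused_total += self._clock() - self.paused_at
                self.paused_at = None
                self._gate.set()         # blocked workers continue where they left off

    def active_seconds(self):            # wall-clock time since start minus every pause
        live = 0.0 if self.paused_at is None else self._clock() - self.paused_at
        return self._clock() - self.started_at - self.paused_total - live

    def timed_out(self):
        return self.active_seconds() >= self.timeout_s

    def checkpoint(self):                # safe synchronization point, called between requests
        self._gate.wait()

def start_worker(scan, requests, send):
    """Background worker: checkpoint before each request; returns (thread, results list)."""
    results = []
    def loop():
        for req in requests:
            scan.checkpoint()            # blocks here while paused; the thread is never killed
            if scan.timed_out():
                break
            results.append(send(req))
    th = threading.Thread(target=loop, daemon=True)
    th.start()
    return th, results
```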

This matters more than it sounds. During long engagements, being able to pause all scans while you investigate a finding, then resume without restarting from scratch, saves significant time.

Under the Hood: Efficiency Improvements That Reduce Noise

Beyond the headline features, v3.0.0 includes a significant number of scanning efficiency improvements:

Stop-on-first-match optimization — when a payload matches for a given profile and insertion point, remaining payloads are skipped. This alone reduces redundant issues from 6+ to 1–2 per insertion point, cutting noise dramatically.

Early filtering pipeline — URL extension, response code, and content-type checks are applied before making HTTP requests, drastically reducing unnecessary traffic. Combined with a passive scan exclusion list that automatically filters static files (jpg, gif, png, css, svg), your scans are leaner from the start.

Duplicate avoidance — the scanner tracks scanned issue/host combinations and prevents re-scanning the same issue on the same endpoint. Redirect loop protection caps redirects at 30 per request chain. Scan timeout detection (configurable, default 60 minutes) marks stuck scans as Failed and releases resources automatically.

Request throttling is now configurable per-request with millisecond granularity, giving you precise control over scan speed to avoid WAF detection and reduce server load.

UI Improvements: Faster Profile Workflow

Several quality-of-life changes make working with profiles noticeably faster:

Non-modal dialogs — all profile, rule, and tag editors are now non-blocking. You can edit a profile while viewing scan results, compare two profiles side by side, or configure new profiles while a scan is running. This sounds small, but if you've ever been locked out of Burp Suite while an editor dialog was open, you know how much this matters.

Profile and rule duplication with automatic naming (Name Copy, Name Copy1...) means you can clone a working profile and modify it instead of building from scratch. Double-click to edit any profile or rule row — no more hunting for the Edit button. Payload and grep markers are highlighted in red for better visibility. Profile tables are now consistent across all three types (Active, Passive Request, Passive Response), with identical columns and context menus.

The Dashboard now has a dual-view layout: a detailed per-request log showing host, method, path, status code, response time, rule/profile name, severity, and confidence — plus a summary view that aggregates vulnerability counts by domain. The Scanner Log provides real-time progress tracking with per-scan pause/resume/stop controls.

Tag-Based Passive Scan Launching

Passive scanning gets a significant workflow improvement in v3.0.0. The right-click context menu now includes a tag-based submenu for passive scans. Instead of running all passive profiles every time, you can run only the ones you need: just security header checks, just secret detection, just technology fingerprinting.

The submenu organizes profiles by type (Request/Response) and tag, with profile counts displayed next to each tag. Combined with the new Set New Tag right-click option on profile tables (select multiple profiles, assign a tag in one click), organizing and launching targeted passive scans becomes a two-click operation.

What's Included on Day One

Every Burp Bounty Pro 3.0.0 license includes 254 default profiles covering CVEs, XSS, SQLi, SSRF, SSTI, RCE, path traversal, technology detection, sensitive data exposure, and more. Plus 27 default Smart Scan rules that automatically chain passive detection with active attacks — detect WordPress? Launch WordPress-specific exploit profiles. Spot SQLi-prone parameters? Trigger targeted injection testing.

All profiles use the .bb file format, which is compatible with Burp Bounty Go and GBounty. Build a profile in Pro, export it, and run it across your entire toolkit.

Requirements

Burp Bounty Pro 3.0.0 requires Burp Suite Professional and Java 14+. Installation takes under 5 minutes — download the .jar, load it in Burp Suite's Extensions tab, and activate your license. The built-in update checker detects new versions of both the extension and the profiles, so you stay current automatically.

Existing licenses work with v3.0.0. Your profiles, rules, and settings are preserved across updates.

Get Started

Burp Bounty Pro 3.0.0 is available now. Get Burp Bounty Pro or request a free trial to test it on your next engagement.

Full documentation is at docs.bountysecurity.ai. Questions or feedback? Reach out at hello@bountysecurity.ai or on X @BountySecurity.

Burp Bounty Pro is a Burp Suite extension created by Bounty Security for penetration testers, security consultants, and bug bounty hunters. Available as a monthly (€14.95) or yearly (€145) subscription.