{"slug": "burpwn-burp-suite-but-its-for-ai-agents-it-works", "title": "Burpwn – Burp Suite but its for AI agents (it works)", "summary": "Burpwn, a transparent intercepting proxy and execution sandbox for AI agents, has been released in early development. The tool allows autonomous agents to perform web pentesting with full TLS-MITM, traffic capture, and replay capabilities, while keeping the agent's own LLM traffic isolated. It is Linux-only and relies on user/network namespaces, nftables, and bubblewrap.", "body_md": "**A transparent intercepting proxy + execution sandbox + agent interface for AI-driven web pentesting.**\n\nburpwn is to an AI agent what Burp Suite is to a human pentester. It runs every command an agent\nexecutes inside a rootless Linux sandbox whose **entire** network (HTTP/HTTPS/DNS/TCP) is forced\nthrough a built-in intercepting proxy. The agent can then go back through history, search and filter\nthe decrypted request/response flows, replay and edit them (Repeater), apply match/replace rules,\nblock and rewrite traffic in flight, and organize flows into workspaces — all from a scriptable CLI\nor over MCP. It is at once a Burp and a tshark, but driven by an agent.\n\nStatus: early development. See the milestones below.\n\nExisting intercepting proxies are built for a human clicking in a GUI. An autonomous agent needs a\n*programmatic* surface: create a session, run tooling, and query the captured traffic — without the\nagent's own LLM traffic ever being captured. burpwn delivers exactly that: the agent process stays\n**outside** the sandbox; only the commands it executes (its children) enter the captured network\nnamespace, so LLM traffic is excluded by construction.\n\n**Rootless transparent sandbox.** Each executed command runs in its own Linux user + network namespace. An nftables `REDIRECT` ruleset inside that namespace forces all TCP (and UDP/53) to the burpwn proxy. bubblewrap isolates the filesystem and processes. No root, no setuid, no CAP_NET_ADMIN on the host — the kernel grants the needed capability *inside* the child namespace.\n\n**TLS-MITM.** A per-install root CA is generated once; leaf certs are minted on the fly per SNI and the CA is injected into the sandbox trust store so HTTPS is decrypted. Cert-pinned targets fall back cleanly to TLS pass-through with metadata-only logging.\n\n**Capture & query.** Flows are stored in a per-session SQLite database (WAL, content-addressed body dedup, FTS5 full-text search) written by a single-writer task off the proxy hot path.\n\n**Agent integration (rtk-style).** `burpwn init` installs the right command-rewrite hook for the detected agent (Claude Code / Copilot, Cursor, Gemini CLI, Cline/Roo), plus a generic global shell hook so even a custom agent is covered.\n\n```\nburpwn doctor                                  # check the rootless prerequisites\nburpwn ca init && burpwn ca export             # generate / print the MITM CA\nburpwn session new --name engagement-1\nburpwn exec -- curl -s https://target.example/ # runs sandboxed; traffic captured + decrypted\nburpwn req list                                # browse captured flows\nburpwn req show 42 --raw                       # decrypted request + response\nburpwn req replay 42 --set-header 'X: 1'       # Repeater\nburpwn intercept enable                        # blocking intercept (also via MCP await_intercept)\n```\n\nLinux-only (relies on user/network namespaces, nftables, bubblewrap). Install the prerequisites\nfirst — Fedora/RHEL: `sudo dnf install bubblewrap nftables iproute`; Debian/Ubuntu:\n`sudo apt install bubblewrap nftables iproute2`.\n\n```\n# one-liner: download the prebuilt binary, install to ~/.local/bin, generate the CA, run preflight\ncurl -fsSL https://raw.githubusercontent.com/own2pwn-fr/burpwn/main/install.sh | sh\n\n# from a checkout (builds from source if no prebuilt binary fits your arch)\n./install.sh                # ./install.sh --hooks also installs the global shell hook\n./install.sh --from-source  # force a source build\n\n# or via cargo / the Makefile\ncargo install --git https://github.com/own2pwn-fr/burpwn burpwn\nmake install                # PREFIX=/usr/local make install  (may need sudo); `make help` lists tasks\n```\n\nThe `curl | sh` path downloads the release binary for your architecture (x86_64 / aarch64 Linux) and\nverifies its checksum; if none matches it falls back to a `cargo` source build.\n\n```\ncargo build --release    # produces a single `burpwn` binary at target/release/burpwn\ncargo test               # the privileged rootless-sandbox test is #[ignore]d\n```\n\n`burpwn init` installs an rtk-style command-rewrite hook so every shell command your agent runs is\ntransparently routed through `burpwn exec` (captured + decrypted), while the agent's own LLM traffic\nis never touched. There is also an MCP server and a ready-made agent skill:\n\n```\nburpwn init --agent claude   # Claude Code / Copilot PreToolUse hook (also: cursor, gemini, cline)\nburpwn init --global         # generic shell hook — works for any agent\nburpwn mcp                   # MCP server over stdio (session/exec/req/intercept tools)\n```\n\nThe bundled agent skill lives in [skills/burpwn/](/own2pwn-fr/burpwn/blob/main/skills/burpwn) — copy it into `~/.claude/skills/` (or your agent's skills dir) to teach an agent the workflow.", "url": "https://wpnews.pro/news/burpwn-burp-suite-but-its-for-ai-agents-it-works", "canonical_source": "https://github.com/own2pwn-fr/burpwn", "published_at": "2026-06-14 17:54:29+00:00", "updated_at": "2026-06-14 18:11:57.486115+00:00", "lang": "en", "topics": ["ai-agents", "ai-tools", "ai-safety", "developer-tools"], "entities": ["Burpwn", "Burp Suite", "Claude Code", "Copilot", "Cursor", "Gemini CLI", "Cline", "Roo"], "alternates": {"html": "https://wpnews.pro/news/burpwn-burp-suite-but-its-for-ai-agents-it-works", "markdown": "https://wpnews.pro/news/burpwn-burp-suite-but-its-for-ai-agents-it-works.md", "text": "https://wpnews.pro/news/burpwn-burp-suite-but-its-for-ai-agents-it-works.txt", "jsonld": "https://wpnews.pro/news/burpwn-burp-suite-but-its-for-ai-agents-it-works.jsonld"}}