Burpwn – Burp Suite but it's for AI agents (it works)

Burpwn, a transparent intercepting proxy and execution sandbox for AI agents, has been released in early development. The tool allows autonomous agents to perform web pentesting with full TLS-MITM, traffic capture, and replay capabilities, while keeping the agent's own LLM traffic isolated. It is Linux-only and relies on user/network namespaces, nftables, and bubblewrap.

A transparent intercepting proxy + execution sandbox + agent interface for AI-driven web pentesting.

burpwn is to an AI agent what Burp Suite is to a human pentester. It runs every command an agent executes inside a rootless Linux sandbox whose entire network (HTTP/HTTPS/DNS/TCP) is forced through a built-in intercepting proxy. The agent can then go back through history, search and filter the decrypted request/response flows, replay and edit them (Repeater), apply match/replace rules, block and rewrite traffic in flight, and organize flows into workspaces — all from a scriptable CLI or over MCP. It is at once a Burp and a tshark, but driven by an agent.

Status: early development. See the milestones below.

Existing intercepting proxies are built for a human clicking in a GUI. An autonomous agent needs a programmatic surface: create a session, run tooling, and query the captured traffic — without the agent's own LLM traffic ever being captured. burpwn delivers exactly that: the agent process stays outside the sandbox; only the commands it executes (its children) enter the captured network namespace, so LLM traffic is excluded by construction.

Rootless transparent sandbox. Each executed command runs in its own Linux user + network namespace. An nftables REDIRECT ruleset inside that namespace forces all TCP and UDP/53 to the burpwn proxy. bubblewrap isolates the filesystem and processes. No root, no setuid, no CAP_NET_ADMIN on the host — the kernel grants the needed capability inside the child namespace.

TLS-MITM.
A per-install root CA is generated once; leaf certs are minted on the fly per SNI and the CA is injected into the sandbox trust store so HTTPS is decrypted. Cert-pinned targets fall back cleanly to TLS pass-through with metadata-only logging.

Capture & query. Flows are stored in a per-session SQLite database (WAL, content-addressed body dedup, FTS5 full-text search) written by a single-writer task off the proxy hot path.

Agent integration (rtk-style). burpwn init installs the right command-rewrite hook for the detected agent (Claude Code / Copilot, Cursor, Gemini CLI, Cline/Roo), plus a generic global shell hook so even a custom agent is covered.

    burpwn doctor                                   # check the rootless prerequisites
    burpwn ca init && burpwn ca export              # generate / print the MITM CA
    burpwn session new --name engagement-1
    burpwn exec -- curl -s https://target.example/  # runs sandboxed; traffic captured + decrypted
    burpwn req list                                 # browse captured flows
    burpwn req show 42 --raw                        # decrypted request + response
    burpwn req replay 42 --set-header 'X: 1'        # Repeater
    burpwn intercept enable                         # blocking intercept (also via MCP await intercept)

Linux-only (relies on user/network namespaces, nftables, bubblewrap). Install the prerequisites first — Fedora/RHEL: sudo dnf install bubblewrap nftables iproute; Debian/Ubuntu: sudo apt install bubblewrap nftables iproute2.

    # one-liner: download the prebuilt binary, install to ~/.local/bin, generate the CA, run preflight
    curl -fsSL https://raw.githubusercontent.com/own2pwn-fr/burpwn/main/install.sh | sh

    # from a checkout (builds from source if no prebuilt binary fits your arch)
    ./install.sh
    ./install.sh --hooks          # also installs the global shell hook
    ./install.sh --from-source    # force a source build

    # or via cargo / the Makefile
    cargo install --git https://github.com/own2pwn-fr/burpwn burpwn
    make install PREFIX=/usr/local    # make install may need sudo; make help lists tasks

The curl | sh path downloads the release binary for your architecture (x86_64 / aarch64 Linux) and verifies its checksum; if none matches it falls back to a cargo source build.

    cargo build --release    # produces a single burpwn binary at target/release/burpwn
    cargo test               # the privileged rootless-sandbox test is ignored

burpwn init installs an rtk-style command-rewrite hook so every shell command your agent runs is transparently routed through burpwn exec (captured + decrypted), while the agent's own LLM traffic is never touched. There is also an MCP server and a ready-made agent skill:

    burpwn init --agent claude    # Claude Code / Copilot PreToolUse hook (also: cursor, gemini, cline)
    burpwn init --global          # generic shell hook — works for any agent
    burpwn mcp                    # MCP server over stdio (session/exec/req/intercept tools)

The bundled agent skill lives in skills/burpwn/ (/own2pwn-fr/burpwn/blob/main/skills/burpwn) — copy it into ~/.claude/skills/ or your agent's skills dir to teach an agent the workflow.
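
The capture store described above (per-session SQLite, WAL, content-addressed body dedup, FTS5 search) can be sketched as follows. This is an added example, not burpwn's own code or schema: the table names, columns and helper functions are hypothetical, the flows are constructed sample data, and it assumes a SQLite build with FTS5.

```python
import hashlib
import sqlite3

# Hypothetical schema (an assumption for illustration, not burpwn's real layout).
# WAL lets readers query while the single writer appends; it is a no-op for :memory:.
SCHEMA = """
PRAGMA journal_mode=WAL;
CREATE TABLE bodies (sha256 TEXT PRIMARY KEY, data BLOB NOT NULL);
CREATE TABLE flows (
    id INTEGER PRIMARY KEY, method TEXT NOT NULL, url TEXT NOT NULL, status INTEGER,
    req_body TEXT REFERENCES bodies(sha256), resp_body TEXT REFERENCES bodies(sha256));
CREATE VIRTUAL TABLE flow_fts USING fts5(url, body_text);
"""

def open_store(path=":memory:"):
    db = sqlite3.connect(path)
    db.executescript(SCHEMA)
    return db

def put_body(db, data):
    """Store a body under its SHA-256; identical bodies occupy one row."""
    if not data:
        return None
    digest = hashlib.sha256(data).hexdigest()
    db.execute("INSERT OR IGNORE INTO bodies VALUES (?, ?)", (digest, data))
    return digest

def record_flow(db, method, url, status, req=b"", resp=b""):
    cur = db.execute(
        "INSERT INTO flows (method, url, status, req_body, resp_body) VALUES (?,?,?,?,?)",
        (method, url, status, put_body(db, req), put_body(db, resp)))
    text = (req + b"\n" + resp).decode("utf-8", "replace")
    # Index under the flow id so a search hit maps straight back to the flow row.
    db.execute("INSERT INTO flow_fts (rowid, url, body_text) VALUES (?,?,?)",
               (cur.lastrowid, url, text))
    db.commit()
    return cur.lastrowid

def search(db, phrase):
    """Quote the input as one FTS5 phrase so operators in it are treated as text."""
    quoted = '"' + phrase.replace('"', '""') + '"'
    rows = db.execute(
        "SELECT rowid FROM flow_fts WHERE flow_fts MATCH ? ORDER BY rowid", (quoted,))
    return [r[0] for r in rows]

def demo():
    db = open_store()
    not_found = b"<html><h1>404 Not Found</h1></html>"  # constructed sample bodies
    record_flow(db, "GET", "https://target.example/a", 404, resp=not_found)
    record_flow(db, "GET", "https://target.example/b", 404, resp=not_found)
    record_flow(db, "POST", "https://target.example/login", 200,
                req=b"user=alice", resp=b'{"session":"constructed-token"}')
    n_bodies = db.execute("SELECT COUNT(*) FROM bodies").fetchone()[0]
    return n_bodies, search(db, "Not Found"), search(db, "alice")
```

Three flows reference five non-empty bodies but only three rows are stored, because the two identical 404 pages hash to the same key.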