BurpSuite Pro Connector

Burp Scanner is a state-of-the-art vulnerability scanner for web applications. It is designed with security testers in mind, to integrate closely with your existing techniques and methodologies for manual and automated testing.

To import your data from BurpSuite to the Kenna.AppSec module, you will need to leverage the BurpSuite XML Connector under the Dynamic Assessment tools.

The Connector is a mandatory full run connector, as it is a file-based (XML) connector.


User Prerequisites/Connector Setup:

  • Given that the Connector is file based, users must simply have access to export data from BurpSuite in the proper format.

Configuring your Connector in Kenna


To set up the Connector, navigate to the Connectors tab in your Kenna deployment (you must be a Kenna Administrator to do so). On the Connectors page, select BurpSuite.


Once you select the BurpSuite, the following screen will appear:


  • Enter a name for the connector, or leave it as “Burp” if you wish.

  • Click Save and Verify.

  • If you’d like to set a connector level asset inactivity limit, you can do that at this time, or later. (We recommend 2-3x the scan cadence of your Burp Scans).


What BurpSuite Items does Kenna Import?

Kenna will import all of the applications associated with the user leveraged for the export loaded to the connector. We will pull:

BurpSuite Field

Kenna Field


issue > host

Application identifier

Search for Application identifier in Kenna by using the custom query box and typing application:""

issue > host + issue > path


IFF path is present


Finding Status

 Vulnerability status is Open or Closed. We do not map False Positives or Triage States. Open vulnerabilities are reported in application scan reports. Closed vulns are no longer present in these reports and Kenna will autoclose the vulnerability.


Vulnerability Name




Informational - 0
Low - 3
Medium - 6
High - 9
Else - 0


Identifier (vulnerability)


CWE ids



WASC ids






issue.host (without protocol)




Last Seen

Kenna does not receive an explicit last seen time. We utilize the report export time as the last seen date for all items.

The Kenna Connector does not pull in the following:

  • Custom Fields

  • Tags

Optional Settings

The following settings can be enabled on the backend for BurpSuite Connectors. To have these settings enabled, or for more information, please contact Support, or your Customer Success Engineer.

  • Exclude Informationals

    • When this option is enabled, Kenna will not import vulnerabilities that do not include a CVE, CWE, or WASC ID.

  • Ignore Scanner Last Seen Time

    • If you do not want the asset last seen time in Kenna to be the scanner reported last seen time.

  • Custom Ordered Locators

    • Locators (IP, Netbios, FQDN, etc) can be reordered to better deduplicate vulnerabilities on the Connector level or the entire Platform level. For more information see the help article here.


Common Reasons for Burp Connector Run Failures

  • Unexpected data returned

    • If Kenna receives data that is not in the expected format and we are unable to process it, the connector will fail.

  • If more than 1% of connector payloads fail to import cleanly, Kenna will auto-fail the Connector Run


Additional Assistance:

Please contact Kenna Support should you require any additional assistance with the BurpSuite Connector.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request



Please sign in to leave a comment.