Burpwn: a security proxy built for auditing AI agents

Anyone who's audited a web application knows that Burp Suite is the starting point: you intercept HTTP traffic, inspect it, modify it, and hunt for where business logic fails. That same approach is now landing in the world of AI agents. Burpwn, released this week and featured on Hacker News, is a proxy designed specifically to sit between an AI agent and the external tools or APIs it invokes.

The project is in a very early stage, barely noticed on HN at the time of writing, but the approach deserves attention because it tackles a real problem the community has been flagging for months: autonomous agents make decisions and execute actions, yet until now we've had almost no visibility into what they send, to whom, and in what context.

What it actually does

Burpwn acts as an interception layer between the agent and its external destinations: MCP servers, REST APIs, web tools, whatever the agent calls during its lifecycle. The idea is to replicate the workflow any pentester already knows:

• Intercept the request before it reaches its destination.
• Inspect the full payload, including the context the agent attaches.
• Modify or block the call to test how the agent reacts.
• Log the call history for later analysis.

In the current Claude ecosystem, this makes immediate sense. Claude Code can orchestrate sub-agents, invoke MCP servers, and execute hooks at each stage of the lifecycle. Each of these points is a potential attack surface: prompt injection in an MCP server response, data exfiltration through a compromised tool, or simply unexpected behaviors that only show up when you observe actual traffic.

Why it matters now

Offensive AI security is several steps behind deployment. Companies have been running agents in production for months, connected to databases, internal systems, and third-party APIs, without access to tools equivalent to what they use for auditing conventional web applications. Burp Suite took years to become what it is; projects like Burpwn suggest someone is starting to build that stack for agents.

The underlying problem is non-trivial. An AI agent doesn't generate predictable HTTP traffic: the context it sends to each tool varies based on conversation state, system instructions, and previous results. That makes generic proxies difficult to use directly: you need to understand the semantics of the messages, not just the bytes.

If Burpwn incorporates logic specific to parsing the format of tool calls, the JSON schema used by MCP and other agent interfaces, it could be genuinely useful for red teams wanting to map what information leaves the perimeter when an agent operates.

Who it's useful for today

In its current state, the most obvious user profile is the security researcher or red teamer already working with agents who wants to inspect traffic without building a custom solution with `mitmproxy` and ad hoc Python scripts. It could also interest teams developing their own MCP servers who want to verify they're not leaking sensitive data in their responses.

For product teams deploying agents in production environments, it's still too early: the tool needs documentation, validated use cases, and probably CI/CD workflow integration before it's operational in that context.

A missing piece

We don't yet know how far Burpwn will go or whether the author will maintain it actively. What is clear is that the problem it aims to solve, visibility and control over what agents do when no one is watching, won't disappear. The sooner the community starts building and refining tools like this, the better positioned we'll be when agent audit requirements shift from recommendation to regulatory obligation.

We'll be watching this closely. A proxy purpose-built for agents is exactly the kind of tool the ecosystem needs, even if this particular one still has to prove it lives up to its name.