
Download the extension
The extension is distributed as a pre-built JAR from the dedicated repository:Vigolium Burp Suite extension
Grab the latest
burp-vigolium.jar and browse the source at
github.com/vigolium/burp-vigolium.burp-vigolium.jar directly, or build it from source:
Install and connect
Start the Vigolium server
The extension needs a running server to talk to. Start one (add Retrieve the API key to paste into the extension:
--mirror-fs <dir> to also write traffic to disk):Load the JAR into Burp
In Burp, go to Extensions → Installed → Add. Set Extension type: Java, choose the downloaded
burp-vigolium.jar, and click Next. A Vigolium tab appears.Point it at your server
Open Vigolium → Settings, enter the Server URL (default
http://127.0.0.1:9002) and API Key on the Server Connection row, then click Test Connection to confirm the server is reachable.The installed extension version is shown in the upper-right corner of the Settings view. Release builds read it from the JAR manifest; local IDE runs display
development.Three dispatch workflows
Right-click a request in Proxy History, Target Site map, Repeater, or any supported Burp request view — the actions are available directly, without opening a nested menu:| Action | Default shortcut | What it does |
|---|---|---|
| Send to Vigolium (ingestion) | Ctrl+Alt+V | Stores the selected request/response in Vigolium via /api/ingest-http |
| Send to Native Scan | Ctrl+Alt+N | Starts a deterministic module-based scan of the selected request |
| Send to Agentic Scan | Ctrl+Alt+A | Starts an AI-guided (swarm) scan of the selected request |
Forward proxy traffic automatically
Instead of dispatching requests one at a time, enable Proxy Mode to forward everything flowing through Burp Proxy into Vigolium. Combine it with In-scope only so static assets and out-of-scope hosts don’t pollute the database, and use the Proxy Filter Rules to allow or deny by file extension, HTTP method, or host.Passive-only ingestion
Pair Proxy Mode with a passive-only server (
vigolium server -S --passive-only) to continuously analyze browsed traffic — secrets, security headers, cookie flags, disclosure — without sending any active requests. See Server & Ingestion.What you get inside Burp
The Vigolium panel is organized into six tabs:| Tab | Purpose |
|---|---|
| Findings Records | Searchable, sortable findings with per-finding evidence tabs, request/response editors, an expandable description, and Copy Finding as Markdown |
| HTTP Records | Filterable, sortable request/response records synchronized with Vigolium |
| Scanning Records | Native and agentic scan history with pagination, auto-refresh, and scan logs |
| Bridge | Target Site map snapshots, the live loopback listener, Proxy forwarding, and filter rules |
| Settings | Extension version, server connection, scan options, request statistics, and configurable hotkeys |
| Logs | Timestamped activity log (INFO / WARN / ERROR) |

Keyboard shortcuts
Every action is rebindable under Settings → Keyboard Shortcuts. The defaults:| Action | Default shortcut |
|---|---|
| Send to ingestion | Ctrl+Alt+V |
| Send to native scan | Ctrl+Alt+N |
| Send to agentic scan | Ctrl+Alt+A |
| Snapshot Target Site map | Ctrl+Alt+S |
| Refresh active record view | Ctrl+Alt+R |
Ctrl+Alt+R is contextual — while focus is inside Findings Records, HTTP Records, Native Scans, or Agentic Scans, it activates that view’s Refresh button.
Target Site map snapshots
Beyond per-request dispatch, the extension can upload your whole Target Site map to Vigolium in one shot. Open Vigolium → Bridge → Target Site Map Snapshot and either run a snapshot immediately (Ctrl+Alt+S) or enable periodic snapshots (disabled by default; five-minute interval when on). Use In-scope only to exclude out-of-scope traffic.
Snapshots are incremental within the current Burp session and idempotent on the server: requests and available responses upload in bounded chunks, and unchanged records are never duplicated.
Bidirectional live bridge
The live bridge connects Vigolium’s CLI and server to Burp in both directions over an opt-in, loopback-only listener — query live Burp Proxy history from Vigolium, or copy Vigolium traffic back into Burp’s Target Site map.Enable the listener in Burp
Open Vigolium → Bridge, select Enable live bridge, and set the listener URL (default
http://127.0.0.1:9009). The extension starts an embedded HTTP server on that loopback address; it refuses non-loopback binds. Optionally enable In-scope items only to keep bridge searches within Burp’s Target scope.Point Vigolium at the listener
--burp-bridge-url flag instead of the env var.source: burp, and the usual traffic filters, sorting, pagination, and JSON output all continue to apply. Bridge imports are idempotent — new requests are inserted, changed responses refresh the existing row, and unchanged traffic is skipped.
The bridge listener is disabled by default and requires no credentials because it only binds to a validated loopback address, rejects unexpected
Host/Origin headers, and uses temporary result references that expire when the listener restarts or the extension unloads. Disabling the setting or unloading the extension stops the listener immediately.Under the hood
The extension calls the standard Vigolium API (authenticated withAuthorization: Bearer {API_KEY}):
| Method | Endpoint | Description |
|---|---|---|
GET | /health | Test the server connection |
POST | /api/ingest-http | Store selected or forwarded Burp traffic |
POST | /api/scan-request | Start a native scan for selected traffic |
POST | /api/agent/run/swarm | Start an agentic scan for selected traffic |
POST | /api/scan-all-records | Scan all stored HTTP records |
POST | /api/burp/sitemap/snapshot | Upload an idempotent Site map snapshot chunk |
GET | /api/findings, /api/http-records, /api/scans, /api/agent/sessions | List findings, records, and scan runs |
/api/burp-bridge/{search,inspect,sitemap}). For lower-level ingestion details, see Server ingestion; for the full extension reference and source, see github.com/vigolium/burp-vigolium.