Let "Claude Code" do your Pentesting!

In this video, I walk through a live demo of using Claude Code for pentesting, covering the same security test cases you'd run manually with Burp Suite, but letting the AI drive the workflow. It's a hands-on look at how Claude Code talks to Burp via MCP and controls a Playwright browser (proxied through Burp) to run real security tests autonomously: IDOR, authentication bypass, and CSRF protection checks. We start with a manual walkthrough in Burp Suite against a sample snippet-sharing app, then repeat the exact same tests with Claude Code. The result is a white-box pentesting workflow: the AI has access to both the running app and its source code, so it can pick its targets and payloads with context a traditional black-box approach never has.

Read on Medium: / c58bc6987a99

📌 MCP setup commands

Burp MCP (the Burp MCP Server extension listens on 127.0.0.1:9876 and uses the SSE transport; -s user registers it in your user-level Claude Code config so it is available in every project):
claude mcp add --transport sse burp http://127.0.0.1:9876/ -s user

Playwright MCP with the browser routed through Burp's proxy listener on 127.0.0.1:8080 (--ignore-https-errors is required because Burp re-signs TLS with its own CA, which the headless browser will not trust otherwise):
claude mcp add playwright -s user -- npx @playwright/mcp@latest --proxy-server=http://127.0.0.1:8080 --ignore-https-errors

⏱️ Chapters
00:00:00 Intro
00:00:36 Burp Suite Overview
00:01:55 Installing & Starting Burp
00:03:32 Demo App & Manual Test Setup
00:05:04 IDOR Test Case - Manual Walkthrough with Burp
00:07:42 Authentication & CSRF Protection Testing
00:09:04 Pivoting to Claude Code
00:09:17 Setting Up the Burp MCP
00:10:49 Setting Up Playwright MCP with Burp Proxy
00:13:16 Prompting Claude Code - The Test Case
00:16:29 Claude Code Live Demo
00:20:51 Results & White-Box Advantage
00:21:03 Packaging as a Claude Code Skill
00:22:02 Recap

#AppSec 🛡️ #Pentesting 🔐 #ClaudeCode 🤖 #BurpSuite 🔁 #IDOR 🔓 #SecurityEngineering 🧠 #DevSecOps ⚙️ #ApplicationSecurity 👨🏻‍💻 #MCP 🔌 #Playwright 🎭
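For reference, here are the three checks from the video (IDOR, authentication bypass, CSRF enforcement) written out as a plain Python script that sends its traffic through the same Burp listener the Playwright MCP command points at. This is an added example, not code from the video or from the demo app. It assumes a hypothetical snippet app with GET /snippets/<id> (200 for the owner, 401/403 or a redirect for anyone else), a creation form at /snippets/new carrying a hidden csrf_token input, and a POST /snippets endpoint; the cookie values and base URL are yours to supply. The verdict functions take only status codes and HTML, so they can be exercised without the app running.

```python
"""Scripted versions of the IDOR, auth-bypass and CSRF checks (added example).

Assumptions, not taken from the video: GET /snippets/<id> returns 200 only to
the owner, /snippets/new renders a form with a hidden csrf_token input, and
POST /snippets creates a snippet. Burp's proxy listener is 127.0.0.1:8080.
"""
import ssl
import urllib.error
import urllib.request
from html.parser import HTMLParser

BURP_PROXY = "http://127.0.0.1:8080"  # same listener as --proxy-server above


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx as a result instead of following it: if urllib followed the
    302 to /login, an anonymous request would look like a 200 and the auth
    check would report a bypass that is not there."""
    def redirect_request(self, *args, **kwargs):
        return None


def burp_opener():
    """Opener that proxies through Burp and accepts Burp's self-signed CA."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # equivalent of --ignore-https-errors
    return urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": BURP_PROXY, "https": BURP_PROXY}),
        urllib.request.HTTPSHandler(context=ctx),
        _NoRedirect(),
    )


def fetch(opener, url, cookie="", data=None):
    """Return (status, body). HTTP error codes are results here, not exceptions."""
    headers = {"Cookie": cookie} if cookie else {}
    req = urllib.request.Request(url, data=data, headers=headers)
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def idor_verdict(owner_status, other_user_status, anonymous_status):
    """Classify a private snippet by who can read it: its owner, another
    logged-in user (IDOR), and nobody at all (authentication bypass)."""
    if owner_status != 200:
        return "inconclusive: owner cannot read own snippet"
    findings = []
    if anonymous_status == 200:
        findings.append("authentication bypass: anonymous read")
    if other_user_status == 200:
        findings.append("IDOR: other user read")
    return "; ".join(findings) if findings else "protected"


class _HiddenInputs(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.hidden[a["name"]] = a.get("value") or ""


def csrf_token_from_form(html_text, names=("csrf_token", "_csrf", "authenticity_token")):
    """(name, value) of the first recognised anti-CSRF hidden input, else None."""
    parser = _HiddenInputs()
    parser.feed(html_text)
    for name in names:
        if parser.hidden.get(name):
            return name, parser.hidden[name]
    return None


def csrf_verdict(with_token_status, without_token_status):
    """A token in the form proves nothing; the same POST minus the token must be rejected."""
    if with_token_status >= 400:
        return "inconclusive: valid submission failed"
    if without_token_status >= 400:
        return "protected"
    return "missing CSRF protection: token not enforced"


def run_against_app(base, owner_cookie, other_cookie, snippet_id):
    """Drive all three checks against a live app through Burp."""
    op = burp_opener()
    url = f"{base}/snippets/{snippet_id}"
    access = idor_verdict(fetch(op, url, owner_cookie)[0],
                          fetch(op, url, other_cookie)[0],
                          fetch(op, url)[0])
    status, form_html = fetch(op, f"{base}/snippets/new", owner_cookie)
    token = csrf_token_from_form(form_html) if status == 200 else None
    if token is None:
        return access, "no anti-CSRF hidden input found in form"
    name, value = token
    with_tok = fetch(op, f"{base}/snippets", owner_cookie, data=f"content=x&{name}={value}".encode())[0]
    without_tok = fetch(op, f"{base}/snippets", owner_cookie, data=b"content=x")[0]
    return access, csrf_verdict(with_tok, without_tok)
```

Because every request goes through Burp, the same traffic shows up in the proxy history and can be replayed in Repeater, which is exactly what the manual half of the video does by hand and the Claude Code half does through the MCP tools.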