Channel: Hakin9 – IT Security Magazine

Exclusive Interview with Alexandre Teyar - the creator of BurpGPT

Dear Readers, Burp Suite and ChatGPT have been hot topics in the world of Cybersecurity. That is why we have decided to talk with the person who connected them both. The guest in this interview is Alexandre Teyar, the creator of BurpGPT, but it’s best he introduces himself.

  • [Hakin9] Could you tell us a little bit more about yourself? What got you into Cybersecurity?

[Alexandre] My passion for cyber security and IT began during my teenage years when I started reverse engineering and cracking games. I went on to pursue a master's degree in Computer Science, Network, and Telecommunication Systems from a French engineering school, where I had the opportunity to study in Ireland and Sweden, adding an international perspective to my education. My first job was as a pentester for a vulnerability scanner vendor, where I gained a strong foundation in offensive security. Currently, I am the Managing Director at Aegis Cyber, a UK-based cyber boutique that provides high-quality security services. Over the past decade, I have worked with more than 100 clients from diverse industries, including defense, oil, fintech, and crypto, to secure their information systems. I have experience in securing mobile apps, cloud infrastructure, web apps, and IoT devices. As a researcher, I have published papers on various topics, including mobile banking application security. I have also developed cutting-edge hacking techniques such as smali malware injection and evil twin attacks. Additionally, I am a developer who has created multiple cybersecurity tools that have become industry standards. BurpGPT is one such example.

  • [Hakin9] Do you see the impact of AI on cybersecurity even now and do you think it will start becoming more and more important?

[Alexandre] AI is undeniably transforming the landscape of cybersecurity. At present, the most significant impact can be observed on the defensive side, with the widespread adoption of AI-powered intrusion detection and prevention systems (IDS/IPS) and other cutting-edge technologies employed by blue teams. On the offensive side, red teams are only just beginning to harness the potential of AI for cyberattacks, which has sparked numerous ethical debates on professional platforms like LinkedIn. As AI continues to evolve, its role in cybersecurity will undoubtedly become increasingly vital, shaping both the strategies of cyber defenders and the tactics of attackers.

 

  • [Hakin9] In your opinion, can ChatGPT be a useful tool for cybersecurity specialists?

[Alexandre] ChatGPT showcases the potential of AI, particularly large language models, in addressing intricate challenges that would typically necessitate expertise in specialized fields, such as advanced cryptography, as well as considerable time and resources. When properly implemented and utilized, ChatGPT can undoubtedly offer valuable insights and support in tackling a wide array of network traffic and cybersecurity issues. As the technology continues to develop, cybersecurity specialists can benefit greatly from incorporating AI-powered tools like ChatGPT into their arsenal.

 

  • [Hakin9] Have you created any other Burp extensions? What got you interested in Burp?

[Alexandre] I have created numerous Burp extensions, with the most prominent ones being the OpenAI parser and BurpGPT. Both were developed to tackle issues that Burp Suite initially had no built-in solutions for, and they rapidly gained recognition as industry standards. My interest in Burp Suite stemmed from my career as a penetration tester. Having been immersed in offensive cybersecurity for as long as I can remember, I have utilized essential tools in the red teamers' arsenal. Burp Suite has consistently been a top choice (alongside OWASP ZAP, and more recently, Nuclei and other modern frameworks) for web application testing. Consequently, I have devoted considerable time to mastering Burp Suite at its core, extending its innate capabilities to leverage its robust scanning engine for custom engagements tailored to my clients' needs.

 

  • [Hakin9] Are there any more projects you’re working on?

[Alexandre] Currently, I am working on a Pro edition of BurpGPT that is slated for release in the near future. This upgraded version is designed to address the feedback gathered from the expert community after BurpGPT's initial launch. Stay tuned for updates on this exciting development as I continue to refine and expand the capabilities of this AI-driven tool for cybersecurity professionals.

 

  • [Hakin9] Can AI-solutions be key in securing private resources?

[Alexandre] AI solutions for cybersecurity can be a double-edged sword, resembling a cat-and-mouse game. As AI progresses, its power will be harnessed by both blue and red teamers, potentially neutralizing each other's advancements. Additionally, data privacy concerns arise due to the current model, which necessitates sending data to centralized servers for analysis before receiving a response. This issue can be somewhat alleviated by deploying enterprise on-premises servers, but doing so requires specialized knowledge, and not all users may prioritize addressing these data privacy concerns. Consequently, striking a balance between AI-driven security benefits and data privacy remains an ongoing challenge in the field of cybersecurity.

 

  • [Hakin9] What else may be a game changer in cybersecurity in your opinion?

[Alexandre] In my view, AI represents the most significant technological leap of the century, if not the millennium, and we are just at the dawn of this new era. The only other contender in the realm of information technology would be quantum computing, which faces physical and technological constraints that place it second on my list.

 

  • [Hakin9] What's the difference between your new project BurpGPT Pro and BurpGPT?

[Alexandre] BurpGPT Pro offers a wide range of features that have been highly requested by the community of specialists. One of the most notable features is the ability to run everything locally, ensuring that no data ever leaves the network when using local Large Language Models. This is particularly advantageous for security specialists who need to perform engagements for their clients without compromising any data privacy requirements. Additionally, users can now create and use custom-trained models, which means that companies and specialists alike can spend time training a model on a very specific type of traffic analysis and then utilize it with Burp through BurpGPT Pro. This opens up a world of practical applications. Along with these significant improvements, the UI/UX has been enhanced, and a prompt library has been added. For more information, please visit https://burpgpt.app.

 

  • [Hakin9] With the implementation of AI, can cybersecurity specialists be afraid of their jobs?

[Alexandre] Artificial Intelligence (AI) is rapidly changing the cybersecurity landscape. With the increasing ability of models to understand the expected behavior of complex applications, they can detect logic bugs, which is something that non-AI vulnerability scanners struggle with. This is one of the reasons why offensive security jobs still exist. However, this transition will take some time, and I believe that there will always be a need for highly skilled specialists to instruct and operate these models/AI co-pilots. This is also true for the blue team side of things, as we see blue team tooling gaining new "AI-features" every day. Once these technologies reach maturity, I believe there will be two possible outcomes. The first outcome is massive layoffs within the cybersecurity industry as staff gets replaced by AI-powered tools. The second outcome is huge productivity gains by assisting, training, and educating staff with these AI tools. The way companies choose to adopt AI tools will heavily depend on industry-specific factors and economic factors.

