2026-05-23·5 min read·sota.io Team

PortSwigger Burp Suite EU Alternative 2026 — DAST, UK Post-Brexit & GDPR Risk

Post #1246 in the sota.io EU Application Security Testing Series


PortSwigger Web Security's Burp Suite is the undisputed industry standard for Dynamic Application Security Testing (DAST). Used by millions of security professionals worldwide, Burp Suite Professional is the de facto proxy tool for web application penetration testing. But for EU organizations building security-conscious development pipelines, PortSwigger's UK incorporation creates a sovereignty problem that most security teams have not fully examined.

The issue is not hypothetical. Since Brexit, the UK operates under its own legal framework — one that includes the Investigatory Powers Act 2016 (IPA), widely characterized as one of the most expansive surveillance laws in the democratic world. And since August 2022, a US-UK CLOUD Act bilateral agreement means that US authorities can request data directly from UK companies, including PortSwigger. For EU organizations scanning their production systems with Burp Suite Enterprise Edition, this creates a chain of legal exposure that runs from Knutsford, Cheshire, to Whitehall to Washington D.C.

Who Owns PortSwigger?

PortSwigger Ltd is a private limited company incorporated in England and Wales. The company was founded in 1999 by Dafydd Stuttard (known in the security community as "daf"). PortSwigger remains privately held with no publicly disclosed private equity or venture capital investment — an unusual distinction in the security tooling market that has seen significant consolidation.

Corporate Structure:

Unlike Checkmarx (US PE), Sonatype (Vista Equity), or Synopsys/Black Duck (Clearlake Capital + Francisco Partners), PortSwigger has no US private equity overlay — which initially sounds reassuring. But the UK legal framework creates its own sovereignty exposure independent of corporate ownership.

The UK Post-Brexit Legal Framework

When the UK left the EU on January 31, 2020, it retained a version of GDPR as "UK GDPR" under the Data Protection Act 2018. The EU granted the UK an adequacy decision in June 2021, allowing data to flow from the EU to the UK without additional safeguards — similar to the mechanism that once governed EU-US transfers before Schrems II invalidated Privacy Shield.

However, this adequacy decision does not make the UK equivalent to an EU member state for sovereignty purposes. Two UK laws create specific risks:

Investigatory Powers Act 2016 (IPA)

The IPA — nicknamed the "Snoopers' Charter" — is the UK's comprehensive surveillance law. It grants authorities sweeping powers:

Section 252 — National Security Notices: UK intelligence can require communications providers (including SaaS companies like PortSwigger) to provide data or capabilities without judicial oversight in the initial stage. The target company is typically prohibited from disclosing the notice exists (non-disclosure requirement).

Bulk Collection Powers (Part 6): UK intelligence agencies (GCHQ, MI5, MI6) can collect bulk communications data, including intercepted internet traffic, under ministerial authorization — without needing to specify a known target.

Section 76 — Bulk Acquisition: Intelligence agencies can require retention and disclosure of bulk communications data from UK companies.

For EU organizations, the critical question is: does PortSwigger qualify as a "telecommunications operator" or "telecommunications service" under IPA? The answer is nuanced but concerning. Companies providing internet-mediated services can fall under IPA's scope, and security tooling that routes HTTP traffic through cloud infrastructure sits in a gray zone.

US-UK CLOUD Act Bilateral Agreement

This is the element most EU security professionals are unaware of. On October 3, 2019, the US and UK signed a bilateral agreement under the Clarifying Lawful Overseas Use of Data (CLOUD Act) of 2018. The agreement entered into force on August 3, 2022.

What it means for PortSwigger: Under this agreement, US authorities (FBI, DOJ) can issue orders directly to UK companies — including PortSwigger — requesting data on specific individuals or organizations. UK companies are legally obligated to comply. Crucially, this works in both directions: UK authorities can also request data from US companies more easily.

The US-UK CLOUD Act bilateral agreement effectively means that a UK company like PortSwigger faces not just UK IPA exposure but also direct US legal process — without those requests needing to go through mutual legal assistance treaty (MLAT) channels, which would at least require judicial review.

Five Eyes Intelligence Sharing (UKUSA Agreement)

The UK is a founding member of the Five Eyes alliance (UK, USA, Canada, Australia, New Zealand). The UKUSA Agreement provides a framework for intelligence sharing between these nations. In practice, signals intelligence (SIGINT) collected by GCHQ under IPA bulk powers can be shared with NSA and other Five Eyes agencies.

This creates a transitive exposure: data held by a UK company, accessed by GCHQ under IPA, can flow to US intelligence through Five Eyes channels — even if the US CLOUD Act bilateral agreement is not formally invoked.

What Data Does Burp Suite Handle?

Understanding the sovereignty risk requires understanding what Burp Suite actually captures. DAST is fundamentally different from SAST (which scans source code), and it intercepts different categories of sensitive data:

Burp Suite Professional (Local Proxy Mode)

In Professional mode, data stays local to the tester's machine. The sovereignty risk is primarily around who has access to the Burp Suite software supply chain and whether PortSwigger could be compelled to instrument updates.

Burp Suite Enterprise Edition (Cloud/Centralized Mode)

This is where the exposure becomes unambiguous.

For EU organizations running Burp Suite Enterprise in PortSwigger's hosted infrastructure, the scan results describe in detail the security vulnerabilities of EU systems — a particular concern under NIS2 Art.21(2)(e) which requires "security in network and information systems" including third-party tools.

CLOUD Act Sovereignty Score: PortSwigger / Burp Suite

Using the same five-dimension framework applied across the EU-AST series:

| Dimension | Factor | Score |
|---|---|---|
| D1 — Corporate Jurisdiction | UK private company, England & Wales, IPA 2016 scope | 4/5 |
| D2 — Government Access Mechanisms | IPA 2016 + US-UK CLOUD Act bilateral (active since Aug 2022) + Five Eyes | 5/5 |
| D3 — Data Types Intercepted | HTTP traffic with auth tokens, session data, PII in bodies, vulnerability maps | 4/5 |
| D4 — Infrastructure Location | UK + optional AWS EU regions (Enterprise Edition) | 3/5 |
| D5 — Government Program Participation | No FedRAMP; some ISO 27001; no DoD/FedCiv contracts disclosed | 3/5 |
| Total | PortSwigger Burp Suite Enterprise | 19/25 |

Score interpretation: 19/25 reflects a company that, despite no US corporate structure, faces substantial UK and transitive US government access risk via IPA 2016 and the US-UK bilateral CLOUD Act agreement. The D2 score of 5/5 is notable — few non-US companies achieve this, but the combination of IPA + bilateral agreement + Five Eyes creates an exposure profile comparable to US-headquartered vendors.

Comparison with EU-AST Series:

PortSwigger ties Checkmarx as the highest-risk vendor in this series — despite being a UK private company with no disclosed US ownership.

The UK Adequacy Decision Risk

EU organizations often note that the UK has an EU adequacy decision and therefore GDPR-compliant data transfers are permitted. This is technically correct for current transfers — but it obscures the sovereignty question.

The adequacy decision addresses data transfer legality, not intelligence access. Schrems II invalidated Privacy Shield not because data transfers were formally illegal, but because US intelligence agencies could access transferred data without meaningful legal recourse for EU data subjects. The same logic applies to UK-based transfers:

  1. UK adequacy decision permits the transfer ✓
  2. But UK intelligence can access data under IPA without meaningful EU data subject recourse ✗
  3. US intelligence can access UK-held data via Five Eyes sharing ✗
  4. US authorities can directly request PortSwigger data via US-UK bilateral agreement ✗

Adequacy ≠ Sovereignty. The adequacy decision may itself face Schrems-III style challenge — the European Data Protection Board has expressed concerns about IPA's bulk collection provisions and their compatibility with EU data subject rights. Max Schrems' organization noyb has already published analyses suggesting UK adequacy may not survive legal challenge.

For risk-averse EU organizations, particularly those in NIS2-regulated sectors (energy, healthcare, finance, digital infrastructure), relying on UK adequacy for security tooling data creates unnecessary exposure.

GDPR Art.32 Implications for DAST Tooling

GDPR Art.32 requires organizations to implement "appropriate technical and organisational measures" ensuring security "appropriate to the risk." For DAST tooling, this creates specific obligations:

Processor agreements: If Burp Suite Enterprise is processing personal data (which it does when scanning applications containing user data), PortSwigger is a data processor under GDPR Art.28. Your DPA with PortSwigger must address their obligations as a UK-based processor — including IPA compliance obligations that could conflict with GDPR processor requirements.

Data minimization: DAST scan results contain detailed maps of application vulnerabilities. Storing these with a UK processor that faces IPA disclosure obligations may conflict with GDPR Art.5(1)(c) minimization and Art.25 data protection by design.

Third-party risk assessments: Under NIS2 Art.21(2)(d), essential and important entities must assess supply chain security risks. Using a UK-based security scanner — which could be compelled to provide findings data, or theoretically to instrument its software — should appear in NIS2 third-party assessments.

CRA Art.13 Documentation: The Cyber Resilience Act requires security documentation for products with digital elements. If your DAST scanning tool is subject to foreign government access under IPA, this is a material factor in your security posture documentation.

EU-Native DAST Alternatives

The open-source DAST ecosystem provides credible alternatives with 0/25 sovereignty exposure when self-hosted:

OWASP ZAP (Zaproxy) — 0/25 (self-hosted)

OWASP Foundation — The Open Web Application Security Project is a US-based 501(c)(3) nonprofit, but ZAP is fully open-source (Apache 2.0 license). When self-hosted, no data leaves your infrastructure.

Greenbone Vulnerability Management (GVM/OpenVAS) — 0/25

Greenbone Networks GmbH — Headquartered in Osnabrück, Germany. EU-incorporated, EU-governed, no US parent.

Nuclei (ProjectDiscovery) — 0/25 (self-hosted)

ProjectDiscovery Inc. — Delaware corporation, US-based. However, Nuclei is open-source (MIT license) and when self-hosted, creates no data processor relationship.

Caido — Emerging Alternative

Caido Technologies Inc. — Canadian company. Burp Suite-inspired web security proxy, built in Rust. Smaller company, no PE overlay, no US intelligence relationships disclosed.

For EU organizations requiring both compliance and comprehensive DAST coverage:

EU-Sovereign DAST Stack:
├── OWASP ZAP (self-hosted) — web application DAST proxy
│   ├── ZAP Docker container in EU infrastructure
│   ├── REST API integration with EU CI/CD (GitLab CE, Forgejo)
│   └── Scan results stored in EU-based SIEM/logging
├── Greenbone Community Edition — infrastructure vulnerability scanning
│   ├── Self-hosted appliance on EU infrastructure
│   └── Results in EU-controlled database
├── Nuclei (self-hosted) — template-based web vuln scanning
│   └── ProjectDiscovery templates, no cloud dependency
└── Results aggregation: DefectDojo (OWASP, self-hosted)
    └── EU-controlled vulnerability tracking and reporting

CLOUD Act score: 0/25 — all components self-hosted on EU infrastructure with no US or UK cloud dependency.

EU-native commercial option: Detectify (Stockholm, Sweden) — EU-incorporated DAST SaaS.

NIS2 Art.21(2)(e) — Security in Development Processes

NIS2-regulated entities (Annex I/II: energy, health, digital infrastructure, finance, transport, water, space) must implement "security in network and information systems, including [...] security in the supply chain including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers."

Using Burp Suite Enterprise as a security testing tool creates a supply chain relationship with PortSwigger. Under NIS2 Art.21(2)(d), this relationship must be assessed. Key questions for NIS2 compliance assessments:

  1. Data classification: What categories of data are exposed to PortSwigger through Enterprise scan results?
  2. IPA disclosure risk: Has your CISO assessed the IPA 2016 disclosure risk for PortSwigger-held scan data?
  3. DPA compliance: Does your DPA with PortSwigger (required for GDPR Art.28 compliance) address IPA disclosure conflict?
  4. Incident notification: If PortSwigger received an IPA National Security Notice disclosing your scan data to GCHQ, would you receive notification? (Answer: almost certainly not — NSNs include non-disclosure requirements)

The DAST Scanning Paradox

There is an ironic dimension to the DAST sovereignty risk. Organizations use DAST tools precisely to find security vulnerabilities — but in doing so, they create a comprehensive map of those vulnerabilities and store it with a third-party processor. If that processor is subject to foreign government access, the vulnerability map itself becomes accessible.

Under a worst-case IPA scenario (unlikely but legally possible): GCHQ could obtain PortSwigger Enterprise scan results documenting the specific vulnerabilities of an EU organization's web applications. This scan data would include exploitable weaknesses, their severity, and their specific URLs — information of obvious intelligence or offensive cyber value.

This is not a hypothetical risk invented for compliance theater. Intelligence agencies actively collect vulnerability data on foreign infrastructure as part of offensive cyber operations. The Snowden disclosures demonstrated that NSA (and by extension Five Eyes) collected software vulnerability information systematically. GCHQ's JTRIG unit was documented as conducting active cyber operations against EU targets.

The DAST paradox: your security testing tool creates a vulnerability disclosure risk if operated through a foreign-jurisdiction cloud.

Practical Migration Path

For EU organizations currently using Burp Suite:

Immediate actions (no tool change required):

  1. Switch to Burp Suite Professional (local mode) instead of Enterprise Edition — local deployment eliminates the cloud-based data processor relationship
  2. Audit your DPA with PortSwigger for GDPR Art.28 compliance and IPA conflict assessment
  3. Classify scan result data — identify what personal data appears in scan results and assess retention/transfer risks
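The classification step above, and the GDPR Art.5(1)(c) minimization concern raised earlier, can be turned into a concrete pre-export check. What follows is an added example written for this post, not PortSwigger's, ZAP's or any other project's code. It takes a constructed report in the shape of ZAP's JSON output (site, then alerts, then instances with uri, param and evidence fields), flags e-mail addresses, JWTs, bearer tokens and session cookies that a scanner copies verbatim into its findings, masks them with labelled placeholders, and exposes a yes/no gate that a CI job can call before results leave EU-controlled storage for a tracker such as DefectDojo or any third-party processor. The report layout, the regular expressions, the hostnames and the token values are all assumptions; the pattern set is a starting point, not a complete PII catalogue.

```python
import copy
import re
from typing import Dict, List, Tuple

# Constructed sample shaped like a ZAP JSON report (site -> alerts -> instances).
# Hostnames, findings and token values are made up for this example.
SAMPLE_REPORT: Dict = {
    "site": [{
        "@name": "https://app.example.eu",
        "alerts": [
            {
                "pluginid": "40012",
                "alert": "Cross Site Scripting (Reflected)",
                "riskcode": "3",
                "instances": [{
                    "uri": "https://app.example.eu/search?q=test&user=anna.mueller@example.eu",
                    "method": "GET",
                    "param": "q",
                    "evidence": "parameter reflected unencoded in response body",
                }],
            },
            {
                "pluginid": "10010",
                "alert": "Cookie No HttpOnly Flag",
                "riskcode": "1",
                "instances": [{
                    "uri": "https://app.example.eu/login",
                    "method": "POST",
                    "param": "session",
                    "evidence": "Set-Cookie: session=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.abc123def456; Path=/",
                }],
            },
        ],
    }]
}

# Data categories that scanners copy into findings verbatim (assumed patterns).
# Ordering matters for redaction: the JWT is masked before the cookie rule
# swallows the whole name=value pair, so both categories are still reported.
PATTERNS: Dict[str, re.Pattern] = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "jwt": re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
    "bearer": re.compile(r"(?i)bearer\s+[A-Za-z0-9._-]+"),
    "session_cookie": re.compile(r"(?i)\b(session|sid|auth)[a-z_-]*=[^;\s]+"),
}

# Instance fields in which ZAP-style reports carry request/response fragments.
SENSITIVE_FIELDS = ("uri", "param", "evidence")


def scan_text(text: str) -> List[str]:
    """Names of every pattern that matches `text`, in PATTERNS order."""
    return [name for name, rx in PATTERNS.items() if rx.search(text)]


def classify_report(report: Dict) -> List[Tuple[str, str, str]]:
    """Walk site -> alerts -> instances and return (alert title, field, category)
    for every sensitive value the scanner copied into a finding."""
    hits: List[Tuple[str, str, str]] = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            for inst in alert.get("instances", []):
                for field in SENSITIVE_FIELDS:
                    for category in scan_text(str(inst.get(field, ""))):
                        hits.append((alert.get("alert", "?"), field, category))
    return hits


def redact_text(text: str) -> str:
    """Replace each match with a labelled placeholder so the finding stays readable."""
    for name, rx in PATTERNS.items():
        text = rx.sub(f"[REDACTED:{name}]", text)
    return text


def redact_report(report: Dict) -> Dict:
    """Deep-copy the report and mask sensitive values in every instance field.
    The original object is left untouched, so the unredacted copy can stay in
    the EU-controlled store while only the redacted one is exported."""
    clean = copy.deepcopy(report)
    for site in clean.get("site", []):
        for alert in site.get("alerts", []):
            for inst in alert.get("instances", []):
                for field in SENSITIVE_FIELDS:
                    if field in inst:
                        inst[field] = redact_text(str(inst[field]))
    return clean


def is_safe_to_export(report: Dict) -> bool:
    """Gate for the CI step that pushes results to a tracker or third party:
    True only when no pattern matches anywhere in the report."""
    return not classify_report(report)


if __name__ == "__main__":
    for alert, field, category in classify_report(SAMPLE_REPORT):
        print(f"{category:15s} in {field:9s} of '{alert}'")
    print("export allowed:", is_safe_to_export(SAMPLE_REPORT))
    print("export allowed after redaction:", is_safe_to_export(redact_report(SAMPLE_REPORT)))
```

In a pipeline the unredacted report is written only to the EU-hosted results store, `is_safe_to_export` guards the upload step, and `redact_report` produces the copy that goes anywhere else. Keeping the category labels in the placeholders preserves enough context for triage (a finding that leaked a session cookie is still recognisable as such) while removing the value itself, which is the minimization the GDPR section asks for.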

Medium-term (3-6 months):

  1. Pilot OWASP ZAP in parallel — ZAP covers 80% of Burp Suite use cases for typical web application scanning
  2. Evaluate Greenbone CE for network/infrastructure vulnerability scanning component
  3. Implement DefectDojo for EU-hosted vulnerability tracking and management

Long-term (6-12 months):

  1. Full EU-sovereign DAST pipeline using ZAP + Nuclei + Greenbone
  2. Internal security team capability — train security engineers on ZAP's Groovy scripting and REST API
  3. NIS2 supply chain documentation reflecting EU-only security tooling

Summary: PortSwigger Burp Suite EU Alternative 2026

| Vendor | Jurisdiction | IPA / CLOUD Act Risk | Score | EU Alternative |
|---|---|---|---|---|
| PortSwigger Burp Suite Enterprise | UK (Cheshire) | IPA 2016 + US-UK bilateral + Five Eyes | 19/25 | OWASP ZAP, Greenbone |
| PortSwigger Burp Suite Professional | UK (local) | UK IPA (software supply chain) | 8/25 | OWASP ZAP local |
| OWASP ZAP (self-hosted) | USA (nonprofit) | None — self-hosted, no cloud | 0/25 | |
| Greenbone Networks GVM | Germany (GmbH) | None — EU-incorporated, self-hosted | 0/25 | |
| Nuclei (self-hosted) | USA (Delaware) | None — self-hosted, no cloud | 0/25 | |

Bottom line for EU security teams: PortSwigger's UK incorporation, combined with IPA 2016 powers and the US-UK CLOUD Act bilateral agreement, creates a sovereignty risk that is easy to overlook but legally significant. For casual security research, Burp Suite Professional in local mode presents minimal practical risk. For enterprise deployments where scan results are centralized in PortSwigger's infrastructure, the exposure warrants a formal NIS2 third-party risk assessment — and likely a migration toward EU-sovereign tooling.

The EU-AST series continues next with the finale: a comparative analysis of all five AST vendors examined — Checkmarx, Sonatype, Synopsys/Black Duck, PortSwigger, and the EU-native stack — with a GDPR Art.32 decision framework for security-conscious DevSecOps pipelines.


Part 4 of 5 in the sota.io EU Application Security Testing Series. Previous posts: Checkmarx EU Alternative 2026 | Sonatype Nexus EU Alternative 2026 | Synopsys Coverity EU Alternative 2026.

Deploy your security-tested applications to sota.io — EU-native managed PaaS on Hetzner Germany. No US parent company, no CLOUD Act exposure, GDPR-compliant from day one.
