PortSwigger · Rate Limits
PortSwigger Burp Suite DAST APIs do not publish explicit per-minute or per-hour request rate limits in public documentation. The PAYS (Pay-as-you-scan) model enforces a default cap of 500 scan-hours per month, adjustable upon request. API access is gated by API key authentication and role-based permissions.
Portswigger Rate Limits is the machine-readable rate-limit profile for PortSwigger on the APIs.io network, conforming to the API Commons Rate Limits specification.
It captures 3 rate-limit definitions, measuring requests_per_minute and scan_hours_per_month.
The profile also includes the response codes documented for throttled requests.
Tagged areas include Rate Limiting, DAST, and API Security.
Throttle: 429
Limits
DAST GraphQL API Requests (scope: key)
Limit: -1
No explicit rate limit documented. Requests are authenticated via API key and subject to role-based access control. Contact PortSwigger for enterprise-specific limits.

DAST REST API Requests (scope: key)
Limit: -1
No explicit rate limit documented. Requests require API key authentication. REST API exposes limited functionality compared to GraphQL API.

PAYS Scan Hours Monthly Cap (scope: org)
Limit: 500
Default monthly scan hours cap for Pay-as-you-scan subscriptions. Cap is adjustable upon request. Scans run to completion even if the monthly limit is exceeded; overages are billed. Billed per minute, rounded to the nearest cent.