Hacker News
by tptacek 3462 days ago
This is great.

For what it's worth, the approach you take with web applications is pretty much the same as the one used by all the high-end software security firms (certainly Matasano, iSEC, Leviathan, and Bishop Fox). Out on a limb, I'd say every consultant at every one of those firms gets a copy of Burp.

The walk/filter/replay workflow you're talking about is one Burp is built around --- that's the Proxy History, "Send To Repeater", and "Repeater" features.

Regarding software teams at startups: I totally buy that mitmproxy is more scriptable than Burp (it doesn't hurt that most of the people we're working with in 2017 are Python shops). But I used Intruder a lot when testing, and I'm not sure I'd want to lose that; I think there's a lot of value in the sort of but not quite random fuzzing Burp is good at doing, for serendipity finds.