HackTricks-wiki · carlospolop · Jan 20, 2026
diff --git a/src/SUMMARY.md b/src/SUMMARY.md
@@ -609,6 +609,7 @@
 
 # 🕸️ Pentesting Web
 
+- [Burp Intruder Response Clustering](pentesting-web/burp-intruder-response-clustering.md)
 - [Web Vulnerabilities Methodology](pentesting-web/web-vulnerabilities-methodology.md)
 - [Reflecting Techniques - PoCs and Polygloths CheatSheet](pentesting-web/pocs-and-polygloths-cheatsheet/README.md)
   - [Web Vulns List](pentesting-web/pocs-and-polygloths-cheatsheet/web-vulns-list.md)

diff --git a/src/pentesting-web/burp-intruder-response-clustering.md b/src/pentesting-web/burp-intruder-response-clustering.md
@@ -0,0 +1,34 @@
+# Burp Intruder Response Clustering (Colonel Clustered)
+
+{{#include ../banners/hacktricks-training.md}}
+
+Colonel Clustered is a Burp Suite extension that **clusters Intruder responses by content similarity** instead of metadata (size/status/type/time), surfacing outliers that otherwise blend in when all responses look the same.
+
+## Why use it
+- Intruder sorting on size/status/time misses **needle-in-the-haystack content changes** (e.g., a single line different across thousands of identical-length responses).
+- Extension **tokenizes responses per content-type**, pre-groups to trim work, then clusters the tokenized bodies so outliers appear as tiny clusters (often singletons).
+- Parameters are **auto-calibrated per batch** because the whole Intruder result set is available at analysis time—no knobs to tune.
+
+## Workflow
+1. Run an Intruder attack normally.
+2. In the Intruder results table, **select all requests → right click → Send to Colonel Clustered**.
+3. Open the **Col. Clustered** tab:
+   - **Fast/Default pass:** automatically starts a **DBSCAN-based** clustering. Shows a progress bar and can be cancelled.
+   - **Deep Analysis:** click when clustering looks off. Builds a **full similarity matrix** (more accurate, much slower—avoid ~10k+ requests). Also cancellable.
+4. Review clusters: choose a cluster to list members, then select a request/response to view it.
+5. For a suspected outlier, send it and a “normal” response to **Burp Comparer** to diff the exact body changes.
+
+## Usage notes
+- **Outlier discovery:** identical-size responses that differ in a single body line become a 1-member cluster—trivial to spot, then diff.
+- **Accuracy vs. speed:** DBSCAN is usually sufficient; if distinct responses are lumped together, rerun with Deep Analysis to separate them.
+- **Scale caution:** the similarity-matrix mode is CPU-heavy; keep large (>~10k) Intruder batches on the fast mode or prune before deep analysis.
+
+## Install
+- Prebuilt JAR: https://github.com/hoodoer/ColonelClustered/releases/download/v1.0.0/ColonelClustered.jar
+- Source/README: https://github.com/hoodoer/ColonelClustered
+
+## References
+- [Colonel Clustered: Finding Outliers in Burp Intruder](https://trustedsec.com/blog/colonel-clustered-finding-outliers-in-burp-intruder)
+- [Colonel Clustered GitHub](https://github.com/hoodoer/ColonelClustered)
+
+{{#include ../banners/hacktricks-training.md}}
diff --git a/src/pentesting-web/web-vulnerabilities-methodology.md b/src/pentesting-web/web-vulnerabilities-methodology.md
@@ -220,6 +220,7 @@ Modern applications extend into browsers, wallets, and automation pipelines—ke
 - [ ] [**dApps / Decentralized Applications**](dapps-DecentralizedApplications.md)
 - [ ] [**Browser Extension Pentesting**](browser-extension-pentesting-methodology/)
 - [ ] [**wfuzz Web Fuzzing**](web-tool-wfuzz.md)
+- [ ] [**Burp Intruder Response Clustering (Colonel Clustered)**](burp-intruder-response-clustering.md)
 
 ## References