Introduction
Modern cybersecurity is no longer reserved for penetration testers or security researchers.
Every website you visit, every web application you use, and every online account you own depends on HTTP requests moving between browsers and servers. Understanding that communication is one of the most valuable cybersecurity skills you can learn.
Burp Suite Community Edition is one of the industry’s most respected tools for inspecting, understanding, and testing web applications. Whether you’re learning cybersecurity, studying web development, or simply want to understand how websites actually work, Burp Suite provides an excellent learning environment.
Unlike automated vulnerability scanners that hide the details, Burp Suite encourages you to observe, manipulate, and understand web traffic manually. That aligns perfectly with the philosophy of Digital Sovereignty—understanding the systems you depend on instead of treating them as black boxes.
This guide focuses entirely on ethical, defensive, and educational use. Every exercise should be performed only against applications you own or have explicit permission to test, or within intentionally vulnerable training environments.
MEN OF LETTERS
Get the Modern Sovereignty
Framework PDF and join a
community committed to
digital freedom and self-reliance.
Begin Your Sovereignty Protocol
Most people use technology they do not understand.Digital Sovereignty is more than cybersecurity. It is the ability to understand the systems that shape your digital life and consciously take control of them.
- Digital Sovereignty Fundamentals
- Privacy & Security Principles
- AI & Modern Systems
- The Four Pillars of Sovereignty
Start your journey with the free PDF.
What Is Burp Suite Community Edition?
Burp Suite Community Edition is a free web application security testing platform developed by PortSwigger.
Instead of attacking systems automatically, Burp places itself between your web browser and a website, allowing you to inspect every HTTP and HTTPS request exchanged during normal browsing.
Think of it as a microscope for web traffic.
Rather than guessing what happens after clicking a button or submitting a login form, you can see:
- Every request
- Every response
- HTTP headers
- Cookies
- Authentication tokens
- Parameters
- JSON payloads
- Status codes
- Redirects
This visibility makes Burp Suite one of the best learning tools available for understanding how modern web applications function.
Community Edition vs Professional Edition
The Community Edition includes many of the core manual testing features:
- Intercepting Proxy
- HTTP History
- Repeater
- Decoder
- Comparer
- Target mapping
- Basic project management
The Professional Edition adds advanced automation, vulnerability scanning, extensions, collaboration, and productivity features aimed at professional penetration testers.
For learning web security fundamentals, the Community Edition is more than sufficient.
Why Burp Suite Matters
Many beginners jump directly into vulnerability scanning tools without first understanding how web applications communicate.
That approach often leads to running tools without understanding the results.
Burp Suite encourages a different mindset.
Instead of asking:
“How do I hack this website?”
You learn to ask:
“How does this website actually work?”
That distinction is important.
By observing normal application behaviour first, you develop the ability to identify unusual or insecure behaviour later.
From the perspective of Digital Sovereignty, Burp Suite transforms websites from mysterious systems into understandable ones.
The skills you develop include:
- Understanding HTTP
- Learning browser-server communication
- Inspecting authentication
- Understanding cookies
- Learning sessions
- Understanding APIs
- Identifying insecure configurations
- Debugging web applications
- Learning defensive security concepts
Even web developers use Burp to debug applications during development.
How Burp Suite Works
At its core, Burp Suite functions as an intercepting proxy.
Normally, communication follows this path:
Browser
│
▼
Website
With Burp Suite enabled, traffic changes to:
Browser
│
▼
Burp Suite Proxy
│
▼
Website
Because Burp sits between the browser and the server, it can:
- View requests
- Pause requests
- Modify requests
- Forward requests
- Analyze responses
- Save traffic history
Imagine mailing a letter through a transparent envelope. Before it reaches its destination, you can inspect the contents, reseal the envelope, and send it on its way. Burp performs a similar role for web traffic.
This process is fundamental to learning how authentication, sessions, APIs, and web applications operate.
Requirements
Before installing Burp Suite, ensure you have:
Operating System
- Windows 10 or later
- Linux (including Kali Linux)
- macOS
Java
Recent versions of Burp Suite bundle a compatible Java Runtime Environment (JRE), so a separate Java installation is generally unnecessary.
Web Browser
Any modern browser works, including:
- Firefox
- Chromium
- Google Chrome
- Microsoft Edge
Many security professionals prefer using a dedicated browser profile exclusively for testing to keep normal browsing separate from lab activities.
Practice Environment
Only test applications that you own, have explicit permission to assess, or that are intentionally designed for security training.
Examples include local development environments and deliberately vulnerable practice labs.
Installing Burp Suite Community Edition
The installation process is straightforward.
Step 1 — Download the Installer
Visit the official PortSwigger website and download the latest Community Edition installer for your operating system.
Choose the correct installer for:
- Windows (.exe)
- Linux (.sh)
- macOS (.dmg)
Always download Burp Suite from the official source to ensure you receive authentic and up-to-date software.
Step 2 — Install the Application
Windows
- Run the installer.
- Accept the license agreement.
- Choose the installation directory.
- Complete the installation.
- Launch Burp Suite.
Linux
Make the installer executable:
chmod +x burpsuite_community_linux_v2026.sh
Run the installer:
./burpsuite_community_linux_v2026.sh
If prompted, follow the graphical installation wizard.
macOS
Open the downloaded DMG file, drag Burp Suite into the Applications folder, and launch it from Launchpad or the Applications directory.
Step 3 — First Launch
When Burp Suite starts for the first time, you’ll typically be asked to create or open a project.
For most beginners:
- Select Temporary Project
- Choose Use Burp Defaults
- Click Start Burp
You’ll now arrive at the main Burp Suite dashboard, where you’ll begin exploring its tools in the next section.
Initial Configuration
Installing Burp Suite is only the first step. To inspect web traffic, you need to configure your browser to send its requests through Burp’s proxy.
This setup is what allows Burp Suite to observe, pause, and modify HTTP and HTTPS traffic before it reaches a web server.
Important: Only intercept traffic from browsers or applications you own or have permission to test. Use Burp Suite in isolated labs, development environments, or intentionally vulnerable practice applications.
Understanding the Burp Suite Interface
When Burp Suite launches, you’ll see several tabs. Each serves a specific purpose in the testing workflow.
Dashboard
The Dashboard provides an overview of your current project, logs, events, and background tasks.
As a beginner, you won’t spend much time here, but it’s useful for monitoring project activity.
Target
The Target tab maps the websites and applications you’ve visited through Burp.
It helps you understand:
- Website structure
- Available endpoints
- Domains
- Directories
- API paths
Think of it as a blueprint of the application you’re exploring.
Proxy
The Proxy tab is where most beginners start.
It contains:
- Intercept
- HTTP History
- WebSockets
- Options
The Proxy is responsible for capturing traffic between your browser and the destination website.
Repeater
Repeater allows you to resend individual HTTP requests repeatedly.
Instead of refreshing an entire web page, you can modify a request and immediately observe the server’s response.
This is invaluable for learning how web applications process user input.
Decoder
The Decoder tool converts data between common encoding formats.
Examples include:
- URL Encoding
- Base64
- Hexadecimal
- HTML Encoding
Understanding encoding is essential because web applications frequently transform data before transmitting it.
Comparer
Comparer highlights differences between two requests or responses.
You can compare:
- Cookies
- Authentication tokens
- JSON responses
- API output
- HTTP headers
Instead of manually inspecting dozens of lines, Burp identifies the differences automatically.
Organizer
Organizer allows you to save interesting requests during testing for future analysis.
Although simple, it becomes useful during larger projects.
Understanding HTTP Before Using Burp
Burp Suite becomes much easier once you understand how browsers communicate.
Every time you:
- Open a webpage
- Submit a form
- Log in
- Search
- Upload a file
your browser sends an HTTP request.
Example:
GET / HTTP/1.1 Host: example.com User-Agent: Mozilla/5.0 Accept: text/html
The server replies with an HTTP response.
Example:
HTTP/1.1 200 OK Content-Type: text/html Content-Length: 8456
The response contains:
- Status code
- Headers
- Cookies
- HTML
- JSON
- Images
- Scripts
Burp allows you to inspect every part of this conversation.
Configuring Your Browser
Step 1 — Launch Burp Suite
Open Burp Suite.
Start a Temporary Project using the default configuration.
Step 2 — Verify the Proxy Listener
Navigate to:
Proxy → Options
You should see a listener similar to:
127.0.0.1:8080
This means Burp is listening locally for browser traffic.
No changes are usually required.
Step 3 — Configure Firefox
Many security professionals prefer Firefox because it allows independent proxy settings.
Open:
Settings
↓
Network Settings
↓
Manual Proxy Configuration
Configure:
HTTP Proxy: 127.0.0.1 Port: 8080
Use this proxy for HTTPS
Save the settings.
Firefox will now route its traffic through Burp Suite.
Step 4 — Configure Chrome or Chromium
Chrome generally uses your operating system’s proxy settings.
For dedicated testing, many professionals instead launch Chrome using Burp’s embedded browser or create a separate testing profile.
Keeping testing separate from everyday browsing reduces accidental interception of personal accounts.
Installing Burp's CA Certificate
HTTPS traffic is encrypted.
Without Burp’s certificate, your browser cannot inspect encrypted connections.
To inspect HTTPS traffic:
- Visit
http://burp
Inside your configured browser.
- Download the CA Certificate.
- Import it into your browser’s certificate manager.
- Trust it for website identification.
Once installed, HTTPS traffic can be intercepted safely within your testing environment.
Only trust Burp’s CA certificate inside your testing browser. Avoid installing it system-wide unless you fully understand the implications.
Your First Captured Request
Now it’s time to intercept traffic.
Navigate to:
</p> Proxy ↓ Intercept
Ensure:
Intercept is <strong>ON
Open your configured browser.
Visit:
https://example.com
Instead of loading immediately, Burp pauses the request.
You’ll see something similar to:
</p> GET / HTTP/2 Host: example.com User-Agent: Mozilla/5.0 Accept: text/html
Burp has successfully intercepted your first HTTP request.
Understanding an HTTP Request
Let’s examine each part.
</div> <div> GET /login HTTP/2 Host: demo.local Cookie: SESSIONID=abc123 User-Agent: Mozilla/5.0 Accept: text/html
HTTP Method
GET
Requests information.
Other methods include:
- GET
- POST
- PUT
- PATCH
- DELETE
- OPTIONS
URL
/login
The resource being requested.
Host Header
Host:
Specifies the destination server.
Cookies
Cookies often contain:
- Session identifiers
- Preferences
- Authentication tokens
Understanding cookies is fundamental to understanding authentication.
Headers
Headers provide information such as:
- Browser type
- Accepted formats
- Language
- Compression
- Authentication
Forwarding the Request
Click:
Dropping a Request
Instead of forwarding, click:
Forward
The request proceeds to the web server.
The webpage loads normally.
You have now successfully intercepted traffic.
Drop
The request never reaches the server.
The webpage may:
- Fail to load
- Display an error
- Retry automatically
This demonstrates that Burp truly sits between your browser and the destination.
Using HTTP History
One of Burp’s most valuable features is HTTP History.
Proxy
↓
HTTP History
Every request you’ve made appears in chronological order.
| Method | URL | Status |
|---|---|---|
| GET | / | 200 |
| GET | /style.css | 200 |
| GET | /logo.png | 200 |
| POST | /login | 302 |
| GET | /dashboard | 200 |
Instead of focusing only on pages, Burp records every asset the browser requests.
You’ll often discover:
- JavaScript files
- Images
- APIs
- CSS
- Authentication endpoints
- AJAX requests
This provides a much deeper understanding of how websites function.
Filtering HTTP History
Large websites generate hundreds of requests.
Use filters to focus on:
- HTML
- JavaScript
- Images
- CSS
- POST requests
- Status codes
- Specific hosts
Filtering helps reduce noise and identify the requests that matter.
Sending a Request to Repeater
Suppose you find this request:
POST /login username=alice password=test
Right-click the request.
Choose:
Send to Repeater
Now open:
Repeater[/code
The request appears exactly as it was originally sent.
Understanding Repeater
Repeater is one of Burp’s most powerful learning tools.
Instead of refreshing an entire webpage, you resend only the request you want to study.
You can safely experiment inside your lab environment.
Examples include:
- Changing parameters
- Observing different responses
- Understanding validation
- Learning how forms work
Example: Modifying a Parameter
Original request:
{code]GET /profile?id=5[/code]
Change it to:
GET /profile?id=6
Click:
Send
Observe the server’s response.
This simple exercise teaches how URL parameters influence application behavior.
Reading the Response
The lower panel displays:
HTTP/2 200 OK
Followed by:
- Headers
- Cookies
- HTML
- JSON
- Response size
- Response time
Compare the request and response to understand how the application behaves.
Using Decoder
Decoder converts encoded data.
Navigate to:
Decoder
Paste:
SGVsbG8gV29ybGQ=
Choose:
Decode as Base64
Output:
Hello World
URL Encoding Example
Input:
Hello%20World
Decode.
Output:
Hello World
Hex Example
Input:
48656c6c6f
Decode.
Output:
Hello
Decoder is extremely useful when inspecting:
- Cookies
- URLs
- API requests
- Encoded parameters
Using Comparer
Comparer helps identify differences.
Example:
Response A
{
"role":"user"
}
Response B
{
"role":"admin"
}
Comparer highlights only the changed values.
This saves considerable time during analysis.
Exploring the Target Site Map
Navigate to:
Target
↓
Site Map
You’ll see something like:
example.com
├── /
├── /login
├── /products
├── /cart
├── /profile
├── /api
├── /logout
The Site Map helps you understand how the application is organized.
As you continue browsing, Burp automatically expands the map.
Practical Ethical Learning Exercises
These exercises are designed for safe, educational environments such as your own applications or intentionally vulnerable labs.
Exercise 1 — Observe a Homepage Request
Visit a simple website and inspect:
- Request method
- Status code
- Headers
- Response size
Goal:
Understand the structure of a basic HTTP transaction.
Exercise 2 — Submit a Login Form
Observe:
- POST request
- Form parameters
- Cookies
- Redirects
Goal:
Learn how authentication requests are transmitted.
Exercise 3 — Compare Two Searches
Search:
apple
Then:
orange
Send both requests to Comparer.
Observe which values change.
Goal:
Understand how applications transmit search queries.
Exercise 4 — Decode Cookies
Copy a cookie into Decoder.
Determine whether it is:
- Plain text
- URL encoded
- Base64 encoded
- Hexadecimal
Goal:
Recognize common encoding formats used by web applications.
Building the Right Mindset
Beginners often view Burp Suite as a hacking tool.
Professionals view it differently.
Burp Suite is an observability platform.
It teaches you to answer questions such as:
- What did my browser send?
- What did the server return?
- Why did the application behave this way?
- What changed between two requests?
- How are authentication and sessions managed?
This mindset is at the heart of Digital Sovereignty.
Rather than blindly trusting complex systems, you learn to inspect, understand, and reason about them. Mastery begins with observation.
Real-World Ethical Use Cases
Burp Suite is used by a wide range of professionals—not only penetration testers. Understanding these legitimate use cases helps reinforce that the tool is designed for improving security, reliability, and transparency rather than enabling unauthorized activity.
1. Learning How Web Applications Work
For beginners, Burp Suite is one of the fastest ways to understand what happens after you click a button in your browser.
Instead of guessing, you can observe:
- HTTP requests
- HTTP responses
- Cookies
- Redirects
- API calls
- Authentication flows
- Session management
This knowledge forms the foundation of web security, software development, and digital literacy.
2. Secure Software Development
Developers frequently use Burp Suite while building applications to verify that:
- Sensitive data is not exposed
- Authentication works correctly
- Cookies have appropriate security flags
- APIs return expected responses
- Forms transmit data securely
- Input validation behaves as intended
By identifying issues early in development, teams can reduce the likelihood of vulnerabilities reaching production.
3. API Learning and Debugging
Modern applications rely heavily on APIs.
Burp Suite helps you understand:
- REST APIs
- JSON payloads
- Authentication tokens
- Response codes
- Request headers
This makes it valuable for developers, DevOps engineers, and students learning modern web architectures.
4. Security Training Labs
Many educational platforms provide intentionally vulnerable applications for legal practice.
Burp Suite is commonly used alongside these labs to learn:
- Authentication concepts
- Session handling
- Input validation
- Access control
- Secure coding practices
Practicing in controlled environments allows learners to build skills responsibly.
5. Troubleshooting Web Applications
Developers often use Burp Suite to answer questions such as:
- Why did this request fail?
- Which API returned an error?
- Which cookie changed?
- What data was submitted?
- Which redirect occurred?
Rather than relying on assumptions, they inspect the actual network traffic.
Common Mistakes Beginners Make
Learning Burp Suite involves more than understanding its features. Avoiding common mistakes will help you progress more efficiently.
Using Burp Against Systems Without Permission
The most serious mistake is testing websites or applications without explicit authorization.
Only use Burp Suite with:
- Your own applications
- Local development environments
- Practice labs
- Systems you have written permission to assess
Ethical learning protects both you and others.
Focusing on Tools Instead of Concepts
Many beginners memorize where buttons are located without understanding the underlying protocols.
Instead, prioritize learning:
- HTTP methods
- Status codes
- Cookies
- Sessions
- Headers
- Request structure
- Response structure
These concepts remain relevant regardless of which tools you use in the future.
Intercepting Everything
Leaving interception enabled continuously can become frustrating because every browser request pauses.
A practical workflow is:
- Enable interception when you want to inspect a request.
- Forward or analyze it.
- Disable interception when you return to normal browsing.
Ignoring HTTP History
Many newcomers spend all their time on the Intercept tab.
However, HTTP History often provides a more complete picture because it records every request and response during your browsing session.
Reviewing this history helps you understand the sequence of events within an application.
Editing Requests Without Understanding Them
Burp Suite makes it easy to modify requests, but changes should be deliberate.
Before altering any value, ask yourself:
- What does this parameter represent?
- Is it part of the URL?
- Is it stored in a cookie?
- Is it included in the request body?
- How might the server process it?
Understanding comes before experimentation.
Troubleshooting
Browser Cannot Load Websites
Possible causes include:
- Incorrect proxy configuration
- Burp Suite is not running
- Proxy listener is disabled
- Browser is using a different proxy
Verify that Burp is listening on:
127.0.0.1:8080
Then confirm your browser is configured to use that proxy.
HTTPS Certificate Warnings
If HTTPS sites display certificate errors:
- Confirm Burp’s CA certificate is installed.
- Ensure it is trusted by your testing browser.
- Restart the browser after installation if necessary.
Using a dedicated testing browser profile helps avoid conflicts with your everyday browsing.
No Traffic Appears in Burp
Check the following:
- Is the browser configured to use Burp?
- Is Burp running?
- Is the proxy listener enabled?
- Is another application already using port 8080?
If needed, change the listener to another available port and update the browser settings accordingly.
Requests Remain Stuck
If pages never finish loading, Intercept is likely enabled and waiting for your action.
Either:
- Click Forward, or
- Turn Intercept Off to allow requests to pass automatically.
Website Behaves Unexpectedly
Some websites implement advanced protections or certificate pinning that can interfere with interception.
For learning purposes, begin with:
- Local development environments
- Simple demonstration sites
- Intentionally vulnerable training applications
These environments are designed to work well with learning tools such as Burp Suite.
Best Practices
Developing good habits early will make Burp Suite more effective as your skills grow.
Use a Dedicated Browser Profile
Keep testing separate from personal browsing.
Benefits include:
- Cleaner request history
- Reduced risk of intercepting personal accounts
- Easier certificate management
- Better organization
Keep Projects Organized
Create separate Burp projects for different labs or applications.
This prevents unrelated traffic from becoming mixed together and makes reviewing previous work much easier.
Learn the Protocol Before the Tool
A deep understanding of:
- HTTP
- HTTPS
- Cookies
- Sessions
- Headers
- APIs
will make every feature of Burp Suite more meaningful.
Observe Before Modifying
A disciplined workflow is:
- Capture the original request.
- Read it carefully.
- Understand each component.
- Predict what will happen if something changes.
- Test your hypothesis.
- Compare the response.
This scientific approach develops analytical thinking rather than trial-and-error habits.
Practice Consistently
You do not need to spend hours each day.
Even 20–30 minutes of focused practice can significantly improve your understanding over time.
Consistency matters more than intensity.
Security Considerations
Burp Suite provides significant visibility into web traffic. That visibility comes with responsibility.
Handle Sensitive Data Carefully
Intercepted requests may contain:
- Session cookies
- Authentication tokens
- Personal information
- API keys
- Form submissions
Treat captured data as confidential, especially in professional environments.
Avoid Public Wi-Fi Testing
When working with sensitive projects, use trusted networks and secure devices.
Even though Burp is intercepting traffic locally, your overall environment should still follow sound security practices.
Keep Burp Suite Updated
New releases often include:
- Security fixes
- Compatibility improvements
- Performance enhancements
- New educational features
Running current software reduces compatibility issues and improves stability.
Understand HTTPS
HTTPS encryption protects data in transit.
Burp temporarily decrypts traffic within your local testing environment by acting as a trusted intermediary.
This process is safe when configured intentionally and used only within your own lab or authorized assessments.
Follow Responsible Disclosure
If you discover a genuine security issue in an application you are authorized to assess:
- Document your findings clearly.
- Report them through the appropriate channels.
- Avoid unnecessary disruption.
- Respect disclosure policies.
Responsible disclosure strengthens security for everyone.
Frequently Asked Questions
1. Is Burp Suite Community Edition free?
Yes. The Community Edition is free to download and includes the core manual tools needed to learn web application security.
2. Can beginners learn Burp Suite?
Absolutely. Although the interface may appear complex initially, focusing on the Proxy, HTTP History, Repeater, and Decoder tools provides an excellent starting point.
3. What is the difference between Community and Professional?
The Community Edition emphasizes manual analysis, while the Professional Edition adds advanced automation, vulnerability scanning, reporting, and productivity features.
4. Does Burp Suite work on Windows, Linux, and macOS?
Yes. Burp Suite is cross-platform and supports all major desktop operating systems.
5. Is Burp Suite only for penetration testers?
No. Developers, QA engineers, students, security analysts, and educators also use Burp Suite to understand and debug web applications.
6. Do I need programming experience?
No. Basic knowledge of web browsers and HTTP is enough to begin. As your understanding grows, familiarity with HTML, JavaScript, and APIs will become increasingly useful.
7. Is using Burp Suite illegal?
The software itself is legal. However, using it against systems without permission may violate laws or terms of service. Always limit your activities to environments you own or are explicitly authorized to test.
8. Can Burp Suite inspect HTTPS traffic?
Yes. After installing Burp’s CA certificate in your testing browser, it can inspect encrypted HTTPS traffic within your controlled environment.
9. What should I learn after Burp Suite?
A logical progression includes:
- HTTP and HTTPS fundamentals
- Browser developer tools
- REST APIs
- Authentication mechanisms
- Secure coding principles
- Common web vulnerabilities
- Defensive security testing methodologies
10. Is Burp Suite enough to become a web security professional?
Burp Suite is an essential tool, but it is only one part of the skill set. Strong knowledge of networking, web technologies, programming, operating systems, and secure development practices is equally important.
Conclusion
Burp Suite Community Edition is far more than a web proxy. It is a window into the communication that powers the modern internet.
Every login, search, purchase, and API request begins as an HTTP transaction. By learning to observe and understand those transactions, you gain insight into how web applications actually function.
That perspective aligns directly with the philosophy of Digital Sovereignty.
Rather than accepting technology as an opaque system, you develop the ability to inspect it, question it, and understand its behavior. These skills improve not only your cybersecurity knowledge but also your effectiveness as a developer, administrator, or informed technology user.
Mastery does not come from memorizing tools. It comes from cultivating curiosity, building foundational knowledge, and practicing responsibly. Burp Suite provides an excellent environment in which to begin that journey.
Further Reading & Official Resources
To continue building your web security knowledge, explore these trusted resources from industry-leading organizations:
- PortSwigger Burp Suite Community Edition
https://portswigger.net/burp/communitydownload
Download the latest version of Burp Suite Community Edition. - PortSwigger Web Security Academy
https://portswigger.net/web-security
Free hands-on labs and learning paths for web application security. - OWASP Web Security Testing Guide (WSTG)
https://owasp.org/www-project-web-security-testing-guide/
A comprehensive methodology for ethical web application security testing. - OWASP Top 10
https://owasp.org/www-project-top-ten/
Learn about the most critical web application security risks. - MDN Web Docs – HTTP
https://developer.mozilla.org/en-US/docs/Web/HTTP
Excellent documentation covering HTTP fundamentals and browser communication. - RFC 9110 – HTTP Semantics
https://www.rfc-editor.org/rfc/rfc9110
The official specification defining the HTTP protocol. - NIST Secure Software Development Framework (SSDF)
https://csrc.nist.gov/pubs/sp/800/218/final
Best practices for building and maintaining secure software throughout the development lifecycle.
Start Your Protocol
Small, deliberate steps create massive transformation over time.

