autonomous exploratory testingv0.5.0 — live

one command.
25 testers.
zero cost.

AI personas explore your web app like impatient users, attackers, screen-readers, and edge-case hunters. Then every finding is replay-verified — reproduced independently, or clearly marked if we couldn't — so the report you read is real.

run breakit free
or paste in your terminal
$ npx breakit test https://your.site
findsXSS & injection·exposed secret keys·broken flows·a11y gaps·dark patterns·slow routes·i18n bugs
25personas
12tool calls
5min runs
replaychecked
breakit run5 personas · live
browser mode
00:00abuserFUZZ/api/users — SQL injection payloadcritical
00:03grandmaNAV/checkout — confused by "proceed"
00:07mobileREPORTnav overlap at 390px viewporthigh
00:11teenCLICKSubmit ×12 — 12 duplicate API callscritical
the cast — 25 personasview all 25 →
QA
Confused Grandma
Gets lost

Misreads labels, clicks wrong things, gets lost in flows.

UX
Angry Subscriber
Tries to cancel

Hunts dark patterns and cancellation friction.

QA
Form Abuser
Breaks inputs

XSS, SQL injection, 10k-char strings, empty submits.

UX
Skeptical Buyer
Doubts claims

Checks pricing, proof, trust signals, and fine print.

QA
Impatient Teenager
Zero patience

Double-clicks everything, rage-clicks spinners.

UX
Screen Reader User
Keyboard only

ARIA, headings, keyboard-only navigation.

UX
Privacy Hawk
Fights tracking

Cookie consent, trackers, privacy messaging.

UX
Speed Runner
Shortest path

Main task in minimum clicks, zero tolerance for bloat.

UX
Enterprise Evaluator
Checks compliance

SSO, compliance, audit trail, team features.

UX
Non-Native Speaker
Reads literally

Vague labels, idioms, and unclear instructions.

For solo devs and small teams shipping web apps. Like Lighthouse, but for confusion, trust, friction, and edge-case behaviour.

breakit.devr_8a91f3
4m 12s · 25 personas
2critical
5high
6medium
3low
4info
3 of 4 findings independently reproduced
criticalXSS via bio field — rendered unescaped in feedreproduced#a1b2
criticalAnonymous Supabase read exposes users table email columnreproduced#f7a8
highDuplicate submission on double-click — no debouncereproduced#c3d4
mediumNav overlap at 390px viewport widthunverified#e5f6
what you get

not a checklist.
a console.

every finding has evidence, repro steps, a fingerprint, and a fix suggestion. ranked by severity and confidence.

multi-category findings per runacross security, a11y, UX, performance, validation, conversion.
fingerprinted, never duplicatedfix it once, future runs won't refile it. compare against last run.
repro steps + selectorsevery finding includes the exact path a persona took. paste into your repo.
sarif export, ci-readyfail PRs on critical findings. plug into GitHub Actions in 2 lines.
bring your own keysgemini, anthropic, openai. encrypted at rest. never logged.
how it works

three commands. sixteen stages.

Point it at a URL and walk away. The whole pipeline runs unattended and hands back one ranked report.

01

you point

paste a URL. optionally an email + password for auth. pick a pack: QA, UX, or all 25.

$ npx breakit test breakit.dev
02

we explore

personas crawl in parallel, then passive security probes run before dedup. opt-in active probes run only after ownership verification. 16-stage pipeline: snapshots, graph, corpus, two persona waves, probe, verification.

discovery → wave 1 → wave 2 → probe
03

you ship

you get a ranked report with fingerprints, repro, and fix suggestions. SARIF for CI. share links for the team.

$ open report.html
pipeline — 16 stages, every runtypical run · 4m 12s
discovery
snapshot
site graph
corpus
wave 1
memory
wave 2
security probe
dedup
score
verify
report agent
action log
compare
persist
report
versus everything else

the tradeoffs, on one page.

One pass covers what usually takes four tools — and it runs unattended, on every push.

breakitchatgptmanual QAlighthouse
replay-verifies findings, marks the rest
regression coverage of unseen flows
finds UX & trust friction, not just bugs
repro steps for every finding
accessibility + security in one pass
secret leaks + opt-in auth probes
runs unattended in CI
time per run5 min~days1 min
cost per run$0.00$0.05$$$free
features

built for engineers who hate flaky tests.

Everything you need to find, prioritize, and fix real bugs — no test scripts, no per-seat pricing, no vendor lock-in.

SECURITY

passive + opt-in active probes

deterministic HTTP checks for secret-class key leaks, exposed debug files, anonymous Supabase reads, email auto-confirm, and no observed login throttling. no LLM guesswork.

PERSONAS

25 archetypes

from grandma to fraudster. each has its own patience, tech literacy, and threat model.

PIPELINE

16-stage exploration

discovery → snapshot → graph → corpus → wave 1 → memory → wave 2 → probe → dedup → score → verify.

DEDUP

fingerprinted findings

every bug has a stable hash. fix it once. compare against any prior run.

CI

scoped to the diff

on a pull request, test only the routes whose code changed. gate the build on severity. ship SARIF to github code-scanning.

CUSTOM

your own personas

define traits, focus areas, max actions. saved per workspace, runnable in any pack.

BYOK

bring your own keys

gemini, anthropic, openai. AES-256-GCM at rest. never logged. rotatable in one click.

live

watch a run, right now.

this is a real-ish stream of what you'll see on /run/[id]. no edits, no cuts.

$ breakit run https://demo-app.com
browser mode
5 critical5 bugs5 ux
0:12grandma

Clicked "Deploy to Production" thinking it sends an email

bug
0:18abuser

Injected <script>alert(1)</script> in bio field — it rendered!

critical
0:24mobile

Navigation menu overlaps content at 390px viewport

bug
0:31teen

Double-clicked "Submit" — form submitted twice, duplicate entry

bug
0:38visitor

Could not find pricing page from homepage — no nav link

ux
0:45abuser

Pasted 50,000 chars into "Name" field — page froze for 4s

critical
0:52grandma

Typed phone number in email field, got cryptic "ERR_VALIDATION"

ux
1:01teen

Hit back button during checkout — cart emptied, no recovery

bug
1:08mobile

Tap target for "Delete Account" is only 24x24px

ux
1:15visitor

Signup flow has 7 required fields with no progress indicator

ux
1:22abuser

Empty form submission returns 500 Internal Server Error

critical
1:30grandma

Clicked logo expecting to go home — nothing happened

bug
1:37teen

Rage-clicked loading spinner 12 times — spawned 12 API calls

critical
1:44mobile

Horizontal scroll on /settings — content overflows viewport

bug
1:51visitor

"Get Started" redirected to login with no signup option visible

ux
1:58abuser

SQL injection in search: ' OR 1=1-- returned all users

critical
0:12grandma

Clicked "Deploy to Production" thinking it sends an email

bug
0:18abuser

Injected <script>alert(1)</script> in bio field — it rendered!

critical
0:24mobile

Navigation menu overlaps content at 390px viewport

bug
0:31teen

Double-clicked "Submit" — form submitted twice, duplicate entry

bug
0:38visitor

Could not find pricing page from homepage — no nav link

ux
0:45abuser

Pasted 50,000 chars into "Name" field — page froze for 4s

critical
0:52grandma

Typed phone number in email field, got cryptic "ERR_VALIDATION"

ux
1:01teen

Hit back button during checkout — cart emptied, no recovery

bug
1:08mobile

Tap target for "Delete Account" is only 24x24px

ux
1:15visitor

Signup flow has 7 required fields with no progress indicator

ux
1:22abuser

Empty form submission returns 500 Internal Server Error

critical
1:30grandma

Clicked logo expecting to go home — nothing happened

bug
1:37teen

Rage-clicked loading spinner 12 times — spawned 12 API calls

critical
1:44mobile

Horizontal scroll on /settings — content overflows viewport

bug
1:51visitor

"Get Started" redirected to login with no signup option visible

ux
1:58abuser

SQL injection in search: ' OR 1=1-- returned all users

critical
this run
targetbreakit.dev
modebrowser
packall (25)
budget300s
regionfra
findings so far13425
tool calls
1,284
≈ 51 / persona
stop guessing.

start breaking.

ship with the confidence that 25 ruthless testers have already tried — and failed — to break it.

$ npx breakit test https://your.site