Paste a URL.
Break your app.

AI personas attack your web app simultaneously. Bug reports with screenshots, CI gating, and novelty tracking.

Free during beta · No account required

How it works
01

Paste your URL

Drop in any web app URL. Or add a breakit.config.json to your project and run it from CI.

02

AI personas attack

A confused grandma, a form abuser, a mobile user, an impatient teen, and a first-timer — all exploring at once with real browsers.

03

Get your report

HTML, Markdown, JSON, and SARIF reports. Findings show up in GitHub Security tab. Fail CI on critical bugs.

04

Run it again

breakit remembers what it found before. Next run, personas hunt for new bugs only — no duplicate noise.

The breakers

Confused Grandma

Misclicks everything

Misreads labels, clicks the wrong button, fills "email" into the phone field. Finds UX issues your team is blind to.

Form Abuser

Breaks all inputs

XSS payloads, SQL injection, 10,000-character inputs, empty submits, unicode bombs. The pentester your forms deserve.

Mobile User

Tiny viewport

Tiny 390px viewport. Fat-finger taps, checks responsive breakpoints, finds overlapping elements and unreachable buttons.

OVLx12

Impatient Teenager

Zero patience

Double-clicks everything, navigates away mid-submit, spams the back button, rage-clicks loading spinners.

First-Time Visitor

Cold landing

Lands on your homepage cold. Can they figure out what you do? Find the signup? Complete onboarding? You might be surprised.

Built for CI

Ship with confidence

Add breakit to your deploy pipeline. Every push gets tested by AI personas that think like real users.

GitHub Action

One YAML block in your workflow. Runs on every deploy, fails on critical bugs.

- uses: petr-kin/breakit@v1
  with:
    url: ${{ env.DEPLOY_URL }}
    api-key: ${{ secrets.GEMINI_API_KEY }}
    severity-threshold: high

Severity gating

Exit code 2 when verified findings meet your threshold. Only high-confidence bugs fail your build.

npx breakit test https://staging.app.com \
  --severity-threshold high

Novelty tracking

SQLite corpus remembers past findings. Personas focus on new bugs, not re-reporting known ones.

# First run: finds 5 bugs
npx breakit test https://app.com

# Second run: hunts for NEW bugs only
npx breakit test https://app.com

SARIF reports

Findings appear in GitHub Security tab alongside CodeQL and Dependabot alerts.

npx breakit test https://app.com --sarif
# Uploads via codeql-action/upload-sarif

Config files

Persist settings per project. Credentials stay in env vars, never in config.

// breakit.config.json
{
  "url": "https://staging.app.com",
  "severityThreshold": "high",
  "credentials": {
    "password": "from-env:TEST_PASS"
  }
}

Zero cost to start

Gemini free tier. No account, no signup, no credit card. Just an API key and a URL.

export GEMINI_API_KEY=...
npx breakit test https://your-app.com
Live preview

Watch 5 personas test at once

Each persona runs in its own browser, finding different classes of bugs simultaneously.

$ breakit run https://demo-app.com
Live
5 active5 critical5 bugs5 ux1m 58s
0:12grandma

Clicked "Deploy to Production" thinking it sends an email

bug
0:18abuser

Injected <script>alert(1)</script> in bio field — it rendered!

critical
0:24mobile

Navigation menu overlaps content at 390px viewport

bug
0:31teen

Double-clicked "Submit" — form submitted twice, duplicate entry

bug
0:38visitor

Could not find pricing page from homepage — no nav link

ux
0:45abuser

Pasted 50,000 chars into "Name" field — page froze for 4s

critical
0:52grandma

Typed phone number in email field, got cryptic "ERR_VALIDATION"

ux
1:01teen

Hit back button during checkout — cart emptied, no recovery

bug
1:08mobile

Tap target for "Delete Account" is only 24x24px

ux
1:15visitor

Signup flow has 7 required fields with no progress indicator

ux
1:22abuser

Empty form submission returns 500 Internal Server Error

critical
1:30grandma

Clicked logo expecting to go home — nothing happened

bug
1:37teen

Rage-clicked loading spinner 12 times — spawned 12 API calls

critical
1:44mobile

Horizontal scroll on /settings — content overflows viewport

bug
1:51visitor

"Get Started" redirected to login with no signup option visible

ux
1:58abuser

SQL injection in search: ' OR 1=1-- returned all users

critical
0:12grandma

Clicked "Deploy to Production" thinking it sends an email

bug
0:18abuser

Injected <script>alert(1)</script> in bio field — it rendered!

critical
0:24mobile

Navigation menu overlaps content at 390px viewport

bug
0:31teen

Double-clicked "Submit" — form submitted twice, duplicate entry

bug
0:38visitor

Could not find pricing page from homepage — no nav link

ux
0:45abuser

Pasted 50,000 chars into "Name" field — page froze for 4s

critical
0:52grandma

Typed phone number in email field, got cryptic "ERR_VALIDATION"

ux
1:01teen

Hit back button during checkout — cart emptied, no recovery

bug
1:08mobile

Tap target for "Delete Account" is only 24x24px

ux
1:15visitor

Signup flow has 7 required fields with no progress indicator

ux
1:22abuser

Empty form submission returns 500 Internal Server Error

critical
1:30grandma

Clicked logo expecting to go home — nothing happened

bug
1:37teen

Rage-clicked loading spinner 12 times — spawned 12 API calls

critical
1:44mobile

Horizontal scroll on /settings — content overflows viewport

bug
1:51visitor

"Get Started" redirected to login with no signup option visible

ux
1:58abuser

SQL injection in search: ' OR 1=1-- returned all users

critical

Get early access.

Be the first to know when breakit.dev launches. Free during beta.

No spam, ever · Unsubscribe anytime