BrokenApp

Blog

From the lab.

Security research, engineering deep dives, and product updates from the team building the inspection layer for the internet.


Latest from the team.

Challenge | 3 min

The Clean Code Challenge: $2,000 in prizes for fixing real bugs

We're scanning 1,000 apps and giving developers the reports for free. Fix the most bugs using AI coding tools and win up to $1,000. Here's how it works.

Feb 8, 2026
Research | 7 min

Anatomy of an IDOR: how we detect broken object-level authorization

IDOR vulnerabilities are the most common API security flaw. We break down our cross-user replay approach: capture two sessions, replay every ID-bearing request, classify by body similarity.

Feb 5, 2026
Engineering | 6 min

Testing every role pair: auth matrix scanning at N×N scale

Two-user IDOR scanning is a start, but real apps have admin, editor, viewer, and anonymous roles. We built an N×N auth matrix that tests every pair. Here's the architecture.

Feb 3, 2026
Research | 8 min

18 regex patterns and 22 active probes: how we find leaked secrets

API keys in client bundles. .env files on public servers. Debug endpoints without auth. Our exposure scanner runs automatically on every scan — here's what it catches and how.

Jan 28, 2026
Engineering | 5 min

Why we built BrokenApp in Rust

We needed a CLI that starts in milliseconds, runs concurrent browser sessions without leaking memory, and ships as a single binary. Rust was the obvious choice. Here's what we learned.

Jan 22, 2026
Research | 6 min

Step-skip and replay: detecting business logic flaws automatically

Security scanners check headers and injection vectors. But what about skipping the payment step? Or replaying a charge twice? We built view-transition graphs to catch what others miss.

Jan 18, 2026
Product | 4 min

Native auth flow testing for Supabase and Firebase

Login, session persistence, token refresh, logout invalidation, expired token rejection. Five tests, zero custom code. Just point BrokenApp at your auth config and we handle the rest.

Jan 14, 2026
Product | 5 min

From scan to GitHub issue in one command

Auto-create issues with fingerprint markers. Comment on PRs with new findings. Export SARIF for Code Scanning. Close issues when findings resolve. The security feedback loop, automated.

Jan 10, 2026
