BrokenApp

Investors

The inspection layer for the internet.

BrokenApp is building automated, evidence-backed security and quality assurance for every deployed web application. We're open to investment and acquisition conversations.

The opportunity

AI is writing more code than ever. Who's checking it?

AI coding tools are generating software at unprecedented scale. Claude Code, Codex, Copilot — every tool ships code faster. But faster code means faster bugs. The volume of deployed software is outpacing every team's ability to test it.

Manual QA doesn't scale. Bug bounty programs are expensive and inconsistent. Existing DAST tools produce noise, not signal. There is no automated, evidence-backed inspection layer for the internet — until now.

Our position

Built different. On purpose.

BrokenApp is an npm CLI that installs in one command. No SaaS dashboard to maintain. No cloud infrastructure to scale. It runs locally, integrates with CI/CD, and produces structured, evidence-backed reports that AI tools can immediately act on.

Every scan produces a machine-readable application spec — views, API surface, state machine — that AI coding agents consume for context. No other tool generates this.

This architecture means near-zero marginal cost per scan, a privacy story that needs no explaining (the CLI uploads nothing, so scan traffic and findings stay on the developer's machine), and a distribution model that compounds through developer adoption rather than enterprise sales cycles.

Market

Why now.

AI code explosion

AI-generated code is scaling faster than human review capacity. Every line needs automated inspection.

Regulation tightening

SOC 2 audits, PCI DSS assessments and GDPR enforcement are all getting stricter. Companies need continuous compliance evidence, not an annual audit snapshot.

DevSecOps adoption

Security shifting left into CI/CD. Teams want CLI tools that integrate into existing pipelines, not separate dashboards.

API-first architectures

Every app is an API surface now. Broken object-level authorization (IDOR/BOLA) and broken authentication sit at the top of the OWASP API Security Top 10, and that list is the new attack surface.

Traction

1,000 challenge spots

$2K prize pool

9 detection modules

Free, open distribution

These placeholder metrics will update as we launch: challenge signups, scans completed, and bugs found will replace them.

Product

What we've built.

Full-app scanning

Headless browser crawling. Every route, form, endpoint, and asset. Structured JSON output with evidence.

IDOR / BOLA detection

Cross-user replay across an N×N matrix of authenticated sessions: every request captured from one user's session is re-sent under every other user's session. Response body similarity scoring confirms that the other user actually received the owner's data rather than their own. Automatic severity classification.
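As an added illustration of what the cross-user replay does (example code written for this page, not BrokenApp's implementation): a small in-memory target application with three users is scanned by replaying every request captured from one session under every other session, comparing status codes and scoring response-body similarity so that an endpoint that legitimately returns each caller's own data is not mistaken for a leak. The users, records, endpoints, the 0.8 similarity threshold and the read/write severity rule are all assumptions made for the example.

```javascript
// Added illustration of an N x N cross-user replay for IDOR/BOLA detection.
// Not BrokenApp's code: the in-memory target application, its users and
// records, the similarity threshold and the severity rules are constructed.

// --- Constructed target application -------------------------------------
const USERS = {
  alice: { id: 1, token: "tok-alice" },
  bob:   { id: 2, token: "tok-bob" },
  carol: { id: 3, token: "tok-carol" },
};
const ORDERS = {
  101: { id: 101, owner: 1, total: 42.5, items: ["book"] },
  102: { id: 102, owner: 2, total: 9.99, items: ["pen"] },
};
const PROFILES = {
  1: { id: 1, name: "alice", email: "alice@example.com", phone: "555-0100" },
  2: { id: 2, name: "bob",   email: "bob@example.com",   phone: "555-0200" },
  3: { id: 3, name: "carol", email: "carol@example.com", phone: "555-0300" },
};
const tokenToUserId = Object.fromEntries(Object.values(USERS).map(u => [u.token, u.id]));

// /api/orders/:id never checks ownership (vulnerable), /api/profile/:id does,
// and /api/me returns whoever is calling (200 for everyone, but different data).
function fakeServer({ method, path, token }) {
  const uid = tokenToUserId[token];
  if (!uid) return { status: 401, body: "" };
  let m;
  if ((m = path.match(/^\/api\/orders\/(\d+)$/))) {
    const order = ORDERS[m[1]];
    if (!order) return { status: 404, body: "" };
    if (method === "GET") return { status: 200, body: JSON.stringify(order) };
    if (method === "DELETE") return { status: 204, body: "" };
  }
  if ((m = path.match(/^\/api\/profile\/(\d+)$/))) {
    const p = PROFILES[m[1]];
    if (!p) return { status: 404, body: "" };
    if (p.id !== uid) return { status: 403, body: JSON.stringify({ error: "forbidden" }) };
    return { status: 200, body: JSON.stringify(p) };
  }
  if (path === "/api/me") return { status: 200, body: JSON.stringify(PROFILES[uid]) };
  return { status: 404, body: "" };
}

// --- Scanner side ---------------------------------------------------------
const WRITE_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// Token-set Jaccard similarity of two response bodies (1.0 = same token set).
function bodySimilarity(a, b) {
  const tok = s => new Set(s.split(/[^A-Za-z0-9]+/).filter(Boolean));
  const A = tok(a), B = tok(b);
  if (A.size === 0 && B.size === 0) return 1;
  let inter = 0;
  for (const t of A) if (B.has(t)) inter++;
  return inter / (A.size + B.size - inter);
}

// Replay each request captured for one session under every other session.
// `captured` is [{ user, method, path }]; `send` performs a request and
// returns { status, body }. Returns the confirmed cross-user findings.
function runAuthMatrix(captured, users, send, threshold = 0.8) {
  const findings = [];
  for (const req of captured) {
    const owner = users[req.user];
    const baseline = send({ method: req.method, path: req.path, token: owner.token });
    if (baseline.status < 200 || baseline.status >= 300) continue; // owner must succeed
    for (const [name, other] of Object.entries(users)) {
      if (name === req.user) continue;
      const replay = send({ method: req.method, path: req.path, token: other.token });
      if (replay.status !== baseline.status) continue; // 401/403/404: access control held
      const isWrite = WRITE_METHODS.has(req.method);
      const similarity = bodySimilarity(baseline.body, replay.body);
      // A read is confirmed only if the other user received the owner's data;
      // a 200 carrying the requester's own data (e.g. /api/me) is not a leak.
      // A write that succeeded under a foreign session is confirmed by status alone.
      if (!isWrite && similarity < threshold) continue;
      findings.push({
        method: req.method, path: req.path, owner: req.user, requester: name,
        status: replay.status, similarity: Number(similarity.toFixed(2)),
        severity: isWrite ? "high" : "medium",
        evidence: { baseline: baseline.body, replay: replay.body },
      });
    }
  }
  return findings;
}

// Constructed crawl capture: what alice's authenticated session was seen doing.
const CAPTURED = [
  { user: "alice", method: "GET",    path: "/api/orders/101" },
  { user: "alice", method: "DELETE", path: "/api/orders/101" },
  { user: "alice", method: "GET",    path: "/api/profile/1" },
  { user: "alice", method: "GET",    path: "/api/me" },
];

function scanSample() {
  return runAuthMatrix(CAPTURED, USERS, fakeServer);
}
for (const f of scanSample()) {
  console.log(`${f.severity} ${f.method} ${f.path}: ${f.requester} got ${f.owner}'s response (similarity ${f.similarity})`);
}
```

Replaying writes (the DELETE above) mutates the target, so in practice the matrix is run against a disposable environment or write methods are replayed only on explicit opt-in. The token-set Jaccard score is deliberately simple; a production scorer would normalise timestamps and request-specific values before comparing.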

Exposure scanning

18 compiled regex patterns. 22 active probes. Runs automatically on every scan. Matched secrets are always masked in output.

Auth flow testing

Native Supabase and Firebase support. Login, session persistence, token refresh, logout invalidation.

Business logic testing

Step-skip detection via view-transition graphs (can a later step be reached without completing the ones before it?). Replay detection for write endpoints (does re-sending a captured request succeed a second time?).

GitHub integration

Auto-create issues. PR comments. SARIF export for Code Scanning. Close issues when findings resolve.

GraphQL support

Per-operation endpoint detection. Splits POST /graphql into individual queries and mutations.
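An added example of what per-operation splitting has to handle (written for this page, not BrokenApp's code): named operations with variable definitions, documents that also carry fragments, anonymous shorthand queries, aliased fields, and batched request bodies. It uses a small hand-rolled scanner rather than a full GraphQL parser, every request body below is constructed, and the endpoint naming scheme is an assumption.

```javascript
// Added example of per-operation endpoint detection for GraphQL. Not
// BrokenApp's code: it is a small hand-written scanner rather than a full
// GraphQL parser, and the request bodies below are constructed.

// Index of the `hi` delimiter that closes the `lo` opened at `open`; string
// literals are skipped so braces inside arguments do not confuse the count.
function matchDelim(src, open, lo, hi) {
  let depth = 0;
  for (let i = open; i < src.length; i++) {
    const c = src[i];
    if (c === '"') { i++; while (i < src.length && src[i] !== '"') i += src[i] === "\\" ? 2 : 1; continue; }
    if (c === lo) depth++;
    else if (c === hi && --depth === 0) return i;
  }
  throw new Error(`unbalanced ${lo}${hi} in GraphQL document`);
}

// Root field names of a selection set. Nested selections, argument lists and
// string literals are blanked first so only depth-0 tokens survive; aliases
// resolve to the real field; fragment spreads and directives are dropped.
function rootFields(selection) {
  let flat = "";
  for (let i = 0, depth = 0; i < selection.length; i++) {
    const c = selection[i];
    if (c === '"') { i++; while (i < selection.length && selection[i] !== '"') i += selection[i] === "\\" ? 2 : 1; flat += " "; continue; }
    if (c === "{" || c === "(") { depth++; flat += " "; continue; }
    if (c === "}" || c === ")") { depth--; flat += " "; continue; }
    flat += depth === 0 ? c : " ";
  }
  const fields = new Set();
  const tok = /\.\.\.\s*(?:on\s+\w+|\w+)|@\w+|(\w+)\s*:\s*(\w+)|(\w+)/g;
  for (let m; (m = tok.exec(flat)); ) if (m[2] || m[3]) fields.add(m[2] || m[3]);
  return [...fields];
}

// Split a document into its operation definitions (fragments are skipped).
function operations(doc) {
  const ops = [];
  const kw = /\b(query|mutation|subscription|fragment)\b\s*([A-Za-z_]\w*)?|\{/g;
  for (let m; (m = kw.exec(doc)); ) {
    const after = m[0] === "{" ? m.index : m.index + m[0].length;
    // Skip past variable definitions "(...)" to the selection set's "{".
    let open = doc.indexOf("{", after);
    const paren = doc.indexOf("(", after);
    if (paren !== -1 && paren < open) open = doc.indexOf("{", matchDelim(doc, paren, "(", ")"));
    const close = matchDelim(doc, open, "{", "}");
    if (m[1] !== "fragment") {
      ops.push({ type: m[1] || "query", name: m[2] || null, fields: rootFields(doc.slice(open + 1, close)) });
    }
    kw.lastIndex = close + 1; // never look for keywords inside a selection set
  }
  return ops;
}

// Map one HTTP request (single or batched) to logical endpoints, one per
// operation that would actually execute, so each can be crawled and tested
// as its own route instead of everything collapsing into "POST /graphql".
function graphqlEndpoints(method, path, body) {
  return (Array.isArray(body) ? body : [body]).map(r => {
    const ops = operations(r.query);
    const op = r.operationName ? ops.find(o => o.name === r.operationName)
             : ops.length === 1 ? ops[0] : undefined;
    if (!op) throw new Error(`cannot tell which operation ${method} ${path} executes`);
    return {
      transport: `${method} ${path}`,
      endpoint: `${method} ${path} ${op.type}:${op.name || op.fields.join("+")}`,
      write: op.type === "mutation",
      ...op,
    };
  });
}

// Constructed request bodies, as a crawler would capture them.
const SAMPLE_BODIES = [
  { query: "query GetOrder($id: ID!) { order(id: $id) { id total items { sku } } }", variables: { id: "101" } },
  { query: "mutation CancelOrder($id: ID!) { cancelOrder(id: $id) { ok } }\nfragment F on Order { id }", operationName: "CancelOrder" },
  { query: "{ me { id email } viewer: me { id } }" },
  [{ query: "query A { a: ping }", operationName: "A" }, { query: 'mutation B { b(x: "{not a brace}") }' }],
];

function sampleEndpoints() {
  return SAMPLE_BODIES.flatMap(b => graphqlEndpoints("POST", "/graphql", b));
}
for (const e of sampleEndpoints()) console.log(`${e.endpoint}${e.write ? "  [write]" : ""}`);
```

With the executing operation identified, the rest of the scan can treat each mutation as a write endpoint for replay and authorization testing, and each query's root fields as the resources to check for cross-user access, instead of seeing one opaque POST /graphql.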

Compliance mapping

CWE + OWASP Top 10 / API Top 10 on every finding. SOC 2 and PCI DSS report generation.

Baseline & triage

Every finding gets a stable Blake3 fingerprint. Mark findings as accepted risk or false positive, and diff-aware rescans surface only the issues that are new since the baseline.

Business model

Free for distribution. Paid for power.

Every feature free forever in the CLI. We sell compute, not features. Hosted Scans at $29/mo for teams without a local dev environment. Teams at $99/mo for shared scanning with GitHub sync and SARIF. Enterprise for SSO, custom rules, and SLA.

The free CLI drives adoption and organic distribution. Every shared report is a distribution event. Developers using the CLI advertise the product through their workflows. Paid tiers sell cloud hosting, scheduled scans, team access, and enterprise control.

Let's talk.

Whether you're interested in investing, exploring an acquisition, or discussing partnership opportunities — we'd like to hear from you.

Investment inquiries

[email protected]

Acquisition discussions

[email protected]

Strategic partnerships

[email protected]

Press & media

[email protected]