Free Tool / Open Source / MIT License

Your AI chatbot is leaking.
Here's a free tool to prove it.

Single Python file. Probes any chatbot endpoint for system prompt extraction, prompt injection, and jailbreak attacks. Outputs an HTML report you can paste into a Jira ticket on Monday.

Download on GitHub See how it works MIT licensed . Reads in five minutes . Works on any HTTP chatbot
15
AI chatbot attack classes we cover (3 free)
10
Patents filed on TRIS + BAS methodology
0
Other commercial pentest tools shipping this
Why this exists

Every SaaS team shipped an AI chatbot. Nobody is testing them.

Burp Suite does not cover prompt injection. Nessus does not cover system prompt extraction. Garak does, but Garak is a research toolkit with a learning curve. We built the pragmatic, productized version. Free and open source for the three most common attack classes. Paid for the other twelve.

What the free tool tests

Three attack classes. Each takes 5 to 15 prompts.

All three are real-world attacks observed against production chatbots in 2025 and 2026. None require sophistication. All have real consequences if they succeed.

01

System prompt extraction

Five prompt variants that trick the chatbot into revealing its internal instructions. Successful extraction leaks the company's proprietary prompt engineering, internal URLs, and the exact list of guardrails attackers then engineer around.

Impact . Competitive intel leak
02

Prompt injection

Five payloads that try to make the chatbot emit attacker-chosen output. Success means the bot becomes an attack proxy. Phishing your users with its verified voice. Emitting XSS payloads downstream. Breaking out of guardrails on demand.

Impact . Hijacked bot behavior
03

Jailbreak

Role-play frames (DAN, developer mode), hypothetical framing, and encoding bypasses (ROT13, leet) that try to evade the bot's safety policy. Success means the bot says things its policy forbids, with your brand on the screenshot.

Impact . Brand and legal exposure
How to run it

One command. Five minutes to first finding.

No SaaS signup. No API key. Just a Python file and the URL of the chatbot you own (or have written authorization to test).

$ curl -O https://raw.githubusercontent.com/CVEasy/cveasy-chatbot-pentest/main/cveasy_chatbot_pentest.py

$ python3 cveasy_chatbot_pentest.py \
    --url https://your-bot.example.com/api/chat \
    --output report.html

CVEasy Chatbot Pentest. Probing https://your-bot.example.com/api/chat
  Rate limit: 1.0s . Max tokens: 200 . Timeout: 30.0s

[1/3] System prompt extraction . 5 probes
[2/3] Prompt injection . 5 probes
[3/3] Jailbreak via role-play / encoding . 3 probes

Summary:
  [TRIGGERED] System Prompt Extraction: 2 of 5 probes succeeded.
  [TRIGGERED] Prompt Injection: 3 of 5 probes succeeded.
  [clean]    Jailbreak: No probe succeeded.

Report written to report.html
CVEasy AI covers 15 attack classes plus full TRIS scoring. https://cveasyai.com

The HTML report uses CVEasy editorial design. Drop it into a Jira ticket, a Slack thread, or an audit binder.

Free vs CVEasy AI

The free tool covers three of fifteen. The other twelve are the moat.

If you are a team running a chatbot in production, the free tool catches the bottom of the iceberg. The paid CVEasy AI app catches everything above the waterline.

CapabilityFree CLICVEasy AI
System prompt extractionYes . 5 probes
Prompt injection (direct)Yes . 5 probes
Jailbreak via role-playYes . 3 probes
Indirect prompt injection (URLs, files, RAG)No
Tool / function abuseNo
PII / conversation leakageNo
Cross-tenant leakageNo
Cost / resource exhaustion (recon only)No
RAG poisoningNo
Hallucination weaponizationNo
Multi-turn coercion (chain attacks)No
TRIS scoring (12 layers)No . single tier
Continuous monitoringNo . one-shot
Customer-deliverable HTML reportsYes . basic
Auto-discovery of chatbots across your surfaceNo
Talk to sales
Stay in the loop

Get notified when we release the other twelve.

We ship a new attack class every few weeks. Subscribe and we will email you a sample report and the upgrade pricing when we drop the next class. No marketing fluff. Three to five emails a year.

No spam. Unsubscribe anytime.

Trust

Who built this. Why we are the right people.

Build with Claude Partner

Built with Anthropic Claude.

CVEasy AI's payload generation, AI Red-Team Mode, and customer brief authoring are powered by Anthropic Claude Opus. The paid product supports bring-your-own Anthropic API key for predictable enterprise compute billing.

Trusted at Enterprise Scale

Deployed across Fortune 500 security teams.

CVEasy AI is partnered with and deployed across Fortune 500 security organizations. The TRIS 12-layer scoring framework was built against real enterprise CVE backlogs, not academic datasets.

10 Patents Filed USPTO Pending TRIS v2

Patent-protected scoring and attack methodology.

Ten patents filed on TRIS 12-layer vulnerability scoring, breach and attack simulation, and AI chatbot pentest methodology. Patent IP is the moat; this free tool is one slice of it released for the community.

GitHub MIT Licensed Single File

Open source. Read every line.

This tool is 855 lines of Python in a single file. Fork it, modify it, redistribute it. If a customer of yours asks where the probes came from, you can show them. No black box.

Try the free tool. If it finds something, we can talk.

If your chatbot trips even one of the three free attack classes, you should probably see the other twelve before someone else does.

Download on GitHub Talk to sales