Single Python file. Probes any chatbot endpoint for system prompt extraction, prompt injection, and jailbreak attacks. Outputs an HTML report you can paste into a Jira ticket on Monday.
Burp Suite does not cover prompt injection. Nessus does not cover system prompt extraction. Garak does, but Garak is a research toolkit with a learning curve. We built the pragmatic, productized version. Free and open source for the three most common attack classes. Paid for the other twelve.
All three are real-world attacks observed against production chatbots in 2025 and 2026. None require sophistication. All have real consequences if they succeed.
Five prompt variants that trick the chatbot into revealing its internal instructions. Successful extraction leaks the company's proprietary prompt engineering, internal URLs, and the exact list of guardrails attackers then engineer around.
Five payloads that try to make the chatbot emit attacker-chosen output. Success means the bot becomes an attack proxy. Phishing your users with its verified voice. Emitting XSS payloads downstream. Breaking out of guardrails on demand.
Role-play frames (DAN, developer mode), hypothetical framing, and encoding bypasses (ROT13, leet) that try to evade the bot's safety policy. Success means the bot says things its policy forbids, with your brand on the screenshot.
No SaaS signup. No API key. Just a Python file and the URL of the chatbot you own (or have written authorization to test).
$ curl -O https://raw.githubusercontent.com/CVEasy/cveasy-chatbot-pentest/main/cveasy_chatbot_pentest.py $ python3 cveasy_chatbot_pentest.py \ --url https://your-bot.example.com/api/chat \ --output report.html CVEasy Chatbot Pentest. Probing https://your-bot.example.com/api/chat Rate limit: 1.0s . Max tokens: 200 . Timeout: 30.0s [1/3] System prompt extraction . 5 probes [2/3] Prompt injection . 5 probes [3/3] Jailbreak via role-play / encoding . 3 probes Summary: [TRIGGERED] System Prompt Extraction: 2 of 5 probes succeeded. [TRIGGERED] Prompt Injection: 3 of 5 probes succeeded. [clean] Jailbreak: No probe succeeded. Report written to report.html CVEasy AI covers 15 attack classes plus full TRIS scoring. https://cveasyai.com
The HTML report uses CVEasy editorial design. Drop it into a Jira ticket, a Slack thread, or an audit binder.
If you are a team running a chatbot in production, the free tool catches the bottom of the iceberg. The paid CVEasy AI app catches everything above the waterline.
| Capability | Free CLI | CVEasy AI |
|---|---|---|
| System prompt extraction | Yes . 5 probes | Yes . 50+ probes, multilingual |
| Prompt injection (direct) | Yes . 5 probes | Yes . 50+ probes |
| Jailbreak via role-play | Yes . 3 probes | Yes . 30+ probes |
| Indirect prompt injection (URLs, files, RAG) | No | Yes |
| Tool / function abuse | No | Yes |
| PII / conversation leakage | No | Yes |
| Cross-tenant leakage | No | Yes |
| Cost / resource exhaustion (recon only) | No | Yes |
| RAG poisoning | No | Yes |
| Hallucination weaponization | No | Yes |
| Multi-turn coercion (chain attacks) | No | Yes |
| TRIS scoring (12 layers) | No . single tier | Yes . full 12 layers |
| Continuous monitoring | No . one-shot | Yes . daily feed |
| Customer-deliverable HTML reports | Yes . basic | Yes . audit binder grade |
| Auto-discovery of chatbots across your surface | No | Yes |
We ship a new attack class every few weeks. Subscribe and we will email you a sample report and the upgrade pricing when we drop the next class. No marketing fluff. Three to five emails a year.
No spam. Unsubscribe anytime.
CVEasy AI's payload generation, AI Red-Team Mode, and customer brief authoring are powered by Anthropic Claude Opus. The paid product supports bring-your-own Anthropic API key for predictable enterprise compute billing.
CVEasy AI is partnered with and deployed across Fortune 500 security organizations. The TRIS 12-layer scoring framework was built against real enterprise CVE backlogs, not academic datasets.
Ten patents filed on TRIS 12-layer vulnerability scoring, breach and attack simulation, and AI chatbot pentest methodology. Patent IP is the moat; this free tool is one slice of it released for the community.
This tool is 855 lines of Python in a single file. Fork it, modify it, redistribute it. If a customer of yours asks where the probes came from, you can show them. No black box.
If your chatbot trips even one of the three free attack classes, you should probably see the other twelve before someone else does.