Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
BruteForceAI: When AI Learns to Hack Logins Better Than a Human Hacker

1 September 2025 15:00

BruteForceAI is a new penetration testing framework that combines artificial intelligence and automation to take brute-force to the next level. Developed by Mor David, the tool uses large language models to automatically analyze login forms and conduct targeted attacks faster and more effectively. Unlike traditional solutions, it does not require complex manual configuration and reduces the risk of human error, simplifying the work of security specialists.

How BruteForceAI works and what it can do

It works in two distinct phases. In the first phase, the LLM analyzes the target page’s HTML and precisely identifies input fields, buttons, and CSS selectors. Next comes the so-called “Smart Attack phase,” during which the tool launches multi-threaded credential tests exploiting the detected selectors. The user can choose between a classic brute-force approach, which tries all possible combinations, or the more discreet password-spray mode, which is useful for reducing the risk of blocking.

Among its strengths are its evasion capabilities. The tool mimics human behavior through timed delays and random jitter, alternates user agents, supports proxies, and lets the operator control browser visibility. This makes attacks more difficult for automated defense systems to intercept. Furthermore, it logs everything in a SQLite database and sends immediate notifications via webhooks to platforms like Slack, Discord, Teams, or Telegram.
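From the defender's side, the two attack modes and the evasion features above suggest detection that does not depend on request timing or user agent. The following is an added example, not part of the original article and not BruteForceAI code: it flags password spraying (one source failing against many accounts) and brute force (one account failing repeatedly, from any source) over a sliding window. The event layout, thresholds, and sample log entries are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (ISO time, source IP, username, user agent, success)
SAMPLE_EVENTS = [
    ("2025-09-01T10:00:03", "203.0.113.7", "alice", "UA-1", False),   # spray:
    ("2025-09-01T10:03:41", "203.0.113.7", "bob", "UA-2", False),     # one source,
    ("2025-09-01T10:08:17", "203.0.113.7", "carol", "UA-3", False),   # many accounts,
    ("2025-09-01T10:11:52", "203.0.113.7", "dave", "UA-1", False),    # jittered delays
    ("2025-09-01T10:01:10", "198.51.100.1", "admin", "UA-2", False),  # brute force:
    ("2025-09-01T10:05:29", "198.51.100.2", "admin", "UA-3", False),  # one account,
    ("2025-09-01T10:09:02", "198.51.100.3", "admin", "UA-1", False),  # a different
    ("2025-09-01T10:14:47", "198.51.100.4", "admin", "UA-2", False),  # proxy for
    ("2025-09-01T10:19:33", "198.51.100.5", "admin", "UA-3", False),  # each attempt
    ("2025-09-01T10:02:00", "192.0.2.10", "erin", "UA-4", False),     # ordinary typo
    ("2025-09-01T10:02:20", "192.0.2.10", "erin", "UA-4", True),
]

def detect(events, window=timedelta(minutes=30), spray_users=4, brute_fails=5):
    """Return (spraying source IPs, brute-forced accounts) seen within `window`."""
    by_source = defaultdict(deque)   # source IP -> recent (time, username) failures
    by_account = defaultdict(deque)  # username  -> recent (time, source IP) failures
    spray, brute = set(), set()
    # The user agent is deliberately ignored: rotating it must not reset a counter.
    for ts, ip, user, _agent, ok in sorted(events):
        if ok:
            continue
        now = datetime.fromisoformat(ts)
        for queue, item in ((by_source[ip], user), (by_account[user], ip)):
            queue.append((now, item))
            while now - queue[0][0] > window:  # expire failures older than the window
                queue.popleft()
        # Spray: few attempts per account, so per-account lockout never triggers.
        if len({u for _, u in by_source[ip]}) >= spray_users:
            spray.add(ip)
        # Brute force: keyed on the account, so changing proxies does not help.
        if len(by_account[user]) >= brute_fails:
            brute.add(user)
    return spray, brute

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
    # A window shorter than the configured delay misses both patterns.
    print(detect(SAMPLE_EVENTS, window=timedelta(minutes=5)))
```

With a 5-minute window the same events produce no alerts, which is why the window has to be longer than the delay an attacker is willing to wait between attempts.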

For those new to penetration testing, BruteForceAI offers an interesting insight. It’s not just software for launching attacks, but a tool for understanding how authentication mechanisms work and how vulnerable they are if not adequately protected. Used in authorized contexts, it becomes an ally for learning, testing, and improving cyber defenses without having to write complex code.

| Parameter | Description | Default |
|---|---|---|
| --mode | Attack mode (bruteforce/passwordspray) | Brute force |
| --threads | Number of threads | 1 |
| --delay | Delay between retries (seconds) | 0 |
| --jitter | Random jitter (seconds) | 0 |
| --success-exit | Stop after first success | False |
| --force-retry | Retry existing attempts | False |

Attack options to provide at the BruteForceAI prompt

For Red Teams and Not for Cybercriminals?

Its adoption is primarily intended for red teams, security researchers, and professionals who perform testing on behalf of others. By automating typically slow and repetitive steps, it drastically reduces analysis times and makes it easier to detect weak login systems. It’s a concrete example of how artificial intelligence can improve established tools, transforming a tedious, manual process into an optimized flow.

From a technical standpoint, installation is not complicated. Python 3.8 or higher, Playwright, and some standard libraries such as requests and PyYAML are required. After cloning the repository from GitHub and running the pip install -r requirements.txt command, you can choose the language model to use: Ollama for local execution or Groq for cloud deployment. Once configured, the tool launches with simple commands for analyzing targets and executing attacks.

It is important to emphasize that BruteForceAI is intended solely for ethical and professional purposes: authorized testing, academic research, and educational activities. Misuse against unauthorized systems is illegal and unethical.

In the right hands, however, it represents a valuable resource for discovering vulnerabilities and strengthening the security of digital systems, introducing new generations of specialists to more intelligent and informed methodologies.

The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.