minirep is a DevTools-native security and API analysis companion built for people who want browser context, real traffic, and repeatable validation without immediately leaving Chrome. It captures traffic from the inspected tab, lets you replay and mutate requests, extracts findings from responses and loaded client resources, and adds AI-assisted reasoning through AI MiniReper.
How to think about minirep
minirep is best used as the browser-native front line of your workflow: capture what the app is actually doing, understand it quickly, build context from findings, and then decide whether to continue validating inside minirep or move deeper into tools like Burp Suite.
Why teams use it
Real session context
Work from actual browser traffic, selected requests, pinned flows, and extracted findings instead of synthetic examples or copied fragments.
One-screen workflow
Capture, request editing, response analysis, extractor findings, and AI reasoning live in one movable DevTools workspace.
Fast triage
Move quickly from “what is this app doing?” to “what should I test next?” without having to export everything into another tool first.
Bounded automation
Use structured AI-assisted audit flows and request variants while keeping the process anchored to captured traffic and operator review.
Core product areas
Capture and workspace
- live request capture from the inspected tab
- HAR-seeded startup context
- request filtering and search
- movable dashboard layout
- import/export of captured traffic
Request replay and validation
- editable request text and JSON views
- built-in sender for replay
- baseline capture
- runner workflows for diffing and negative testing
Extractor
- secrets, endpoints, parameters, XSS signals, web cache poisoning signals, security header issues, endpoint graphing, response search, and Supabase-focused findings
- optional inclusion of loaded script resources and source map sources
- AI context handoff from extractor findings
AI MiniReper
- Ask mode for explanation, triage, and targeted reasoning
- Agent mode for bounded audit-style execution
- auto context from selected requests, pinned requests, and chosen extractor findings
- auto-run of structured attack suggestions, with post-run analysis
Where minirep fits in a modern security workflow
minirep is especially strong in the part of the workflow where frontend context matters:
- understanding what the browser is really sending
- identifying hidden endpoints and exposed client-side assumptions
- mapping auth context across requests
- validating boundary, cache, and parameter behavior with live replay
- feeding real, selected evidence into an AI assistant
It is not meant to replace every part of a mature AppSec toolchain. It is strongest as the fast, browser-native layer that sits before or beside heavier tools.
Minirep as a companion to Burp Suite
If you already use Burp:
- use minirep to stay close to the browser and understand live flows quickly
- use Extractor to turn traffic into findings and candidate context
- use AI MiniReper to triage, explain, and stage follow-up ideas
- use the runner to test variants without leaving the panel
- move to Burp when you need broader proxying, manual exploitation depth, scan ecosystems, or larger engagements
The practical model is:
- Observe and understand in minirep
- Validate quickly in minirep
- Escalate to Burp when the target deserves deeper proxy-driven testing
Best-fit use cases
Application security
AppSec engineers can use minirep to understand flows, inspect headers, validate auth boundaries, and triage client-side exposure quickly.
Bug bounty and research
Researchers can keep reconnaissance and browser-grounded validation close to the actual application session instead of immediately jumping out into a disconnected workflow.
Developer debugging
Developers and QA teams can use the same surfaces for API debugging, request mutation, error analysis, and replay-driven troubleshooting.
Supabase-heavy frontends
Teams reviewing Supabase-backed applications can use the dedicated Supabase extractor output to quickly surface table access and sensitive field exposure signals.