How the Brain Works
The Brain is the core of OpenQA - an autonomous system that thinks, plans, and executes tests without human intervention.
Three Phases Per Session
Each autonomous session runs three phases in sequence — from intelligence gathering to active testing:
```
┌─────────────────────────────────────────────────────┐
│ PHASE 0 — PROJECT INTELLIGENCE                      │
│ Detect domain · Assess risk · Identify regulations  │
│ Seed Kanban with strategic tasks                    │
└────────────────────────┬────────────────────────────┘
                         ↓
┌─────────────────────────────────────────────────────┐
│ PHASE 1 — LLM ANALYSIS                              │
│ Deep understanding · Suggested tests · Risk areas   │
└────────────────────────┬────────────────────────────┘
                         ↓
┌─────────────────────────────────────────────────────┐
│ PHASE 2 — REACT LOOP (Think → Act → Observe)        │
│ Specialist agents · Dynamic agents                  │
│ Test generation · Bug recording · Kanban updates    │
└─────────────────────────────────────────────────────┘
```

The same cycle, summarised as four stages:

- INTELLIGENCE: analyses domain, risk level and regulations, and creates a proactive Kanban before any test runs
- ANALYZE: the LLM deep-dives into the application, understands its purpose, identifies risk areas and suggests tests
- ACT: runs the specialist agents selected by intelligence, spawns dynamic agents, generates and executes tests
- LEARN: reviews results, records findings to Kanban and adjusts strategy for the next iteration
Phase 0 — Project Intelligence
The intelligence layer runs before the first test. It reads the target URL and, if one is supplied, the codebase, looks for signals (keywords in the URL, dependencies in package.json), and produces a full project profile:
- Domain — fintech, healthcare, e-commerce, SaaS B2B, developer tools…
- Risk level — critical / high / medium / low
- Regulations — PCI-DSS, GDPR, HIPAA, WCAG 2.1, SOC 2…
- Mandatory checks — OWASP-referenced tasks seeded directly to Kanban
- Agent blueprints — dynamic agents to create that were never pre-coded
A fintech app gets exhaustive OWASP security testing. A blog gets a standard profile. OpenQA adapts to the project — not the other way around.
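Here is an added example, not OpenQA's own code, of what the signal-to-profile step can look like: it scores domain signals from the URL and package.json, maps the winning domain to a risk level and regulations, seeds OWASP-referenced tasks for Kanban, and derives dynamic-agent blueprints. The keyword lists, weights, policy table and blueprint naming are assumptions made for illustration, and the URLs and package.json contents used with it are constructed.

```javascript
// Added example (not OpenQA's own code): a heuristic version of the Phase 0
// signal-to-profile step. Keyword lists, weights, the domain-to-regulation
// policy and the blueprint naming are all assumptions made for illustration.

// Signals that point at a domain. A matching dependency is weighted higher (2 vs 1)
// than a URL keyword, because a host name is easy to brand and easy to misread.
const DOMAIN_SIGNALS = [
  { domain: "fintech",         urlWords: ["bank", "pay", "wallet", "invest", "loan"],
                               deps: ["stripe", "plaid", "braintree", "adyen"] },
  { domain: "healthcare",      urlWords: ["health", "clinic", "patient", "pharma"],
                               deps: ["fhir", "hl7"] },
  { domain: "e-commerce",      urlWords: ["shop", "store", "cart", "checkout"],
                               deps: ["shopify", "medusa", "commerce"] },
  { domain: "developer tools", urlWords: ["sdk", "developer", "docs", "devtools"],
                               deps: ["commander", "yargs", "oclif"] },
];

// What each domain implies. Anything unmatched gets the "standard" profile.
const DOMAIN_POLICY = {
  fintech:           { risk: "critical", regulations: ["PCI-DSS", "SOC 2", "GDPR"] },
  healthcare:        { risk: "critical", regulations: ["HIPAA", "GDPR"] },
  "e-commerce":      { risk: "high",     regulations: ["PCI-DSS", "GDPR", "WCAG 2.1"] },
  "developer tools": { risk: "medium",   regulations: ["SOC 2"] },
  standard:          { risk: "low",      regulations: ["WCAG 2.1"] },
};

// OWASP Top 10 (2021) categories seeded to Kanban as mandatory tasks, by risk level.
const MANDATORY_CHECKS = {
  critical: ["A01:2021 Broken Access Control", "A02:2021 Cryptographic Failures",
             "A03:2021 Injection", "A07:2021 Identification and Authentication Failures"],
  high:     ["A01:2021 Broken Access Control", "A03:2021 Injection",
             "A07:2021 Identification and Authentication Failures"],
  medium:   ["A03:2021 Injection", "A05:2021 Security Misconfiguration"],
  low:      ["A05:2021 Security Misconfiguration"],
};

// Tokenise host + path; the query string is deliberately ignored as a signal source.
function urlTokens(url) {
  const u = new URL(url);
  return (u.hostname + "/" + u.pathname).toLowerCase().split(/[^a-z0-9]+/).filter(Boolean);
}

function dependencyNames(packageJson) {
  const all = { ...(packageJson.dependencies || {}), ...(packageJson.devDependencies || {}) };
  return Object.keys(all).map((d) => d.toLowerCase());
}

// Returns the project profile: domain, risk, regulations, evidence, Kanban seed and blueprints.
function detectProfile(url, packageJson = {}) {
  const tokens = urlTokens(url);
  const deps = dependencyNames(packageJson);

  const scored = DOMAIN_SIGNALS.map((s) => {
    const urlHits = s.urlWords.filter((w) => tokens.some((t) => t.includes(w)));
    const depHits = s.deps.filter((d) => deps.some((name) => name.includes(d)));
    return {
      domain: s.domain,
      score: urlHits.length + 2 * depHits.length,
      evidence: [...urlHits.map((w) => `url:${w}`), ...depHits.map((d) => `dep:${d}`)],
    };
  }).sort((a, b) => b.score - a.score);

  const best = scored[0].score > 0 ? scored[0] : { domain: "standard", score: 0, evidence: [] };
  const policy = DOMAIN_POLICY[best.domain];
  return {
    domain: best.domain,
    risk: policy.risk,
    regulations: policy.regulations,
    evidence: best.evidence,
    // Mandatory checks become Kanban tasks before the first test runs.
    kanbanSeed: MANDATORY_CHECKS[policy.risk].map((title) => ({ title, priority: policy.risk, source: "intelligence" })),
    // One dynamic-agent blueprint per regulation; "PCI-DSS-Validator" matches the naming used later on this page.
    agentBlueprints: policy.regulations.map((r) => `${r.replace(/\s+/g, "-")}-Validator`),
  };
}
```

The evidence list is kept on the profile on purpose: when the Brain escalates a project to "critical", a reviewer should be able to see which keyword or dependency caused it, and a single mis-matched word should never be enough on its own to change the risk level without leaving a trace.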
Phase 1 — LLM Analysis
The LLM receives the intelligence report as context and produces:
- A detailed understanding of the application
- Specific tests to generate (concrete, not generic)
- Additional risk areas to cover
- Custom agent suggestions beyond the intelligence blueprints
Phase 2 — ReAct Loop
The Brain runs a Reason-Act-Observe loop for up to AGENT_MAX_ITERATIONS cycles:
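To make the Think/Act/Observe mechanics concrete, here is an added example, not OpenQA's code, of such a loop. The tool names mirror the trace shown below; their bodies, the state shape, the error handling and the scripted reasoner standing in for the LLM are assumptions. The point worth seeing is that the model only chooses from an allowlist of tools, each tool validates its own arguments, a failed action becomes an observation rather than a crash, and the session is hard-bounded by the iteration limit.

```javascript
// Added example (not OpenQA's own code): a bounded Reason-Act-Observe loop with an
// allowlisted tool set. Tool bodies, state shape and the scripted reasoner are assumptions.

// Upper bound on iterations; read from the environment when set (assumed to be the
// same setting the page calls AGENT_MAX_ITERATIONS).
const AGENT_MAX_ITERATIONS = Number((typeof process !== "undefined" && process.env.AGENT_MAX_ITERATIONS) || 5);

// The only actions the loop will execute. Each validates its arguments, because the
// action and its arguments come from model output, not from trusted code.
const TOOLS = {
  generate_test({ type, target }, state) {
    if (!["security", "functional", "accessibility"].includes(type)) throw new Error(`unknown test type: ${type}`);
    if (typeof target !== "string" || !target) throw new Error("target is required");
    const id = `t${state.tests.length + 1}`;
    state.tests.push({ id, type, target, status: "queued" });
    return `test ${id} created, added to queue`;
  },
  create_dynamic_agent({ blueprint }, state) {
    // Only blueprints produced by the intelligence/analysis phases may be instantiated.
    if (!state.blueprints.includes(blueprint)) throw new Error(`blueprint not in intelligence report: ${blueprint}`);
    state.agents.push({ blueprint, status: "running" });
    return `agent ${blueprint} created, running`;
  },
  record_finding({ title, severity }, state) {
    if (!["critical", "high", "medium", "low"].includes(severity)) throw new Error(`bad severity: ${severity}`);
    if (typeof title !== "string" || !title) throw new Error("title is required");
    state.kanban.push({ title, severity, status: "open" });
    return `kanban ticket #${state.kanban.length} opened`;
  },
};

// One session: Think (ask the reasoner), Act (dispatch through the allowlist), Observe
// (append the result, errors included, so the next Think can react to it).
function runReact(reasoner, blueprints, maxIterations = AGENT_MAX_ITERATIONS) {
  const state = { blueprints, tests: [], agents: [], kanban: [], trace: [] };
  for (let i = 1; i <= maxIterations; i++) {
    const step = reasoner(state, i);
    if (step.action === "done") {
      state.trace.push({ iteration: i, thought: step.thought, action: "done", observation: "session complete" });
      break;
    }
    let observation;
    try {
      // hasOwnProperty guards against names like "__proto__" or "constructor".
      if (!Object.prototype.hasOwnProperty.call(TOOLS, step.action)) throw new Error(`tool not allowlisted: ${step.action}`);
      observation = TOOLS[step.action](step.args || {}, state);
    } catch (err) {
      observation = `error: ${err.message}`; // fed back to the reasoner, never fatal to the session
    }
    state.trace.push({ iteration: i, thought: step.thought, action: step.action, observation });
  }
  return state;
}

// Deterministic stand-in for the LLM. It decides from state rather than from the
// iteration counter, so an action that failed is retried instead of skipped.
function scriptedReasoner(state) {
  if (!state.tests.some((t) => t.target.startsWith("login"))) {
    return { thought: "Login form not tested yet: create test", action: "generate_test",
             args: { type: "security", target: "login SQL injection" } };
  }
  const pending = state.blueprints.find((b) => !state.agents.some((a) => a.blueprint === b));
  if (pending) {
    return { thought: "Payment flow is critical path: need coverage", action: "create_dynamic_agent",
             args: { blueprint: pending } };
  }
  if (state.kanban.length === 0) {
    // Constructed sample finding, not a real result.
    return { thought: "Record what the session has found so far", action: "record_finding",
             args: { title: "Constructed sample finding: login form has no lockout", severity: "medium" } };
  }
  return { thought: "Coverage goals met", action: "done" };
}
```

Run `runReact(scriptedReasoner, ["PCI-DSS-Validator"])` and the trace reproduces the two iterations shown below, followed by a Kanban ticket and a "done" step. Swap in a reasoner that asks for a tool outside `TOOLS`, or for a blueprint the intelligence report never produced, and the loop records an error observation and moves on; one that never says "done" stops at the iteration limit.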
```
🧠 Intelligence: "Fintech app — activate auth-tester, sql-injection, xss-tester"
                 + "Create dynamic:PCI-DSS-Validator blueprint"
      ↓
🤖 Specialists launched (selected by intelligence, not hard-coded)
      ↓
🔄 ReAct iteration 1:
   Think:   "Login form not tested yet — create test"
   Act:     generate_test(type="security", target="login SQL injection")
   Observe: test created, added to queue
      ↓
🔄 ReAct iteration 2:
   Think:   "Payment flow is critical path — need coverage"
   Act:     create_dynamic_agent(blueprint="PCI-DSS-Validator")
   Observe: agent created, running...
      ↓
🗂️ Findings → Kanban tickets (live, during session)
```

Triggering the Brain
Manual Trigger
```bash
# Start a full autonomous session
curl -X POST http://localhost:3000/api/brain/run

# Just analyze without running tests
curl -X POST http://localhost:3000/api/brain/analyze
```

Automatic Triggers
The Brain can also be triggered automatically:
- On merge - when code is merged to the main branch
- On deploy - after a successful CI/CD pipeline run
- On schedule - at regular, configurable intervals

Whichever trigger you wire up, treat POST /api/brain/run as a privileged operation: it starts active testing against the target, so only the CI runner or scheduler that is meant to start sessions should be able to reach the endpoint.
Brain API
| Endpoint | Description |
|---|---|
| POST /api/brain/analyze | Analyze app, get suggestions without running |
| POST /api/brain/run | Start full autonomous testing session |
| POST /api/brain/generate-test | Generate a specific test |
| POST /api/brain/create-agent | Create a custom specialized agent |
| POST /api/brain/run-test/:id | Execute a specific test |
