XBOW tops US leaderboard on HackerOne Read more
XBOW Logo

Boosting offensive security with AI

XBOW autonomously finds and exploits vulnerabilities in 75% of web benchmarks

Blog

Updates and opinions from the team

June 24, 2025  -  By Nico Waisman

The road to Top 1: How XBOW did it

For the first time in bug bounty history, an autonomous penetration tester has reached the top spot on the US leaderboard.

Read post

June 24, 2025  -  By Oege de Moor

Taking the Top Hacker in the US to New Heights: XBOW Raises $75M Series B

XBOW has reached a critical milestone: our AI now rivals and surpasses top-tier human hackers.

Read post

June 24, 2025  -  By Alvaro Muñoz

Breaking the Shield: How XBOW Discovered Multiple XSS Vulnerabilities in Palo Alto’s GlobalProtect VPN

XBOW discovered multiple cross-site scripting (XSS) vulnerabilities in Palo Alto Networks’ GlobalProtect VPN web application

Read post

December 20, 2024  -  By Nico Waisman

The Nightmare Before Christmas: An arbitrary file download on Zoo-Project

XBOW discovered an arbitrary file download vulnerability on the WPS open source app Zoo-Project.

Read post

December 13, 2024  -  By Diego Jurado

Stored Cross-Site Scripting (XSS) in 2FAuth

XBOW discovered a Cross-Site Scripting (XSS) vulnerability in the open-source project, 2FAuth.

Read post

December 2, 2024  -  By Diego Jurado

LabsAI’s EDDI project path traversal

XBOW discovered a Path Traversal vulnerability in the open-source project, LabsAI’s EDDI.

Read post

November 22, 2024  -  By Nico Waisman

SSRF & URI validation bypass in 2FAuth

XBOW discovered a Server-Side Request Forgery (SSRF) vulnerability in the OTP preview feature of the open-source project, 2FAuth.

Read post

November 13, 2024  -  By Nico Waisman and Brendan Dolan-Gavitt

How XBOW found a Scoold authentication bypass

As we shift our focus from benchmarks to real world applications, we will be sharing some of the most interesting vulnerabilities XBOW has found in real-world, open-source targets. The first of these is an authentication bypass in Scoold, a popular open-source Q&A platform.

Read post

September 11, 2024  -  By Nico Waisman

XBOW validation benchmarks: show me the numbers!

XBOW is currently making 104 benchmarks available to the public. This allows other security products, tools, and researchers to use and explore these benchmarks.

Read post

August 5, 2024  -  By Oege de Moor

XBOW now matches the capabilities of a top human pentester

Five professional pentesters were asked to find and exploit the vulnerabilities in 104 realistic web security benchmarks. The most senior of them, with over twenty years of experience, solved 85% during 40 hours, while others scored 59% or less. XBOW also scored 85%, doing so in 28 minutes. This illustrates how XBOW can boost offensive security teams, freeing them to focus on the most interesting and challenging parts of their job.

Read post

July 30, 2024  -  By Oege de Moor

Sequoia Capital leads $20M seed round in XBOW

XBOW scales offensive security through AI, boosting the work of pentesters, bug hunters and offensive security researchers. It autonomously solves 75% of web app security benchmarks. Sequoia Capital is leading a $20M seed round in XBOW.

Read post

July 17, 2024  -  By Brendan Dolan-Gavitt

Breaking Crypto with XBOW

When I taught Offensive Security at NYU, padding oracles were the hardest attack we covered in our two-week unit on breaking cryptography. So it shocked me when XBOW managed to successfully build an exploit for this vulnerability in one of our novel benchmarks “Bad Captcha”, using it to decrypt a cookie set by the server and bypass its authentication.

Read post

July 15, 2024  -  By Oege de Moor

Introducing XBOW

XBOW brings AI to offensive security. Today we’re announcing the results of testing XBOW on hundreds of web security benchmarks. Without any human intervention, XBOW correctly finds and exploits the vulnerabilities in most of them.

Read post

Book a demo


Book a demo

Find out more about our technology