August 18, 2025

Empowering Defenders in the Age of AI: My Journey to XBOW

Niroshan Rajadurai joins XBOW as Chief Revenue Officer to help scale the company’s mission of harnessing AI for offensive security. With a track record building GitHub Advanced Security and shaping the rise of GitHub Copilot, Niro brings deep experience at the intersection of AI, security, and developer empowerment to this pivotal moment in cybersecurity.

Niroshan Rajadurai

August 18, 2025

XBOW on HackerOne: What’s Next

XBOW, our autonomous AI pen-tester, reached #1 on HackerOne's global leaderboards, proving AI can match human-level security research. With that question answered, we're now focused on helping customers integrate XBOW into their pre-production workflows.

Nico Waisman

August 15, 2025

XBOW Unleashes GPT-5’s Hidden Hacking Power, Doubling Performance

OpenAI's initial assessment of GPT-5 showed modest cyber capabilities, yet integrating it into the XBOW platform unleashed its hidden hacking power and doubled our agent's performance

Oege de Moor

Albert Ziegler

August 13, 2025

Black Hat & DEF CON: Running XBOW Live, Presentation Slides, and The Talk You Didn’t Miss

A recap of our week at Black Hat and DEF CON, where we put XBOW to the ultimate test: running it live against real targets and discovering dozens of vulnerabilities.

Nico Waisman

August 5, 2025

XBOW Partners with Vanta to Bring Autonomous Penetration Testing to Startups

We are bringing XBOW’s autonomous penetration testing directly into the Vanta platform.

Joanna Clifton

July 31, 2025

The campaign is not available in your country: XBOW discovered an SQLi while attempting to bypass geolocation restrictions.

As much as an AI might get discouraged, it’s also incredibly relentless in its pursuit.

No items found.

July 28, 2025

Another Byte Bites the Dust - How XBOW Turned a Blind SSRF into a File Reading Oracle

A complete arbitrary local file read vulnerability achieved through an ingenious byte-by-byte exfiltration technique.

Alvaro Muñoz

July 24, 2025

Beyond the Bands: Exploiting TiTiler’s Expression Parser for Remote Code Execution

A methodical analysis of TiTiler's API endpoints and its expression parser, leading to arbitrary Python code execution on the server.

Alvaro Muñoz

July 21, 2025

How XBOW turned a JavaScript hint into a working file inclusion

The XBOW bug bounty effort continues, and this time it uncovered a critical local file inclusion vulnerability by transforming an intriguing SSRF into a full file read exploit.

Nico Waisman

July 17, 2025

Agents Built From Alloys

This spring, we had a simple and, to my knowledge, novel idea that turned out to dramatically boost the performance of our vulnerability detection agents at XBOW. On fixed benchmarks and with a constrained number of iterations, we saw success rates rise from 25% to 40%, and then soon after to 55%.

Albert Ziegler

July 14, 2025

XBOW battles Ninja Tables: Who’s the Real Ninja?

Sharing the story of how XBOW sniffed out a sneaky arbitrary file read bug in the popular WordPress Ninja Tables plugin.

Alvaro Muñoz

July 10, 2025

When the Heat Gets to Your Database: A Refreshing SQL Injection Discovery in Z-Push

Summer's scorching heat is particularly brutal this season, making even the most seasoned pentesters dream of cool shade and refreshing drinks. But sometimes, when you're deep in the trenches of vulnerability research, you stumble upon something that's equally refreshing: a crisp, clean SQL injection vulnerability as good as an ice-cold beverage on a sweltering day.

Javier Gil

July 7, 2025

Finding XSS in Salesforce Aura Components: How XBOW Got Creative

How artificial intelligence discovered a widespread XSS vulnerability through methodical testing and creative parameter combinations.

Diego Jurado

June 30, 2025

CVE-2025-49493: XML External Entity (XXE) Injection in Akamai CloudTest

When XBOW met Akamai: a walkthrough of discovering and exploiting an XML External Entity vulnerability (CVE-2025-49493) in a widely-deployed application.

Diego Jurado

June 24, 2025

Breaking the Shield: How XBOW Discovered Multiple XSS Vulnerabilities in Palo Alto’s GlobalProtect VPN

XBOW discovered multiple cross-site scripting (XSS) vulnerabilities in Palo Alto Networks’ GlobalProtect VPN web application

Alvaro Muñoz

June 24, 2025

Taking the Top Hacker in the US to New Heights: XBOW Raises $75M Series B

XBOW has reached a critical milestone: our AI now rivals and surpasses top-tier human hackers.

Oege de Moor

June 24, 2025

The road to Top 1: How XBOW did it

For the first time in bug bounty history, an autonomous penetration tester has reached the top spot on the US leaderboard.

Nico Waisman

December 20, 2024

The Nightmare Before Christmas: An arbitrary file download on Zoo-Project

XBOW discovered an arbitrary file download vulnerability on the WPS open source app Zoo-Project.

Nico Waisman

December 13, 2024

Stored Cross-Site Scripting (XSS) in 2FAuth

XBOW discovered a Cross-Site Scripting (XSS) vulnerability in the open-source project, 2FAuth.

Diego Jurado

December 2, 2024

LabsAI’s EDDI project path traversal

XBOW discovered a Path Traversal vulnerability in the open-source project, LabsAI’s EDDI.

Diego Jurado

November 22, 2024

SSRF & URI validation bypass in 2FAuth

XBOW discovered a Server-Side Request Forgery (SSRF) vulnerability in the OTP preview feature of the open-source project, 2FAuth.

Nico Waisman

November 13, 2024

How XBOW found a Scoold authentication bypass

As we shift our focus from benchmarks to real world applications, we will be sharing some of the most interesting vulnerabilities XBOW has found in real-world, open-source targets. The first of these is an authentication bypass in Scoold, a popular open-source Q&A platform.

Nico Waisman

November 9, 2024

XBOW validation benchmarks: show me the numbers!

XBOW is currently making 104 benchmarks available to the public. This allows other security products, tools, and researchers to use and explore these benchmarks.

Nico Waisman

August 5, 2024

XBOW now matches the capabilities of a top human pentester

Five professional pentesters were asked to find and exploit the vulnerabilities in 104 realistic web security benchmarks. The most senior of them, with over twenty years of experience, solved 85% during 40 hours, while others scored 59% or less. XBOW also scored 85%, doing so in 28 minutes. This illustrates how XBOW can boost offensive security teams, freeing them to focus on the most interesting and challenging parts of their job.

Oege de Moor

July 17, 2024

Breaking Crypto with XBOW

When I taught Offensive Security at NYU, padding oracles were the hardest attack we covered in our two-week unit on breaking cryptography. So it shocked me when XBOW managed to successfully build an exploit for this vulnerability in one of our novel benchmarks “Bad Captcha”, using it to decrypt a cookie set by the server and bypass its authentication.

Brendan Dolan‑Gavitt

July 15, 2024

Introducing XBOW

XBOW brings AI to offensive security. Today we’re announcing the results of testing XBOW on hundreds of web security benchmarks. Without any human intervention, XBOW correctly finds and exploits the vulnerabilities in most of them.

Oege de Moor

July 30, 2023

Sequoia Capital leads $20M seed round in XBOW

XBOW scales offensive security through AI, boosting the work of pentesters, bug hunters and offensive security researchers. It autonomously solves 75% of web app security benchmarks. Sequoia Capital is leading a $20M seed round in XBOW.

Oege de Moor