Empowering Defenders in the Age of AI: My Journey to XBOW

From Semmle to GitHub: Building Developer-First Security

Seven and a half years ago, I joined a small security startup called Semmle, driven by the belief that developers could solve security problems if we gave them the right tools. That journey took me through the acquisition by GitHub, where I had the privilege to help build GitHub Advanced Security (GHAS) from the ground up.

Watching GHAS grow from a nascent idea into one of the industry’s leading AppSec platforms, and in the process changing how our industry approaches DevSecOps by putting developers first, has been one of the most rewarding experiences of my career. We proved that empowering developers with security tooling, integrating scans directly into their workflows and even using AI to suggest fixes, leads to better outcomes. In doing so, we helped transform GitHub from a DevOps platform into a DevSecOps leader, making security a natural part of software development.

AI in the Wrong Hands

At GitHub, I also had the chance to be part of innovations like GitHub Actions and the early vision for Copilot, which showed how AI could fundamentally reshape the developer experience. Using AI to not only accelerate productivity but also assist in fixing vulnerabilities demonstrated its potential as a force multiplier for defenders.

But AI is not only in the hands of the good guys. Adversaries are now using generative AI as a malicious productivity suite: automating reconnaissance, creating malware variants, and scaling phishing attacks with unprecedented precision and speed. As I’ve written before, AI is a double-edged lightsaber. It can empower defenders, but it can just as easily be weaponized against us. With nearly 80% of CISOs already reporting a material impact from AI-driven threats, the message is clear. We must meet this challenge with equally advanced tools.

Why Offensive Security Needs AI

Traditional penetration testing, while valuable, is too manual and too slow to keep pace with AI-powered attacks. Adversaries can now probe systems continuously, exploiting weaknesses at machine speed. Defenders need the same advantage.

That is why I believe offensive security must embrace AI. Intelligent systems capable of probing, validating, and exploiting vulnerabilities at scale can help us identify weaknesses before attackers do. This is not about replacing human creativity, it is about augmenting it. AI can handle the exhaustive, high-volume work while human experts focus on strategy and the hardest problems. In doing so, we can finally shift from reactive defense to proactive resilience.

Joining XBOW: The Next Frontier

This conviction is what led me to join XBOW. The company has already made history as the first AI to achieve the #1 hacker ranking on HackerOne, outperforming thousands of human researchers. That milestone was more than a headline. It was proof that AI can stand shoulder to shoulder with the best human talent in offensive security.

At XBOW, I see the culmination of my journey: developer-first security, AI-powered innovation, and a mission to empower defenders. The platform we are building is game-changing: autonomous AI agents that continuously test systems, validate findings, and scale offensive security to levels previously unimaginable. It is the clearest path I have seen to putting defenders back in control.

The Time Is Now

The threats ahead are daunting, but the tools at our disposal are more powerful than ever. By harnessing AI responsibly and keeping a mission-first mindset, I believe we can tip the balance in favor of the defenders.

I am excited to embark on this journey with XBOW and our community. I invite you to join us, share your thoughts, follow our progress, and above all, let’s talk. Together, we can build a future where intelligent offensive security keeps us all safer.