February 2, 2026
Product

Aqeel Siddiqui

Introducing the XBOW Public API

The XBOW Public API is now in Public Preview—programmatic access to assessments, findings, and webhooks, built for production from day one.

You've seen what XBOW can do: run a pentest at machine speed, find real exploits, deliver results in hours instead of weeks. That's the breakthrough. But a breakthrough only matters if you can build on it.

Today, we're releasing the XBOW Public API in Public Preview.

From One to One Hundred

Here’s what changes:

Imagine running one pentest with XBOW. Results streaming in, vulnerabilities surfaced, exploits validated. Now imagine running a hundred pentests. Same speed. Same depth. All in parallel.

That’s what the API unlocks.

Security teams managing dozens of applications no longer need to choose which ones get tested this quarter.

The constraint was never XBOW’s capability. It was access. The API removes that constraint.

What You Can Build

The API provides programmatic access to everything you’d expect:

  • Assessments—start, pause, resume, cancel pentests
  • Findings—retrieve vulnerabilities, trigger fix verification
  • Assets—manage what you’re testing
  • Reports—pull results for downstream consumption
  • Webhooks—get notified when things change (assessment.changed, finding.changed, asset.changed)

All endpoints are versioned, paginated, and rate-limited. A full OpenAPI spec is available for code generation and tooling.

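# Fetch findings from XBOW API.
# --fail makes curl exit non-zero on an HTTP error, so an expired key or an
# outage blocks the deployment instead of being counted as "zero findings".
# The endpoint is paginated: this evaluates only the page this request returns.
if ! FINDINGS=$(curl -sS --fail -X GET "${BASE_URL}/assets/${ASSET_ID}/findings" \
    -H "Authorization: Bearer ${API_KEY}" \
    -H "X-XBOW-API-Version: ${API_VERSION}" \
    -H "Accept: application/json" \
    -H "Content-Type: application/json"); then
    echo "DEPLOYMENT BLOCKED: could not fetch findings from the XBOW API"
    exit 1
fi

# Fail closed if the response does not contain an items array
if ! echo "$FINDINGS" | jq -e '.items | type == "array"' > /dev/null 2>&1; then
    echo "DEPLOYMENT BLOCKED: unexpected response from the XBOW API"
    exit 1
fi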

# Count findings by severity
CRITICAL=$(echo "$FINDINGS" | jq '[.items[]? | select(.severity=="critical")] | length')
HIGH=$(echo "$FINDINGS" | jq '[.items[]? | select(.severity=="high")] | length')
MEDIUM=$(echo "$FINDINGS" | jq '[.items[]? | select(.severity=="medium")] | length')
LOW=$(echo "$FINDINGS" | jq '[.items[]? | select(.severity=="low")] | length')
TOTAL=$(echo "$FINDINGS" | jq '.items | length')

# Deployment decision
if [ "$CRITICAL" -gt 0 ] || [ "$HIGH" -gt 0 ]; then
    echo "DEPLOYMENT BLOCKED: $CRITICAL critical, $HIGH high severity findings found"
    echo ""
    echo "Action Required: Fix security issues before deploying to production"
    echo ""

    # Show the blocking findings
    if [ "$TOTAL" -gt 0 ]; then
        echo "Blocking Findings:"
        echo "$FINDINGS" | jq -r '.items[] | select(.severity=="critical" or .severity=="high") | "  • [\(.severity | ascii_upcase)] \(.title // .name // "Finding")"'
        echo ""
    fi

    exit 1  # Exit with error to block deployment
else
    echo "DEPLOYMENT APPROVED: No critical or high severity findings"
    echo ""
    exit 0  # Exit successfully to allow deployment
fi

We've built this for production use from day one.

Watch Marco, the engineering lead behind the API, demo what's possible:

Use Cases We're Excited About

Automated Assessment Management

Programmatically start, pause, resume, and monitor pentests across your entire application portfolio. No more manual scheduling: trigger assessments when you need them.

Embed Into Your Workflow

Dashboard fatigue is real. You can only manage so many tools before you need one source of truth. The API lets you pull XBOW findings directly into your existing tooling. No new dashboard to check; just security data where you already work.

Real-Time Notifications

Webhooks notify you the moment something changes—new findings, assessment state changes, asset updates. Build workflows that respond instantly.

Why This Matters

Eighteen months ago, the question was whether an autonomous AI pentester was even possible. We answered that, unequivocally.

Now we're answering a different question: what happens when autonomous pentesting becomes infrastructure?

The API is how XBOW evolves from a product you use into a platform you build on. It's how we go from high-touch pilots to high-scale deployments. And it's how our customers stop choosing which applications get tested...and start testing everything.

Getting Started

The API launched February 1, 2026 in Public Preview.

  1. Log into console.xbow.com
  2. Navigate to Settings → API Key
  3. Generate your key
  4. Start building

Full documentation at docs.xbow.com/api.

This is just the beginning. If you build something cool—or just want to talk shop—find us on X or LinkedIn.

We'd love to hear from you.
