- Resources
- Customer Stories
- How Lumios Got a Compliance-Ready Pentest Without the Wait

How Lumios Got a Compliance-Ready Pentest Without the Wait
A litigation tech startup needed a third-party pentest to close a deal and XBOW delivered
Background
Lumios builds litigation technology for law firms and corporate legal teams handling large-scale cases. Their platform processes some of the most sensitive documents in existence, including evidence, filings, and discovery materials produced on behalf of clients. A data leak would not just be a setback. It would be the end of the company.
Security has been a priority since day one. Before Lumios had a single paying customer, the founding team was already thinking about what a credible security program needed to look like. A third-party penetration test was not a nice-to-have, but a go-to-market requirement.
Challange
Lumios had done basic browser-based security scans early on, which helped to give them some security visibility, but lacked the depth and comprehension of a comprehensive third-party test. When a prospective customer made it a condition of signing, Lumios needed something credible fast. Traditional pentest providers were quoting six to eight weeks, and that was a non-starter.
“We needed a third-party pen test. Six to eight weeks is a ridiculous amount of time to have to wait.”
Why XBOW
Lumios looked at a few options, including traditional manual pentest providers. For the timeline they needed, manual testing was simply out of reach, and the quotes came back well over budget and weeks too slow. Then Dhruv Kulkarni, Lumios's other co-founder, came across XBOW through a LinkedIn post describing it as autonomous, fast, and a fraction of the cost of a traditional engagement. For a two-person founding team, it was an easy decision.
Solution
Lumios pointed XBOW at their API layer with approximately 400 endpoints, and ran a blackbox assessment. XBOW approached the application the way an attacker would: a target with no source code access and no inside knowledge.
The test kicked off in early May 2026, and results came back fast enough to keep the deal on track, and a clean remediated report followed shortly after.
The findings validated the approach. XBOW surfaced vulnerabilities that Lumios's existing automated checks had missed, including a multi-step exploit that required chaining two endpoints: forging a hash token on the first to extract data from the second. That kind of chained attack is exactly what scanners overlook.
“There was a convoluted exploit that required jumping from one endpoint to another, forging a hash token on the first to extract data from the second. I was impressed.”
Results
The report satisfied the customer's requirements and the deal closed. What Lumios didn't yet know was if other prospects would accept a report from an AI-powered platform. They have. Lumios has since shared the report broadly and the reception has been positive.
For a two-person founding team running security alongside everything else, the process was as important as the outcome.
Looking Ahead
Lumios is thinking about a quarterly testing cadence as they scale, with an eye on XBOW's continuous monitoring offering down the road.
“If anyone asks where we got our pentest or who they should use, I'd recommend XBOW. We appreciate working with innovative companies, and this was a great experience.”
About
Lumios is an AI-powered litigation platform that helps legal teams organize, analyze, and act on case documents. Attorneys use it to build chronologies, surface critical documents, and prepare for depositions and save 100+ hours per case. lumios.law
XBOW is an autonomous pentesting platform that finds and validates real, exploitable vulnerabilities in applications. Every finding comes with proof-of-concept evidence. Tests complete in hours or days, not weeks. xbow.com
