- Resources
- Customer Stories
- How Rogo Closed the Gap Between Daily Releases and Twice-a-Year Pentests

How Rogo Closed the Gap Between Daily Releases and Twice-a-Year Pentests
Rogo uses XBOW to continuously test its rapidly changing application between required manual pentests, gaining validated findings and full-application coverage at the pace it ships code.
Rogo ships code multiple times a day. Until recently, its pentests happened twice a year. XBOW closed that gap without touching the manual testing Rogo's customers still require.
Key takeaways
- Rogo's manual pentests used to run twice a year, with three months of active testing followed by three months of inactivity. The app kept shipping daily through that whole gap.
- Rogo now gets a full view of the application on every test, the same view an attacker has. That's the level of coverage their security program runs on today.
- XBOW is finding real issues, and the severity ratings it gives generally match what Rogo's own team would rate.
Background
Rogo is a generative AI platform built for financial services, used by professionals at investment banks, private equity firms, and asset managers to improve their workflows. The company was founded in 2021 and has grown fast since, closing a Series D round in April 2026 that pushed its total funding past $300 million.
Patrick O'Boyle is one of Rogo's founding security engineers. He started on the GRC side: policies, procedures, audits, chasing down vulnerability timelines. The company has grown from around 60 employees to more than 150, with plans to scale to over 200 by year end, and his job has grown with it. Today, he touches most of security at Rogo, from automated and manual pen test results to enterprise security, cloud security, and the steady stream of customer security questionnaires.
Challenge
Rogo's customers are global investment banks, private equity firms, and asset managers. Before they trust a vendor with their data, they want proof, usually in the form of third-party attestation. So Rogo's security team brought in outside pentest firms twice a year, the standard cadence in financial services.
Each cycle ran about three months: a month to plan, a month to test, and a month to retest the fixes. Then the team had three months where the testing program was idle before the next cycle started.
But Rogo's engineers don't work in three-month cycles. They ship through CI/CD, sometimes several times in a single day. Their pipeline verifies that a specific change is secure, but they were never built to give Patrick a full picture of the application in real time. An attacker isn't going to check what passed a pipeline test before trying to break in.
“The attacker doesn’t care what your security dashboards say. They're going to try every avenue to attack your systems.”
For three months at a stretch, the application kept changing while nothing was tested end-to-end. That gap is what sent Patrick's team looking for something new.
Why XBOW
Patrick was direct about what mattered to him: how fast the application was changing, and how fast attacker capabilities were changing right alongside it.
"Our application is changing so rapidly, and the capabilities of malicious actors are changing just as rapidly," he said. "We don't want there to be a gap between the confidence the pentest gives us and what our actual threat landscape looks like."
What stuck with him was how little it now takes for someone to point a capable AI model at a target and ask it to find a way in. The barrier that once separated a curious amateur from a real attacker has largely disappeared. Rogo needed a way to test at the same speed.
XBOW wasn't a replacement for the pentests Rogo's customers expect. It was the thing running during the months when those tests weren't.
Solution
Rogo points XBOW at its main customer-facing application, a large platform where the number of endpoints shifts depending on configuration. Patrick's team chose to test the whole application on every run, rather than scoping each test to whatever changed that week. Their CI/CD pipeline already checks whether a given change is secure; what it doesn't give Patrick is a full view of the platform the way an attacker would see it. That full-application approach is what works for Rogo's security program.
One detail stood out to him: XBOW’s creativity, which finds novel attack paths, mimicking the way a human would try to attack an app.
“Automated pentest solutions, like XBOW, aren’t just running a set of scripts against an app. They’re reasoning through it in different ways. ”
Guidance from Rogo's side stays light. Before starting a test, they give XBOW basic instructions to leave certain parts of the application alone, the kind of thing you'd tell a human tester before they start, not a detailed brief written for every single run.
Whatever XBOW finds goes into the same pipeline as any other finding. It gets ticketed, it gets remediated against policy, and if something critical turns up, it's all hands on deck, the same as it would be for a finding from anywhere else. Re-running a test to confirm a fix costs Rogo nothing extra, which Patrick pointed to as one of the more useful parts of the whole setup.
Results
For Patrick, the value shows up in how his team feels about those three quiet months, the stretch between manual pentests when nothing else was watching the application.
"It gives us better assurance that we're covered during those time frames," he said. "These three months that we're not under pentests, there's so much change. This makes us feel better and sleep better at night, because we're actively testing it."
Part of that confidence comes from how closely XBOW's findings track with what Patrick's own team would expect. When something comes back, the severity rating is usually close to what his team would have assigned it themselves, which is what lets those findings sit alongside manual pentest results in the same attestation file rather than off to the side as a separate, lesser source of evidence.
Looking Ahead
Rogo isn't moving away from manual pentests. Its customers' attestation requirements make that a fixed part of the process for the foreseeable future. But Patrick sees automated, continuous testing as the only way for a security team to keep pace with how fast both software and attackers are moving.
"We're really happy with it. We do think it's the future," he said. "The largest financial service institutions expect that we can meet and exceed expectations over coverage of newly found vulnerabilities. With how fast things are changing, automated pentesting is the only way to keep up with the pace, not just from the models, but from the attackers."
About
Rogo Rogo is the leading AI operating system for financial services and a trusted partner to the world's most prestigious financial institutions across investment banking, private equity, asset management, and equity research. Rogo's platform unifies internal knowledge, proprietary data, and trusted third-party research into a single operating system designed to think the way financial professionals do, enabling faster decisions, deeper insights, and more effective execution. rogo.ai
XBOW is an autonomous pentesting platform that helps security teams scale offensive security. XBOW reasons like an attacker to uncover, chain, and validate real, exploitable vulnerabilities, resulting in nearly zero false positives. xbow.com

