XBOW
@xbow.com
Bringing AI to offensive security by autonomously finding and exploiting web vulnerabilities. Watch XBOW hack things: https://xbow.com/traces
1/ XBOW Unleashes GPT-5’s Hidden Hacking Power.
OpenAI's initial assessment of GPT-5 showed modest cyber capabilities. But when integrated into the XBOW platform, we saw a completely different story: performance more than doubled.
More on what we found: 🧵
August 15, 2025 at 9:31 PM
See autonomous pentesting live at #BlackHat!
Next week, XBOW will run on active HackerOne programs from the expo floor.
Watch AI agents find and validate real vulns—fast.
📍 Booth 3257
August 1, 2025 at 5:00 PM
XBOW is now the #1 hacker on HackerOne, globally.
For the first time, our autonomous AI pentester tops the worldwide leaderboard.
Next week at #BlackHat, we’re taking it live:
We’ll run real-time on HackerOne programs—come see XBOW find vulnerabilities.
📍 Booth 3257
July 31, 2025 at 10:02 PM
Went hunting for geo-bypass.
Found blind SQLi instead.
/redacted/ + 'SLEEP' infused cookie = 15s nap.
Logs don’t lie.
Technical breakdown -> xbow.com/blog/xbow-geolocati...
XBOW – The campaign is not available in your country: XBOW discovered an SQLi while attempting to bypass geolocation restrictions.
As much as an AI might get discouraged, it’s also incredibly relentless in its pursuit.
xbow.com
July 31, 2025 at 6:50 PM
“Even when we started Copilot, I wouldn’t have dreamt we’d soon have offensive security agents like XBOW.”
CEO Oege de Moor joins Altimeter to talk:
⚔️ AI red teams
🥇 #1 on HackerOne
🔁 From quarterly scans → daily defense
🎥 Watch the full convo: bit.ly/4moktwc
XBOW Founder Spotlight | Oege de Moor
A conversation with XBOW founder and CEO Oege de Moor. Chapters: (0:00) Intro (0:44) XBOW as a Fully Autonomous AI Hacker (1:47) What XBOW Offers Security Teams (3...
bit.ly
July 30, 2025 at 8:44 PM
False positives waste your time.
False negatives cost you breaches.
At @BlackHatEvents, @moyix shows how XBOW agents fight false positives — validating real exploits at scale, in hours.
📍Aug 7 | 11:20am
July 28, 2025 at 3:02 PM
From SSRF discovery to RCE exploitation in 32 iterations.
XBOW systematically analyzed TiTiler's expression parser, discovered Python execution through error patterns, then crafted payloads using subclass traversal to achieve command execution.
Complete analysis: bit.ly/46XzOiA
XBOW – Beyond the Bands: Exploiting TiTiler’s Expression Parser for Remote Code Execution
A methodical analysis of TiTiler's API endpoints and its expression parser, leading to arbitrary Python code execution on the server.
bit.ly
July 24, 2025 at 2:18 PM
AI-powered attacks evolve faster than most orgs can adapt.
Recent trends:
Attackers using LLMs for phishing
Threat actors leveraging AI for vuln discovery
Automated social engineering at scale
The defense? Autonomous security that matches attacker velocity.
More at BlackHat | Booth #3257 🎯
July 23, 2025 at 1:59 PM
Even mature products hide critical flaws – and @xbow.com just found another one.
CVE-2025-49493: XXE in Akamai CloudTest discovered during its climb to #1 on HackerOne.
A complete technical breakdown from an error-based detection to a full exfiltration by Diego Jurado: xbow.com/blog/xbow-ak...
XBOW – CVE-2025-49493: XML External Entity (XXE) Injection in Akamai CloudTest
When XBOW met Akamai: a walkthrough of discovering and exploiting an XML External Entity vulnerability (CVE-2025-49493) in a widely-deployed application.
xbow.com
June 30, 2025 at 7:42 PM
Do you want to work at the cutting edge of AI and cybersecurity?
XBOW now has 8 positions open across Product Marketing, Operations, Customer Success, and Engineering.
Check out all the details here: jobs.ashbyhq.com/xbowcareers.
May 28, 2025 at 5:20 PM
XBOW is growing and we're looking for talented folks to join us! Apply here: jobs.ashbyhq.com/xbowcareers
XBOW Jobs
jobs.ashbyhq.com
April 24, 2025 at 6:31 PM
Happy birthday, @xbow.com! Exactly one year ago we partnered with Konstantine at Sequoia, bringing the power of AI agents to cybersecurity. Here’s Konstantine summing up our year together, on CNBC. www.youtube.com/watch?v=jieB...
Watch CNBC's full interview with Sequoia Capital partner Konstantine Buhler
YouTube video by CNBC Television
www.youtube.com
January 29, 2025 at 6:09 PM
Just in time for the holidays: how XBOW found an arbitrary file download (CVE-2024-53982) in ZOO-Project, protecting Santa's critical geospatial processing infrastructure from attackers! xbow.com/blog/xbow-zo...
XBOW – The Nightmare Before Christmas: An arbitrary file download on Zoo-Project
XBOW discovered an arbitrary file download vulnerability on the WPS open source app Zoo-Project.
xbow.com
December 20, 2024 at 4:24 PM
While developing XBOW over the past three months, we played around with using it for bug bounties and ended up at #11 in the US on HackerOne:
December 17, 2024 at 4:17 PM
XBOW found a stored XSS vulnerability (CVE-2024-52597) in the migration functionality of 2FAuth by crafting a malicious SVG file with a Javascript payload! Our latest blog post gives the full details: xbow.com/blog/xbow-2f...
December 13, 2024 at 6:11 PM
XBOW found a critical path traversal vulnerability in ZOO-Project (CVE-2024-53982). The vulnerability exists in the Echo example (enabled by default) and allows an attacker to retrieve any file on the server. Users should upgrade to the latest version.
December 5, 2024 at 5:11 PM
AI vs AI: How XBOW found a path traversal vulnerability (CVE-2024-53844) in LabsAI's EDDI, an open source conversational AI middleware. xbow.com/blog/xbow-ed...
XBOW – LabsAI’s EDDI project path traversal
XBOW discovered a Path Traversal vulnerability in the open-source project, LabsAI’s EDDI.
xbow.com
December 2, 2024 at 4:41 PM
XBOW found a path traversal vulnerability (CVE-2024-53844) in LabsAI's EDDI project that allows attackers to download any file on the server. XBOW combined a series of URL encodings and path normalization bypasses to trigger the flaw. Users of versions 4.3–5.3 should upgrade.
November 26, 2024 at 9:53 PM
XBOW identified a complex XSS vulnerability in WikiDocs (CVE-2024-53930), leveraging deep knowledge of KaTeX to craft a macro exploit. Update to version 1.0.65. nvd.nist.gov/vuln/detail/...
November 25, 2024 at 5:37 PM
Reposted by XBOW
I have to say that I’m impressed by how @xbow.com managed to identify this SSRF vulnerability (and bypass a MIME filter on its way) 🤖
XBOW – SSRF & URI validation bypass in 2FAuth
XBOW discovered a Server-Side Request Forgery (SSRF) vulnerability in the OTP preview feature of the open-source project, 2FAuth.
xbow.com
November 24, 2024 at 2:38 PM
XBOW bypasses a MIME-type filter, abusing an OTP icon preview feature in 2FAuth to exploit an SSRF and discover CVE-2024-52598. Affected users should apply the patch and read about all the details in our latest blog post: xbow.com/blog/xbow-2f...
November 22, 2024 at 11:45 PM
XBOW autonomously discovered CVE-2024-50334, a critical authentication bypass in Scoold, an open-source Q&A webapp used by major companies like Cisco and IBM. Our recent blog post details how it found the flaw: xbow.com/blog/xbow-sc...
XBOW – How XBOW found a Scoold authentication bypass
As we shift our focus from benchmarks to real world applications, we will be sharing some of the most interesting vulnerabilities XBOW has found in real-world, open-source targets. The first of these ...
xbow.com
November 20, 2024 at 7:24 PM