XBOW
@xbow.com
Bringing AI to offensive security by autonomously finding and exploiting web vulnerabilities. Watch XBOW hack things: https://xbow.com/traces
Where security goes on offense.

Trained by top hackers, proven in the wild. Ranked #1 on HackerOne worldwide leaderboard.

Explore it during our limited 10-day promotion. xbow.com/pentest
December 16, 2025 at 5:48 PM
Seznam needed answers fast.
XBOW delivered. ⚡

Real pentest results. No drag. No drama.

For a limited time, we’re offering the same fast-track pentest experience and we will guarantee an exploit-validated security finding or you don’t pay.
⏰ Offer ends 12/26.

👉 xbow.com/pentest
December 15, 2025 at 4:55 PM
Pentests that take weeks cannot secure software that changes daily.

🚀 XBOW Lightspeed provides expert-level testing in hours with autonomous offensive security.

📍 See it live at Booth 215 today!
December 10, 2025 at 9:25 AM
🗓️ Today at the AI Summit join our talk on The Autonomous Offense Era: Securing a World Where Attackers Don’t Sleep

XBOW's Nico, Aqueel, and Sarah unpack autonomous exploitation, what works, what fails, and what to expect next.

📍 Find us at Booth 215 for live walkthroughs after the session.
December 9, 2025 at 10:12 AM
Huge appreciation to the Seznam team!

On their first demo, XBOW identified a critical vulnerability with zero access and zero prep, just autonomous offensive security doing real work for a real customer.

It’s the kind of partnership that proves what matters.

www.youtube.com/watch?v=w4L2...
The Real Impact of AI on Security Testing | XBOW & Seznam
AI is transforming cybersecurity, but can it actually discover real vulnerabilities? In this XBOW & Seznam case study, we break down the practical impact of ...
www.youtube.com
December 8, 2025 at 6:14 PM
Black Hat Europe starts today!

📍 Booth 215 all week. Autonomous multi-agent offense. Human-level testing in hours. Full exploit validation.

Come see it live.
December 8, 2025 at 11:56 AM
AI-enabled attackers have already accelerated.

The question: can your offensive security match their speed?

Next week at Black Hat Europe, we’re showing how autonomous offense closes the security scale gap with human-level testing in hours.

Let us show you how @ booth #215
December 5, 2025 at 1:13 PM
Pentests that take weeks can’t secure software that changes daily.

XBOW Lightspeed uses autonomous multi-agent offense to deliver human-level testing in hours, with full exploit validation and continuous coverage.

xbow.com/pentest
December 3, 2025 at 7:56 PM
1/ XBOW Unleashes GPT-5’s Hidden Hacking Power. 

OpenAI's initial assessment of GPT-5 showed modest cyber capabilities. But when integrated into the XBOW platform, we saw a completely different story: performance more than doubled.

More on what we found: 🧵
August 15, 2025 at 9:31 PM
See autonomous pentesting live at #BlackHat!

Next week, XBOW will run on active HackerOne programs from the expo floor.
Watch AI agents find and validate real vulns—fast.

📍 Booth 3257
August 1, 2025 at 5:00 PM
XBOW is now the #1 hacker on HackerOne, globally.

For the first time, our autonomous AI pentester tops the worldwide leaderboard.

Next week at #BlackHat, we’re taking it live:
We’ll run real-time on HackerOne programs—come see XBOW find vulnerabilities.

📍 Booth 3257
July 31, 2025 at 10:02 PM
Went hunting for geo-bypass.
Found blind SQLi instead.
/redacted/ + 'SLEEP' infused cookie = 15s nap.
Logs don’t lie.

Technical breakdown -> xbow.com/blog/xbow-geolocati...
XBOW – The campaign is not available in your country: XBOW discovered an SQLi while attempting to bypass geolocation restrictions.
As much as an AI might get discouraged, it’s also incredibly relentless in its pursuit.
xbow.com
July 31, 2025 at 6:50 PM
“Even when we started Copilot, I wouldn’t have dreamt we’d soon have offensive security agents like XBOW.”

CEO Oege de Moor joins Altimeter to talk:
⚔️ AI red teams
🥇 #1 on HackerOne
🔁 From quarterly scans → daily defense
🎥 Watch the full convo: bit.ly/4moktwc
XBOW Founder Spotlight | Oege de Moor
A conversation with XBOW founder and CEO Oege de Moor. Chapters: (0:00) Intro (0:44) XBOW as a Fully Autonomous AI Hacker (1:47) What XBOW Offers Security Teams (3...
bit.ly
July 30, 2025 at 8:44 PM
False positives waste your time.
False negatives cost you breaches.

At @BlackHatEvents, @moyix shows how XBOW agents fight false positives — validating real exploits at scale, in hours.

📍Aug 7 | 11:20am
July 28, 2025 at 3:02 PM
From SSRF discovery to RCE exploitation in 32 iterations.

XBOW systematically analyzed TiTiler's expression parser, discovered Python execution through error patterns, then crafted payloads using subclass traversal to achieve command execution.

Complete analysis: bit.ly/46XzOiA
XBOW – Beyond the Bands: Exploiting TiTiler’s Expression Parser for Remote Code Execution
A methodical analysis of TiTiler's API endpoints and its expression parser, leading to arbitrary Python code execution on the server.
bit.ly
July 24, 2025 at 2:18 PM
AI-powered attacks evolve faster than most orgs can adapt.

Recent trends:

Attackers using LLMs for phishing
Threat actors leveraging AI for vuln discovery
Automated social engineering at scale

The defense? Autonomous security that matches attacker velocity.

More at BlackHat | Booth #3257 🎯
July 23, 2025 at 1:59 PM
Even mature products hide critical flaws – and @xbow.com just found another one.

CVE-2025-49493: XXE in Akamai CloudTest discovered during its climb to #1 on HackerOne.

A complete technical breakdown from an error-based detection to a full exfiltration by Diego Jurado: xbow.com/blog/xbow-ak...
XBOW – CVE-2025-49493: XML External Entity (XXE) Injection in Akamai CloudTest
When XBOW met Akamai: a walkthrough of discovering and exploiting an XML External Entity vulnerability (CVE-2025-49493) in a widely-deployed application.
xbow.com
June 30, 2025 at 7:42 PM
For the first time in history, the #1 hacker in the US is an AI.

(1/8)
June 24, 2025 at 7:41 PM
Do you want to work at the cutting edge of AI and cybersecurity?

XBOW now has 8 positions open across Product Marketing, Operations, Customer Success, and Engineering.

Check out all the details here: jobs.ashbyhq.com/xbowcareers.
May 28, 2025 at 5:20 PM
XBOW is growing and we're looking for talented folks to join us! Apply here: jobs.ashbyhq.com/xbowcareers
XBOW Jobs
jobs.ashbyhq.com
April 24, 2025 at 6:31 PM
Happy birthday, @xbow.com! Exactly one year ago we partnered with Konstantine at Sequoia, bringing the power of AI agents to cybersecurity. Here’s Konstantine summing up our year together, on CNBC. www.youtube.com/watch?v=jieB...
Watch CNBC's full interview with Sequoia Capital partner Konstantine Buhler
YouTube video by CNBC Television
www.youtube.com
January 29, 2025 at 6:09 PM
Just in time for the holidays: how XBOW found an arbitrary file download (CVE-2024-53982) in ZOO-Project, protecting Santa's critical geospatial processing infrastructure from attackers! xbow.com/blog/xbow-zo...
XBOW – The Nightmare Before Christmas: An arbitrary file download on Zoo-Project
XBOW discovered an arbitrary file download vulnerability on the WPS open source app Zoo-Project.
xbow.com
December 20, 2024 at 4:24 PM
While developing XBOW over the past three months, we played around with using it for bug bounties and ended up at #11 in the US on HackerOne:
December 17, 2024 at 4:17 PM
XBOW found a stored XSS vulnerability (CVE-2024-52597) in the migration functionality of 2FAuth by crafting a malicious SVG file with a JavaScript payload! Our latest blog post gives the full details: xbow.com/blog/xbow-2f...
December 13, 2024 at 6:11 PM
XBOW found a critical path traversal vulnerability in ZOO-Project (CVE-2024-53982). The vulnerability exists in the Echo example (enabled by default) and allows an attacker to retrieve any file on the server. Users should upgrade to the latest version.
December 5, 2024 at 5:11 PM