An unexpected hacker has topped the leaderboard in discovering real-world cyberthreats, beating some very talented human reviewers. Its name is XBOW, a new artificial intelligence system designed to search for vulnerabilities in software, and it just claimed first place on HackerOne, an international bug bounty-based competition in which hackers work to uncover bugs for big companies. It marks the first time that an autonomous system has surpassed all people on the leaderboard.
In the past few months alone, XBOW’s AI has identified more than 1,000 vulnerabilities. These are not just guesses—companies such as AT&T, Epic Games, Ford, and Disney have verified 132 of these threats and have issued fixes. 330+ more bugs are targeted for resolution, with hundreds more still under review.
XBOW is unique in the way it operates: it continuously scans apps and systems like a tireless red team. Instead of relying on human-driven, scheduled penetration scans, XBOW runs 24×7. Its AI detects, models, and emulates attacks against live networks without the need for manual guidance.
The result? Faster identification of genuine security issues—including those deeply buried within complex codebases. The creators of XBOW say that the shift is crucial since cyberattacks have become more intricate as hackers have also started leveraging AI to initiate large-scale attacks. In this accelerating arms race, being capable of thinking and acting at machine speed is no longer a luxury—it’s a requirement.
But the trend toward automated testing tools also raises concerns. The increasing number of bug reports from AI is worrying some developers. They fear that if services such as XBOW are replicated, security personnel could be flooded with too many alerts, some of which may be duplicative or not warrant attention. XBOW, however, asserts that its reports are not only valid but frequently crucial, and notes that human reports also vary in quality.
Whatever the merits of that debate, the impact of the platform is clear. It can execute full-scale security tests in hours—something that previously took days or even weeks. And it’s not just for cybersecurity experts or researchers; the product is already being used by banks, tech giants, and other major organizations.
To fuel its burgeoning ambitions, XBOW recently secured $75 million in a Series B round of funding. The round was led by Altimeter’s Apoorv Agrawal and included follow-on from Sequoia Capital and Nat Friedman. The investment brings the company’s total raise to $117 million.
With the fresh funds, XBOW plans to grow its engineering team and build out its go-to-market plan.