
XBOW's AI-Powered Pentester Grabs Top Rank on HackerOne, Raises $75M to Grow Platform (csoonline.com)

(Saturday July 05, 2025 @05:34PM (EditorDavid) from the robo-rooter dept.)


We're living in [1]a new world now, one where an AI-powered penetration tester "now tops an eminent US security industry leaderboard that ranks red teamers based on reputation." (Note that the leaderboard linked at [1] is a filtered HackerOne view: its query parameters restrict it to US-based bug-bounty hackers, web-application assets and the OWASP "a1" category for Q3 2025, so it is not the site's overall ranking.) [2]CSO Online reports:

> On HackerOne, which connects organizations with ethical hackers to participate in their bug bounty programs, "Xbow" scored notably higher than 99 other hackers in identifying and reporting enterprise software vulnerabilities. It's a first in bug bounty history, according to the company that operates the eponymous bot...
>
> Xbow is a fully autonomous AI-driven penetration tester (pentester) that requires no human input, but, its creators said, "[3]operates much like a human pentester" that can scale rapidly and complete comprehensive penetration tests in just a few hours. According to its website, it passes 75% of web security benchmarks, accurately finding and exploiting vulnerabilities.
>
> Xbow submitted nearly 1,060 vulnerabilities to HackerOne, including remote code execution, information disclosures, cache poisoning, SQL injection, XML external entities, path traversal, server-side request forgery (SSRF), cross-site scripting, and secret exposure. The company said it also identified a previously unknown vulnerability in Palo Alto's GlobalProtect VPN platform that impacted more than 2,000 hosts. Of the vulnerabilities Xbow submitted over the last 90 days, 54 were classified as critical, 242 as high and 524 as medium in severity. The company's bug bounty programs have resolved 130 vulnerabilities, and 303 are classified as triaged.
>
> Notably, though, roughly 45% of the vulnerabilities it found are still awaiting resolution, highlighting the "volume and impact of the submissions across live targets," Nico Waisman, Xbow's head of security, wrote in a blog post this week... To further hone the technology, the company developed "validators", automated peer reviewers that confirm each uncovered vulnerability, Waisman explained.

"As attackers adopt AI to automate and accelerate exploitation, defenders must meet them with even more capable systems," XBOW's CEO said this week, as the company raised $75 million in Series B funding to grow its platform, bringing its total funding to $117 million. [4]Help Net Security reports:

> With the new funding, XBOW plans to grow its engineering team and expand its go-to-market efforts. The product is now generally available, and the company says it is working with large banks, tech firms, and other organizations that helped shape the platform during its early testing phase. XBOW's long-term goal is to help security teams stay ahead of adversaries using advanced automation. As attackers increasingly [5]turn to AI, the company argues that defenders will need equally capable systems to match their speed and sophistication.



[1] https://hackerone.com/leaderboard/country?year=2025&quarter=3&owasp=a1&country=US&assetType=WEB_APP&tab=bbp

[2] https://www.csoonline.com/article/4012801/the-top-red-teamer-in-the-us-is-an-ai-bot.html

[3] https://xbow.com/blog/top-1-how-xbow-did-it/

[4] https://www.helpnetsecurity.com/2025/06/25/xbow-ai-funding/

[5] https://www.helpnetsecurity.com/2025/05/02/threat-actors-automation-cybersecurity/



Second place is a cow. (Score:2)

by backslashdot ( 95548 )

Looking at the rankings .. second best pentester is "moo im a cow". Third place is "mayonnaise". So humans got beat by AI, a cow, and a jar of mayonnaise?

Bullshit (Score:2)

by gweihir ( 88907 )

Every pen-testing situation is different and a proper test starts with a risk analysis and interviews for that. Sure, AI can replace already automated ElCheapo simple pen-tests, but that is it. And that will likely not last.

Hence just another meaningless AI stunt.
