XBOW
@xbow.com
370 followers 7 following 33 posts
Bringing AI to offensive security by autonomously finding and exploiting web vulnerabilities. Watch XBOW hack things: https://xbow.com/traces
XBOW @xbow.com · Aug 15
4/ The full technical breakdown is here: xbow.com/blog/gpt-5
XBOW @xbow.com · Aug 15
3/ The results speak for themselves:

- 30% fewer iterations to exploit targets

- nearly 2x more vulnerabilities found in real world targets

- improved consistency across different attack scenarios

XBOW's agents are now faster, more consistent, and more effective.
XBOW @xbow.com · Aug 15
2/ OpenAI's own benchmarks were conservative, showing GPT-5 performing comparably to older models in CTF challenges and unable to solve cyber range scenarios unaided. 

See Figure 14 from the OpenAI System Card:
XBOW @xbow.com · Aug 15
1/ XBOW Unleashes GPT-5’s Hidden Hacking Power. 

OpenAI's initial assessment of GPT-5 showed modest cyber capabilities. But when integrated into the XBOW platform, we saw a completely different story: performance more than doubled.

More on what we found: 🧵
XBOW @xbow.com · Aug 1
See autonomous pentesting live at #BlackHat!

Next week, XBOW will run on active HackerOne programs from the expo floor.
Watch AI agents find and validate real vulns—fast.

📍 Booth 3257
XBOW @xbow.com · Jul 31
XBOW is now the #1 hacker on HackerOne, globally.

For the first time, our autonomous AI pentester tops the worldwide leaderboard.

Next week at #BlackHat, we’re taking it live:
We’ll run real-time on HackerOne programs—come see XBOW find vulnerabilities.

📍 Booth 3257
XBOW @xbow.com · Jul 30
“Even when we started Copilot, I wouldn’t have dreamt we’d soon have offensive security agents like XBOW.”

CEO Oege de Moor joins Altimeter to talk:
⚔️ AI red teams
🥇 #1 on HackerOne
🔁 From quarterly scans → daily defense
🎥 Watch the full convo: bit.ly/4moktwc
XBOW Founder Spotlight | Oege de Moor
A conversation with XBOW founder and CEO Oege de Moor. Chapters: (0:00) Intro (0:44) XBOW as a Fully Autonomous AI Hacker (1:47) What XBOW Offers Security Teams (3...
XBOW @xbow.com · Jul 28
False positives waste your time.
False negatives cost you breaches.

At @BlackHatEvents, @moyix shows how XBOW agents fight false positives — validating real exploits at scale, in hours.

📍Aug 7 | 11:20am
XBOW @xbow.com · Jul 24
From SSRF discovery to RCE exploitation in 32 iterations.

XBOW systematically analyzed TiTiler's expression parser, discovered Python execution through error patterns, then crafted payloads using subclass traversal to achieve command execution.

Complete analysis: bit.ly/46XzOiA
XBOW – Beyond the Bands: Exploiting TiTiler’s Expression Parser for Remote Code Execution
A methodical analysis of TiTiler's API endpoints and its expression parser, leading to arbitrary Python code execution on the server.
XBOW @xbow.com · Jul 23
AI-powered attacks evolve faster than most orgs can adapt.

Recent trends:

- Attackers using LLMs for phishing
- Threat actors leveraging AI for vuln discovery
- Automated social engineering at scale

The defense? Autonomous security that matches attacker velocity.

More at BlackHat | Booth #3257 🎯
XBOW @xbow.com · Jun 30
Even mature products hide critical flaws – and @xbow.com just found another one.

CVE-2025-49493: XXE in Akamai CloudTest discovered during its climb to #1 on HackerOne.

A complete technical breakdown from an error-based detection to a full exfiltration by Diego Jurado: xbow.com/blog/xbow-ak...
XBOW – CVE-2025-49493: XML External Entity (XXE) Injection in Akamai CloudTest
When XBOW met Akamai: a walkthrough of discovering and exploiting an XML External Entity vulnerability (CVE-2025-49493) in a widely-deployed application.
XBOW @xbow.com · Jun 24
XBOW is now generally available.

See it in action → Book a demo with our team.

www.xbow.com
XBOW
Boosting offensive security with AI
XBOW @xbow.com · Jun 24
Our previous investors, Konstantine Buhler of Sequoia Capital and Nat Friedman, are participating super pro rata.

We could not wish for better partners in this fight.

This brings the total funding of @xbow.com to $117M, allowing us to move as fast as the problem demands.
XBOW @xbow.com · Jun 24
We are thrilled to announce our $75M Series B, led by Apoorv Agrawal of Altimeter Capital.

Bad actors are adopting AI to automate and accelerate attacks.

@xbow.com fights back: AI vs. AI to secure software. Let’s out-hack the hackers.

xbow.com/blog/series-b/
XBOW – Taking the Top Hacker in the US to New Heights: XBOW Raises $75M Series B
XBOW has reached a critical milestone: our AI now rivals and surpasses top-tier human hackers.
XBOW @xbow.com · Jun 24
Real security is POC || GTFO – and XBOW agrees.

We’re releasing technical deep-dives on cool findings from our journey to the top of the HackerOne US leaderboard.

The first is a zero-day XSS in Palo Alto Networks GlobalProtect by @pwntester.bsky.social.

xbow.com/blog/xbow-gl...
XBOW – Breaking the Shield: How XBOW Discovered Multiple XSS Vulnerabilities in Palo Alto’s GlobalProtect VPN
XBOW discovered multiple cross-site scripting (XSS) vulnerabilities in Palo Alto Networks’ GlobalProtect VPN web application
XBOW @xbow.com · Jun 24
XBOW automatically runs expert-level attacks across all webapps, giving security teams unprecedented scale.

@xbow.com reported 1092 vulnerabilities on HackerOne in just a few months, including RCE, XXE, SQLi, SSRF, exposed secrets, and XSS.
Chart showing XBOW's HackerOne reputation, rising from 200 in September 2024 to nearly 5,000 in June 2025.
XBOW @xbow.com · Jun 24
In 2025, solving CTFs is table stakes. To prove that AI agents can hack, we need attacks on live production systems.

Earlier this year, @xbow.com became the top hacker in the US on @hacker0x01.bsky.social, outperforming every human participant.

It’s the first time an autonomous system has done so.
HackerOne US leaderboard showing XBOW in the #1 position
XBOW @xbow.com · Jun 24
For the first time in history, the #1 hacker in the US is an AI.

(1/8)
XBOW @xbow.com · May 28
Do you want to work at the cutting edge of AI and cybersecurity?

XBOW now has 8 positions open across Product Marketing, Operations, Customer Success, and Engineering.

Check out all the details here: jobs.ashbyhq.com/xbowcareers.
XBOW @xbow.com · Apr 24
XBOW is growing and we're looking for talented folks to join us! Apply here: jobs.ashbyhq.com/xbowcareers
XBOW Jobs
XBOW @xbow.com · Jan 29
Happy birthday, @xbow.com! Exactly one year ago we partnered with Konstantine at Sequoia, bringing the power of AI agents to cybersecurity. Here’s Konstantine summing up our year together, on CNBC. www.youtube.com/watch?v=jieB...
Watch CNBC's full interview with Sequoia Capital partner Konstantine Buhler
YouTube video by CNBC Television
XBOW @xbow.com · Dec 20
Just in time for the holidays: how XBOW found an arbitrary file download (CVE-2024-53982) in ZOO-Project, protecting Santa's critical geospatial processing infrastructure from attackers! xbow.com/blog/xbow-zo...
XBOW – The Nightmare Before Christmas: An arbitrary file download on Zoo-Project
XBOW discovered an arbitrary file download vulnerability on the WPS open source app Zoo-Project.
XBOW @xbow.com · Dec 17
65 reports were submitted since September, including 20 critical findings
Stacked bar chart showing HackerOne reports by XBOW from September-December.