
AI Hacker Rises to Power! XBOW's Autonomous AI Tool Dominates HackerOne, Revealing Thousands of Vulnerabilities and Intimidating the Cybersecurity Industry


Recently, AI security company XBOW announced that its self-developed AI tool "XBOW" has outperformed other participants on the globally renowned bug bounty platform HackerOne, ranking first in the United States. This is the first time an AI tool has surpassed human security researchers to top the HackerOne vulnerability disclosure ranking, marking a milestone breakthrough for AI in the field of vulnerability detection.


XBOW AI: Pioneering Fully Automated Penetration Testing

XBOW's AI tool is a fully autonomous penetration-testing (pentest) system: without human intervention it reproduces the workflow of a human security researcher, identifying and exploiting software vulnerabilities. According to the company, it completes a comprehensive penetration test within hours, covering vulnerability classes such as remote code execution (RCE), SQL injection, cross-site scripting (XSS), server-side request forgery (SSRF), and information disclosure. To date, XBOW has submitted nearly 1,060 vulnerability reports on the HackerOne platform, of which 132 have been confirmed and resolved by the affected programs, including those of well-known enterprises such as Disney, AT&T, Ford, and Epic Games.

Its distinguishing feature is that XBOW is trained with machine learning on real vulnerability data, which lets it recognize complex security flaws, and that it pairs this with an automated verification step: each candidate finding is checked before a report is submitted, so that what it files is accurate rather than a raw scanner hit. It operates as a black-box test, with no access to the target's source code or internals, which mirrors the situation of a real external attacker and shows the potential of AI in offensive security.
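As an added illustration of what such a verification step does, the following example (written for this article, not XBOW's own code) shows the difference between a scanner's loose candidate match and a verified finding for reflected XSS. A first-pass scanner flags any response that echoes its marker; the verifier keeps only those where the payload survives intact in a context a browser would actually parse as markup. The `Response` type, the marker and payload strings, and all four responses are constructed for the example, not captures from any real target.

```python
"""Verify reflected-XSS candidates before they become reports.

Example code added to this article (not XBOW's). Responses below are constructed
stand-ins for what a target would return, not captures from any real site.
"""
import html
import re
from dataclasses import dataclass

MARKER = "xbw7q"                                  # random-looking reflection marker
PAYLOAD = f'{MARKER}"><svg onload=alert(1)>'      # closes an attribute, adds a tag


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (hypothetical type for this example)."""
    content_type: str
    body: str


def scanner_candidate(resp: Response) -> bool:
    """Loose first-pass heuristic: the marker came back somewhere in the body."""
    return MARKER in resp.body


def verify_reflected_xss(resp: Response) -> bool:
    """Stricter check a finding must pass before it is reported."""
    # 1. Browsers parse markup only for HTML documents; a JSON or plain-text
    #    reflection is not exploitable as reflected XSS by itself.
    media_type = resp.content_type.split(";")[0].strip().lower()
    if media_type != "text/html":
        return False
    # 2. The payload must survive verbatim. Entity encoding (&quot; &lt; &gt;)
    #    removes both the attribute breakout and the injected tag.
    if PAYLOAD not in resp.body:
        return False
    # 3. A reflection that appears only inside an HTML comment is never parsed
    #    as a tag, so strip comments and check again.
    without_comments = re.sub(r"<!--.*?-->", "", resp.body, flags=re.S)
    return PAYLOAD in without_comments


def triage(responses: dict[str, Response]) -> dict[str, bool]:
    """Run the verifier over every response the scanner flagged."""
    return {
        name: verify_reflected_xss(resp)
        for name, resp in responses.items()
        if scanner_candidate(resp)
    }


# Constructed responses: one true positive and three scanner false positives.
SAMPLES = {
    "raw_reflection": Response("text/html; charset=utf-8",
                               f'<input name="q" value="{PAYLOAD}">'),
    "entity_encoded": Response("text/html",
                               f'<input name="q" value="{html.escape(PAYLOAD)}">'),
    "json_api": Response("application/json",
                         '{"q": "' + PAYLOAD.replace('"', '\\"') + '"}'),
    "html_comment": Response("text/html",
                             f"<!-- debug q={PAYLOAD} --><p>no results</p>"),
}

if __name__ == "__main__":
    results = triage(SAMPLES)
    for name, confirmed in results.items():
        print(f"{name:16s} candidate=True  confirmed={confirmed}")
    print(f"{len(results)} candidates, {sum(results.values())} confirmed")
```

All four responses reflect the marker, so a scanner that stops there would file four reports; the verifier confirms only the raw reflection. A production verifier would go further and load the page in a headless browser to observe the injected script actually executing, but the string-level checks above already capture the idea that a report should rest on a confirmed exploit path rather than on a pattern match.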


HackerOne Top Rank: A Milestone Where AI Surpasses Humans

HackerOne is a platform that connects enterprises with ethical hackers, encouraging security researchers to discover and report system vulnerabilities through bug bounty programs. XBOW's AI tool topped the HackerOne U.S. leaderboard for the second quarter of 2025 (April to June), ranking first in the Vulnerability Disclosure Program (VDP) category, which scores participants on the number of vulnerabilities submitted, total bounty amount, report quality, and vulnerability impact; it finished ahead of 99 human researchers and sixth on the global leaderboard.

Notably, XBOW's result is not just a matter of volume. Among its findings was a previously unknown flaw in Palo Alto Networks' GlobalProtect VPN affecting more than 2,000 hosts, showing that it can surface high-risk vulnerabilities. In addition, a strict internal verification process greatly reduces the false positives that are common in earlier automated tools, keeping report quality high.

Technical Breakthrough: From Easy Vulnerabilities to Complex Ones

The XBOW development team stated that the tool has undergone multiple rigorous benchmark tests, including "capture the flag" challenges from PortSwigger and Pentesterlab, as well as self-built test environments simulating real-world scenarios. The team further optimized the AI's vulnerability detection capabilities through white-box testing and zero-day vulnerability discovery in open-source projects.

Although XBOW currently excels mainly at well-understood vulnerability classes such as SQL injection and XSS, its autonomous exploration and iterative learning have already drawn industry attention. Experts point out that as AI technology advances, tools like XBOW may break further ground, gaining the ability to discover complex business-logic vulnerabilities or to chain attacks, and thereby play a more critical role on the cybersecurity battlefield.

Industry Impact: A New Hope for AI Empowering Defenders

XBOW's success not only brings technological innovation to the cybersecurity industry but also sparks new discussions about the role of AI. Michiel Prins, co-founder of HackerOne, said, "AI tools like XBOW bring amazing innovations to the security field, accelerating the discovery and response to vulnerabilities." XBOW's CEO Oege de Moor believes that AI-driven defense tools will help companies identify and fix all vulnerabilities before systems go live, gradually shifting the balance of power in favor of defenders.

At the same time, the industry has some concerns. Some experts note that while AI tools are good at quickly finding "low-hanging fruit", their capacity for creative thinking and for complex attack scenarios still needs to be proven. Moreover, AI-powered automated testing may cause a surge in the number of vulnerability reports, putting pressure on enterprises' remediation capacity.

Capital Support: XBOW Secures $75 Million in Funding for Expansion

At the same time that XBOW topped the HackerOne ranking, the company announced the completion of a $75 million Series B funding round, bringing the total funding to $117 million. The round was led by Altimeter, with existing investors such as Sequoia Capital participating. The funds will be used to further expand XBOW's AI-driven security platform and accelerate its global market expansion.

The Future Intersection of AI and Cybersecurity

The rise of XBOW marks the huge potential of AI in the field of cybersecurity. Its fully automated penetration testing tool not only improves the efficiency and scale of vulnerability discovery but also provides enterprises with stronger defense mechanisms. AIbase believes that XBOW's success is not only a technological victory but also signals that a new mode of AI and human collaboration is reshaping the cybersecurity landscape. However, how to balance the automation advantages of AI with the creative insights of human researchers remains a key issue for the industry to explore in the future.

As XBOW is set to share more technical details at the Black Hat Briefings security conference in August 2025, the global security community's anticipation for this tool continues to grow.

AI在线, 6/26/2025 3:00:48 PM
