AI Agents Revolutionize Software Security: Xbow Tops HackerOne Leaderboard

AI Agents Are Getting Better at Writing Code -- and Hacking It as Well

The latest artificial intelligence models are not only remarkably good at software engineering -- new research shows they are getting ever-better at finding bugs in software, too. AI researchers at UC Berkeley tested how well the latest AI models and agents could find vulnerabilities in 188 large open source codebases. Using a new benchmark called CyberGym, the AI models identified 17 new bugs including 15 previously unknown, or "zero-day," ones. "Many of these vulnerabilities are critical," says Dawn Song, a professor at UC Berkeley who led the work. Many experts expect AI models to become formidable cybersecurity weapons. An AI tool from startup Xbow currently has crept up the ranks of HackerOne's leaderboard for bug hunting and currently sits in top place. The company recently announced $75 million in new funding. Song says that the coding skills of the latest AI models combined with improving reasoning abilities are starting to change the cybersecurity landscape. "This is a pivotal moment," she says. "It actually exceeded our general expectations." As the models continue to improve they will automate the process of both discovering and exploiting security flaws. This could help companies keep their software safe but may also aid hackers in breaking into systems. "We didn't even try that hard," Song says. "If we ramped up on the budget, allowed the agents to run for longer, they could do even better." The UC Berkeley team tested conventional frontier AI models from OpenAI, Google, and Anthropic, as well as open source offerings from Meta, DeepSeek, and Alibaba combined with several agents for finding bugs, including OpenHands, Cybench, and EnIGMA. The researchers used descriptions of known software vulnerabilities from the 188 software projects. They then fed the descriptions to the cybersecurity agents powered by frontier AI models to see if they could identify the same flaws for themselves by analyzing new codebases, running tests, and crafting proof-of-concept exploits. The team also asked the agents to hunt for new vulnerabilities in the codebases by themselves. Through the process, the AI tools generated hundreds of proof-of-concept exploits, and of these exploits the researchers identified 15 previously unseen vulnerabilities and two vulnerabilities that had previously been disclosed and patched. The work adds to growing evidence that AI can automate the discovery of zero-day vulnerabilities, which are potentially dangerous (and valuable) because they may provide a way to hack live systems. AI seems destined to become an important part of the cybersecurity industry nonetheless. Security expert Sean Heelan recently discovered a zero-day flaw in the widely used Linux kernel with help from OpenAI's reasoning model o3. Last November, Google announced that it had discovered a previously unknown software vulnerability using AI through a program called Project Zero. Like other parts of the software industry, many cybersecurity firms are enamored with the potential of AI. The new work indeed shows that AI can routinely find new flaws, but it also highlights remaining limitations with the technology. The AI systems were unable to find most flaws and were stumped by especially complex ones.

This AI Is Outranking Humans as a Top Software Bug Hunter

An AI program has climbed the leaderboard for discovering real-world software vulnerabilities, besting the human reviewers to take the top spot in the US. The program, called Xbow, currently ranks number one on the US-based leaderboard at HackerOne, a platform that coordinates software vulnerability discoveries with major companies. Over the last few months, Xbow has increased its reputation score at HackerOne by reporting over 1,000 apparent software flaws; 132 have been reported as officially discovered and resolved. Impacted companies include The Walt Disney Company, AT&T, Ford and Epic Games. In total, the AI program has submitted nearly 1,060 vulnerabilities, the startup behind Xbow announced on Tuesday. "All findings were fully automated," the team added, "though our security team reviewed them pre-submission to comply with HackerOne's policy on automated tools." While 132 of the flaws were officially resolved, another 303 were classified as "triaged," meaning the reported bug has been acknowledged, but not resolved. Another 125 are pending review. So, it's possible Xbow may have discovered an even larger crop of vulnerabilities that still need to be confirmed. But the AI program didn't always find a new security issue; 208 of the submitted reports were marked as "duplicates" while another 209 were flagged as merely "informative." The remaining 36 were declared not applicable. Still, the results show how new AI programs could shake up the cybersecurity industry through automated vulnerability discovery at a scale that outpaces human security researchers. "Notably, around 45% of Xbow's findings are still awaiting resolution, highlighting the volume and impact of the submissions across live targets," the Xbow team adds. In addition, technology promises to help companies stay ahead of malicious hackers who have also been trying to adopt generative AI. Xbow is designed to be fully autonomous, with the ability to complete "comprehensive penetration tests in just a few hours," the company says. But Xbow is also raising some concerns about whether it's generating quantity over quality in terms of vulnerability reports. "Receiving hundreds of AI-generated bug reports would be so demoralizing and probably turn me off from maintaining an open source project forever," wrote one user on the Hacker News forum. "I think developers are going to eventually need tools to filter out slop." Brendan Dolan-Gavitt, an Xbow AI researcher, responded to the skepticism and criticism, writing: "The main difference is that all of the vulnerabilities reported here are real, many quite critical." Others also point out the submissions from human security researchers on HackerOne can also be of low-quality. In the meantime, Xbow released the results as it's trying to sell its technology to customers. Bloomberg reports that Xbox recently raised $75 million through a new funding round.

One of the Best Hackers in the Country is an AI Bot

A hacker named Xbow has topped a prestigious security industry US leaderboard that tracks who has found and reported the most vulnerabilities in software from large companies. Xbow isn't a person -- it's an artificial intelligence tool developed by a company of the same name. This is the first time a company's AI product has topped HackerOne's US leaderboard by reputation, which measures how many vulnerabilities have been found and the importance of each one, according to HackerOne co-founder Michiel Prins. Now, the year-old startup has raised $75 million in a new funding round led by Altimeter Capital, with participation from existing investors Sequoia Capital and NFDG. It declined to share its valuation.

AI tool Xbow becomes first non-human to top ethical hacker leaderboard

Serving tech enthusiasts for over 25 years. TechSpot means tech analysis and advice you can trust. What just happened? Just a year after its founding, cybersecurity startup Xbow has risen to the top of the HackerOne leaderboard, a platform that ranks the world's most effective bug hunters by the number and severity of vulnerabilities they uncover for major companies. This marks the first time an artificial intelligence system has claimed the number one spot, outpacing thousands of human ethical hackers and security researchers who have traditionally dominated the field. Xbow's rapid ascent is a striking signal of how artificial intelligence is reshaping the landscape of software security. The AI-driven tool, developed by a team led by founder and CEO Oege de Moor, has earned a "reputation" score on HackerOne that is nearly 25 percent higher than its closest human competitor. Since its launch, Xbow has identified hundreds of software flaws - ranging from SQL injections and cross-site scripting to remote code execution - across products from high-profile companies including Toyota, Disney, IBM, AT&T, PayPal, and Sony. The technology behind Xbow operates by autonomously conducting penetration testing, a process where systems are probed for weaknesses that malicious actors could exploit. Unlike traditional red teams, which often require weeks of manual effort and can cost tens of thousands of dollars per engagement, Xbow's AI can continuously scan for vulnerabilities at a fraction of the time and cost. The system uses a series of automated peer reviewers to verify the legitimacy of each finding, reducing the need for human intervention and minimizing false positives. Xbow's effectiveness has been validated through industry-standard benchmarks. The AI has autonomously passed 75 percent of web security benchmarks from recognized providers, and when tested on a set of novel challenges designed to prevent recycled solutions, it solved 85 percent of them. This demonstrates not only its ability to detect known flaws but also to generate original solutions to new problems. The company's momentum has attracted significant investment. In its first year, Xbow secured over $117 million in funding from prominent backers, including former GitHub CEO Nat Friedman and venture capital firms such as Sequoia Capital and Altimeter Capital. Despite its success, Xbow faces challenges common to AI systems. Some of its reports have been marked as duplicates or merely informative, requiring human teams to filter out less actionable findings. The technology also struggles with vulnerabilities that stem from business logic or contextual nuances, such as privacy rules specific to certain industries, which still require explicit guidance. As AI-driven tools like Xbow become more prevalent, the cybersecurity field is entering a new era where machines increasingly defend - and sometimes attack - other machines. While this raises concerns about the potential for AI to be used by malicious hackers, Xbow's creators argue that such technology is essential to help defenders keep pace. "We can, for the first time, have a good hope that defenders can find and fix all the vulnerabilities before a system goes out," de Moor told The Economic Times.

An AI holds the top slot in a leaderboard that ranks people who hunt for system vulnerabilities used by hackers

In the world of cybercrime and hacking, the rise of AI has been a blessing, as it has given ne'er-do-wells even more ways to steal accounts, nab vital information, or phish you for money. All is not lost, though, as it turns out that there's one AI that's so good at finding security issues and vulnerabilities in code that it's currently the leader in the US HackerOne leaderboard. The company that developed the AI model is called Xbow (no, not Xbox) and it's used the same name for the system itself. Xbow is also relatively new, as a Bloomberg report states that the start-up has only been around for a year. So far, it's picked up $75 million in funding but I suspect given just how successful it's been at finding security problems, that there will be more investors interested in getting involved. What Xbow is doing isn't exactly new, as ethical hackers have been using all kinds of automated tools to test and check code, websites, and the like for years. AI has been of particular interest more recently, of course, because if there is one thing that artificial intelligence models are good at, it's trawling through vast amounts of data to find common patterns. The Xbow AI carries something called automated penetration testing, which simulates cyberattacks or any kind of systematic abuse of security vulnerabilities in code. In the past, this has been done somewhat manually, making the whole process very time-consuming and therefore costly. In the case of the latter, it's sometimes so expensive that some companies will just fire out code without ensuring that it's memory-safe. Given that Xbow currently tops the US HackerOne leaderboard, it's clearly doing a good job. That said, it's not perfect and part of that is down to AI hallucination, which the model spits out an entirely wrong answer because it's come across data that it's never been trained on or not enough, at the very least. Xbow, the company that is, gets around this issue by manually vetting each reported issue. There's also the fact that the AI has no notion of context. For example, as Xbow co-founder Oege de Moor told Bloomberg, "it needs to be explicitly told when looking at a medical website that prescriptions should be kept private." Given just how important it is for code to be memory-safe these days, where programs don't produce unexpected errors in memory which makes them vulnerable to attack, I dare say that we're going to see a lot more start-ups and projects like Xbow appearing in the next few years. And if they all happen to be machine-powered but human-verified, for the ultimate in speed and accuracy, then that's surely one great thing we'll be able to say AI has done for us all.

AI tool Xbow is one of America's best hackers - The Economic Times

AI-powered cybersecurity tool Xbow has topped HackerOne's US leaderboard, marking the first time an AI, not a human, leads in reported software vulnerabilities. Founded in 2024 by GitHub veteran Oege de Moor, Xbow automates penetration testing, recently raised $75 million, and is reshaping defense strategies in the era of AI-driven hacking.A hacker named Xbow has topped a prestigious security industry US leaderboard that tracks who has found and reported the most vulnerabilities in software from large companies. Xbow isn't a person -- it's an artificial intelligence tool developed by a company of the same name. This is the first time a company's AI product has topped HackerOne's US leaderboard by reputation, which measures how many vulnerabilities have been found and the importance of each one, according to HackerOne cofounder Michiel Prins. Now, the year-old startup has raised $75 million in a new funding round led by Altimeter Capital, with participation from existing investors Sequoia Capital and NFDG. It declined to share its valuation. Security researchers and hackers have long automated parts of their work and AI has shown up as a key tool in the past two years, Prins said. Nearly all human hackers now augment their efforts with AI and there are a handful of firms trying to do what Xbow does -- Prins calls them hackbot companies. Xbow, founded in January 2024 by GitHub veteran Oege de Moor, automates penetration testing, where hackers try to find security flaws and break into corporate networks. Companies often hire or employ people to do that, called red teams, as a way of improving and protecting their network and software. But red teaming and penetration testing is costly -- $18,000 on average and few weeks of work for a test on a single system, says de Moor -- and so it often doesn't get done frequently enough. De Moor wants to sell his product to enable customers to go through the process continuously or at least more often, and before new products and systems go live. "By automating this we can completely change the equation," said de Moor, who formerly oversaw Microsoft Corp.-owned GitHub's Copilot for AI code-generation. The challenge is that well-financed hackers are also using AI algorithms to automate attacks and increase their frequency at a lower cost. Xbow has "something that works now and it's exciting, but also somewhat terrifying because we are now in the era of machines hacking machines," said Nat Friedman of NFDG, and a former GitHub chief executive officer. De Moor, who also spent two decades as a computer science professor at Oxford University, expects the balance of power to eventually favor defenders, using tools like Xbow. "There might be a period of chaos where not everybody gets ready for these AI-powered attacks," he said. Now, "we can, for the first time, have a good hope that defenders can find and fix all the vulnerabilities before a system goes out." De Moor founded Semmle, a startup for finding security flaws in code that was acquired by GitHub in 2019. Microsoft had bought GitHub the previous year and named Friedman CEO. He wanted to make a series of acquisitions to add new products and entrepreneurial talent. Friedman and Altimeter Capital partner Apoorv Agrawal said they were looking at ways AI could boost cybersecurity when de Moor began Xbow. "Cybersecurity is going through a credibility crisis. There are a lot of alerts," Agrawal said. What chief information security officers "want is less, not more, they want simplicity and less alerts," he added. "How do you make this work? AI can help." HackerOne offers a security platform where companies who want their software vetted can offer bounties for finding bugs. There are open programs and ones that are invitation-only. Xbow is active in both. When an AI like Xbow's finds a vulnerability, HackerOne requires a human at the company to vet it to filter out AI hallucinations. Then Xbow goes to the company whose product contains the supposed flaw. If it confirms the issue, Xbow earns reputation points -- hackers get more points the more severe the issue. As part of that work, the Xbow product successfully found and reported security bugs to more than a dozen well-known companies, according to de Moor. The list includes Amazon.com Inc., Walt Disney Co., PayPal Holdings Inc. and Sony Group Corp. De Moor declined to name Xbow's current customers except to say they are large financial services and technology companies. Xbow's team includes GitHub veterans like Nico Waisman, who served as chief information security officer at Lyft Inc., and is now Xbow head of security, and Albert Ziegler, Xbow's head of AI, who worked at GitHub and Semmle. While Xbow's algorithm does well in finding things like common coding errors and security issues, it does poorly at realizing when a flaw results from product design logic. For example, it needs to be explicitly told when looking at a medical web site that prescriptions should be kept private, de Moor said. And it won't understand that while a doctor or a pharmacist needs to be able to access the prescriptions of multiple patients, it's a security problem if one patient can see another's meds. In the future, Xbow also wants to add the ability to tell customers how to correct the security flaws and make coding suggestions for those fixes. Widespread adoption will also require getting customers to change how they work, Altimeter's Agrawal said. "Whenever there's a sufficiently advanced technology, the last-mile adoption requires a change of workflows," Agrawal said. "It requires a change of people's behaviors that they've been doing for years, sometimes decades."

AI Beats Top Humans Hackers : How Machines Are Dominating the HackerOne Leaderboard

What if the world's best hacker wasn't human? In a new twist, an AI bot has outperformed top ethical hackers on HackerOne, a platform renowned for its competitive vulnerability detection. This isn't just a technological milestone -- it's a paradigm shift in how we approach cybersecurity. Imagine a system that scans millions of lines of code, identifies vulnerabilities, and offers solutions faster than any human could. Now, picture that system climbing to the top of a leaderboard traditionally dominated by seasoned professionals. It's not science fiction; it's happening now. As cyberattacks grow more sophisticated, this achievement underscores a critical question: Are we entering an era where machines, not humans, will lead the charge in securing our digital world? This breakthrough offers a glimpse into the fantastic potential of AI-driven cybersecurity. From automating vulnerability detection to scaling defenses across industries like healthcare and finance, this technology is reshaping how organizations protect their most sensitive data. But it's not just about speed and efficiency -- this shift raises profound implications for the future role of human cybersecurity experts. Will AI become a trusted ally, or could it eventually outpace human oversight entirely? As we explore the rise of this AI bot and its implications, one thing is clear: the battle for cybersecurity supremacy is no longer confined to human ingenuity. HackerOne, a platform that connects companies with ethical hackers to identify and resolve vulnerabilities, has traditionally been dominated by human participants. The emergence of an AI bot as the leader signals a significant shift in how cybersecurity challenges are approached. By using advanced algorithms, this AI system can process vast amounts of data, detect vulnerabilities, and provide actionable insights with a speed and precision that surpass human capabilities. This development represents a new era in cybersecurity, where AI complements and enhances traditional methods. The increasing frequency of cyberattacks and the growing complexity of software systems have exposed the limitations of conventional security measures. Vulnerabilities in software can lead to data breaches, operational disruptions, and substantial financial losses. AI offers a robust solution by detecting and addressing these vulnerabilities in real time. Major organizations such as AT&T, Disney, and Sony have already integrated this AI platform into their cybersecurity strategies, demonstrating its effectiveness across diverse industries. This adoption underscores the urgency of using AI to combat the evolving threat landscape. Here are more guides from our previous articles and guides related to AI in Cybersecurity that you may find helpful. One of the most notable advantages of this AI system is its ability to automate vulnerability detection. Traditional manual processes are often time-consuming and prone to human error, whereas AI continuously scans systems for weaknesses with unparalleled accuracy. This automation not only accelerates the detection process but also reduces the likelihood of oversight. By incorporating AI into your cybersecurity framework, you can proactively identify and address vulnerabilities before they are exploited, making sure a more secure digital environment. In the realm of cybersecurity, speed is a critical factor. The longer a vulnerability remains unresolved, the higher the risk of exploitation. This AI platform excels in rapid detection and resolution, allowing organizations to address vulnerabilities almost immediately after they are identified. Additionally, the system is designed to be compute-efficient, delivering high performance without requiring excessive computational resources. This efficiency makes the technology accessible to organizations of all sizes, from small businesses to multinational corporations, making sure that robust cybersecurity measures are within reach for a wide range of users. The scalability of this AI system is another key strength, allowing it to adapt to the needs of both small networks and global infrastructures. It is particularly effective in industries with heightened security requirements, such as financial services and healthcare, where sensitive data is frequently targeted by cybercriminals. By prioritizing these high-risk sectors, the AI ensures that critical systems receive the protection they need. This adaptability makes it a versatile tool for addressing the unique challenges faced by different industries. AI is not merely enhancing cybersecurity -- it is reshaping it. By automating routine tasks such as vulnerability scanning and patch management, AI enables cybersecurity professionals to focus on more strategic and complex initiatives. This shift is especially significant given the ongoing shortage of skilled cybersecurity experts. With AI as a partner, organizations can achieve levels of efficiency and effectiveness that were previously unattainable, allowing professionals to allocate their expertise to areas where human judgment and creativity are most needed. Despite its impressive capabilities, this AI system faces challenges that must be addressed to ensure its long-term success. It must continuously evolve to counter emerging threats and adapt to new attack methods. Ethical considerations, such as making sure the responsible use of AI and maintaining transparency, will also play a crucial role as the technology becomes more widespread. While these challenges are significant, the potential for AI to transform cybersecurity remains undeniable. By addressing these issues, the technology can continue to advance and provide faster, smarter, and more resilient cyber defense solutions. The rise of an AI bot to the top of HackerOne's leaderboard marks a pivotal moment in the evolution of cybersecurity. By automating vulnerability detection and resolution, enhancing scalability, and focusing on critical industries, this technology is setting new standards for cyber defense. As cyber threats continue to grow in complexity, integrating AI into your cybersecurity strategy will be essential for staying ahead of potential risks. The future of cybersecurity is unfolding, and it is being shaped by the fantastic power of AI.