XBOW
@Xbow
Bringing AI to offensive security by autonomously finding and exploiting web vulnerabilities. Watch XBOW hack things: https://xbow.com/traces
For the first time in history, the #1 hacker in the US is an AI. (1/8)
From SSRF discovery to RCE exploitation in 32 iterations. XBOW systematically analyzed TiTiler's expression parser, discovered Python execution through error patterns, then crafted payloads using subclass traversal to achieve command execution. Complete analysis:…
AI-powered attacks are evolving faster than most organizations can adapt. Recent trends we're tracking:
Attackers using LLMs for phishing campaigns
Threat actors leveraging AI for vuln discovery
Automated social engineering at scale
The defense? Autonomous security that…
⚡️XBOW found LFI where most tools would have given up. Photo download endpoint blocked all path traversal attempts. But JavaScript analysis revealed /photo/proxy?url= - vulnerable to file:// scheme access. Successfully read a password file via proxy endpoint. Technical…
Meet the #1 AI Pentester in America at BlackHat! We're bringing XBOW to Vegas — join us at booth #3257 to see it in action. #BlackHat2025

What if two AI models could collaborate without knowing it? Our Head of AI, Albert Ziegler developed "model alloys" - alternating between different LLMs in a single conversation. Sonnet handles some steps, Gemini others, but neither knows about the switch. Result: 55% solve…

Proud to have @djurado9 and @niemand_sec representing XBOW at @defcon Bug Bounty Village 🎯 XBOW finds vulns, our team shares the insights. See you in Vegas! #DEFCON
Don't miss "Prompt. Scan. Exploit: AI’s Journey Through Zero-Days and a Thousand Bugs" by Diego Jurado (djurado9) and Joel Noguera (@niemand_sec) on Friday, August 8 at 10:00 AM on Creator Stage 3. Read more at bugbountydefcon.com/agenda #BugBounty #DEFCON33
When simple attack vectors fail, XBOW doesn't give up. ⚡️New discovery: Arbitrary file read in WordPress Ninja Tables plugin. Hidden in plain JavaScript sight, protected by nonce validation, but XBOW pieced together the exact request format needed. Technical breakdown here:…

When standard SQL injection vectors fail, dig deeper. ⚡️New XBOW discovery: Z-Push vulnerability hidden in Basic Authentication username field. Response timing differences revealed PostgreSQL time-based injection where obvious targets were clean. Full analysis:…
Sometimes the most illogical approach wins. XBOW discovered XSS in Salesforce Aura by testing aura.format=JSON - which counterintuitively returns text/html content type instead of JSON. The kind of discovery that comes from systematic testing without assumptions. Full hunt…

Tomorrow in Paris 🇫🇷 @oegerikus and @apoorv03 will be discussing AI's impact on cybersecurity, the urgent need for AI-powered defense + hot takes on AI at @RaiseSummit 🗓️ Tuesday 9:40-10:00 CEST 📍 Ada Lovelace stage

Even mature products hide critical flaws – and @XBOW just found another one. CVE-2025-49493: XXE in Akamai CloudTest discovered during our climb to #1 on HackerOne. A complete technical breakdown from an error-based detection to a full exfiltration by @djurado9…

Xbow, the startup behind a highly ranked hacking security tool, has raised $75 million bloomberg.com/news/articles/…
One of the top-ranked hackers in the US isn't a person - it's an AI from a company called @Xbow. Founded by former GitHub Copilot chief Oege de Moor, Xbow has closed a Series B round backed by Altimeter, Sequoia and Nat Friedman: bloomberg.com/news/articles/…