XBOW achieves a groundbreaking milestone as the first AI system to surpass human hackers in the HackerOne competition.

XBOW has made history by becoming the first autonomous artificial intelligence to reach the top of the United States HackerOne leaderboard as a vulnerability researcher. In 2025, XBOW’s AI-driven penetration testing tool surpassed all human participants on the platform, marking the first time an autonomous system has achieved this feat in the bug bounty community.

This milestone is significant because HackerOne’s leaderboard is widely recognized for ranking security researchers based on the number, quality, and impact of reported vulnerabilities. XBOW’s success demonstrates not only the capability of AI to match and exceed top-tier human hackers in real-world environments but also its ability to operate at scale—scanning thousands of web applications simultaneously and completing comprehensive penetration tests in just a few hours.

XBOW reached the top spot in the US by submitting nearly 1,060 vulnerabilities, with a substantial number officially confirmed and fixed by major companies such as Disney, AT&T, Ford, and Epic Games. The AI tool operates fully autonomously, requiring no human intervention, though all findings are reviewed by XBOW’s security team before submission to ensure accuracy and compliance with HackerOne’s policies.

Beyond topping the US HackerOne leaderboard, XBOW also ranked first in the institutional sector of the vulnerability disclosure program (VDP) and sixth globally in the combined leaderboard, highlighting its broad impact across different types of bug bounty and disclosure programs.
This achievement is considered a milestone for AI in cybersecurity, showing that AI-powered tools can not only keep pace with human experts but also lead the field in vulnerability discovery.

What is XBOW?

XBOW is an artificial intelligence platform designed to autonomously identify and exploit software vulnerabilities. It was founded by Oege de Moor and has rapidly gained prominence by outperforming human researchers on HackerOne, a leading bug bounty platform. The system operates without human intervention, running continuous security tests and identifying a wide range of vulnerabilities, including remote code execution, SQL injection, XSS, SSRF, and more.

How XBOW Works

XBOW conducts comprehensive penetration tests autonomously, simulating the actions of top-tier human pentesters but at much greater speed and scale. It has demonstrated the ability to find and exploit vulnerabilities in 75% of web benchmarks, including advanced challenges like cryptographic CAPTCHA bypasses and Jenkins remote code execution. All findings are reviewed by XBOW’s security team before submission to ensure accuracy and compliance with HackerOne’s policies.

Industry Impact and Funding

XBOW recently raised $75 million in a Series B funding round, bringing its total funding to $117 million. The round was led by Altimeter, with participation from Sequoia Capital and Nat Friedman.