Latest news with #HackerOne


International Business Times
14 hours ago
- Business
- International Business Times
What is XBOW? An AI Tool that is America's 'Best Hacker' Secures $75M in Funding
An unexpected hacker has topped the leaderboard in discovering real-world cyberthreats, beating some of the very talented human reviewers. Its name is XBOW, a new artificial intelligence system designed to explore for vulnerabilities in software, and it just claimed first place on HackerOne, an international bug bounty-based competition in which hackers work to uncover bugs for big companies. It marks the first time that autonomous systems have surpassed all people on the leaderboard. In the past few months alone, XBOW's AI has identified more than 1,000 vulnerabilities. These are not just guesses—companies such as AT&T, Epic Games, Ford, and Disney have verified 132 of these threats and have issued fixes. 330+ more bugs are targeted for resolution, with hundreds more still under review. XBOW is unique in the way it operates; it continuously scans apps and systems like a tireless red team. Instead of being human-driven—requiring scheduled penetration scans—XBOW runs 24x7. It's AI that detects, models, and emulates attacks against live networks—without the need for manual guidance. The result? Faster identification of genuine security issues—including those deeply buried within complex codebases. The creators of XBOW say that the shift is crucial since cyberattacks have become more intricate as hackers have also started leveraging AI to initiate large-scale attacks. In this accelerating arms race, being capable of thinking and acting at machine speed is no longer a luxury—it's a requirement. But the trend of automated testing tools also raises issues. The increasing number of bug reports from AI is worrying some developers. They fear that if services such as XBOW are replicated, it could flood security personnel with too many alerts, some of which may be duplicative or not warrant attention. XBOW, however, asserts that its reports are not only valid but frequently crucial and notes that human reports can also come in varying qualities. 
Whatever the merits of that debate, the impact of the platform is clear. It can execute full-scale security tests in hours—something that previously took days or even weeks. And it's not just for cybersecurity experts or researchers; the product is already being used by banks, tech giants, and other major organizations. To fuel its burgeoning ambitions, XBOW recently secured $75 million in a Series B round of funding. The round was led by Altimeter's Apoorv Agrawal and included follow-on from Sequoia Capital and Nat Friedman. The investment brings the company's total raise to $117 million. With the fresh funds, XBOW plans to grow its engineering team and build out its go-to-market plan.


Time of India
2 days ago
- Business
- Time of India
AI tool Xbow is one of America's best hackers
A hacker named Xbow has topped a prestigious security industry US leaderboard that tracks who has found and reported the most vulnerabilities in software from large companies. Xbow isn't a person — it's an artificial intelligence tool developed by a company of the same name. This is the first time a company's AI product has topped HackerOne's US leaderboard by reputation, which measures how many vulnerabilities have been found and the importance of each one, according to HackerOne cofounder Michiel Prins. Now, the year-old startup has raised $75 million in a new funding round led by Altimeter Capital, with participation from existing investors Sequoia Capital and NFDG. It declined to share its valuation. Security researchers and hackers have long automated parts of their work and AI has shown up as a key tool in the past two years, Prins said. Nearly all human hackers now augment their efforts with AI and there are a handful of firms trying to do what Xbow does — Prins calls them hackbot companies. Xbow, founded in January 2024 by GitHub veteran Oege de Moor, automates penetration testing, where hackers try to find security flaws and break into corporate networks. Companies often hire or employ people to do that, called red teams, as a way of improving and protecting their network and software. But red teaming and penetration testing is costly — $18,000 on average and a few weeks of work for a test on a single system, says de Moor — and so it often doesn't get done frequently enough. De Moor wants to sell his product to enable customers to go through the process continuously or at least more often, and before new products and systems go live. 'By automating this we can completely change the equation,' said de Moor, who formerly oversaw Microsoft Corp.-owned GitHub's Copilot for AI code-generation. The challenge is that well-financed hackers are also using AI algorithms to automate attacks and increase their frequency at a lower cost. 
Xbow has 'something that works now and it's exciting, but also somewhat terrifying because we are now in the era of machines hacking machines,' said Nat Friedman of NFDG, and a former GitHub chief executive officer. De Moor, who also spent two decades as a computer science professor at Oxford University, expects the balance of power to eventually favor defenders, using tools like Xbow. 'There might be a period of chaos where not everybody gets ready for these AI-powered attacks,' he said. Now, 'we can, for the first time, have a good hope that defenders can find and fix all the vulnerabilities before a system goes out.' De Moor founded Semmle, a startup for finding security flaws in code that was acquired by GitHub in 2019. Microsoft had bought GitHub the previous year and named Friedman CEO. He wanted to make a series of acquisitions to add new products and entrepreneurial talent. Friedman and Altimeter Capital partner Apoorv Agrawal said they were looking at ways AI could boost cybersecurity when de Moor began Xbow. 'Cybersecurity is going through a credibility crisis. There are a lot of alerts,' Agrawal said. What chief information security officers 'want is less, not more, they want simplicity and less alerts,' he added. 'How do you make this work? AI can help.' HackerOne offers a security platform where companies who want their software vetted can offer bounties for finding bugs. There are open programs and ones that are invitation-only. Xbow is active in both. When an AI like Xbow's finds a vulnerability, HackerOne requires a human at the company to vet it to filter out AI hallucinations. Then Xbow goes to the company whose product contains the supposed flaw. If it confirms the issue, Xbow earns reputation points — hackers get more points the more severe the issue. As part of that work, the Xbow product successfully found and reported security bugs to more than a dozen well-known companies, according to de Moor. The list includes Inc., Walt Disney Co., PayPal Holdings Inc. and Sony Group Corp. 
De Moor declined to name Xbow's current customers except to say they are large financial services and technology companies. Xbow's team includes GitHub veterans like Nico Waisman, who served as chief information security officer at Lyft Inc., and is now Xbow head of security, and Albert Ziegler, Xbow's head of AI, who worked at GitHub and Semmle. While Xbow's algorithm does well in finding things like common coding errors and security issues, it does poorly at realizing when a flaw results from product design logic. For example, it needs to be explicitly told when looking at a medical web site that prescriptions should be kept private, de Moor said. And it won't understand that while a doctor or a pharmacist needs to be able to access the prescriptions of multiple patients, it's a security problem if one patient can see another's meds. In the future, Xbow also wants to add the ability to tell customers how to correct the security flaws and make coding suggestions for those fixes. Widespread adoption will also require getting customers to change how they work, Altimeter's Agrawal said. 'Whenever there's a sufficiently advanced technology, the last-mile adoption requires a change of workflows,' Agrawal said. 'It requires a change of people's behaviors that they've been doing for years, sometimes decades.'


The Star
2 days ago
- Business
- The Star
One of the best hackers in the US is an AI bot
A hacker named Xbow has topped a prestigious security industry US leaderboard that tracks who has found and reported the most vulnerabilities in software from large companies. Xbow isn't a person – it's an artificial intelligence tool developed by a company of the same name. This is the first time a company's AI product has topped HackerOne's US leaderboard by reputation, which measures how many vulnerabilities have been found and the importance of each one, according to HackerOne co-founder Michiel Prins. Now, the year-old startup has raised US$75mil (RM317.88mil) in a new funding round led by Altimeter Capital, with participation from existing investors Sequoia Capital and NFDG. It declined to share its valuation. Security researchers and hackers have long automated parts of their work and AI has shown up as a key tool in the past two years, Prins said. Nearly all human hackers now augment their efforts with AI and there are a handful of firms trying to do what Xbow does – Prins calls them hackbot companies. Xbow, founded in January 2024 by GitHub veteran Oege de Moor, automates penetration testing, where hackers try to find security flaws and break into corporate networks. Companies often hire or employ people to do that, called red teams, as a way of improving and protecting their network and software. But red teaming and penetration testing is costly – US$18,000 (RM76,292) on average and a few weeks of work for a test on a single system, says de Moor – and so it often doesn't get done frequently enough. De Moor wants to sell his product to enable customers to go through the process continuously or at least more often, and before new products and systems go live. "By automating this we can completely change the equation," said de Moor, who formerly oversaw Microsoft Corp-owned GitHub's Copilot for AI code-generation. The challenge is that well-financed hackers are also using AI algorithms to automate attacks and increase their frequency at a lower cost. 
Xbow has "something that works now and it's exciting, but also somewhat terrifying because we are now in the era of machines hacking machines," said Nat Friedman of NFDG, and a former GitHub chief executive officer. De Moor, who also spent two decades as a computer science professor at Oxford University, expects the balance of power to eventually favor defenders, using tools like Xbow. "There might be a period of chaos where not everybody gets ready for these AI-powered attacks," he said. Now, "we can, for the first time, have a good hope that defenders can find and fix all the vulnerabilities before a system goes out." De Moor founded Semmle, a startup for finding security flaws in code that was acquired by GitHub in 2019. Microsoft had bought GitHub the previous year and named Friedman CEO. He wanted to make a series of acquisitions to add new products and entrepreneurial talent. Friedman and Altimeter Capital partner Apoorv Agrawal said they were looking at ways AI could boost cybersecurity when de Moor began Xbow. "Cybersecurity is going through a credibility crisis. There are a lot of alerts," Agrawal said. What chief information security officers "want is less, not more, they want simplicity and less alerts," he added. "How do you make this work? AI can help." HackerOne offers a security platform where companies who want their software vetted can offer bounties for finding bugs. There are open programs and ones that are invitation-only. Xbow is active in both. When an AI like Xbow's finds a vulnerability, HackerOne requires a human at the company to vet it to filter out AI hallucinations. Then Xbow goes to the company whose product contains the supposed flaw. If it confirms the issue, Xbow earns reputation points – hackers get more points the more severe the issue. As part of that work, the Xbow product successfully found and reported security bugs to more than a dozen well-known companies, according to de Moor. 
The list includes Inc, Walt Disney Co, PayPal Holdings Inc and Sony Group Corp. De Moor declined to name Xbow's current customers except to say they are large financial services and technology companies. Xbow's team includes GitHub veterans like Nico Waisman, who served as chief information security officer at Lyft Inc, and is now Xbow head of security, and Albert Ziegler, Xbow's head of AI, who worked at GitHub and Semmle. While Xbow's algorithm does well in finding things like common coding errors and security issues, it does poorly at realising when a flaw results from product design logic. For example, it needs to be explicitly told when looking at a medical web site that prescriptions should be kept private, de Moor said. And it won't understand that while a doctor or a pharmacist needs to be able to access the prescriptions of multiple patients, it's a security problem if one patient can see another's meds. In the future, Xbow also wants to add the ability to tell customers how to correct the security flaws and make coding suggestions for those fixes. Widespread adoption will also require getting customers to change how they work, Altimeter's Agrawal said. "Whenever there's a sufficiently advanced technology, the last-mile adoption requires a change of workflows," Agrawal said. "It requires a change of people's behaviors that they've been doing for years, sometimes decades." – Bloomberg


WIRED
3 days ago
- Business
- WIRED
AI Agents Are Getting Better at Writing Code—and Hacking It as Well
Jun 25, 2025 12:58 PM
One of the best bug-hunters in the world is an AI tool called Xbow, just one of many signs of the coming age of cybersecurity automation. The latest artificial intelligence models are not only remarkably good at software engineering—new research shows they are getting ever-better at finding bugs in software, too. AI researchers at UC Berkeley tested how well the latest AI models and agents could find vulnerabilities in 188 large open source codebases. Using a new benchmark called CyberGym, the AI models identified 17 new bugs including 15 previously unknown, or 'zero-day,' ones. 'Many of these vulnerabilities are critical,' says Dawn Song, a professor at UC Berkeley who led the work. Many experts expect AI models to become formidable cybersecurity weapons. An AI tool from startup Xbow has crept up the ranks of HackerOne's leaderboard for bug hunting and currently sits in top place. The company recently announced $75 million in new funding. Song says that the coding skills of the latest AI models combined with improving reasoning abilities are starting to change the cybersecurity landscape. 'This is a pivotal moment,' she says. 'It actually exceeded our general expectations.' As the models continue to improve they will automate the process of both discovering and exploiting security flaws. This could help companies keep their software safe but may also aid hackers in breaking into systems. 'We didn't even try that hard,' Song says. 'If we ramped up on the budget, allowed the agents to run for longer, they could do even better.' The UC Berkeley team tested conventional frontier AI models from OpenAI, Google, and Anthropic, as well as open source offerings from Meta, DeepSeek, and Alibaba combined with several agents for finding bugs, including OpenHands, Cybench, and EnIGMA. The researchers used descriptions of known software vulnerabilities from the 188 software projects. 
They then fed the descriptions to the cybersecurity agents powered by frontier AI models to see if they could identify the same flaws for themselves by analyzing new codebases, running tests, and crafting proof-of-concept exploits. The team also asked the agents to hunt for new vulnerabilities in the codebases by themselves. Through the process, the AI tools generated hundreds of proof-of-concept exploits, and of these exploits the researchers identified 15 previously unseen vulnerabilities and two vulnerabilities that had previously been disclosed and patched. The work adds to growing evidence that AI can automate the discovery of zero-day vulnerabilities, which are potentially dangerous (and valuable) because they may provide a way to hack live systems. AI seems destined to become an important part of the cybersecurity industry nonetheless. Security expert Sean Heelan recently discovered a zero-day flaw in the widely used Linux kernel with help from OpenAI's reasoning model o3. Last November, Google announced that it had discovered a previously unknown software vulnerability using AI through a program called Project Zero. Like other parts of the software industry, many cybersecurity firms are enamored with the potential of AI. The new work indeed shows that AI can routinely find new flaws, but it also highlights remaining limitations with the technology. The AI systems were unable to find most flaws and were stumped by especially complex ones. 'The work is fantastic,' says Katie Moussouris, founder and CEO of Luta Security, in part because it shows that AI is still no match for human expertise—the best of the model and agent combination (Claude and OpenHands) were only able to find around 2 percent of the vulnerabilities. 'Don't replace your human bug hunters yet,' Moussouris says. Moussouris says she is less worried about AI hacking software than companies investing too much in AI at the expense of other techniques. 
Brendan Dolan-Gavitt, an associate professor at New York University Tandon and a researcher at Xbow, says the new work shows realistic zero-day discovery across a relatively large amount of code using a wide range of AI-powered tasks. Dolan-Gavitt says he expects AI to drive an uptick in attacks involving zero-day exploits. 'That's rare right now, because there are very few people who have the expertise to find new vulnerabilities and build exploits for them,' he says. 'I think the agentic stuff is fascinating for zero-day discoveries,' says Hayden Smith, a cofounder of Hunted Labs, a startup that provides various tools including some incorporating AI for analyzing code for weaknesses. Smith adds that as it becomes possible for more people to discover vulnerabilities with AI it will be more important to ensure that those vulnerabilities are disclosed responsibly. In work posted online in May, Song and other researchers measured the capacity for AI models to find bugs that earned cash payouts through bug-bounty rewards. The effort showed that these tools could potentially earn tens of thousands of dollars. Claude Code, from Anthropic, was most successful, finding bugs worth $1,350 on bug bounty boards and designing patches for vulnerabilities worth $13,862 for a cost of a few hundred dollars in API calls. In a blog post in April, Song and several other AI security experts warn that steadily improving models are likely to benefit attackers over defenders in the near future. This could make it especially important to closely track how capable these tools are becoming. To this end, Song and other researchers have also established the AI Frontiers CyberSecurity Observatory, a collaborative effort that will track the capabilities of different AI models and tools through several benchmarks. Among all the AI risk domains, cybersecurity is going to be one of the first that could become a major problem, Song says. 
How do you feel about using AI tools to test software vulnerabilities? Are the benefits worth the risk of making it easier for hackers too? Let me know in the comments below, or email me at hello@


Bloomberg
4 days ago
- Business
- Bloomberg
One of the Best Hackers in the Country is an AI Bot
A hacker named Xbow has topped a prestigious security industry US leaderboard that tracks who has found and reported the most vulnerabilities in software from large companies. Xbow isn't a person — it's an artificial intelligence tool developed by a company of the same name. This is the first time a company's AI product has topped HackerOne's US leaderboard by reputation, which measures how many vulnerabilities have been found and the importance of each one, according to HackerOne co-founder Michiel Prins. Now, the year-old startup has raised $75 million in a new funding round led by Altimeter Capital, with participation from existing investors Sequoia Capital and NFDG. It declined to share its valuation.