What just happened? Just a year after its founding, cybersecurity startup Xbow has risen to the top of the leaderboard on HackerOne, a platform that ranks the world's most effective bug hunters by the number and severity of vulnerabilities they uncover for major companies. This marks the first time an artificial intelligence system has claimed the number one spot, outpacing thousands of human ethical hackers and security researchers who have traditionally dominated the field.
Xbow's rapid ascent is a striking signal of how artificial intelligence is reshaping the landscape of software security. The AI-driven tool, developed by a team led by founder and CEO Oege de Moor, has earned a "reputation" score on HackerOne that is nearly 25 percent higher than its closest human competitor. Since its launch, Xbow has identified hundreds of software flaws – ranging from SQL injections and cross-site scripting to remote code execution – across products from high-profile companies including Toyota, Disney, IBM, AT&T, PayPal, and Sony.
The technology behind Xbow operates by autonomously conducting penetration testing, a process where systems are probed for weaknesses that malicious actors could exploit. Unlike traditional red teams, which often require weeks of manual effort and can cost tens of thousands of dollars per engagement, Xbow's AI can continuously scan for vulnerabilities in a fraction of the time and at a fraction of the cost. The system uses a series of automated peer reviewers to verify the legitimacy of each finding, reducing the need for human intervention and minimizing false positives.
Xbow's effectiveness has been validated through industry-standard benchmarks. The AI has autonomously passed 75 percent of web security benchmarks from recognized providers, and when tested on a set of novel challenges designed to prevent recycled solutions, it solved 85 percent of them. This demonstrates its ability not only to detect known flaws but also to generate original solutions to new problems.
The company's momentum has attracted significant investment. In its first year, Xbow secured over $117 million in funding from prominent backers, including former GitHub CEO Nat Friedman and venture capital firms such as Sequoia Capital and Altimeter Capital.
For the first time in history, the #1 hacker in the US is an AI.
– XBOW (@Xbow) June 24, 2025
Despite its success, Xbow faces challenges common to AI systems. Some of its reports have been marked as duplicates or merely informative, requiring human teams to filter out less actionable findings. The technology also struggles with vulnerabilities that stem from business logic or contextual nuances, such as privacy rules specific to certain industries, which still require explicit guidance.
As AI-driven tools like Xbow become more prevalent, the cybersecurity field is entering a new era where machines increasingly defend – and sometimes attack – other machines. While this raises concerns about the potential for AI to be used by malicious hackers, Xbow's creators argue that such technology is essential to help defenders keep pace. "We can, for the first time, have a good hope that defenders can find and fix all the vulnerabilities before a system goes out," de Moor told The Economic Times.
AI tool Xbow becomes first non-human to top ethical hacker leaderboard