AI Tool Xbow Surpasses Ethical Hackers in Vulnerability Detection Rankings

The AI tool Xbow, developed by the company of the same name, has topped HackerOne's list of white hat hackers who have identified and reported the most vulnerabilities in the software of major corporations.

HackerOne provides a platform where companies can test their software and offer rewards for reporting bugs. There are both open and invite-only programs. Xbow participates in both types.

The tool has successfully identified flaws in the systems of Amazon, Disney, PayPal, and Sony Group Corporation.

Michiel Prins, co-founder of HackerOne, has noted that this is the first instance of an AI service leading the American reputation leaderboard, which measures the quantity and significance of found vulnerabilities.

Founded in January 2024 by former Copilot head Oege de Moor, Xbow has raised $75 million in a new funding round led by Altimeter Capital, with participation from Sequoia Capital and NFDG.

Companies often hire individuals to test corporate networks for potential vulnerabilities. This process typically takes several weeks and costs around $18,000. De Moor aims to sell a product that will enable regular assessments of this nature.

The co-founder of HackerOne emphasized that vulnerability researchers have long automated parts of their tasks, and over the past two years, AI has become a crucial tool in their work. Nearly all human experts now complement their efforts with artificial intelligence, and some are even attempting to create a product similar to Xbow.

The challenge is that malicious hackers are also leveraging AI algorithms to automate their attacks, increasing their scale while reducing costs.

“We can finally hope that defenders will be able to discover and fix all vulnerabilities before a system fails,” de Moor asserted.

The Xbow algorithm excels at detecting common coding errors but struggles to understand flaws in product design logic.

It’s worth noting that in May 2025, Google integrated a new AI-powered protection mechanism into its Chrome browser, further advancing security measures.